You are on page 1of 29

The Route to

OHSAS 18001


ERS 007
E 2007 V on the 2
D TO TH mentary
UPDATE lud e s c o m
now inc ndard
Booklet e 1 8001 sta
g e s to th
ch a n

SGS 5258/0308
The Route to OHSAS 18001 The Route to OHSAS 18001

Page Number
What is OHSAS 18001?
It is a standard which many countries and organisations have Introduction 4
chosen to implement in their commitment to establish a formal
3 Terms and Definitions 6
and recognised mechanism for managing occupational health &
safety. OHSAS 18001 has been specifically designed to provide 4.1 General Requirements 6
such a mechanism and was developed with the requirements 4.2 Occupational Health & Safety Policy 7
of both ISO 9001:2000 and ISO 14001:2004 in mind, thereby 4.3.1 Hazard Identification, Risk Assessment
allowing ready integration of management systems and the and Determining Controls 10
efficiencies that this can bring, as well as implicitly recognising
4.3.2 Legal and Other Requirements 15
an organisation’s own business needs.
4.3.3 Objectives and Programmes 18
OHSAS 18001 was first issued in 1999 but was subject to
4.4.1 Resources, roles, responsibility,
review during 2006 and then issued as a revised standard on 1
accountability and authority 20
July 2007. This booklet is intended to provide an introduction
to the changes made to OHSAS 18001 and the potential 4.4.2 Competence, Training and Awareness 22
implications of those changes. 4.4.3 Communication, Participation
and Consultation 24
OHSAS is based on a number of principles:
4.4.4 Documentation 28
• Clear demonstration of leadership and management commitment
4.4.5 Control of Documents 30
• Setting of objectives leading to improvement of OHS performance
4.4.6 Operational Control 32
• Effective hazard identification, risk management and risk control
4.4.7 Emergency Preparedness and Response 34
• Competence of workforce
• Consultation and communication with all stakeholders 4.5.1 Performance, Measurement and Monitoring 36

• Clear lines and definitions of responsibility 4.5.2 Evaluation of Compliance 38

• Systematic approach to managing occupational health & safety 4.5.3 Incident Investigation, Non-Conformity,
Corrective and Preventive Action 40
• Monitoring the effectiveness of the management system through
audit and review 4.5.4 Control of Records 45

It has been appreciated for many years that effective 4.5.5 Internal Audit 46
management of occupational health & safety can significantly 4.6 Management Review 48
reduce risk exposure and potentially improve an organisation’s
profitability and sustainability. Leading studies have recognised
that implementing a formal occupational health & safety
management system based on OHSAS 18001 is an excellent
means of achieving this business aim.

Price £20.00 Sterling

©Copyright SGS United Kingdom Ltd 2008

All rights reserved. No part of this publication may be copied,
reproduced or transmitted in any form by any means without the
written permission of SGS United Kingdom Ltd.
Published by Systems and Services Certification. 2008 
The Route to OHSAS 18001 The Route to OHSAS 18001

INTRODUCTION as a national standard. OHSAS 18001 was initially developed and

recently reviewed by a committee of interested parties including
This booklet gives a brief introduction to OHSAS 18001:2007 and national standards bodies, certification bodies, learned bodies
identifies the changes that have been made as a result of the and industry representatives. It should be noted that although
recent review of the standard. A summary of the key changes is OHSAS 18001:2007 is not an international standard it is being
listed below and explored in more detail throughout this booklet used internationally as a framework of requirements for a Safety
Management System.
The foreword to the standard provides an overview of the
• OHSAS now refers to itself as a “Standard”
changes to the standard as listed above. A comprehensive
Previously OHSAS 18001 was referred to as a Specification.
introduction to the Standard has been added which outlines the
Although it is now referred to as a Standard it is not an
intent of the Standard and emphasises its intended application
international standard
for all types, sizes of organisation and to accommodate diverse
• Significant improvement in alignment with ISO 14001:2004
geographical, cultural and social conditions. The basic approach
• The importance of “health” has now been given greater emphasis taken within OHSAS 18001:2007 continues to be the familiar
• New definitions have been added, and existing definitions revised mechanism of PLAN ~ DO ~ CHECK ~ ACT and it systematically
• The term “tolerable risk” has been replaced by the term requires an organisation to:
“acceptable risk” • Detail an Occupational Health & Safety Policy applicable to
• The term “accident” is now included in the term “incident” its operations
• The definition of the term “hazard” no longer refers to “damage • Identify the OHS hazards and risks which the organisation
to property or damage to the workplace environment” needs to manage
The scope of the standard now specifically excludes health & • Identify the legal and other requirements applicable to
safety areas such as property damage and environmental impacts the organisation
• A new requirement has been introduced for the consideration of • Define and implement the means of managing these issues
the hierarchy of controls as part of OH&S planning and requirements
• The management of change is now more explicitly addressed • Implement a means of effecting continuous improvement in
• Sub-clauses 4.3.3 Objectives and 4.3.4 Management the organisation’s occupational health & safety performance
programmes have been merged • Check and review the continuing effectiveness, suitability and
• A new clause “Evaluation of compliance” has been introduced adequacy of the OHS management system

• New requirements have been introduced for the investigation THE SCOPE OF OHSAS 18001:2007 STATES:
of incidents
“This Occupational Health & Safety Assessment Series
OHSAS 18001 is now a Standard which defines a set of (OHSAS) Standard specifies requirements for an
requirements for an Occupational Health & Safety Management Occupational Health & Safety (OH&S) management system,
System (SMS) which would be suitable for any kind and size of to enable an organisation to control its OH&S risks and
organisation. Currently no ISO standard is available that defines improve its performance. It does not state specific OH&S
the requirements for a SMS, although national standards bodies performance criteria, nor does it give detailed specifications
have developed standards, and some have adopted OHSAS 18001 for the design of a management system.”

The Route to OHSAS 18001 The Route to OHSAS 18001

This firmly establishes the purpose of OHSAS 18001. Not only 4.2 OCCUPATIONAL HEALTH & SAFETY POLICY
does an effective SMS improve existing and establish new controls,
it also installs and drives a system of continuous improvement An organisation’s Occupational Health & Safety Policy should
in Occupational Health & Safety performance. It must also be be the cornerstone of SMS. Development of a Policy may be
recognised that in many countries there is a legal requirement for required by legislation, but even if it is not, the OHS Policy is
organisations to develop and implement Occupational Health & an essential tool in the formulation and communication of the
Safety Management Systems. In many cases there is no definition
organisation’s intent. The safety policy should in any case reflect
of the required structure for such a system.
the organisation’s operations and processes, and should ideally
A SMS based on the requirements of OHSAS 18001 provides be produced after identifying the OH&S hazards and risks which
for the development of a system of interlinking processes and the organisation may face as a result of its operations.
is a simple and effective toolkit of mechanisms for managing
Occupational Health & Safety issues in any kind of organisation. KEY REQUIREMENTS
It is only prescriptive in terms of what must happen, leaving the
The Policy must:
how to the organisation to decide or devise for itself.
• Be appropriate to the scale and operations of the organisation
The notes below are preceded by the clause number of OHSAS
18001:2007 and are presented in the order they appear in that • Commit to continuous improvement of safety performance
specification. New or changed requirements are shown in italics.
• Commit to compliance with relevant legal and other requirements

• Commit to the prevention of injury and ill health

• Provide a framework for setting objectives for improvement
Section 3 of the Standard lists a number of useful Terms and
Definitions. Some of these terms have been revised notably • Be communicated to all persons working under the control
the terms Hazard and Risk. Also the new terms Ill Health and of the organisation with the intent that they are made aware
Incident have been added. of their individual OH&S obligations

• Be available to interested parties

4.1 GENERAL REQUIREMENTS • Be authorised by top management

Paragraph 1 has been extended but a new requirement has • Be periodically reviewed to ensure its ongoing suitability
been added:
Taking these in turn:
The organisation shall establish, document, maintain and continuously
improve an OH&S management system in accordance with the
requirements of this OH&S Standard and determine how it will The Policy should be appropriate to an organisation. The opening
fulfil these requirements. paragraph(s) of the Policy should give a brief outline of the
organisation’s business sector and operations so that the Policy
The organisation shall define and document the scope of its
can be viewed in context. This will also enable the scope of the
OH&S management system.
SMS to be described (see clauses 4.1 and 4.4.4). The Policy
This requirement links with the revised system document needs to be authorised by top management; evidence of this
requirements shown at clause 4.4.4b. authorisation should be available.
The Route to OHSAS 18001 The Route to OHSAS 18001


Documented: For the OH&S Policy to be effective it needs to be
documented in a written format, either on paper or electronically.
Occasionally these commitments are more implied than explicitly This will enable all aspects of the Policy, either in total or in part,
stated in the Policy. This can lead to confusion, since the to be communicated both within and outside the organisation.
Policy should be understandable and clear. It is right to show This will also facilitate the review of the Policy to ensure it
this commitment clearly and it is perfectly acceptable to use remains relevant and suitable to the organisation (see clause 4.6)
the exact words from the standard in the Policy – this gives a
Implemented: Refers to the need to deliver the Policy in detail,
very clear mandate and direction to the SMS. It is part of the
i.e. developing whatever arrangements and controls that are
foundations of Occupational Health & Safety Management.
deemed necessary and keeping the Policy’s promises.
COMMITMENT TO COMPLY WITH RELEVANT LEGAL Maintained: Refers to making sure that the Policy is kept up-to-
AND OTHER REQUIREMENTS date and relevant (this is partly covered by Management Review
Commitment to legal compliance is another fundamental part of see clause 4.6).
the SMS and as such deserves a place in the Policy ~ ideally in COMMUNICATED TO ALL PERSONS WORKING UNDER THE
just those words. Remember that compliance to legislation is CONTROL OF THE ORGANISATION
the minimum required by an organisation, not the maximum.
The matter of “relevant other requirements” can be more Communicating the Policy is not a new requirement but the
difficult. The Policy should indicate any other pertinent phrase “all persons working under the control of the organisation”
requirements to which the organisation subscribes, e.g. is new. This phrase now appears in a number of clauses
corporate requirements where the organisation is part of a larger although the context varies slightly, e.g. clause 4.4.1 and 4.4.2.
group, trade association requirements, sector best practice, This requirement widens the need to communicate either the
etc. This is because the Policy is the only (mandatory) public organisation’s SMS Policy statement or aspects of the SMS
window into the SMS and those who read it should understand arrangements to those who are working under the organisation’s
the key issues and intentions of the organisation with respect to control, e.g. employees, contractors, consultants, agency staff etc.
occupational health and safety. AVAILABLE TO INTERESTED PARTIES

PROVIDE A FRAMEWORK FOR SETTING OBJECTIVES Typical interested parties might include shareholders, other
FOR IMPROVEMENT stakeholders, neighbouring companies or residents, emergency
services etc. Some organisations have published their Safety
The OH&S Policy should make reference to the setting of
Policies on their company websites. In some clauses, e.g. 4.4.7,
safety objectives and objectives for the improvement of safety
interested parties are now specifically identified.
performance. Problems can arise when the Policy is written
with good intent but with unrealistic expectation of what The table below summarises the requirements of clause
an organisation can do. For example, if your Policy states a 4.2 and identifies the new requirements now included in
commitment to accident reduction, risk elimination etc., the OHSAS 18001:2007. So to sum up, the Safety Policy is one
SMS must keep such promises. These will need to be delivered of the cornerstones of an SMS. If it makes promises or raises
by means of documented objectives and supported by detailed expectations, they must be delivered. It is the only part of
Management Programmes (see clause 4.3.3). your system that must be made available to the public. Your
employees must know about it and its relevance to them.
The Route to OHSAS 18001 The Route to OHSAS 18001


Documented, dated and authorised by The key features of this clause are:
top management
• The implementation of a procedure(s) for ongoing hazard
Appropriate to the nature and scale of identification, risk assessment, and determination of
the organisation’s OH&S risks necessary controls
Commits to:
• The organisation’s methodology for hazard identification and
• Continuous improvement
risk assessment shall be proactive
• Compliance with legislation
• The methodology should provide for the prioritisation of
• Compliance with other requirements
hazards and the identification of those that are significant
• Prevent ill health and injury
• Keeping risk assessments and any resultant improvement
Provides framework for setting and
objectives up to date
reviewing objectives?
Communicated to all persons under the A PROCEDURE FOR THE ONGOING IDENTIFICATION
control of the organisation. OF OCCUPATIONAL HEALTH & SAFETY HAZARDS
Available to interested parties
Implemented and maintained? This means that a documented procedure containing sufficient
detail to ensure a repeatable and consistent process. There
Subject to review to ensure
is also a need to keep sufficient records to show that the
ongoing suitability?
procedure has been effectively applied. New requirements have
been introduced which the procedure must take into account.
In some cases these requirements were previously found in
other clauses, e.g. Design of Work Areas was previously part of
clause 4.4.6. These requirements are listed below, those that are
new or revised are shown in bold italics. Where appropriate or
Hazard identification and risk assessment form the core of
necessary a short explanatory note has been included.
the SMS. It is important that the difference between the
meaning of the words “hazard” and “risk” is fully understood. routine and non-routine activities;
It should be noted that the definition of these words has been
• activities of all persons having access to the workplace
revised and that both the word hazard and the Standard itself
(including contractors and visitors)
no longer focus on damage to property. Overall this clause
has been significantly revised and is now the longest clause • human behaviour, capabilities and other human factors.
in the Standard. New requirements to be taken into account This means taking into account all aspects of human behaviour
when identifying hazards and completing risk assessment have and capability, e.g. physical fitness, training etc.
been introduced. Additionally when determining risk controls
consideration must now be given to a hierarchy of controls
listed as part of clause 4.3.1.

10 11
The Route to OHSAS 18001 The Route to OHSAS 18001

• identified hazards originating outside the workplace capable part of the workplace design process. To some extent this
of adversely affecting the health and safety of persons requirement links with the management of change
under the control of the organisation within the workplace.
• the organisation’s methodology for hazard identification
This could mean the use of hazardous machinery brought to
and risk assessment shall: be defined with respect to its scope,
the workplace or chemicals brought to the workplace.
nature and timing to ensure it is proactive rather than reactive;
• hazards created in the vicinity of the workplace by work- and provide for the identification, prioritisation and documentation
related activities under the control of the organisation. of risks, and the application of controls, as appropriate
Possibly hazards created by non-routine activities
• for the management of change, the organisation shall
• infrastructure, equipment and materials at the workplace, identify the OH&S hazards and OH&S risks associated
whether provided by the organisation or others; This with changes in the organisation, the OH&S management
requirement is focusing on hazards associated with work system, or its activities, prior to the introduction of such
equipment, e.g. forklift trucks and material, e.g. chemicals changes. This is a definite requirement to manage change and
in particular to identify associated OH&S hazards and risks
• changes or proposed changes in the organisation, its
before the introduction of change. There would need to
activities, or materials. The management of change is now
be evidence of the manner in which this requirement has
addressed in a more definite way within the Standard; this
been addressed so an external auditor can verify the change
requirement, to some extent, links with managing change
management arrangements
and in particular identifying new or revised hazards resulting
from change • when determining controls, or considering changes to
existing controls, consideration shall be given to reducing
• modifications to the OH&S management system, including
the risks according to the following hierarchy: The
temporary changes, and their impacts on operations,
application of the hierarchy of controls shown below is now a
processes, and activities. This is similar to the requirement
requirement. Auditors will need to see evidence that the
above but focuses on the SMS arrangements which, if changed,
controls hierarchy has at least been considered. It is anticipated
may produce additional hazards or weaken existing controls
that OH&S professionals and those with OH&S training
• any applicable legal obligations relating to risk assessment will recognise this hierarchy and the need for its application.
and implementation of necessary controls (see also the However, short explanatory notes have been attached to some
NOTE to 3.12). This requirement ensures that legal and other of the requirements
requirements are considered when determining risk controls. - elimination
Third party auditors have always sought evidence of the
- substitution
consideration of legal and other requirements but until now it
has not been a specific requirement in the Standard - engineering controls - Previously the only clause to refer to
maintenance was clause 4.4.6 Operational Control. Now the
• the design of work areas, processes, installations, words “Engineering Controls” are the only reference to
machinery/equipment, operating procedures and maintenance within the Standard. Although only a short
work organisation, including their adaptation to human reference it is true to say that engineering arrangements,
capabilities. This requirement was originally part of clause e.g. planned maintenance, statutory inspections etc., some
4.4.6 but is now included here to ensure that the OH&S of which are required by legislation or regulation, are risk
hazards and risks associated with the development or change controls. Auditors will need to verify that maintenance
of the workplace are identified and controls determined as arrangements are applied as risk controls.
12 13
The Route to OHSAS 18001 The Route to OHSAS 18001

- signage/warnings and/or administrative controls Risk assessment methodology determined,

- personal protective equipment proactive and consistently applied

• the organisation shall document and keep the results of Hierarchy of controls considered
identification of hazards, risk assessments and determined and applied
controls up to date. This requirement ensures that risk Risk assessments reviewed and
assessments are subject to periodic review and up dating controls updated
as necessary as a minimum
Records of process enable it to be audited?
• the organisation shall ensure that the OH&S risks
Process is carried out by competent persons?
and determined controls are taken into account when
establishing, implementing and maintaining its OH&S
management system
HAZARD & RISK IDENTIFICATION or Comment/Plan Having identified all hazards and associated risks which could
Procedure(s) and process for identifying impact on occupational health & safety, the process of rating
hazards, subsequent risk assessment the risks for significance can be carried out. This crucial process,
determining controls is documented? together with a thorough knowledge of legal and other similar
requirements, provide the foundations of the SMS.
Process includes reference to:
This assessment process is vital in determining the need for
• Responsibilities
controls aimed at either reducing risk to levels deemed to be
• Document control
acceptable, or meeting the requirements of legislation. The
• Records
changes introduced in the Standard are intended to strengthen the
• Review
hazard identification and risk assessment process. The importance
Procedure(s) ensure that the following of this process cannot be overestimated. Accurate hazard
requirements are taken into account: identification is fundamental to effective risk assessment as is the
• Routine and non-routine activities identification of significant hazards. If this process not effective
• All persons having access to then risk controls and much of the SMS may be questionable.
the workplace
• Human behaviour/factors
• Hazards originating outside 4.3.2 LEGAL AND OTHER REQUIREMENTS
the workplace
• Hazards in the vicinity of A limited revision of this clause has been made although the
the workplace phrase “persons working under the control of the organisation”
• Infrastructure, equipment etc. has been included with regard to the communication of
• Changes in the organisation information on legal and other requirements. The requirements
• Modification to the SMS of this clause when coupled with the completion of risk
• Legal and other requirements assessments, and there is now a definite requirement to do so
• Design of the workplace (see clause 4.3.1i), forms the foundation of the SMS. This clause
• Management of change of the specification requires that the organisation identifies all

14 15
The Route to OHSAS 18001 The Route to OHSAS 18001

relevant legal and other requirements which are applicable to its compliance with legal and other requirements. This clause is
activities, and uses this data to ensure that suitable controls are part of the ‘Checking’ section of the standard and is discussed
in place to ensure compliance. In this context “compliance” is on page 36.
related not only to the identified requirements but also with the
Ideally the process should ensure that an organisation knows:
organisation’s own Policy.
• What legislation and other requirements are applicable
• What it means to the organisation
The Standard requires that there is a procedure(s) for identifying • What duty or obligation is imposed
and gaining access to relevant legal and “other requirements”
• How compliance is ensured
which are applicable to the organisation. This procedure
• A reference to the mechanism for confirming compliance.
should include:
It must also ensure that the details of legal and other
• Responsibilities for compiling the listing of legislation and requirements are kept up-to-date.
“other requirements”
• Sources of data (e.g. update services, subscriptions to journals etc.)
Procedure in place to describe how access
• The means of gaining access to updates
is gained to legal and other requirements,
• The methods employed to communicate the demands of any how to keep track of changes, and who
relevant legislation or “other requirements” does this?
• The types of “other requirements” to be included, e.g. policies, Mechanism in place to record these
codes of practice, national standards, corporate requirements requirements, make sure they are
(if a member of a group of companies) communicated and understood by persons
working under the control of the organisation
The organisation shall ensure that these applicable legal
requirements and other requirements to which the organisation Records and procedure are controlled
subscribes are taken into account in establishing, implementing documents and regularly reviewed
and maintaining its OH&S management system. This is a new There is a means of accessing the
paragraph which is in effect a general statement but is intended original laws, regulations etc.?
to ensure that reference is made to legal and other requirements Register or listing includes (as applicable):
when developing or revising an SMS. • Laws, regulations
The organisation shall keep this information up-to-date. • Policies
• Codes of practice
The organisation shall communicate relevant information on legal • Schemes, e.g. “responsible care”
and other requirements to persons working under its control, • Licences, authorisations, permits, certificates
and to other relevant interested parties. The phrase persons • Planning permission
working under its control means that there needs to be • Insurance
evidence of communication to such persons. • Lease
There is now a new clause, clause 4.5.2 Evaluation of And the means of accessing changes to all
Compliance, which requires the organisation to evaluate of the relevant “other requirements”

16 17
The Route to OHSAS 18001 The Route to OHSAS 18001

Legal and other requirements taken into OBJECTIVES AND PROGRAMMES or Comment/Plan
account when developing, implementing
Is there a process for selecting and
or changing the SMS
documenting the objectives?
The procedure links to the Evaluation of
Are objectives set at relevant levels and
Compliance (clause 4.5.2)
functions within the organisation?
Are there records to show how the
objectives were selected?
Are there links to:
Clause 4.3.3 is now an amalgamation of the original • Significant risks
requirements of clause 4.3.3 objectives and what was clause • Policy commitments
4.3.4 OH&S management programmes. There have been some • Legal and other requirements
changes in wording, which to some extent includes wording • The views of interested parties?
from other standards, and is evidence of the closer link with Are objectives:
ISO 14001 and ISO 9001. Objectives are the drivers for the • Specific
continuous improvement process which ensures that your SMS • Measurable
delivers real improvements in the functioning of the SMS and, • Achievable
perhaps more importantly, occupational safety performance. • Realistic
Management programmes or action plans
OHSAS 18001 requires that:
in place for achieving objectives
• Objectives are established, maintained, documented, and exist at Do programmes show designated
each relevant function and level in the organisation responsibility and authority for achieving
• Objectives are measurable, where practicable, and are consistent objectives, the means and a time frame by
with the OH&S Policy including the commitments to prevent injury which objectives are to be achieved?
and ill health, comply with applicable legal and other requirements Programmes subject to planned reviewed
and continuous improvement

• Consideration of legal and other requirements, significant risks,

financial, technical, operational and business issues, as well as the
views of interested parties when formulating objectives

• Establish and maintain programmes for achieving objectives

• Programmes shall include, as a minimum, designated responsibility

and authority for achieving objectives, the means and a time frame
by which objectives are to be achieved

• Programmes subject to planned reviewed

18 19
The Route to OHSAS 18001 The Route to OHSAS 18001

4.4.1 RESOURCES, ROLES, RESPONSIBILITY, ACCOUNTABILITY • The organisation shall ensure that persons in the workplace
AND AUTHORITY. take responsibility for aspects of OH&S over which they have
control, including adherence to the organisation’s applicable
In common with all management systems’ standards, OHSAS OH&S requirements. This requirement ensures that line
18001 recognises the need to make sure that personnel involved managers, supervisors etc. must now take responsibility for
in the SMS are aware of their responsibilities and authority. In OH&S matters in their area and ensure adherence to applicable
general although the wording of the clause has been revised the OH&S requirements e.g. procedures safe systems of work etc.
requirements remain the same. However, two new requirements
have been introduced. These requirements are shown below;
where requirements are new they are shown in bold italics. Resources, roles, responsibility or Comment/Plan
accountability and authority.
Evidence of Top management taking
OHSAS 18001 requires that
responsibility for the SMS
• Top management shall take ultimate responsibility for OH&S and
Roles and responsibilities defined,
the OH&S management system.
accountabilities and authorities allocated
• Top management shall demonstrate its commitment by ensuring in manuals, job specifications, organisation
the availability of resources essential to establish, implement, charts, procedures etc
maintain and improve the OH&S management system.
Including responsibilities in
Defining roles, allocating responsibilities and accountabilities, and
emergency situations
delegating authorities, to facilitate effective OH&S management;
roles, responsibilities, accountabilities, and authorities shall be Responsibilities etc. documented and
documented and communicated. communicated e.g. staff aware.

• The organization shall appoint a member(s) of top management Management Appointee nominated
with specific responsibility for OH&S, irrespective of See clause 4.4.1 note 2.
other responsibilities. Management appointee responsibilities
• The identity of the top management appointee shall be made defined by clause 4.4.1 para 2 a and b.
available to all persons working under the control of the
Means of communicating the ID of the
organization. This new requirement means that all persons
management appointee
working under the control of the organisation e.g. employees,
contractors, agency staff etc need to be informed of the identity Personnel taking OH&S responsibility
of the management appointee.  and recognise the need to comply with
SMS requirements
• All those with management responsibility shall demonstrate their
commitment to the continual improvement of OH&S performance. Resources provided, defined and adequate?

Training provided to meet competence

needs for responsibilities.

20 21
The Route to OHSAS 18001 The Route to OHSAS 18001

4.4.2 COMPETENCE, TRAINING AND AWARENESS • The organisation shall establish, implement and maintain a
procedure(s) to make persons working under its control aware of
The general intent of the clause remains the same; however,
- the OH&S consequences, actual or potential, of their work
the second paragraph now contains requirements which can
activities, their behaviour, and the OH&S benefits of improved
be found in other standards particularly ISO 9001:2000. Where
personal performance;
requirements are new these are shown in bold italics. Training
and competence form important keystones in the prevention - Their roles and responsibilities and importance in achieving
of OH&S related problems within the workplace. Employees conformity to the OH&S policy and procedures and to the
cannot be expected to carry out tasks safely or assume OH&S requirements of the OH&S management system, including
responsibility if they have not been adequately trained and are emergency preparedness and response requirements (see 4.4.7);
not competent. Identification of training needs and competence - The potential consequences of departure from
relative to the hazards, risks and legislative requirements specified procedures.
applicable to the operations and activities carried out by the
The requirements above are unchanged, however some
organisation, forms a key aspect of occupational health & safety
additional wording, shown in bold italics, has been included.
management. Legislation generally refers to a need for personnel
Again the phrase persons working under its control appears
to be competent to perform their functions – it is incumbent
whereas previously only employees were referenced. The
on the organisation to ensure that this is fulfilled and that there
behaviour of personnel is referenced so that personnel need
is adequate provision of necessary training and records to
not only to work safely but conduct themselves in a safe manner.
substantiate this.
Training procedures shall take into account differing levels of:
- responsibility
OHSAS 18001 requires that - ability
• The organisation shall ensure that any person(s) under its - language skills and literacy
control performing tasks that can impact on OH&S is (are) - risk
competent on the basis of appropriate education, training or
experience, and shall retain associated records. Although COMPETENCE, TRAINING & AWARENESS or Comment/Plan
not entirely a new requirement the wording has been changed
and now includes the phrase any persons under its control. Procedure(s) documented and include:
This means that an organisation has to ensure that not only • Means of identifying training needs
employees but contractors, agency staff etc. are competent to • Provision of training to meet needs
carry out work safely.
• A means of evaluating the effectiveness
• The organisation shall identify training needs associated with of training
its OH&S risks and its OH&S management system. It shall • Awareness training (link OH&S
provide training or take other action to meet these needs, consequences of work activities,
evaluate the effectiveness of the training or action taken, and OH&S Policy. EM preparedness)
retain associated records. The wording of these requirements
All necessary training and skills in place?
can be found in other standards, e.g. ISO 9001:2000 clause
6.2.2. If an organisation has certification to other Standards A means of verifying the training/
then arrangements addressing these requirements will competence of persons under the control
already be in place. Therefore safety training and associated of the organisation other than employees
records will simply need to be included. If this not the case Are there records to identify delivery of
then arrangements will need to be developed. training and to verify “competence”?

22 23
The Route to OHSAS 18001 The Route to OHSAS 18001

4.4.3 COMMUNICATIONS, PARTICIPATION AND CONSULTATION Participation and Consultation: The previous version
of the Standard contained requirements for consultation between
This clause has been revised and now consists of two sub-clauses: management and employees, now referred to in this clause
as “workers”, however, the Standard now sets out these Communication: The organisation needs to ensure
requirements in more detail. Where requirements are new these
that suitable communication methods are available for facilitating
are shown in bold italics.
both internal and external communications. Regarding internal
communications it is essential that personnel at all levels are Key Requirements
included and are able to be involved with OH&S issues. Also
OHSAS 18001 requires:
important is appropriate and effective means of communication
with interested parties particularly authoritative bodies, e.g. the The organisation shall establish, implement and maintain a
HSE. The requirements of clause are not entirely new procedure(s) for the participation of workers by their:
but are an expansion of the previously sketchy one-sentence
• appropriate involvement in hazard identification, risk
requirement. Where requirements are new these are shown in
assessments and determination of controls
bold italics.
• appropriate involvement in incident investigation;
This requirement now requires organisations to involve, as
OHSAS 18001 requires: appropriate, workers in the process of hazard identification,
risk assessment and determining controls. There will need to
With regard to its OH&S hazards and OH&S management
be evidence of this involvement.
system, the organisation shall establish, implement and
maintain a procedure(s) for • involvement in the development and review of OH&S policies
and objectives;
• internal communication among the various levels and functions
Not a new requirement but there will need to be evidence of
of the organisation.
involvement of workers in developing policy and objectives.
• communication with contractors and other visitors to
• consultation where there are any changes that affect their OH&S;
the workplace
Also not a new requirement.
This requirement will mean that recognisable and verifiable
arrangements need to be in place for contractors and other • representation on OH&S matters.
visitors to the workplace. Not a new requirement.

• receiving, documenting and responding to relevant • Workers shall be informed about their participation arrangements,
communications from external interested parties. including who is their representative(s) on OH&S matters.
This requirement has been strengthened and requires that Not strictly a new requirement but the wording has been
there is a procedure for receiving communication from revised to ensure that personnel are aware of their
external interested parties. This implies that there needs to be participation arrangements.
a documented record of all communication to and from
• consultation with contractors where there are changes that
external organisations, e.g. HSE, emergency services etc.
affect their OH&S.
A new requirement is that arrangements are in place to consult
with contractors with regard to changes that may affect them.

24 25
The Route to OHSAS 18001 The Route to OHSAS 18001

• The organisation shall ensure that, when appropriate, relevant PARTICIPATION and CONSULTATION or Comment/Plan
external interested parties are consulted about pertinent OH&S
Established, implemented and maintained
matters, e.g. emergency services, neighbours etc.
a procedure(s) for the participation of
Not an entirely new requirement but the clause wording has
workers by their
been slightly enhanced.
- appropriate involvement in hazard
Legislation often requires an organisation to have methods in identification, risk assessments and
place to communicate OHS issues between workforce and determination of controls;
management and often states that the workforce is entitled to
- appropriate involvement in
elect representatives to discuss OHS issues. The organisation
incident investigation;
needs to ensure that procedures to control internal and external
communications and interfaces are in place. Particular care needs - involvement in the development and
to be taken when dealing with communications from external review of OH&S policies and objectives;
parties, which might include enforcement authorities, lawyers/ - consultation where there are any
solicitors, insurance companies, etc. In many parts of the world changes that affect their OH&S;
there is an increasing trend towards litigation resulting from - representation on OH&S matters.
injuries received in the workplace, so the need to manage the
Workers are informed about their
communication process is critical. The procedures also need to
participation arrangements, including who
define which information relating to the SMS will be divulged to
is their representative(s) on OH&S matters?
outsiders in addition to the Policy (which from clause 4.2 needs
Documented arrangements in place for
to be available to interested parties).
consultation with contractors where there
are changes that affect their OH&S?
The organisation to ensure that, when
Procedure to define processes for internal appropriate, relevant external interested
and external communication? parties are consulted about pertinent
Staff aware of procedure? OH&S issues?

Staff know the process for making a safety

complaint or representing a safety issue

Communications relevant to emergencies

covered in procedures?

Arrangements for communicating with

contractors and other visitors to the workplace

Documented arrangements for receiving,

documenting and responding to relevant
communications from external
interested parties

26 27
The Route to OHSAS 18001 The Route to OHSAS 18001

4.4.4 DOCUMENTATION Documents, including records, required by this OHSAS standard.

Again a requirement similar to that in the other standards which
The organisation needs to document its OHS management requires that the system documentation includes the documents
system so that all personnel are able to refer to requirements. The and records that are cited throughout the standard.
description of the documentation requirements for a SMS were
Documents, including records, determined by the organisation
previously very limited, this clause has now been significantly
to be necessary to ensure the effective planning, operation
revised such that it now provides a more comprehensive
and control of processes that relate to the management of
description of the documentation required by the Standard. The
its OH&S risks. Finally another requirement, similar to that
wording of this clause is very similar to the wording of document
in other standards, which provides the opportunity for the
requirement clauses in both ISO 9001:2000 and ISO 14001:2004
organisation to develop and issue whatever documentation it
and describes similar document requirements. The reference to
requires and identify and maintain records it considers necessary
the medium in which documentation may be written, e.g. paper
for the effective operation of the SMS.
or electronic form, has been removed. However, it has long
been accepted that system documentation can be produced in There is no reference to specific documents such as a safety manual.
any suitable medium. The footnote to clause 4.4.4, reminding It is matter for the organisation to identify the type of documents
organisations that it is important that system documentation is it wants to support the structure of the SMS. The familiar three- or
proportional to the level of complexity, hazard and risk concerned four-tiered pyramid documentation model is still an acceptable means
and is kept to the minimum required for effectiveness and of developing and arranging system documentation.
efficiency, has been retained.


OHSAS 18001 requires that OHS system documentation includes: Documented Policy and Objectives

OH&S policy and objectives. Not a new requirement in that Description of the scope of the SMS
clause 4.2 requires the OH&S policy to be documented and clause Description of the main elements of the
4.3.3 requires documented objectives; however, this is new OH&S management system, their interaction
wording for clause 4.4.4. and reference to related documents, e.g.
A description of the scope of the OH&S management system. system procedures, other systems etc.
This is similar to the requirement in ISO 9001:2000. It may be useful Documents, including records, required by
to include in this description the wording of the technical scope of this OHSAS standard
the SMS, e.g. the product and service provided by the organisation
as well as the geographic locations covered by the SMS. Documents, including records, determined
by the organisation to be necessary to ensure
A description of the main elements of the OH&S the effective planning, operation and control
management system and their interaction, and reference
of processes that relate to the management
to related documents. This requirement is also similar to the
of its OH&S risks
document requirements of ISO 9001:2000 and ISO 14001:2004.
This is often addressed by the use of a process map showing the Documents are subject to document
principal elements of the management system and how they work control disciplines?
together as a system and the link to system documentation.
The same approach can be used for the SMS.
28 29
The Route to OHSAS 18001 The Route to OHSAS 18001

4.4.5 CONTROL OF DOCUMENTS • Ensure that documents remain legible and readily identifiable.
Again although a revised requirement this is a standard
The wording of this clause is now almost word for word identical document control requirement.
to that in other standards, e.g. ISO 9001:2000 clause 4.2.3. The
• Ensure that documents of external origin determined by the
requirements have been strengthened and slightly expanded.
organisation to be necessary for the planning and operation
The intent of the clause has not changed in that overall document
of the OH&S management system are identified and their
control aims to ensure that the latest versions of system
distribution controlled. Although a standard document control
documentation are available to personnel at points of use.
requirement this was not included in the previous version of
Organisations which have a Quality (QMS) or Environmental
the standard. To some extent there is a link here with clause
(EMS) management system will be familiar with the requirements
4.3.2 as many documents of external origin may relate to
of this clause. With very little change to wording a document
regulatory requirements.
control procedure from a QMS or EMS will fit with the
requirements of OHSAS 18001. • Prevent the unintended use of obsolete documents and apply
suitable identification to them if they are retained for any purpose.
OHSAS 18001 requires that documents are controlled so that DOCUMENT CONTROL or Comment/Plan
they can be located, are approved before issue and periodically
reviewed. The revised requirements are listed below. Where Procedure in place to define mechanism
requirements are new or revised they are shown in bold italics. for the control of documents.

Documents required by the OH&S management system and by Procedure includes:

this OHSAS Standard shall be controlled. Records are a special • Approval of documents for adequacy
type of document and shall be controlled in accordance with prior to issue
the requirements given in 4.5.4. This is new introductory wording
• Arrangements to review and update as
to this clause but simply makes the statement that documents
necessary and re-approve documents
shall be controlled and draws attention to the requirements for the
control records which are described in clause 4,5,4. • Measures to ensure that changes and
the current revision status of documents
The organisation shall establish, implement and maintain a
are identified
procedure(s) to
• Measures to ensure that relevant versions
• Approve documents for adequacy prior to issue. There is only
of applicable documents are available at
a minor change here requiring documents to be approved for
points of use
adequacy prior to issue.
• Reference to a master list of documents
• Review and update as necessary and re-approve documents.
and a list of document holders to ensure
• Ensure that changes and the current revision status of they are available to those who need them
documents are identified. Although a revised requirement this
• Measures to ensure that documents
is a standard document control requirement.
remain legible and readily identifiable
• Ensure that relevant versions of applicable documents are
available at points of use.
30 31
The Route to OHSAS 18001 The Route to OHSAS 18001

• Removal and disposal of obsolete documents now reference to the management of change the full
unless retained for reference or historical requirement for which is cited in clause 4.3.1.
reasons. A means of identification if retained
• For those operations and activities, the organisation shall
• Arrangements to ensure that documents implement and maintain:
of external origin determined by the
• operational controls, as applicable to the organisation and
organisation to be necessary for the
its activities; the organisation shall integrate those operational
planning and operation of the OH&S
controls into its overall OH&S management system
management system are identified and
their distribution controlled • controls related to purchased goods, equipment and services

• controls related to contractors and other visitors to the workplace

4.4.6 OPERATIONAL CONTROL • documented procedures, to cover situations where their

absence could lead to deviations from the OH&S policy and
This clause of OHSAS 18001 relates to the actual performance the objectives
of tasks to which OHS hazard and risk is attached, and for which • stipulated operating criteria where their absence could lead
controls may be needed to eliminate or control risks. Essentially to deviations from the OH&S policy and objectives. Not an
operational controls are developed from the outcome of risk entirely new requirement but a slightly enhanced wording of
assessment. Operational controls can take many forms and the requirement in the previous standard.
can include training, preventive maintenance or documented
procedures. The need for separate procedures, work instructions,
safe systems of work etc., as a means of risk control needs to OPERATIONAL CONTROL or Comment/Plan
take into account the risk levels and the competence level of
Documented procedures, to cover situations
the personnel involved. It is also important to remember when
where their absence could lead to deviations
developing new operational controls or revising existing controls to
from the OH&S policy and the objectives
apply the hierarchy of controls listed at clause 4.3.1
Operational control procedures are in place
for all relevant significant risks?
OHSAS 18001 requires that the organisation needs to identify
Hierarchy of controls applied
the operations and activities which are associated with identified
hazards where control measures need to be applied. Key Controls related to purchased goods,
requirements are listed below, where requirements are new they equipment and services in place
are shown in bold italics.
Are operational controls subject to
• The organisation shall determine those operations and activities effective document control and available
that are associated with the identified hazard(s) where the where needed?
implementation of controls is necessary to manage the OH&S
Controls related to contractors and other
risk(s). This shall include the management of change (see
visitors to the workplace
4.3.1). Although the wording has been revised this introductory
paragraph is essentially the same as the previous standard.
However, there is a stronger emphasis on the word hazard and
32 33
The Route to OHSAS 18001 The Route to OHSAS 18001

Are operational control procedures Many organisations do take in to account the requirements of
communicated to suppliers and the emergency services and neighbours as a matter of course
contractors where needed and in some cases legislation requires this, e.g. COMA.

Management of change considered • The organisation shall also periodically test its procedure(s) to
where appropriate respond to emergency situations, where practicable, involving
relevant interested parties as appropriate. The requirement to
Are Permit to Work systems in use if relevant
test emergency arrangements is not new but the need to
involve interested parties, e.g. the emergency services, as
appropriate is new.
• The organisation shall periodically review and, where necessary,
The organisation needs to consider what needs to happen if, or revise its emergency preparedness and response procedure(s),
when, things go wrong. The range of emergencies which might in particular, after periodical testing and after the occurrence of
arise can be wide, there needs to be some thought as to what emergency situations (see 4.5.3).
can be controlled by the organisation, and what the potential
consequences of any emergency might be.
OHSAS 18001 requires: A procedure to identify potential Procedure in place to identify potential
emergency situations and to respond to them thereby preventing emergency situations, develop and document
or mitigating any adverse OHS consequences. The key measures to prevent, control and mitigate
requirements are listed below. Where requirements are new they the effects?
are shown in bold italics.
The planning of emergency responses take
• The organisation shall establish, implement and maintain account of the needs of relevant interested
a procedure(s): parties, e.g. emergency services
and neighbours
• Identify the potential for emergency situations.
All potential emergency situations identified e.g.:
• Respond to such emergency situations.
Fire Toxic gas/fumes
• The organisation shall respond to actual emergency situations Flood Radiation
and prevent or mitigate associated adverse OH&S
The weather Injury
consequences. This is a definite requirement to respond to
emergency situations and for that response to prevent or Power cuts Equipment failure
mitigate OHS consequences. Spillage

• In planning its emergency response the organisation shall Explosions

take account of the needs of relevant interested parties, e.g. Emergency procedures and plans are
emergency services and neighbours. The requirement to plan documented and subject to document control
emergency response has always been in place, but what is new Responsibilities are clear and known
is the need to take into account the needs of interested parties. to relevant staff

34 35
The Route to OHSAS 18001 The Route to OHSAS 18001

Plans are periodically tested where • Both qualitative and quantitative measures, appropriate to the
practicable. Interested parties involved needs of the organisation.
as appropriate
• Monitoring to the extent to which the organisation’s OH&S
There is a schedule for future tests? objectives are met..

Records of tests, emergencies and false • Monitoring the effectiveness of controls (for health as well
alarms are maintained? as safety). The new requirement here is the need to monitor
health as well as safety and supports the commitment to
Procedures are amended in the light of
prevent ill health and injury.
experience from tests, drills and incidents
if necessary • Proactive measures of performance that monitor conformance
with the OH & S programme(s), controls and operational criteria.
Emergency equipment maintained, e.g.
fire extinguishers, sprinkler systems, alarms • Reactive measures of performance that monitor ill health,
emergency lighting, spill kits etc. incidents (including accidents, near-misses etc.) and other
(See clause 4.3.1) historical evidence of deficient OH&S performance. A very
small change in wording here that does not change the overall
Staff with emergency response
requirement, which remains the same as that shown in the
responsibilities are trained and competent
previous Standard.

• Recording of data and results of monitoring and measurement

4.5.1 PERFORMANCE, MEASUREMENT AND MONITORING sufficient to facilitate subsequent corrective action and
preventive action analysis.
Clause 4.5 is the checking part of the Standard and focuses on
• If equipment is required to monitor or measure performance, the
SMS monitoring mechanisms which are intended to determine
organisation shall establish, implement and maintain procedures
OHS performance and the effectiveness of the SMS. The
for the calibration of such equipment, as appropriate. Records of
principal focus of monitoring is to identify opportunities for the
calibration and maintenance activities shall be retained.
improvement of both OHS performance and the effectiveness
of the SMS. The tile of clause 4.5.1 has been revised but the
requirements within this clause have not changed significantly, PERFORMANCE MEASUREMENT or Comment/Plan
some minor wording changes have been made to strengthen the AND MONITORING
effectiveness of performance monitoring.
Procedures established, implemented and
KEY REQUIREMENTS maintained to monitor and measure OH&S
OHSAS 18001 requires that OHS performance is monitored performance on a regular basis
on a regular basis. Key requirements are listed below, where Procedure(s) include both qualitative and
requirements are new they are shown in bold italics quantitative measures, appropriate to the
The organisation shall establish, implement and maintain a needs of the organisation
procedure(s) to monitor and measure OH&S performance on a Is there monitoring of the extent to which
regular basis. This procedure(s) shall provide for: the organisation’s OH&S objectives are met?

36 37
The Route to OHSAS 18001 The Route to OHSAS 18001

Is the effectiveness of controls (for health an EMS will have little difficulty with this requirement as they
as well as for safety) monitored? will have developed arrangements to evaluate compliance with
environmental legislation. Those organisations implementing
Proactive measures of performance that
an SMS or revising an existing SMS will now need to develop
monitor conformance with the OH&S
compliance evaluation arrangements.
programme(s), controls and operational
criteria identified Clause 4.5.2 has been split into two sub-clauses; contains
requirements for the evaluation of applicable legal requirements
Procedure(s) include reactive measures of
and clause contains requirements for the evaluation of
performance that monitor ill health, incidents
other requirements to which the organisation subscribes.
(including accidents, near-misses, etc.), and
other historical evidence of deficient KEY REQUIREMENTS
OH&S performance
OHSAS 18001 requires that compliance with applicable legal and
Procedure(s) provide for recording of data other requirements is monitored and records maintained. Where
and results of monitoring and measurement requirements are new they are shown in bold italics.
sufficient to facilitate subsequent corrective Consistent with its commitment to compliance
action and preventive action analysis
(see 4.2c), the organisation shall establish, implement and
Monitoring instruments and equipment maintain a procedure(s) for periodically evaluating compliance
calibrated and maintained to ensure accuracy with applicable legal requirements (see 4.3.2).
of measurement
The organisation shall keep records of the results of the
Methods of calibration are defined and periodic evaluations.
traceable to National Standards
NOTE The frequency of periodic evaluation may vary for
Calibration status is clear differing legal requirements.

Are the records of calibration and The organisation shall evaluate compliance with
maintenance activities retained? Records are other requirements to which it subscribes (see 4.3.2).
kept of calibration certificates and of which The organisation may wish to combine this evaluation with
instrument was used for each test the evaluation of legal compliance referred to in
or to establish a separate procedure(s). To reduce system
documentation one procedure can be produced to describe
4.5.2 EVALUATION OF COMPLIANCE the evaluation of both legal and other requirements and both
evaluations may be combined.
This is a completely new requirement which is intended to ensure
The organisation shall keep records of the results of the
the evaluation of compliance with legal and other requirements.
periodic evaluations.
It is true to say that many organisations previously implemented
compliance evaluation arrangements but now this is a specific NOTE The frequency of periodic evaluation may vary for various
requirement. The content of this clause has been extracted from other requirements to which the organisation subscribes.
ISO 14001 where it was introduced as part of the 2004 revision
of that Standard. Those organisations which have implemented

38 39
The Route to OHSAS 18001 The Route to OHSAS 18001

EVALUATION OF COMPLIANCE or Comment/Plan The organisation shall establish, implement and maintain a
procedure(s) to record, investigate and analyse incidents in
Procedure(s) for periodically evaluating
order to -
compliance with applicable legal
requirements in place • determine underlying OH&S deficiencies and other factors that
might be causing or contributing to the occurrence of incidents.
Records maintained of the results of the
periodic evaluations • identify the need for corrective action

Procedure for evaluating compliance with • identify opportunities for preventive action
other requirements to which the organisation
• identify opportunities for continuous improvement
subscribes in place
• communicate the results of such investigations
Does the organisation keep records of the
results of the periodic evaluations? The wording of this requirement has been enhanced to ensure that
incidents are investigated and the results are recorded and analysed.

The investigations shall be performed in a timely manner. This

4.5.3 INCIDENT INVESTIGATION, NON-CONFORMITY, CORRECTIVE was always part of the recognised requirements for conducting
AND PREVENTIVE ACTION an investigation now it is a definite requirement of the standard.

Any identified need for corrective action or opportunities for

Clause 4.5.3, previously clause 4.5.2, has been revised, preventive action shall be dealt with in accordance with the
restructured and split into two sub-clauses. relevant parts of

Clause Incident Investigation: this sub-clause is consistent The results of incident investigations shall be documented and
with the new focus on incidents rather than accidents and sets maintained.
out the requirements for procedures to complete the investigation Clause Non-conformity, Corrective and Preventive Action.
of incidents. The results of investigations should facilitate the This clause is in part a revision of the previous OHSAS 18001
identification and implementation of appropriate corrective and clause and the inclusion of wording from other Standards.
preventive actions which either prevent occurrence or recurrence Consequently the clause is significantly more comprehensive. This
of the incidents and that lessons are learned. Overall the is to ensure that corrective and preventive actions are effectively
requirements listed below always were part of the investigation or identified, implemented and closed, also that the effectiveness of
part of the outcome of investigations. corrective and preventive action is determined.


OHSAS 18001 requires the organisation to put in place procedures
OHSAS 18001 requires the organisation shall establish, implement
to respond to safety related non-conformances. The definitions
and maintain procedure(s) to investigate and analyse incident data.
given in OHSAS 18001 are helpful in understanding the differences
Where requirements are new they are shown in bold italics.
in terms. This clause addresses the need to manage things that
either could have gone wrong or actually have gone wrong. Where
requirements are new they are shown in bold italics.

40 41
The Route to OHSAS 18001 The Route to OHSAS 18001

The organisation shall establish, implement and maintain INCIDENT INVESTIGATION OF or Comment/Plan
a procedure(s) for dealing with actual and potential non- NON-CONFORMITY, CORRECTIVE
conformities and for taking corrective action and preventive AND PREVENTIVE ACTION
action. The procedure(s) shall define requirements for Incident Investigation
• identifying and correcting non-conformity(ies) and
Procedures established, implemented and
taking action(s) to mitigate their OH&S consequences,
maintained to record, investigate and analyse
• investigating non-conformity(ies), determining their incidents in order to determine underlying
cause(s) and taking actions in order to avoid their recurrence, OH&S deficiencies and other factors that
• evaluating the need for action(s) to prevent may be causing or contributing to the
non-conformity(ies) and implementing appropriate occurrence of incidents
actions designed to avoid their occurrence, Procedures include arrangements to
• recording and communicating the results of corrective identify the need for corrective action,
action(s) and preventive action(s) taken, and identify opportunities for preventive
action and identify opportunities for
• reviewing the effectiveness of corrective action(s) and continuous improvement?
preventive action(s) taken.
Results of investigations communicated
Where the corrective action and preventive action identifies new
or changed hazards or the need for new or changed controls, Investigations performed in a timely manner?
the procedure shall require that the proposed actions shall be Any identified need for corrective action or
taken through a risk assessment prior to implementation. opportunities for preventive action dealt with
This requirement was part of the previous OHSAS 18001 in accordance with the relevant parts
requirement but previous wording was to some extent of
impractical. The revised wording provides an element of
Legal and other requirements addressed
choice in the application of this requirement and makes
implementation more sensible. The results of incident investigations
documented and maintained?
Any corrective action or preventive action taken to eliminate
the causes of actual and potential non-conformity(ies) shall Staff trained to undertake
be appropriate to the magnitude of problems and incident investigation
commensurate with the OH&S risk(s) encountered. Non-conformity, Corrective Action
The organisation shall ensure that any necessary changes and Preventive Action
arising from corrective action and preventive action are made
Procedure(s) for dealing with actual and
to the OH&S management system documentation.
potential non-conformity(ies) and for taking
corrective action and preventive
action implemented

42 43
The Route to OHSAS 18001 The Route to OHSAS 18001

Procedure(s) define requirements for 4.5.4 CONTROL OF RECORDS

identifying and correcting non-conformity(ies)
and taking action(s) to mitigate their Records are essential to demonstrate the satisfactory operation of
OH&S consequences? the safety management system. Records are equally essential in
the event of a system failure, in either providing support to stated
Corrective action - Procedure(s) define
fact, or as a tool to identify gaps or failures in the management
requirements for investigating
system. The procedure for the control of records should require
non-conformity(ies), determining their
that records be legible, protected and readily retrievable. A key
cause(s) and taking actions in order to
issue for safety-related records is for retention times to be stated.
avoid their recurrence?
In this regard, it is essential that the organisation has knowledge
Preventive Action - Procedure(s) define of any legislation surrounding either accident or ill-health-related
requirements for evaluating the need for claims, which may set outer limits for claims to be made. The
action(s) to prevent non-conformity(ies) organisation may need to defend itself against such claims, and
and implementing appropriate actions it will be important for it to be able to demonstrate what controls
designed to avoid their occurrence? were in place at the time of any incident.

The results of corrective action(s) KEY REQUIREMENTS

and preventive action(s) recorded
OHSAS 18001 requires an organisation to ensure that it develops a
and communicated
procedure for identifying, maintaining and disposition of safety-related
The effectiveness of corrective action(s) records. Although the wording to this clause has been revised the
and preventive action(s) reviewed requirements are almost exactly the same as those found in both
and confirmed ISO 9001:2000 and ISO 14001:2004 for the control of records.

Does the procedure require that the proposed • The organisation shall establish and maintain records as
actions shall be taken through a risk necessary to demonstrate conformity to the requirements
assessment prior to implementation where of its OH&S management system and of this OHSAS Standard,
the corrective action and preventive action and the results achieved.
identifies new or changed hazards or the
• The organisation shall establish, implement and maintain a
need for new or changed controls?
procedure(s) for the identification, storage, protection, retrieval,
Changes arising from corrective action and retention and disposal of records.
preventive action made to the OH&S
• Records shall be and remain legible, identifiable and traceable.
management system documentation?

Staff recognise and report non-conformances?

Non-conformance identified by Internal Audit

handled in accordance with the procedure

44 45
The Route to OHSAS 18001 The Route to OHSAS 18001

CONTROL OF RECORDS or Comment/Plan • conforms to planned arrangements for OH&S management

including the requirements of this OHSAS Standard
Records maintained as required by the
Standard to demonstrate conformity to the • has been properly implemented and is maintained, and
requirements of its OH&S management
• is effective in meeting the organisation’s policy and objectives
system and of this OHSAS Standard,
and the results achieved? • provide information on the results of audits to management.

Procedure define arrangements for: Audit programme(s) shall be planned, established, implemented
identification, and maintained by the organisation, based on the results of risk
storage, assessments of the organisation’s activities, and the results of
previous audits.
protection – e.g. computer back-up,
retrieval – records readily retrievable Audit procedure(s) shall be established, implemented and
retention – retention times defined maintained that address
disposal • the responsibilities, competencies, and requirements for
Are records legible, identifiable and traceable? planning and conducting audits, reporting results and retaining
associated records,

• the determination of audit criteria, scope, frequency and methods.

• Selection of auditors and conduct of audits shall ensure
objectivity and the impartiality of the audit process. There
In common with EMS and QMS standards, OHSAS 18001
always was a requirement for auditors to be independent but
requires that the system is subject to formal audit to provide
the wording has been changed to be a little more explanatory
assurance that it is providing the benefits that the organisation
and ensure that the audit process is impartial and objective.
expects. This clause remains largely unaltered; however, some
wording from other standards has been included. The frequency
of audits must be related to OHS risk levels. It is also important INTERNAL AUDIT or Comment/Plan
that all elements of the SMS, including those elements which are
Procedure in place to describe the
more system related, such as document control, records, system
audit process:
audits, management review etc. are subject to audit.
• Production of schedule/programme based
KEY REQUIREMENTS on risk significance and the results of
OHSAS 18001 requires that an organisation confirms through previous audits
internal audit that the implemented SMS complies with intentions • Responsibilities and competencies for
and with the requirements of OHSAS 18001. Where requirements planning audits
are new they are shown in bold italics. • Carrying out the audit

The organisation shall ensure that internal audits of the OH&S • Reporting audits
management system are conducted at planned intervals to • Establishing audit criteria, scope,
determine whether the OH&S management system frequency of audits
• Non-conformance reporting and close-out

46 47
The Route to OHSAS 18001 The Route to OHSAS 18001

Schedule covers all areas/procedures and Input to management reviews shall include
SMS functions in a given time? • results of internal audits and evaluations of compliance with
Document control and approval of audit applicable legal requirements and with other requirements to
which the organisation subscribes,
paperwork including schedule?
• the results of participation and consultation (see 4.4.3)
Internal auditors trained
• relevant communication(s) from external interested parties,
Able to identify a SMS and
including complaints,
safety non-conformance
Have an understanding of applicable legal • the OH&S performance of the organisation,
and other requirements • the extent to which objectives have been met,
• status of incident investigations, corrective actions and
Non-conformances actioned in a
preventive actions,
timely manner?
• follow-up actions from previous management reviews,
• changing circumstances, including developments in legal and
other requirements related to OH&S, and
• recommendations for improvement.
The requirement to carry out formal management reviews of Previously these requirements were described in OHSAS
the SMS is common with that of other management system 18002:2000 but have now been defined in the Standard.
standards. Management Review, if carried out fully and effectively, The outputs from management reviews shall be consistent
will help the organisation to develop its SMS so that overall safety with the organisation’s commitment to continuous improvement
performance is improved. Previously this clause was somewhat and shall include any decisions and actions related to possible
sketchy but has been significantly revised to include both required changes to
inputs, effectively the review agenda, and outputs. This is in
• OH&S performance
keeping with the management review requirements of both EMS
and QMS Standards and some inputs have been taken from both • OH&S policy and objectives
these standards. • resources, and

KEY REQUIREMENTS • other elements of the OH&S management system

Relevant outputs from management review shall be made
OHSAS 18001 requires that the organisation’s top management
available for communication and consultation (see 4.4.3).
review the SMS at planned intervals. Where requirements are
new they shown in bold italics. Overall clause 4.6 is lengthy and detailed but only sets out that
which was expected of an effective management review.
Top management shall review the organisation’s OH&S
management system, at planned intervals, to ensure its continuing • Review of SMS by ‘top management’ at predetermined intervals
suitability, adequacy and effectiveness. Reviews shall include • Reporting by the Management Representative
assessing opportunities for improvement and the need for • Review needed for changes to Policy, Objectives and other
changes to the OH&S management system, including the OH&S elements of the SMS
policy and OH&S objectives. Records of the management reviews
• At least one management review to be carried out before third
shall be retained.
party certification

48 49
The Route to OHSAS 18001 The Route to OHSAS 18001

MANAGEMENT REVIEW or Comment/Plan • Contact SGS as early in the process as possible

Frequency and format of reviews • Don’t ask for the certification audit until you are sure you
is documented are ready!
NB there is no specific requirement for
The certification process breaks down into five stages:
a meeting
Attendees at meeting listed in procedure? • Pre-audit (not mandatory at this stage
e.g. Management Appointee and but highly recommended as assess an organisation
senior management preparedness for assessment)

Reviews take place at specified frequency? • Review of documented system against the Standard and
Reviews included all the required inputs according to the scope of certification
and outputs • Certification Audit
Records, e.g. meeting minutes are kept?
• Certification
Actions assigned and followed up?
• Ongoing surveillance visits
Outputs from management review available
for consultation and communicated to The pre-audit reviews the key processes of hazard identification and
relevant personnel risk assessment, audits, identification of legislation and also checks
that the system is designed to deliver continuous improvement.
Certification of OHSAS 18001:2007 management systems is
The document review is a detailed review of the documented
supported by UKAS accreditation. However, in all countries,
system to verify that it complies with both OHSAS 18001 and
accredited third-party certifications are supported by the
the needs of the organisation.
International Accreditation Forum Guidelines, which describe
how certification bodies must function and expand a little on The certification audit then verifies that the system is fully
the Standard. Despite the fact that accredited certification is not implemented and functioning. All requirements of the
available in all countries, you can rest assured that SGS applies the Standard are checked on a sampling basis across all of
same level of controls required by accreditation bodies to all of its the organisation’s operations.
OHSAS certification activities.

Finally, some pointers on what helps an organisation to achieve

certification at the first attempt:

• Make sure the system is fully implemented

• Carry out at least one full sweep of internal audits and carry
out any resulting corrective and preventive actions
• Ensure that all personnel understand the system, Policy
and objectives
• Have evidence available to show that the process of
continuous improvement is actually happening

50 51
The Route to OHSAS 18001 The Route to OHSAS 18001


OHSAS 18001:2007 – Safety Management Systems Training

SGS can help provide the appropriate training solution as part of

your system development.

Our OHSAS courses are designed to challenge and provoke

powerful ideas and pragmatic solutions for participants to
improve health and safety in line with their business needs.

A selection of our OHSAS 18001:2007 courses are listed below.

The courses are certified by IRCA (International Register of
Certified Auditors) and are scheduled publicly and can also be
delivered in company:

Introduction & Awareness to OHSAS 18001:2007 – An

introduction for anyone involved in developing, implementing and
managing an occupational health and safety management system

OHSAS 18001:2007 Internal Auditor - This course will equip

participants with the knowledge and skills needed to assess an
internal occupational health and safety management system.

OHSAS 18001: 2007 Lead Auditor - This course is designed for

participants who are, or will be, responsible for auditing safety
management systems.

To find out more contact our customer service team on

+44 (0)1276 697777, e-mail or
visit our website

52 53
The Route to OHSAS 18001 The Route to OHSAS 18001

The SGS Group

The SGS Group of companies is the world’s largest organisation

in the field of inspection, verification, testing and certification.
The Group comprises more than 300 affiliated companies, each
separately organised and managed in accordance with the laws
and local practices of the countries in which it does business.

Founded in 1878, it has expanded across the world, operating in

over 140 countries, 845 offices, 338 laboratories and with more
than 50,000 employees. Since it was established the SGS Group
has remained dedicated to its independence as a guarantee of
its total impartiality. SGS does not engage in any manufacturing,
trading or financial activities which might compromise its
independence and neutrality.

For more information, please contact:

SGS United Kingdom Ltd

Systems & Services Certification
SGS House
217-221 London Road
GU15 3EY
United Kingdom

Tel: +44 (0)1276 697999

Fax: +44 (0)1276 697696


54 55
The Route to
OHSAS 18001
avoiding the pitfalls


ERS 007
E 2007 V on the 2
D TO TH mentary
UPDATE lud e s c o m
now inc ndard
Booklet e 1 8001 sta
g e s to th
ch a n

SGS 5258/0308