PART 3 - AUDITING AGAINST BS OHSAS18001:2007

Section 3.4 - Implementation and operation

Once policy, hazard identification, risk assessment and control, legal requirements and
objectives have been established, internal auditors need to assure themselves that the
arrangements have been put in place for implementing and operating the system.

Much of the internal auditor’s time will be spent on assessing the operational
arrangement of the system. There are seven sub-clauses in BS OHSAS 18001, 4.4 that
need to be addressed. The following points should be considered when evaluating
compliance with clause 4.4 relating to implementation and operation, internal auditors
can use these points to guide their open questions to explore the requirements of this
clause.

Resources, roles, responsibility, accountability and

authority (Clause 4.4.1)

Is the identity of the top management appointee readily available and made know to all
persons working under the control of the organization?

Is there clear responsibilities within the management structure?

What is the attitude within the organisation to good health and safety practices?

Is there a positive health and safety culture?

Are resources identified and allocated as necessary to make the system effective?

Does everyone know their responsibility with respect to OH&S

Competence, training and awareness (Clause 4.4.2)

For an occupational health and safety (OH&S) management system to be effective, and
for an organization to ensure that it is protecting the people affected by it, it is necessary
that the people working within the system understand the duties and responsibilities
assigned to them and are competent to carry them out. BS OHSAS 18001 has specific
requirements in this regard.

Points for consideration by the internal auditor:

Has the organization determined competency requirements?

Is there evidence that training needs have been identified in a systematic manner?

Is there training for all workers from the core operational workers to senior managers?

How does the organization ensure that people working within the system have acquired
and maintain the necessary knowledge and skills?

Is there a programme of “refresher” training in place?

© 2009 RMS v1.0 Section 3.4 1

 PART 3 - AUDITING AGAINST BS OHSAS18001:2007

Are there arrangements for retraining, as new technologies and work practices evolve?

Do appropriate records of training exist, are they up to date, and do they meet
organizational objectives?

Communication, participation and consultation (Clause

4.4.3)
COMMUNICATION
It is fair to say that everyone will have something to say on the subject of communication.
That does not necessarily mean that their ideas are always effective. However, if the
organization is to gain maximum benefit from an effective OH&S management system it
needs to consider carefully how it communicates with both regular workers and
temporary visitors to its sites – e.g. contractors, visitors. Communication should be a two
way within in the organization. There should be effective communication up the chain of
command as well as downwards.

Points for consideration by the internal auditor:

Is there an effective system for communicating OH&S information throughout the

organization?

Does the information get to the people to whom it really counts?

Is the mechanism for communication easy to understand?

Is understanding of what has been communicated been confirmed?

Is there an effective communication system for workers to management?

PARTICIPATION AND CONSULTATION

Those people actually involved in work activities are often best placed to understand the
problems and needs for safe and healthy operation of procedures, and how
improvements can be made. Where organizations have involved workers fully in the
process of participation the organizational performance against health and safety
objectives is often on target.

Points for consideration by the internal auditor:

Is there an effective mechanism for involving staff – e.g. a health and safety safety
committee or briefings which include discussion?

Are members of the workforce involved in risk assessment and selection of controls?

Where such a committee exists, are there regular meetings and evidence that concerns of
and recommendations of the committee are placed before top management?

© 2009 RMS v1.0 Section 3.4 2

 PART 3 - AUDITING AGAINST BS OHSAS18001:2007

Are workers aware of how they can raise concerns about OH&S to the attention of
managers?

What procedures are in place for consultation with contractors or other external interested
parties?

Documentation (Clauses 4.4 and 4.5)

The BS OHSAS 18001 standard specifies a range of documents that are required and
arrangements should be in place for producing, retaining and managing the various
documents. Documents may be in ‘hard copy’ or computer-based, in line with most
regulatory authority requirements computer-based records must be able to be printed. It
is important that the level of documentation reflects the nature of the organization and
that they are simple, understandable and readily available.

Points for consideration by the internal auditor:

Is someone assigned responsibility for keeping documents up to date?

Is documentation up to date?

Does documentation reflect the literacy and language skills of the present work force?

Is it readily available to those who need to use it?

Is there a mechanism through which key documents will be available in an emergency?

How does the organization identify external documents required for implementing the
OH&S system?

© 2009 RMS v1.0 Section 3.4 3

 PART 3 - AUDITING AGAINST BS OHSAS18001:2007

Table showing minimum Documentation requirements in BS OHSAS 18001

Clause Title Record/Documentation Requirement BS OHSAS 18001

4.1 General Scope of the MS and a documented management system as required

by the standard (refer to 4.4.4)
4.2 Policy Documented policy
4.3.1 Hazard identification, risk Documentation of identified risks, document and keep the results of
assessment and identification of hazards, risk assessments and determined controls up
determining controls to date
4.3.2 Legal and other
4.3.3 Objectives and Documented objectives
Programmes
4.4.1 Resources, roles, Documented roles, responsibilities, accountabilities, and authorities
responsibility,
accountability and
authority
4.4.2 Competence, training and Records of identification of training needs and evaluation of
awareness competence and records of competence (i.e. appropriate education,
training or experience).
4.4.3.1 Communication Documenting relevant communications from external interested parties
4.4.3.2 Participation and
consultation
4.4.4 Documentation Documented policy, objectives, scope, description of the main
elements of the OH&S MS and their interaction, reference to related
documents, all documents (including records), required by the
standard and documents (including records), to ensure effective
planning, operation and control of processes
4.4.5 Document and data
control
4.4.6 Operational control Documented procedures (where their absence could lead to deviations
from the OH&S policy and the objectives)
4.4.7 Emergency
4.5.1 Performance Records of data and results from monitor and measure. Records of
calibration of equipment
4.5.2.1 Evaluation of Records of results of compliance with legal requirements
compliance
4.5.2.2 Evaluation of Records of results of compliance with other requirements
compliance
4.5.3.1 Incident investigation Records of investigation and analysis , documented results of
investigations
4.5.3.2 Nonconformity, corrective Records of the results of actions and associated changes to
action and preventive procedures from CA, PA
action
4.5.4 Records Records necessary to demonstrate conformity to the requirements of
the OH&S MS and the standard
4.5.5 Internal audit Records of internal audits
4.6 Management review Record of management reviews

Minimum documentation requirements – abstracted from BS OHSAS 18001

© 2009 RMS v1.0 Section 3.4 4

 PART 3 - AUDITING AGAINST BS OHSAS18001:2007

Operational control (Clause 4.4.6)

The objective of an OH&S management system that conforms to BS OHSAS 18001 is to
enable an organization to manage OH&S risks to fulfill stated policy aims. OH&S
activities will need to be embraced both within functions and between functions. All too
often accidents occur because of lack of clarity about who is responsible where different
functions of the organization interface. This can be a difficult area for internal auditors,
but effective questioning and following up on responses will enable the internal auditor to
add real value to the organization by getting to the bottom of any problem identified. It is
important to ensure that whatever controls are put in place, they should be designed to
be consistent with the hierarchy of controls as outlined in BS OHSAS 18001 clause 4.3.1.

This is part of the standard where the auditor tests whether the organization is doing what
it has committed to do in 4.3.1/4.3.2 and 4.3.3 and whether the controls selected (4.3.1)
are effective in minimizing the risk. Areas that the internal auditor should examine are
where OH&S issues typically occur:

Hazardous tasks.

Hazardous materials.

Equipment.

Facilities.

Purchase of goods and services.

Contractors.

Visitors to the site.

Internal auditor’s need to ensure they link the operational controls evidenced back to the
organizations stated aims for hazard identification and risk assessment. The objective is
to ensure that there are effective controls in evidence where hazards and risks have been
identified.

Emergency preparedness and response (Clause 4.4.7)

Preparation for emergencies is becoming more and more important. Even small
organizations need to identify the risks of an emergency occurring and understand how
they will address it. Not all the risks that may become apparent are generated within the
organization and account should be taken of how hazards posed by neighbours could
affect your own site.

Points for consideration by the internal auditor:

Have potential emergency situations been identified?

Are there emergency procedures in existence?

Has the equipment required been identified?

© 2009 RMS v1.0 Section 3.4 5

 PART 3 - AUDITING AGAINST BS OHSAS18001:2007

Have personnel been trained to initiate a response?

Are the arrangements for evacuation of the site known and understood by all staff?

Have the emergency procedures been implemented?

Is there periodic testing of emergency procedures?

Are senior managers aware of individual responsibilities in the event of an emergency and
do they have access to plans that are kept off site?

Is sufficient regard paid to changes in the workplace and is there evidence that plans have
been revised?

Is emergency preparedness an agenda item in management reviews?

Is there evidence that emergency procedures are reviewed and revised?

© 2009 RMS v1.0 Section 3.4 6