OHSAS 18001 - Occupational Health & Safety Management System
OHSAS18001 - Questions and Answers If you wish to implement an OHSAS18001 system, we will be happy to assist.
Note: Answers provided by Dr Terry (based in UK).
You can use the information supplied below, with a copy of OHSAS18001 and do it yourself, of course.
Q - What is OHSAS18001 all about?
A - OHSAS 18001 is an internationally-accepted standard for the Management of Occupational Health and Safety systems.
It was created via a consortium of various standards bodies, certification bodies, and specialist consultancies, who were trying to produce a single standard out of the various certifiable OH&S specifications.
A main driver for this was to try to remove confusion in the workplace as to which standard was applicable or "best".
Q - What does "OHSAS" stand for?
A - Occupational Health and Safety Assessment Series.
Q - Does it have anything in common with the other management system standards?
A - Yes. OHSAS 18001 was developed to be compatible with the ISO 9001 (Quality) and ISO 14001 (Environmental) management systems standards, so that it would easier to integrate the required procedures with an existing ISO9001 and/or ISO14001 management system.
Q - Does this standard tell us what to do with regard to accidents?
A - No. To quote OHSAS18001: "The OHSAS specification gives requirements for an occupational health and safety (OH&S) management system, to enable an organisation to control its OH&S risks and improve its performance. It does not state specific OH&S performance criteria, nor does it give detailed specifications for the design of a management system" (from Clause 1 - Scope).
From this you can see that the purpose of the standard is to ensure that organisations have management systems in place with policies and objectives that cause the necessary procedures to be determined and implemented, and their suitability to be monitored. This in turn will lead to improvements. (that's the Plan-Do-Check-Act cycle in a nutshell!).
Q - Who can use this standard?
A - Any organisation that wishes to minimise risks to employees, customers, visitors etc and especially those organisations that wish to demonstrate to others that they have such a system in place.
It is possible to self-certify, but your customers (the "interested parties") might not be very convinced by this.
Q - How do we get it started?
A - There are a number of key things required. Policies, objectives and procedures form a large part of this, as do audits and other measurement methods feeding back to management review.
Probably the very first thing to do is to consider what the risks are within your working environment, including any other premises where your staff or contractors conduct work for you. List them all out, no matter how ridiculous or unlikely. Record them in a table or similar.
We can provide an online tool for this process. Just email us for details.
It's very simple to use and very easy to keep it updated.
Q - "I've been told that good safety is free, that it should pay for itself". Is that true?
A - Probably not. Safety is NOT free.
The premise of this argument (put about by the people trying to sell you their services, no doubt) is that in the long run, effective safety programs save money and add business value. This is difficult to prove.
It strikes me as being similar to the “free market” argument that financial markets don’t need to be regulated because they will regulate themselves. Did you notice the depression that happened as a result?
However, there are opportunities for recouping at least some of the costs. Company insurances should be less for a company being independently assessed for OHSAS 18001. However, not all insurance providers are that smart…
Especially for larger organisations, the reduction in accruals for potential litigation may be significant. The reduction in accidents, especially in some sectors, may help pay for some of the costs of the system as well.
So, you need to consider the costs of doing this. But you do need to balance them against the costs of not doing it.
Within the UK (it may be similar in other countries): With the changes in Health & Safety law that came into operation in recent years, organisations failing to implement effective H&S systems are finding that fines have increased, the chance of imprisonment have increased and the likelihood of being found guilty have increased. The approach of the courts seems to move towards “the organisation is guilty unless it can prove otherwise”.
Q - Can you tell me some basic information about the clauses of OHSAS18001?
A - Certainly. See below
Clauses 0 - 3 - As with almost all management system standards, the first few clauses contain things are not requirements, such as definition of terms, background of the standard and so on. OHSAS18001 is no different.
Clause 4.1 - General Requirements This states that the system must contain the things that the following clauses specify. Useful as an auditor's cross-check, but probably no other useful purpose.
Clause 4.2 - OH&S Policy This is very similar to the policy requirements of ISO9001 & 14001 & 27001, except it is concerned with H&S aspects, of course.
Clause 4.3 - Planning4.3.1 Hazard identification, risk assessment and determining controls
This requires one or more procedures (although it does not specify that they must be documented) for ongoing hazard identification, risk assessment and determination of the necessary controls. It lists a number of factors that must be taken into account by the procedure. (items a – j).
It also requires that the methodology shall be proactive and provide for the “identification, prioritization and documentation of risks, and the application of controls as appropriate”. Using our Risk Register system, this meets all these requirements.
This clause also defines a hierarchy of risk reduction methods (most important shown first, one assumes):
4.3.2 Legal and other requirements
A procedure is required for identifying and accessing the “legal and other OH&S requirements that are applicable to it”. It must be kept up to date, and that the relevant information is communicated to “persons working under the control of the organization and other relevant interested parties”. So this could include contractors, and your client especially if the client is required to perform actions (e.g. to clear an area in readiness, make structures ready or install signage etc)
4.3.3 Objectives and programme(s)
Measurable (where practicable) objectives must be established and documented.
There must also be a programme of actions for achieving the objectives, with timescales. Although this is not required to be documented, we should insist that our clients at least record the programme. Perhaps using our on-line Feedback system so that they get a weekly reminder? Or at the absolute minimum in the minutes of their management reviews. But this latter method won’t get updated very often.
Clause 4.4 - Implementation and Operation4.4.1 Resources, Roles, Responsibility, Accountability and Authority
As with other management standards, Top Management must provide required resources. They must also define responsibilities etc. These should show to whom each person is responsible. An organisational chart, supported by text as usual, will do this of course.
A “Management Representative” is of course required. The identity of this person must be “made available to all persons working under the control of the organization”.
In addition, the organisation must ensure that persons in the workplace take responsibility for aspects of OH&S over which they have control. This includes the responsibility to meet the organisation’s OH&S requirements.
4.4.2 Competence, training and awareness
All persons performing tasks that can impact on OH&S must be competent for the task.
A procedure is required to make such persons aware of the consequences and risks arising from their work activities, their role & responsibilities in achieving the requirements of the policy and procedures, including emergency preparedness and responses, and the potential consequences of departure from specified procedures. (This may require that the critical procedures are identified in some way).
4.4.3 Communication, Participation and Consultation
4.4.3.1 Communication
A procedure is required for internal communication between the various levels and functions of your organisation, communication with contractors and workplace visitors and for receiving, documenting and responding to “relevant communications from external interested parties” (e.g. H&S Executive, Customers, etc)
4.4.3.2 Participation and Consultation
A procedure is required for ensuring the participation of workers in hazard identification, incident investigation, development and review of OH&S policies and objectives, consultation regarding changes with OH&S impacts, other representation on OH&S matters.
This could be addressed by having worker representatives on committees, or forming their own committees that feed into higher level meetings, etc.
Consultation with contractors with respect to changes that affect their OH&S is also required.
4.4.4 Documentation
This defines the documentation that the system must include (and which will be the subject of the controls in 4.4.5). This is:
4.4.5 Control of Documents
This is virtually identical to clause 4.2.3 of ISO9001 and clause 4.5.5 of ISO14001. The usual controls for identification, approval, release withdrawal, etc are required.
4.4.6 Operational Control
Your organisation must identify the activities that are associated with hazards that have been identified, where OH&S controls are needed to manage those risks. (Including change management processes).
Note that although controls are required for these instances, procedures are only required where their absence could cause problems. Section (e) is similar, but criteria could be some other set of controls apart from procedures. Perhaps the use of PPE, or technical specifications for machinery would be relevant here. But don’t get too hung up (joke) on the meaning of the word.
4.4.7 Emergency Preparedness and Response
A procedure is required to identify the potential for emergency situations and to respond to those situations. Your organisation is required to respond to such incidents to prevent or reduce their OH&S impact.
The procedures should be periodically tested where practicable. Although not specifically required by OHSAS18001, you should consider keeping records of all such practices. Perhaps using our on-line Feedback Reporting System.
Clause 4.5 - Checking4.5.1 Performance Measurement and Monitoring
As part of the Plan-Do-Check-Act cycle, the performance of the system must be monitored and measured “on a regular basis”. Although not specifically required to be documented, your should probably specify the measures (as far as possible) in the procedures. Perhaps in the management review procedure, although you might want a specific “monitoring” procedure.
Note that where equipment is used for the measurement, calibration and maintenance is required, with records of these events.
4.5.2 Evaluation of Compliance
- Clause 4.5.5.1states that a procedure is required to evaluate compliance with the applicable legal requirements. Note that this is for “applicable legal requirements”.
- Clause 4.5.5.2 states that the organization shall evaluate compliance with other requirements, although it does not require this to be proceduralised. However, it might be best to include it in the same procedure as the legal compliance evaluation.
In both cases, records of the evaluations are required.
4.5.3 Incident Investigation, Nonconformity, Corrective action and Preventive Action
4.5.3.1 Incident Investigation
A procedure is required for recording, investigating and analysing incidents. The process should determine underlying OH&S deficiencies (as with “root cause analysis” of ISO9001), to identify the need for corrective actions, to identify opportunities for preventive actions (consider similar things that might go wrong, etc) and to communicate the findings.
All of this must be recorded.
4.5.3.2 Nonconformity, Corrective action and Preventive Action
A procedure is required for identifying and correcting nonconformities, for identifying their cause, recording the results of the actions taken and reviewing their effectiveness.
Where changes are significant, a new risk assessment should be conducted. In any case, the procedure should require that the risk assessment (required earlier!) is reviewed following any significant incidents.
4.5.4 Control of Records AND
4.5.5 Internal Audit AND
Pretty much identical to ISO9001, 14001 27001 etc, except the scope is OH&S, of course.
Clause 4.6 - Management ReviewPretty much identical to ISO9001, 14001 27001 etc, except the scope is OH&S, of course. The standard specifies a range of things that must be reviewed by Top Management in order to identify opportunities for improvement. The reviews must be recorded.
If you wish to implement an OHSAS18001 system, we will be happy to assist.
You can use the above and a copy of OHSAS18001 and do it yourself, of course.
Note: Answers provided by Dr Terry (based in UK).
You can use the information supplied below, with a copy of OHSAS18001 and do it yourself, of course.
Q - What is OHSAS18001 all about?
A - OHSAS 18001 is an internationally-accepted standard for the Management of Occupational Health and Safety systems.
It was created via a consortium of various standards bodies, certification bodies, and specialist consultancies, who were trying to produce a single standard out of the various certifiable OH&S specifications.
A main driver for this was to try to remove confusion in the workplace as to which standard was applicable or "best".
Q - What does "OHSAS" stand for?
A - Occupational Health and Safety Assessment Series.
Q - Does it have anything in common with the other management system standards?
A - Yes. OHSAS 18001 was developed to be compatible with the ISO 9001 (Quality) and ISO 14001 (Environmental) management systems standards, so that it would easier to integrate the required procedures with an existing ISO9001 and/or ISO14001 management system.
- It therefore follows the standard management system structure of Plan-Do-Check-Act.
- In fact, the clause headings of OHSAS18001 are virtually identical to those of ISO14001.
Q - Does this standard tell us what to do with regard to accidents?
A - No. To quote OHSAS18001: "The OHSAS specification gives requirements for an occupational health and safety (OH&S) management system, to enable an organisation to control its OH&S risks and improve its performance. It does not state specific OH&S performance criteria, nor does it give detailed specifications for the design of a management system" (from Clause 1 - Scope).
From this you can see that the purpose of the standard is to ensure that organisations have management systems in place with policies and objectives that cause the necessary procedures to be determined and implemented, and their suitability to be monitored. This in turn will lead to improvements. (that's the Plan-Do-Check-Act cycle in a nutshell!).
Q - Who can use this standard?
A - Any organisation that wishes to minimise risks to employees, customers, visitors etc and especially those organisations that wish to demonstrate to others that they have such a system in place.
It is possible to self-certify, but your customers (the "interested parties") might not be very convinced by this.
Q - How do we get it started?
A - There are a number of key things required. Policies, objectives and procedures form a large part of this, as do audits and other measurement methods feeding back to management review.
Probably the very first thing to do is to consider what the risks are within your working environment, including any other premises where your staff or contractors conduct work for you. List them all out, no matter how ridiculous or unlikely. Record them in a table or similar.
- (i) Then give each of these threats a "likelihood" value between 1 and 5, where 1 is very unlikely to happen and 5 is almost certain to happen.
- (ii) Next, consider each of the threats and give it an "impact" value of 1 to 5, where 1 means that none or very little harm is likely to arise if the risk occurred and 5 is where serious injury or death is likely.
- (You should state clearly what the levels 2, & 4 mean in each of the above. I'm sure you get the point of how to do it, though).
- Now calculate the value of (i) times (ii). You will get a range of values from 1 to 25, of course. Higher scores should attract your interest!
We can provide an online tool for this process. Just email us for details.
It's very simple to use and very easy to keep it updated.
Q - "I've been told that good safety is free, that it should pay for itself". Is that true?
A - Probably not. Safety is NOT free.
The premise of this argument (put about by the people trying to sell you their services, no doubt) is that in the long run, effective safety programs save money and add business value. This is difficult to prove.
It strikes me as being similar to the “free market” argument that financial markets don’t need to be regulated because they will regulate themselves. Did you notice the depression that happened as a result?
However, there are opportunities for recouping at least some of the costs. Company insurances should be less for a company being independently assessed for OHSAS 18001. However, not all insurance providers are that smart…
Especially for larger organisations, the reduction in accruals for potential litigation may be significant. The reduction in accidents, especially in some sectors, may help pay for some of the costs of the system as well.
So, you need to consider the costs of doing this. But you do need to balance them against the costs of not doing it.
Within the UK (it may be similar in other countries): With the changes in Health & Safety law that came into operation in recent years, organisations failing to implement effective H&S systems are finding that fines have increased, the chance of imprisonment have increased and the likelihood of being found guilty have increased. The approach of the courts seems to move towards “the organisation is guilty unless it can prove otherwise”.
Q - Can you tell me some basic information about the clauses of OHSAS18001?
A - Certainly. See below
Clauses 0 - 3 - As with almost all management system standards, the first few clauses contain things are not requirements, such as definition of terms, background of the standard and so on. OHSAS18001 is no different.
Clause 4.1 - General Requirements This states that the system must contain the things that the following clauses specify. Useful as an auditor's cross-check, but probably no other useful purpose.
Clause 4.2 - OH&S Policy This is very similar to the policy requirements of ISO9001 & 14001 & 27001, except it is concerned with H&S aspects, of course.
Clause 4.3 - Planning4.3.1 Hazard identification, risk assessment and determining controls
This requires one or more procedures (although it does not specify that they must be documented) for ongoing hazard identification, risk assessment and determination of the necessary controls. It lists a number of factors that must be taken into account by the procedure. (items a – j).
It also requires that the methodology shall be proactive and provide for the “identification, prioritization and documentation of risks, and the application of controls as appropriate”. Using our Risk Register system, this meets all these requirements.
This clause also defines a hierarchy of risk reduction methods (most important shown first, one assumes):
- Elimination (of the risk)
- Substitution
- Engineering controls
- Signage/warnings and/or administrative controls
- Personal protective equipment
4.3.2 Legal and other requirements
A procedure is required for identifying and accessing the “legal and other OH&S requirements that are applicable to it”. It must be kept up to date, and that the relevant information is communicated to “persons working under the control of the organization and other relevant interested parties”. So this could include contractors, and your client especially if the client is required to perform actions (e.g. to clear an area in readiness, make structures ready or install signage etc)
4.3.3 Objectives and programme(s)
Measurable (where practicable) objectives must be established and documented.
There must also be a programme of actions for achieving the objectives, with timescales. Although this is not required to be documented, we should insist that our clients at least record the programme. Perhaps using our on-line Feedback system so that they get a weekly reminder? Or at the absolute minimum in the minutes of their management reviews. But this latter method won’t get updated very often.
Clause 4.4 - Implementation and Operation4.4.1 Resources, Roles, Responsibility, Accountability and Authority
As with other management standards, Top Management must provide required resources. They must also define responsibilities etc. These should show to whom each person is responsible. An organisational chart, supported by text as usual, will do this of course.
A “Management Representative” is of course required. The identity of this person must be “made available to all persons working under the control of the organization”.
In addition, the organisation must ensure that persons in the workplace take responsibility for aspects of OH&S over which they have control. This includes the responsibility to meet the organisation’s OH&S requirements.
4.4.2 Competence, training and awareness
All persons performing tasks that can impact on OH&S must be competent for the task.
A procedure is required to make such persons aware of the consequences and risks arising from their work activities, their role & responsibilities in achieving the requirements of the policy and procedures, including emergency preparedness and responses, and the potential consequences of departure from specified procedures. (This may require that the critical procedures are identified in some way).
4.4.3 Communication, Participation and Consultation
4.4.3.1 Communication
A procedure is required for internal communication between the various levels and functions of your organisation, communication with contractors and workplace visitors and for receiving, documenting and responding to “relevant communications from external interested parties” (e.g. H&S Executive, Customers, etc)
4.4.3.2 Participation and Consultation
A procedure is required for ensuring the participation of workers in hazard identification, incident investigation, development and review of OH&S policies and objectives, consultation regarding changes with OH&S impacts, other representation on OH&S matters.
This could be addressed by having worker representatives on committees, or forming their own committees that feed into higher level meetings, etc.
Consultation with contractors with respect to changes that affect their OH&S is also required.
4.4.4 Documentation
This defines the documentation that the system must include (and which will be the subject of the controls in 4.4.5). This is:
- OH&S policy & objectives
- Description of the scope of the system
- Description of the main elements of the OH&S system and their interaction and reference to related documents
- The documents and records required by OHSAS18001
- Any other documents and records required by your organisation for the system
4.4.5 Control of Documents
This is virtually identical to clause 4.2.3 of ISO9001 and clause 4.5.5 of ISO14001. The usual controls for identification, approval, release withdrawal, etc are required.
4.4.6 Operational Control
Your organisation must identify the activities that are associated with hazards that have been identified, where OH&S controls are needed to manage those risks. (Including change management processes).
Note that although controls are required for these instances, procedures are only required where their absence could cause problems. Section (e) is similar, but criteria could be some other set of controls apart from procedures. Perhaps the use of PPE, or technical specifications for machinery would be relevant here. But don’t get too hung up (joke) on the meaning of the word.
4.4.7 Emergency Preparedness and Response
A procedure is required to identify the potential for emergency situations and to respond to those situations. Your organisation is required to respond to such incidents to prevent or reduce their OH&S impact.
The procedures should be periodically tested where practicable. Although not specifically required by OHSAS18001, you should consider keeping records of all such practices. Perhaps using our on-line Feedback Reporting System.
Clause 4.5 - Checking4.5.1 Performance Measurement and Monitoring
As part of the Plan-Do-Check-Act cycle, the performance of the system must be monitored and measured “on a regular basis”. Although not specifically required to be documented, your should probably specify the measures (as far as possible) in the procedures. Perhaps in the management review procedure, although you might want a specific “monitoring” procedure.
Note that where equipment is used for the measurement, calibration and maintenance is required, with records of these events.
4.5.2 Evaluation of Compliance
- Clause 4.5.5.1states that a procedure is required to evaluate compliance with the applicable legal requirements. Note that this is for “applicable legal requirements”.
- Clause 4.5.5.2 states that the organization shall evaluate compliance with other requirements, although it does not require this to be proceduralised. However, it might be best to include it in the same procedure as the legal compliance evaluation.
In both cases, records of the evaluations are required.
4.5.3 Incident Investigation, Nonconformity, Corrective action and Preventive Action
4.5.3.1 Incident Investigation
A procedure is required for recording, investigating and analysing incidents. The process should determine underlying OH&S deficiencies (as with “root cause analysis” of ISO9001), to identify the need for corrective actions, to identify opportunities for preventive actions (consider similar things that might go wrong, etc) and to communicate the findings.
All of this must be recorded.
4.5.3.2 Nonconformity, Corrective action and Preventive Action
A procedure is required for identifying and correcting nonconformities, for identifying their cause, recording the results of the actions taken and reviewing their effectiveness.
Where changes are significant, a new risk assessment should be conducted. In any case, the procedure should require that the risk assessment (required earlier!) is reviewed following any significant incidents.
4.5.4 Control of Records AND
4.5.5 Internal Audit AND
Pretty much identical to ISO9001, 14001 27001 etc, except the scope is OH&S, of course.
Clause 4.6 - Management ReviewPretty much identical to ISO9001, 14001 27001 etc, except the scope is OH&S, of course. The standard specifies a range of things that must be reviewed by Top Management in order to identify opportunities for improvement. The reviews must be recorded.
If you wish to implement an OHSAS18001 system, we will be happy to assist.
You can use the above and a copy of OHSAS18001 and do it yourself, of course.
