NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 1 of 15 Dated: 12 February, 2008 To: All NSI H&S Gold Approved Companies and all Applicants for H&S Gold Approval TECHNICAL BULLETIN No. 0008 Guidance and clarification of NSI requirements for the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems – Requirements with guidance for use (Supersedes OHSAS 18001:1999) BS OHSAS 18001:2007 shows a publication date of the 31 st July 2007 and is now available through licensed outlets including the NSI who can supply copies at a discounted rate. BS OHSAS 18001:2007 will now be applied to the NSI H&S Gold Scheme as a condition of NSI approval. The Standard will be applied with immediate effect, subject to the additional clarifications and guidance within this Special Bulletin. With immediate effect Applicant Companies will be assessed against the 2007 Edition and any Improvement Needs recorded against clauses of the Standard will have to be satisfactorily addressed before approval can be granted. Companies already approved by NSI to the 1999 edition will however be given until the 1 st August 2009 to fully comply with the amended requirements such that there is a full 2 year transition period. In the interim, Improvement Observation Reports will be issued for any of the revised requirements that are not satisfied and if such reports are not adequately addressed by the time of the next visit they will be elevated to Improvement Needs. Failure to then close-out any Improvement Needs by the end of the transition period i.e. the 1 st August 2009 will mean that an updated certificate to BS OHSAS 18001:2007 cannot be issued and the existing certificate to OHSAS 18001:1999 will be cancelled. Certificates for existing NSI Approved Companies will be updated as and when compliance with the new edition is demonstrated. The guidance in this Technical Bulletin has also generally taken note of OHSAS 18002, Occupational health and safety management systems – Guidelines for the implementation of OHSAS 18001. NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 2 of 15 SUMMARY OF KEY CHANGES (Highlighted under the clauses of the new Standard) Comments under each clause consist of a summary of the changes when compared with the corresponding clause within BS OHSAS 18001:1999 and where relevant any specific NSI requirements are also detailed. Where the actual wording is quoted it is reproduced in bold text. Where it is considered relevant to further clarify the specified requirement, additional guidance is included in italics. It is not, however, the intent of the NSI to only impose its own recommended methods of compliance with specified requirements and the NSI will give full consideration to any alternative methods of achieving compliance with specified requirements. FRONT PAGE The front sheet makes it clear that BS OHSAS 18001:2007 has the status of a British Standard. NATIONAL FOREWORD The foreword makes it clear that the British Standard is the official English language version of OHSAS 18001:2007 developed by the International OHSAS Project Group. It is also identical with OHSAS 18001:2007 and supersedes OHSAS 18001:1999 which is now obsolescent. A reminder is included that compliance with a British Standard does not of itself confer immunity from legal obligations . ACKNOWLEDGEMENT The following note is included against the entry for the Health and Safety Executive: As the regulatory authority responsible for health and safety in Great Britain, the Health and Safety Executive would wish to make it clear that reliance on the OHSAS Standard by organisations will not absolve them from compliance with any of their legal health and safety obligations under the laws of England, Wales and Scotland. NSI will not approve any company under its H & S Scheme until it is clear that they are aware of all applicable Health and Safety Legislation and have considered its impact on their business. Additionally no approval under the NSI H & S Scheme will be granted until any breach of applicable legislation is addressed to the satisfaction of the appropriate authority . NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 3 of 15 FOREWORD It is made clear that the 2007 edition of OHSAS 18001 has been developed to be compatible with the ISO 9001:2000 (Quality) and ISO 14001:2004 (Environmental) management systems standards, in order to facilitate their integration by organisations, should they wish to go down this route. The Foreword includes the following series of bullet points to illustrate the extent of change in the 2007 edition: ∑ The importance of “ health”has been given greater emphasis. ∑ OHSAS 18001 now refers to itself as a standard, not a specification, or document, as in the earlier edition. This reflects the increasing adoption of OHSAS 18001 as the basis for national standards on occupational health and safety management systems. ∑ The “ Plan-Do-Check-Act” model diagram is only given in the Introduction, in its entirety, and not also as sectional diagrams at the start of each major clause. ∑ Reference publications in clause 2 have been limited to purely international documents. ∑ New definitions have been added, and existing definitions revised . ∑ Significant improvement in alignment with ISO 14001:2004 throughout the Standard, and improved compatibility with ISO 9001:2000. ∑ The term “ tolerable risk” has been replaced by the term “ acceptable risk”(see 3.1). ∑ The term “ accident”is now included in the term “ incident” (see 3.9). ∑ The definition of the term “ hazard” no longer refers to “ damage to property or damage to the workplace environment” (see 3.6). It is now considered that such “ damage” is not directly related to occupational health and safety management, which is the purpose of this OHSAS Standard, and that it is included in the field of asset management. Instead, the risk of such “ damage” having an effect on occupational health and safety should be identified through the organisation’ s risk assessment process, and be controlled through the application of appropriate risk controls. ∑ Sub-clauses 4.3.3 and 4.3.4 have been merged, in line with ISO 14001:2004. ∑ A new requirement has been introduced for the consideration of the hierarchy of controls as part of OH & S planning (see 4.3.1). ∑ Management of change is now more explicitly addressed (see 4.3.1 and 4.4.6). ∑ A new clause on the “ Evaluation of compliance” (see 4.5.2) has been introduced. ∑ New requirements have been introduced for the investigation of incidents (see 4.5.3.1). NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 4 of 15 INTRODUCTION The second paragraph reference to OH&S reviews and audits is retained. The fourth paragraph now gives more emphasis to the provision of requirements for an OH&S management system to enable an organisation to develop and implement a policy and objectives, which take into account legal requirements and information about OH&S risks. Although there is not a specific requirement to conduct a comprehensive initial OH&S review before developing an OH&S policy and programme, it is a sensible starting point and probably the best way to identify and list the significant risks or issues that the organisation can control or influence. A new fifth paragraph is added to make it clear that the second edition of the Standard focuses on clarification of the requirements originally set out in the first edition and to give more consideration of the provisions of ISO 9001(2000) to enhance the compatibility of the two standards for the benefit of the user community. (Annex A now contains updated tables showing the correspondence between OHSAS 18001:2007, ISO14001:2004 and ISO 9001:2000 which may be useful for those organisations implementing a fully integrated management system). The remainder of the introduction retains the references to the PDCA (Plan-Do- Check-Act) methodology that the standard is based upon but also gives more emphasis to the required commitment to comply with applicable legal requirements and with other requirements to which the organisation subscribes, to prevent injury and ill health and to continual improvement. A new final paragraph makes it clear that the level of detail and complexity of the OH&S management system, the extent of documentation and the resources devoted to it depend on a number of factors, such as the scope of the system, the size of an organisation and the nature of its activities, products and services. This may be the case in particular for small and medium – sized enterprises. NSI will take such detail into account and although the fundamentals to be addressed are essentially the same for any organisation, it is accepted the complexity of the OH&S may vary considerably dependent upon the product or service and the size and complexity of the organisation. The range of issues to be addressed by organisations wishing to have their OH&S System approved by NSI will also be influenced by NSI policy to target its OH&S certification at existing clients already holding NSI QMS (Quality Management Systems) and PC (Product Certification) within the Security and Fire Safety Industries. In the absence of any outstanding Improvement Needs on the existing QMS/PC Approval it may reduce the time that needs to be spent on assessing areas common to all management systems e.g. management review, internal audit, document control etc. NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 5 of 15 1. SCOPE The existing sub-clauses d), e) and f) have been reworded and expanded upon as four numbered methods of demonstrating conformity with the standard under a new clause d). Point 4 is the one relevant to certification with the NSI i.e. an organisation applying for certification by the NSI is seeking certification/registration of its OH&S management system by an external organisation. The final paragraph has a modified statement to make it clear that the OHSAS standard is intended to address occupational health and safety and is not intended to address other health and safety areas such as employee well- being/wellness programs, product safety, property damage or environmental impacts. 2. REFERENCE PUBLICATIONS The existing references have been updated and a new reference added i.e. to the 2001 Guidelines on Occupational Health and Safety Management Systems (OSH- MS) produced by the ‘ International Labour Organization. 3. TERMS and DEFINITIONS A significant number of the definitions have been reworded to provide greater clarity and some additional ones have been included. 3.1 The term ‘ tolerable risk’has been replaced by the term ‘ acceptable’risk but the intent is the same i.e. that the risk has been reduced to a level where it can be tolerated and there is no indication of any breach of applicable legislation. 3.3 The definition for ‘ continual improvement’ has been modified and is now defined as the recurring process of enhancing the OH&S management system in order to achieve improvements in overall OH&S performance consistent with the organisation’ s OH&S policy. 3.4 A definition is now included for ‘ corrective action’ i.e. action to eliminate the cause of a detected nonconformity or other undesirable situation. NSI expect to see appropriate references in the OH&S Management System to all the defined methods for capturing and dealing with nonconformity e.g. whether from internal or external audit, internal inspection/monitoring, customer complaint etc. 3.5 A definition is now included for ‘ document’ i.e. information and its supporting medium with an explanatory note that the medium can be paper, magnetic, electrical or optical computer disc, photograph or master sample, or a combination thereof . 3.6 The definition for ‘ hazard” no longer refers to “ damage to property or damage to the workplace environment” NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 6 of 15 3.8 A new definition for ‘ ill health’ is included i.e. identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work-related situation. 3.9 The definition of an ‘ incident’ has been reworked and is now defined as a work-related event(s) in which an injury or ill health (3.8) (regardless of severity) or fatality occurred, or could have occurred. A note is then shown to emphasise that an accident is an incident which has given rise to injury, ill health or fatality. 3.10 A new term for ‘ interested party’ has been included i.e. person or group, inside or outside the workplace, concerned or affected by the OH&S performance of an organisation. 3.11 A definition for ‘ nonconformity’ is now included i.e. non-fulfilment of a requirement. This equates to the Improvement Need and Improvement Observation Reports in NSI terminology. Please note however, that under the NSI Schemes a significant nonconformity is the Improvement Need and that all improvement needs have to be addressed before certification can be granted. An Improvement Observation Report can be either be a nonconformity that is not considered significant in terms of the product or service supplied, or it can be the auditors view that there is the potential for improvement even if currently there is no actual nonconformity. If it is purely recording the potential for improvement then a corrective action response is not required and the NSI Inspector determines whether any action has taken place on the next visit. 3.12 A new definition for ‘ occupational health and safety’ (OH&S) is included i.e. conditions and factors that affect, or could affect, the health and safety of employees or other workers (including temporary workers and contractor personnel), visitors, or any other person in the workplace. 3.13 The definition for ‘ OH&S management system)’ has been modified and is now defined as part of an organisation’ s management system used to develop and implement its OH&S policy and manage its OH&S risks. Two notes are also included which are generally compatible with the additional text that was in the original definition i.e. Note 1 states that A management system is a set of interrelated elements used to establish policy and objectives and to achieve those objectives ’ and Note 2 states that ‘ A management system includes organisational structure, planning activities, responsibilities, practices, procedures, processes and resources. 3.14 The definition for ‘ OH&S objective’ has been modified and is now defined as the OH&S goal, in terms of OH&S performance that an organisation sets itself to achieve . NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 7 of 15 Two notes then emphasise that the objectives should be quantified wherever practicable and consistent with the OH&S Policy. 3.15 The definition for ‘ OH&S performance’ has been modified and is now defined as the measurable results of an organisations management of its OH&S risks , followed by an explanatory note that states that in the context of OH&S management systems, results can be measured against the organisation’ s OH&S policy, OH&S objectives and other OH&S performance requirements. 3.16 The definition for ‘ OH&S policy’ has been modified and is now defined as the overall intentions and direction of an organisation related to its OH&S performance as formally expressed by top management , followed by an explanatory note that states that the environmental policy provides a framework for action and for setting of OH&S objectives and targets . 3.18 A definition for ‘ preventive action’ is now included i.e. action to eliminate the cause of a potential nonconformity or other undesirable situation with three notes that make it clear that there can be more than one cause for a potential nonconformity, that preventative action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence and that the definition is adapted from ISO 9000:2000, 3.6.4. 3.19 A definition is now included for ‘ procedure’ i.e. a specified way to carry out an activity or a process , with two notes that make it clear that it can be documented or not and that the definition is adapted from ISO 9000:2000, 3.4.5. 3.20 A definition is now included for a ‘ record’ i.e. a document stating results achieved or providing evidence of activities performed. 3.23 A definition is now included for ‘ workplace’ i.e. any physical location in which work related activities are performed under the control of the organization taking into account the OH&S effects on personnel. 4 OH&S MANAGEMENT SYSTEM REQUIREMENTS 4.1 General requirements The general requirements have been expanded to make it clear that not only should an OH&S Management System to be established and maintained but that the organisation shall document, implement and continually improve an OH&S and determine how it will fulfil the requirements of the Standard. An additional sentence is also added to make it clear that the organisation shall define and document the scope of its OH&S system. NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 8 of 15 The above principles have always been generally understood and applied; the main change is that there is now a more precise or additional clause that the auditor can reference if there is any failure to effectively document, implement, continually improve or fulfil the requirements of the standard. The scope of the OH&S management system shall be included as part of the OH&S policy (statement). 4.2 OH&S Policy Minor changes have been made to the opening sentence to stress that the listed requirements should be addressed within the defined scope of the organisations OH&S management system Item b) now also includes a commitment to prevention of injury and ill health. Item c) now references ‘ applicable legal requirements’ rather than ‘ relevant OH&S legislation and regulations’ . Item d) added i.e. the policy provides the framework for setting and reviewing OH&S objectives. Item f) amended from ‘ all employees’ to ‘ all persons working under the control of the organisation’ . The new wording is a sensible and additional reference to remind organisations that subcontractors working for or on behalf of the organisation should be made aware of the organisation’ s OH&S Policy. There may also be additional personnel who could in some respects be considered as working for the organisation. 4.3 Planning 4.3.1 Hazard identification, risk assessment and determining controls New sub-clauses have been added to define what an organisation should take into account in its procedure for hazard identification and risk assessment i.e. c) human behaviour, capabilities and other human factors; d) identified hazards originating outside the workplace capable of adversely affecting the health and safety of persons under the control of the organization within the workplace; e) hazards created in the vicinity of the workplace by work-related activities under the control of the organization (Note 1: It may be more appropriate for such hazards to be assessed as an environmental aspect); f) infrastructure, equipment and materials at the workplace, whether provided by the organization or others; NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 9 of 15 g) changes or proposed changes in the organization, its activities, or materials; h) modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes, and activities; I) any applicable legal obligations relating to risk assessment and implementation of necessary controls; j) the design of work areas, processes, installations, machinery/equipment, operating procedures and work organization, including their adaptation to human capabilities. A new requirement has also been introduced for the consideration of the hierarchy of controls as part of OH&S planning i.e. a) elimination; b) substitution; c) engineering controls; d)signage/warnings and/or administrative controls; e) personal protective equipment (PPE) . The above are fundamental principles that organisations should always bear in mind i.e. always start with a review of whether the task is really required or are there alternative ways to achieve the same result as opposed to blind acceptance of the risk because the process has always been carried out that way and then just concentrating on the issue of PPE. An additional sentence is also incorporated to emphasise that the organisation shall ensure that the OH&S risks and determined controls are taken into account in establishing, implementing and maintaining its OH&S management system. 4.3.2 Legal and other requirements There is now more emphasis on determining how the applicable legal requirements relate to the OH&S hazards and to ensure that the applicable legal requirements and other requirements that the organisation subscribes to are taken into account in establishing, implementing and maintaining the OH&S . In light of such developments NSI has reviewed its approach to verifying compliance with this clause of the Standard and as per the Standard already applied on the EMS (Environmental Management Systems) Scheme, shall not recommend certification until it is clear that the organisation has an adequate understanding of relevant legislation, has reviewed its impact on the business and verified that it is compliant with all applicable legislation. The following supplementary requirements shall also apply: 1) There shall be a detailed, documented, implemented and maintained procedure that clearly explains the methods and systems etc that are regularly accessed to identify applicable legal requirements and any other requirements to which the organisation subscribes. NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 10 of 15 2) The procedure shall also detail the process(es) for determining how such requirements apply to the organisation’ s OH&S policy, objectives & targets and its activities. 3) The procedure shall also detail the arrangements for periodically evaluating/re- evaluating compliance with applicable legal requirements and demonstrate that if there are any subsequent and significant amendments to such requirements they are subject to timely consideration such that any potential breaches of legal requirements are immediately brought to the attention of top management. 4) A central register of applicable legislation and other requirements that the organisation subscribes to shall be maintained and it shall reference any significant OH&S hazards and risks. 5) A central record of any breaches of legislation or other requirements to which the organisation subscribes to shall be maintained and there shall be a clear audit trail to verify that timely action has been or is being taken to rectify any failure to fully comply. Such records shall also show that the appropriate authorities have been informed/consulted and that the conditions of any temporary concessions or exceptions are clearly understood and communicated to relevant personnel. Note: Although NSI does not necessarily carry out a complete legal compliance evaluation, the organisation’ s register of OH&S legislation will be reviewed in sufficient depth to verify whether there are any obvious omissions. If there are significant omissions, an Improvement Need shall be immediately raised and certification shall not be recommended until the organisation has reviewed/revised its procedures for identifying, accessing and determining the significance of appropriate legal and other requirements and rectified the omissions. If there are any current breaches of applicable legislation, registration shall not be recommended unless the appropriate authorities have granted a concession and there is an agreed action plan leading to eventual compliance. 4.3.3 Objectives and programme(s) This clause merges the previous clause 4.3.3 Objectives and targets with 4.3.4 OH&S management programme(s) and includes a new paragraph as follows: The objectives and targets shall be measurable, where practicable, and consistent with the environmental policy, including the commitments to prevention of pollution, to compliance with applicable legal requirements and with other requirements to which the organisation subscribes, and to continual improvement. The prime requirement remains i.e. to establish, implement and maintain documented OH&S Objectives, at relevant functions and levels within the organisation NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 11 of 15 The above clause clarifies the sensible principles that should always have been applied and organisations should take care to ensure there is important linkage between the various documents and ensure they are not developed in isolation. For example it would not make sense to include in the Policy Statement a general commitment to reduce the number of work-related incidents and then have no specific objectives, targets or milestones to show how this is to be measured, monitored or achieved. 4.3 Implementation and operation 4.4.1 Resources, roles, responsibility and authority The title of this clause has changed in order to give more emphasis to the requirement for management to ensure the availability of resources essential to establish, implement, maintain and improve the OH&S management system . The requirement for Top Management to demonstrate its commitment stresses that they shall define rolls, allocating responsibilities and accountabilities and delegate authorities, to facilitate effective OH&S management. Roles, responsibilities, accountabilities, and authorities shall be documented and communicated. The requirement for the management representative to report to top management on the performance of the OH&S for review has been retained but there is now a specific requirement to include recommendations for improvement . The above is a sensible clarification and recognises that the management representative for OH&S will often be best placed to review in detail, information obtained as a result of the monitoring and measurement activities and identify opportunities for improvement that can then be communicated to top management for discussion and agreement at a management review meeting. 4.4.2 Competence, training and awareness This section introduces new terminology i.e. person(s) performing tasks under its control that can impact on OH&S. This is a useful change when compared with the previous text on ‘ personnel’ as it assists in driving home the message that the requirements may also apply to contractors, sub-contractors, temporary staff etc if their tasks have the potential to cause an OH&S hazard. 4.4.3 Communication, participation and consultation 4.4.3.1 Communication Item b) has been added to emphasise communication with contractors and other visitors to the workplace. Methods of communication will vary considerably particularly across different sizes of organisation. NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 12 of 15 4.4.3.2 Participation and consultation This clause has been subject to minor amendment to ensure that it is clear that a procedure for worker consultation and participation is required. This now includes appropriate involvement in hazard identification, risk assessments, determination of controls and incident investigation. The need to consult with contractors where there are changes that affect their OH&S is also emphasised. 4.4.4 Documentation This clause has been brought more in – line with ISO 9001:2000 and now includes a specific list of documents that have to be maintained within the OH&S. The OH&S documentation shall include: a) the OH&S policy and objectives, b) description of the scope of the OH&S management systems, c) description of the main elements of the OH&S and their interaction, and reference to related documents, d) documents, including records, required by this OHSAS Standard , and e) documents, including records, determined by the organisation to be necessary to ensure the effective planning, operation and control of processes that relate to its OH&S risks. Requirements a) to c) inclusive may be best presented in the form of a higher level Policy Manual that addresses all clauses of BS OHSAS 18001:2007 as further interpreted by this Technical Bulletin. Such a document should also provide a clear audit trail to any supporting procedures, defined processes, and work instructions etc that in turn should link to the standard proforma or records that are completed as evidence of conformity. 4.4.3 Control of documents This clause has also been brought more in-line with ISO 9001:2000 but only references a requirement for a procedure, unlike ISO 9001:2000 which requires a documented procedure. As most organisations implementing an OHSAS 18001:2007 will already have a certificated QMS embracing ISO 9001:2000 then NSI shall normally expect such a detailed and documented procedure to be also applied for OH&S, modified as necessary to reflect any specific requirements of OHSAS 18001:2007 or this Technical Bulletin. 4.4.6 Operational control The requirements of this clause have not really changed but have been reworded to be brought more in-line with ISO 9001:2000. 4.4.7 Emergency preparedness and response NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 13 of 15 Again the requirements of this clause have not really changed but have been reworded to ensure greater clarity with respect to the need for the organisation to have a procedure to identify potential emergency situations that can have an impact(s) on the OH&S and how it will respond to them. Also more emphasis is put on the organization to take account of the needs of relevant interested parties e.g. emergency services and neighbours in planning its emergency response. 4.5 Checking (Previously checking and corrective action) 4.5.1 Performance measurement and monitoring) The requirement now refers to procedures rather than documented procedures and the clause on periodic evaluation of legal compliance has been moved to clause 4.5.2. As with the text under 4.4.6 a) of the standard, a decision upon whether to maintain a fully detailed and documented procedure should be based upon consideration as to whether the absence of the same could lead to a deviation from the OHSAS policy, objectives and targets. In the absence of a documented procedure it can sometimes be harder to verify that there is a clearly defined and communicated procedure (practice) that is fully in tune with established policy and that can be effectively audited (both internally and externally). Item c) has been added to highlight a need for a procedure to provide for monitoring the effectiveness of controls (for health as well for safety). 4.5.2 Evaluation of compliance This is a new clause but not a new requirement and it has been made into a separate clause to emphasise the importance of periodic evaluation of legal compliance and compliance with other requirements to which the organisation subscribes. With regard to the frequency of such periodic evaluations, it makes sense to have such evaluations as an input to each management review at intervals not exceeding twelve months, with the proviso that more frequent reviews should be carried out whilst the OHSAS System is still relatively immature. This still assumes that if significant amendments are made to applicable legislation listed on the register, between the periodic review dates, the significant changes will be detected and evaluated in a timely manner particularly if there is an early implementation date. 4.5.3 Incident investigation, nonconformity, corrective action and preventative action (previously Accidents, incidents, non-conformances and corrective and preventative action clause 4.5.2) NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 14 of 15 4.5.3.1 Incident investigation New requirements have been introduced for the investigation of incidents emphasising a need to have a procedure to record, investigate and analyse incidents. Also the results of incident investigations shall be documented and maintained. 4.5.3.2 Nonconformity, corrective action and preventative action Nonconformity is now utilised instead of non-conformance and the requirements incorporate similar wording to that utilised within ISO 9001:2000 and it therefore normally makes sense to have a common procedure to satisfy all QMS, EMS and OHSAS requirements. However from an OH & S point of view there also needs to be emphasis on taking action to mitigate the OH & S impact of any actual and potential nonconformity. Nonconformity is defined in the Standard as non-fulfilment of a requirement; a definition based upon ISO 9000:2000 Clause 3.6.2. In many respects this is easier to understand if we talk about specified requirements and the recommended higher level, policy manual should detail the various methods or systems for identifying, recording and actioning nonconformities e.g. internal and external audit, periodic evaluation of legal compliance, incident reporting including reviews carried out after accidents or emergency situations and as a result of the monitoring and measurement of processes or operations that can impact on the OH&S provisions. 4.5.4 Control of records (previously clause 4.5.3) In general terms the requirements have not changed significantly but are restructured to give greater clarity. The requirement to establish and maintain a procedure for the identification, maintenance and disposition of OH&S records has been expanded and now reads ‘ the organisation shall establish, implement and maintain a procedure(s) for the identification, storage, protection, retrieval, retention and disposal of records’ . Greater clarity is also provided with respect to the type of records to be maintained by the organisation i.e. records as necessary to demonstrate conformity to the requirements of its OH&S management system and of this international standard (OHSAS 18001:2007), and the results achieved. 4.5.5 Internal Audit (previously clause 4.5.4 Audit) Again the clause has been more closely aligned with that in ISO 9001: 2000 and the text makes it much clearer the audit programme should be planned, established, NSI Technical Bulletin 0008 Guidance on the implementation of BS OHSAS 18001:2007, the British Standard for Occupational health and safety management systems 15 of 15 implemented and maintained by the organisation, taking into consideration the OH&S importance of the operation(s) concerned and the results of previous audits. In order to ensure that OH&S audits are sufficiently robust it is essential that they are conducted by auditors who have not only received some formal training in auditing techniques but will also be able to demonstrate that they are sufficiently informed of and aware of OH&S. It shall also be clear that the audit programme pays particular attention to the process for periodic evaluation of legal compliance and the process for establishing, implementing and maintaining appropriate objectives and targets that are consistent with the OH&S policy. 4.6 Management review Top management should now review the organisations OH&S management system at planned intervals and it is now much clearer that the reviews shall include assessing opportunities for improvement. Again the text has come more in line with ISO 9001:2000 as it now reproduces a list of items that should be an input to the management review as well as being more prescriptive regarding the output from the review. NSI shall expect to see a clear agenda and minutes of the management review meeting that clearly demonstrate that as a minimum, items a) to h) are included as a standard topic for review/discussion and the specified requirements in terms of output are satisfied.