CQI. Chartered Quality Institute

Transcription

1 CQI Chartered Quality Institute

2 Introduction Report published in September 2014 by: International Register of Certificated Auditors (IRCA), part of The Chartered Quality Institute (CQI), 2nd Floor North, Chancery Exchange, 10 Furnival Street, London EC4A 1AB T: +44 (0) I I Incorporated by Royal Charter and registered as a charity number

3 IRCA has prepared this briefing note to update IRCA auditors and other interested parties on the future of BS OHSAS and the work of ISO Project Committee 283, the committee responsible for developing the international standard ISO Occupational health and safety management systems. Development of ISO has now reached the Committee Draft (CD) stage. This briefing note provides the background to development of ISO and outlines the likely main similarities and differences between OHSAS and ISO Effective management of business risk is high on the boardlevel agenda of most organisations. Background In today s ever-changing world, organisations operate in increasingly complex environments, often involving multinational supply chains and outsourcing parts of their operation. Differences in cultural norms, legislation, business and social ethics and practices, technologies, etc add to those complexities. Yet when things go wrong, it is the reputation of the prime organisation that falls under the spotlight, as we saw with the Deepwater Horizon catastrophe and Boeing Dreamliner battery problems. Effective management of business risk is high on the board-level agenda of most organisations. These days, it is not enough for a company merely to be profitable it also needs to have robust systems of internal control, covering not just narrow financial risks, but also risks relating to the environment, business reputation and health and safety. The need for integrated risk-control systems ISO management system standards (MSSs), for quality, environment, food safety standards etc, have been developed and published over a number of years. While some may say these standards are compatible with each other, the reality is that the proliferation of ISO MSSs and the manner in which they have been developed has resulted in many apparently common requirements that are subtly or substantially different. This has caused confusion and inconsistent understanding and implementation. Consequently, it has been easy to compartmentalise these different risk-control systems. But that is simply not how organisations operate or top management thinks. This compartmentalisation can be a significant barrier to getting the buy-in and hands-on participation of top management and often results in failure to embed these systems into routine operations. Instead, each is operated as an independent system in its own right with its own dedicated management structure. This had led to the need to combine or integrate these different aspects of business risk management more easily in an effective and efficient manner. Occupational health and safety management systems BS OHSAS moving to ISO

4 Despite not being an ISO standard, OHSAS 18001:2007 has gained global acceptance. ISO management system standards development In order to deliver consistent and compatible management system standards in the future, the ISO Technical Management Board has produced a common framework for all MSSs. This common framework is referred to as Annex SL. Essentially, Annex SL describes how management standards of the future will be structured using a common high-level structure (ie, clause sequence, common text and terminology provided in Annex SL). The first standard to adopt this structure was the Business Continuity Management standard (ISO 22301:2012). BS OHSAS First published in 1999, OHSAS was developed to fill the gap where no international standard for occupational health and safety existed. The current version of the standard is OHSAS 18001:2007, which was adopted as a British Standard, hence BS OHSAS 18001:2007. Despite not being an ISO standard, OHSAS 18001:2007 has gained global acceptance. In recent years there has been a rapid increase in the use of OHSAS and versions of OHSAS that have been adopted by countries, of which there are about 40. Recent surveys report approximately 90,000 accredited certifications in more than 127 countries and a pressing desire from business and interested parties for an international standard. IRCA has seen growing interest and take-up of IRCA s OH&S auditor certification scheme and auditor/lead auditor training courses with the number of delegates attending auditor training for OHSAS increasing by 40% in four years and exceeding those for EMS. ISO

5 Development of ISO In 2013, ISO approved the creation of a new project committee to develop an International Standard for occupational health and safety (OH&S). The work is being overseen by ISO Project Committee (PC) 283. The ISO project committee has been tasked with transforming OHSAS into an ISO standard, ISO The secretariat of ISO/PC 283 has been assigned to BSI, the British Standards Institution. There are currently 50 countries/organisations working on or involved in producing ISO 45001, including the International Labour Organisation (ILO). Richard Green, Head of IRCA Technical Services, is participating in the development of ISO as a member of HS/001, the UK committee which is responsible for the preparation, publication review and revision of generic British Standards or other products on occupational health and safety. Development timeline Development and approval of ISO MSSs follow an established process and sequence; Working Draft (WD), Committee Draft (CD), Draft International Standard (DIS), Final Draft (FDIS) followed by publication of the Standard. The significance of change diminishes as development progresses. Once FDIS is released the nature of any further change is normally minor. JUNE 2013 OCTOBER 2013 JULY 2014 JUNE 2015 JULY 2015 OCTOBER 2016 PROPOSED TRANSITION PERIOD DRAFT DESIGN SPEC. AND WDO APPROVED DESIGN SPEC AND WD1 CD FOR COMMENT AND BALLOT (3 MONTHS) PROPOSED DIS PUBLICATION PROPOSED FDIS PUBLICATION PROPOSED ISO 45001:2016 PUBLICATION 2-3 YEARS FROM STANDARD PUBLICATION Occupational health and safety management systems BS OHSAS moving to ISO

6 5

7 What we know about ISO ISO will include guidelines on the use of the standard. At its first meeting, the project committee re-examined the scope of application of the standard and proposed extending it to cover the working out of guidelines for use supplementing the requirements relating to Occupational Health and Safety Management Systems. The proposal was submitted to the ISO Technical Management Board (ISO/TBM) and approved. Therefore, unlike OHSAS 18001:2007 that only has the requirements, and one had to purchase OHSAS for the guidelines, at this time it looks as though ISO will have both. This is reflected in the title: ISO/CD Occupational health and safety management systems Requirements with guidance for use. ISO/CD 45001:2014 Annex A Guidance on the use of this international standard, includes the caveat that this guidance is strictly informative and is intended to prevent misinterpretation of the requirements contained in this International Standard. An important statement making it clear that Annex A is not part of the auditable criteria. The purpose of the standard remains much the same as before... ISO will adopt the high-level structure of Annex SL This is the same common structure, definitions and core text being used to revise ISO (EMS) and ISO 9001 (QMS). This will mean the structure of the standard will be: 1. Scope 2. Normative references 3. Terms and definitions 4. Context of the organisation 5. Leadership 6. Planning 7. Support 8. Operation 9. Performance evaluation 10. Improvement The first significant change therefore is that there are now ten sections instead of four in OHSAS ISO/CD includes familiar concepts and requirements The purpose of the standard remains much the same as before and ISO/CD retains many familiar concepts and requirements. The stated purpose is to enable an organization to proactively improve its OH&S performance in preventing injury and ill-health ; whereas the purpose of OHSAS is given as to enable an organisation to control its OH&S risks and improve its OH&S performance. Some will argue this puts more emphasis on seeking continual improvement and not only by addressing OH&S risks, but also through other initiatives, for example health education and training. Others may argue that this simply clarifies previous intent. Familiar concepts and requirements include application of the PDCA model, setting policy, setting objectives, carrying out internal audit, and management review. In many cases the current requirements have been carried over from OHSAS 18001, albeit with some minor changes of wording at times. For these topics, the existing processes within current OH&S management systems may well already address the new requirements since they have largely only been re-arranged to fit in with the Annex SL structure. Occupational health and safety management systems BS OHSAS moving to ISO

8 Continual improvement is a separate section in ISO/CD 45001, unlike OHSAS where continual improvement is shown in the OH&S management system model as coming from the interaction of policy, planning, monitoring and review etc. ISO/CD has a specific section on improvement. However looking in detail at section 10 we find familiar concepts including incident, nonconformity and corrective action as well as a specific requirement for continual improvement and a requirement to establish, implement and maintain a continual improvement process. Missing from ISO/CD is reference to preventive action. The term preventive action, and any specific reference to it, has been removed. This stems from the approach of Annex SL. Preventive action has been replaced with: 4.1 (determination of external and internal issues) 6.1 (actions to address risks associated with threats and opportunities) 5.2c (commitment to satisfy applicable legal and other requirements to which the organisation subscribes) 8.6 Emergency preparedness and response (where potential emergency situations are identified and planned for and the emergency procedures are tested). In reality, as currently, the whole of the standard is about eliminating or minimising OH&S risks by taking appropriate preventive measures. The hierarchy of control is a concept the OH&S practitioner and auditor will be familiar with. The requirement in OHSAS to consider reducing risks according to a hierarchy of controls is strengthened in ISO/CD 45001, which requires a policy commitment to the control of OH&S risks through a hierarchy of control and mandates use of the hierarchy in section 8.1 Operational planning and control. This is typical of a number of changes where what may have seemed optional in OHSAS is mandatory in ISO/CD ISO/CD includes some enhanced requirements ISO/CD places more emphasis on risk management and ongoing assessment of risks and opportunities to prevent, or reduce, undesired effects. There is a strengthening of the requirement to demonstrate and understand compliance status at all times (with legal and other requirements). There are specific sub-sections and requirements for contractors and procurement, clarifying and expanding requirements of OHSAS Also a specific requirement on outsourcing of operations The organization shall ensure that outsourced processes affecting its OH&S management system are controlled. There are enhanced requirements for the use of performance indicators to monitor performance (9.1 Monitoring, measurement, analysis and evaluation) and track OH&S performance including status and trends in monitoring and measurement results (9.3 Management review c). 7

9 ISO/CD includes some irregularities with ISO/DIS 9001:2014 Remembering that we are looking at the CD version and very likely some significant changes at detail level will be made, some differences exist between ISO/CD and ISO/DIS 9001:2014 for no apparent reason. For example, ISO/CD has introduced sub-clause titles which ISO/DIS 9001:2014 does not have (ie, Internal audit objectives). And ISO/CD has a requirement that management review includes consideration of the extent to which OH&S policy and OH&S objectives have been met which is not in ISO/DIS 9001:2014. While seemingly of little consequence, it is this type of difference that causes confusion, to implementers and auditors, and Annex SL was introduced to prevent. Ideally, these will be resolved as development progresses. ISO/CD includes new concepts Context of the organisation, leadership and documented information are generally thought to be the more significant new concepts. The hierarchy of control is a concept the OH&S practitioner and auditor will be familiar with. New clause: Context of the organisation (4.1) The intent of 4.1 is to provide a high-level, conceptual understanding of the important issues that can affect, either positively or negatively, the way the organisation manages its responsibilities in relation to the OH&S management system for persons working under its control. The issues of interest are those that affect the organisation s ability to achieve the intended outcome, including the objectives it sets for its OH&S management system, which include meeting its OH&S policy commitments. Examples of the issues are: a) External issues such as the cultural, social, political, legal, financial, technological, economic and natural surroundings and market competition, whether international, national, regional or local. b) Internal characteristics or conditions of the organisation such as governance, structure, roles and accountabilities and the organisation s culture. The guidance given in ISO/CD adds the comment that: The results of the context review should be used to assist the organization in understanding and determining the scope of its OH&S management system, determining its risks and opportunities, developing or enhancing its OH&S policy, setting its OH&S objectives and determining the effectiveness of its approach to maintaining compliance with applicable legal requirements and other requirements to which the organization subscribes. Occupational health and safety management systems BS OHSAS moving to ISO

10 New clause: Interested parties (4.2) The organisation has to determine the interested parties that are relevant to the OH&S management system, and then the relevant requirements of those interested parties. However, there is no expectation that the organisation shall comply with all those relevant requirements. ISO/CD adds the statement: and which of these become applicable legal and other requirements to which the organisation subscribes. Referring to the guidance given in Annex A, we have the explanation: That Interested party needs and expectations are not necessarily compliant requirements of the organization. It is important to distinguish between what these needs and expectations will lead to: mandatory requirements, laws, regulations voluntary commitments to interested parties to which the organization voluntarily subscribes Needs and expectations from interested parties only become obligatory requirements for an organization if that organization chooses to adopt them. 9

11 Scope of the OH&S management system (4.3) ISO/CD states that The scope shall include all the activities, products or services within the organization s control or influence that can impact on the organization s OH&S performance. An area likely to cause some discussion will be that of outsourced operations. In the definitions ISO/ CD states that An external organization is outside the scope of the management system, although the outsourced function or process is within the scope. The question will be to what extent is the organisation responsible for the OH&S of outsourced operations carried out by another organisation or contractor? The guidance given in Annex A advises that: Supply and procurement policies should address hazards and potential OH&S risks to persons in the organization and, as far as possible, impacts on persons, outsourced or subcontracted, carrying out activities or producing products or services for the organization. An area likely to cause some discussion will be that of outsourced operations. New clause: Leadership (5) Section 5 dedicates itself to Leadership This section is divided into three sub-clauses: 5.1 Leadership and commitment. 5.2 Policy. 5.3 Organizational roles, responsibilities, accountabilities and authorities. Although some of section 5 will seem familiar to users of OHSAS there are significant new and enhanced requirements. This clause calls for the organisation s top management to demonstrate their involvement and engagement with the OH&S management system through direct participation in, for example: Taking OH&S performance into account in strategic planning Communicating the importance of effective OH&S management and of conforming to the OH&S management system requirements Directing and supporting persons to contribute to the effectiveness of the OH&S management system for all functions Promoting and leading organisational culture with regard to the OH&S management system Top management shall identify one or more of its members to be accountable for the OH&S policy and OH&S management system. Note that these are activities top management are required to carry out, they cannot delegate them to others. Thus, the top management assume an active role in the OH&S management system. The leaders must also ensure the integration of the OH&S management system requirements into the organisation s business processes. Revised requirements Documented information (7.5) OHSAS requirements for documentation and records are largely transferred to section 7.5, with revisions. Sub clause7.5 is further divided into three parts: General Creating and updating Control of documented Information The significant change is use of the term documented information not documents and records as is the case in OHSAS Documented information includes processed information held for example on smartphones, tablets etc. Occupational health and safety management systems BS OHSAS moving to ISO

12 Conclusion Both internal and external auditors need to have a real-time, practical approach to their audits. ISO/CD signals the significant similarities between OHSAS and the high-level changes and enhancements we expect to see in the new ISO standard. The DIS is likely to continue to refine the standard. Contentious issues such as definitions (eg, definition of risk, worker, and workplace) and proposals to replace hazard identification with risk identification will need to be resolved in ways that are acceptable to all nations involved in this process. We expect the OH&S specific text being added to the Annex SL core text will continue to be refined as development progresses. The extent and significance of ongoing changes will depend upon the degree of acceptance of the CD version when put to a ballot. That said, much of what is in ISO/CD is familiar to those already using OHSAS and while specific requirements may change, the overall concepts and intent of the new ISO standard are unlikely to change much from what we see in the CD version. By the time ISO is published in 2016, the new concepts coming from Annex SL will, for many organisations and auditors, be tried and tested because they appear also in the updated QMS and EMS standards due to be released in Organisations operating QMS, EMS and OH&S management systems will have a unique opportunity to align and integrate these three management systems, if they choose to do so. Organisations, OH&S professionals and auditors should be aware that at Committee Draft International Standard (CD) stage, technical changes may still occur, therefore it is recommended that, while preparation can be carried out, significant changes should not be implemented until the Final Draft International Standard (FDIS) is issued and the technical content is finalised. CQI/IRCA will continue to issue updates as development progresses. 11

13 THE BUSINESS VIEW DNV GL Business Assurance We see the new standard as a dynamic standard which can be easily coupled to all other available ISO standards that follow the high-level structure (HLS), which is sure to have a true business impact on the organisation. We expect to see more consistency in the content of training, but more flexibility and tailored approach in the delivery. The consistency in the content is required as it is an ISO standard based on the HLS and the standard requirements will be the same around the world. However, every time you try to implement these requirements, you need to be aware of the business context (both internal and external) of your organisation, and this demands a lot of updated knowledge, flexibility and customisation in our training. Not only because of the changes in the standard but especially when compared to the current practices in training, these changes call for a clear facelift for our training modules in terms of the market and business awareness. As such, the trainers should have a sound knowledge on the specific business context and its impacts including the identification, prioritisation and management of relevant interested parties, risks, opportunities and so on, connected to the specific industry, country or local community. This means that the users of the standard should be able to explore the consequences related to ever-changing demands in various business and industry sectors coupled to the technical or technological and societal changes etc. In other words, they need to be able to look outside of the box. Auditors and the people working with the standards not only need to be trained for the Occupational Health & Safety related risks, PDCA cycle and the process approach, but also on the other factors such as market awareness, risks and opportunity management, financial and human resources management, for example,that would have a direct or an indirect impact on the processes within the organisation. Both internal and external auditors need to have a real-time, practical approach to their audits. The times when they used standard checklists are gone. They need to focus on the impact of the business plans as a result of good or bad management of Occupational Health and Safety Systems in the organisation and vice versa. This will raise the awareness and commitment from the top management in adhering to the standard, and this is also the expectation of the HLS. The awareness and commitment from the top management in adhering to the standard, and especially to HLS elements, will need to be improved significantly as well compared to the past. As such, there will be a training need for all stakeholders involved, including the top management. Last but not least, as the busy organisations need flexibility, we strongly believe that elearning and blended learning will have higher demand in the near future. Occupational health and safety management systems BS OHSAS moving to ISO

14 Published in September 2014 by: The International Register of Certificated Auditors (IRCA) Part of: The Chartered Quality Institute The Chartered Quality Institute (CQI) 2nd Floor North, Chancery Exchange 10 Furnival Street London EC4A 1AB United Kingdom T: +44 (0) I F: +44 (0) I Incorporated by Royal Charter and registered as a charity number the CQI. All Rights Reserved