Auditing, reviewing and certifying occupational safety and health management systems
Emilia Dobrescu, National Research - Development for Health and Safety, Romania
- 1 Introduction
- 2 Definition and principles
- 3 Types of audits
- 4 Auditors – qualifications and abilities
- 5 Audit programme
- 6 Audit activities
- 7 Utilisation of outputs of an audit in the management review
- 8 External audits and certification of the OSH management system
- 9 Weakness in certification of the OSH management system
- 10 References
- 11 Links for future reading
The article presents specific elements of the process of auditing occupational health and safety(OSH) management system, such as definition and principles to be applied during audit, types of audit (internal, second-party and third-party), role of different parties involved (auditor, team-leader, observer, etc), qualification and abilities of OSH auditors, planning and activities in an audit programme, information on conducting an audit, management review and certification or registration of OSH management systems.
Definition and principles
European directives or national legislation establish that the employers have a duty to ensure the safety and health of workers in every aspect related to the work. The employers have responsibilities not only to take the necessary measures, including protection and prevention of occupational risks, information and training of workers, but also to assure an improvement in the level of protection afforded to workers.
Guidelines issued by national authorities in OSH at workplace describe the elements of an OSH management system model, subjected to periodic audits that could conduct to success in implementation of legislation. An audit is defined as a systematic, independent and documented process for obtaining “audit evidence” and evaluating it objectively against standards to determine to what extend the ”audit criteria” are fulfilled.
The auditor must look for all the necessary proofs to demonstrate the adequacy of the audit findings. This means first of all to collect information and data from different sources that are relevant to the audit criteria, such as:
- Employee’s declarations during interviews;
- records: inspection record, audit reports, occupational accident records, professional diseases records, test reports (noise, dangerous substances etc);
- documents: procedures, plans;
- web site addresses.
Information is then verified and the relevant one becomes “audit evidence” to be compared with the audit criteria in order to generate “audit findings”. These, after being analysed in relation to the objectives of the audit, will lead to the “audit conclusion”.
In an audit of OSH management system, audit criteria are the references against which the “audit evidences” are compared: policies, procedure and requirements, related to occupational health and safety or standards, such as OHSAS 18001, which is largely applied, particularly in Europe.
There are also other standards containing audit criteria, applied in United States, Canada, Australia or even in some countries of Europe. In Canada, for example, there are a general standard, as well as standards for particular economical activities, regarding specifies requirements for the implementation of a safety management system for firms engaged in the transportation of goods and/or people on public roadways. In United States it has been developed a national standard with requirements for OSH management system and the international standard regarding audit has been adapted. In Australia and New Zeeland the audit criteria and criteria for accreditation of OHS auditors are developed in a legal frame when the certification is made in scope of self-insurance or there are national standards.
All these standards are based on the same principles and are in most cases harmonized with the existing standards regarding quality management system and environmental system. They include similar requirements, the differences comprising the structure of standards, priorities in evaluation or the necessary documentation.
The auditing process of OSH management system could be applied to the entire organisation’s system or to a subdivision of the organisation. The following principles are to be observed in audit activities:
a) Principles regarding the auditors:
- ethical behaviour;
- correct report;
- adequate professional attention
b) Principles regarding the audit:
Types of audits
Classification of audits
The main types of audits are:
- internal audits;
- external audits;
- second party audits;
- third party audits
An internal audit is performed following a decision of the organisation’s management and it is applied to the activities of the same organisation. The audit must be independent and, in order to ensure the independence of the internal auditor from the auditee, a possible solution is to use auditors from within the organisation, e.g. from other location or other department, but not from the auditee’s site and/or another solution is to apply for external expertise. Internal audits of the OSH management system are conducted in order to determine whether the management system complies with the functioning plan for OSH management, with respect to legal requirements or to standards and to review and evaluate the performance and effectiveness of OSH MS. Internal audits can be made, for example, to check that hazards’ identification, risk assessment and controls are in place and up-to-date and if the risk assessment reflects actual workplace conditions and practice.
External audit: second and third party audits
A second-party audit is performed following a decision of the organisation’s management by competent personnel from within the organisation and/or by external personnel selected by the organisation and the audit is applied to the activities of a second organisation, usually a supplier of the first organisation. The purpose of the audit is for the auditor to verify if the auditee meets specific requirements and become satisfied with the performance level of the auditee. The conclusions of the audit are communicated to the management of the two organisations and to no other interested party.
A third-party audit is performed following an application for certification/registration against an OSH standard issued by an organisation’s management. It is undertaken by competent personnel from the certification/registration body. It is applied to the applicant’s organisations and the conclusions of the audit are communicated to the certification body and the management of the applicant. Only a positive decision is public or a negative decision after annual surveillance observations, as established in the final records: certificates, communications of withdrawal of certification.
Auditors – qualifications and abilities
The audit is performed by an audit team, which can be formed by one or more individuals having specific competencies, abilities and experience in activities, audit criteria and audit techniques. The team may include a lead auditor, auditors, and technical experts.
Actually, there is only one international specifications comprising requirements regarding the role, competencies and evaluation of auditors for quality and/or environmental management systems . This standard is applied all over the world, although guidelines regarding documentation of the audit or developing an audit in a particular industry have been issued in countries as Canada. A project is undertaken by the organisations of standardisation in order to expand the requirements of the existing standard on auditing to other types of management systems, including OSH management system auditing.
In the absence of standard containing similar guidelines for auditors of OSH management system, these elements are established by each certification body or organisation applying OSH audits, according to its own rules and procedure. The certification bodies adapt the conditions established in standards for quality and environmental systems’ auditors to the particular aspects of the OSH management system.
For accomplishing the specific task, an auditor must have particular personal attributes, knowledge and the skill to be able to apply the previous two in conducting an audit. An auditor shall be correct, honest and discrete, with an open mind, ready to take into consideration alternative points of view or hypotheses, able to attentively observe the surrounding environment and the activities going on, able to adapt to different situations, to reach adequate conclusions based on logical reasons and analysis and to have the capacity to act and perform independently the activities, although he/she effectively interacts with other people.
An OSH management system auditor shall have knowledge and abilities in the following fields:
- principles of prevention, legal requirements;
- other requirements related to health and safety at workplace or environment, e.g. contractual conditions, standards or non-regulatory guidelines related to the work environment, work equipment, personal protective equipment;
- the requirements of the applied occupational health and safety standard and of the guidelines for its application, including procedures, work instructions, plans, programmes;
- identification of OSH hazards and effects on the exposed people (human injury or ill health), risk assessment methodologies, methods of controlling risks of incidents, statistics of accidents, good practices, results of studies and research;
- design of work area, processes, installations, machinery/work equipment, operating processes and work organisation;
- auditing principles, procedures and techniques.
A team leader must have additional knowledge and abilities for being capable to plan the audit and to efficiently use the resources, to represent the audit team in interactions with the client and the auditee, to organize and conduct the audit team, to prevent or solve the eventual conflicts and to prepare and finalise the audit report.
Experts provide consultation or advice to the auditors regarding particular technical aspects of operations or of legal requirements, standards, etc.
A person can obtain the necessary competencies and abilities to perform activities of auditing by a combination of education, training and experience. In some countries, e.g. Romania, ’auditor of OSH management system’ is an officially recognized occupation and the auditor’s formation is conducted by approved institutions, on the basis of specific occupational standards.
The competence of the auditor is essential in performing a good audit and in obtaining correct results for an audit. An auditor having a solid background in general auditing techniques and requirements of the OSH standard, but only superficial knowledge of the OSH regulations, procedures and standards (specific legislation or good practices, hazards, risk assessment procedures, characteristics or requirements for personal protective equipment) would be able to only assess the formal accomplishment of the requirements and could fail to reveal major non-conformities of the organisation in adopting adequate measures for preventing accidents or occupational diseases and for protecting the health of the employees.
Good practices recommend performing series of audits based on a planned audit programme and each audit to be conducted according to the audit planning. The management of the audit programme and activities related to an audit should be in accordance with guidelines (OHSAS, 2008) or adapted after the standards referring to quality management system auditing. Any audit programme has particular objectives, taking into account the management’s priorities, OSH management system’s requirements, legal or contractual requirements, clients' requirements.
The frequency and coverage of audits in an audit programme should be established taking into account the maturity of the system, the risk of failure of the various elements of the management system, the data obtained from the previous management review and the extent to which the OSH management system and the organisational activities are subject to changes. Audits must be accomplished especially when changes occur in risk assessment or in organisation, and when an increasing rate of incidents or of the gravity of incidents is noted.
An audit programme can include audit follow-up, as part of each audit or separately.
Internal audit programme
The internal audit programme could have as objectives the evaluation of the compliance of the OSH management system with the occupational safety and health standard (system level), to review and evaluate the performance and effectiveness of the OSH system (operational level), to analyse compliance capability of the organisation to legal requirements (compliance audit) or to some particular aspects (record management and documentation, incident management). It should be planned and established on the basis of the risk assessment and previous audits and shall be maintained and implemented by the organisation. A typical internal audit programme, includes series of audits, it is established for one year and shall cover all the areas and activities and all the audit criteria/ requirements.
External audit programme: second and third party audits
A second–party audit programme usually has as objective to provide and maintain confidence in the capability of a supplier/contractor to respect the occupational safety and health requirements of an organisation. It should be planned on the basis of the assessment of the suppliers’ activities, the impact to the risk assessment of the supplier to the policy and objectives of the first organisation and the results of the previous audits. A typical second–party programme length is six months.
A third party audit programme has as objective to evaluate the conformity/compliance of the OSH MS of an organisation with the requirements of an OSH standard or other recognized audit criteria. It is planned and established on the grounds pertaining to the size of the organisation and the nature of risks involved, following the procedures of the certification bodies. A typical certification/registration audit programme is for three years and includes: an application and an agreed contract, pre-audit (optional), review/examination of the documentation, certification auditing and at least two surveillance audits (typically at 6 and 12 months spans) and, where the case arises, follow-up audits. Auditing undertaken for purposes of certification must cover all areas and activities within the scope of OSH management system and shall assess the conformity with all the requirements of the standard to be applied.
The process of auditing originated in the domain of finance and accounting and it was translated to social audits and OSH MS audit.
Audit generally means an on-site audit. Activities in a typical on-site audit are similar to those for auditing quality systems:
- initiating the audit;
- conducting document review (analysis of the relevant documents of OSH MS, including records in order to determine their adequacy);
- preparing the activities to be undertaken during the on-site audit (audit-plan, tasks of audit team, check-lists, questionnaires);
- conducting the audit (opening meeting, communication modalities, collecting and verifying the information, generating the audit findings, preparing the audit conclusions, end meeting);
- preparing and communicating audit report;
- completing the audit (preparing, approval and transmission of the audit report);
- performing the audit follow up.
Audit criteria from standards being general ones, it is important for the auditor to dispose of objectives and measurable audit criteria in order to minimize the subjectivity in evaluation.
The methods of collecting the necessary information are:
- examination of documents and records;
- direct observation of the performed activities and workplace conditions, including specific measuresments to be assessed, e.g. exposure levels.
The audit should ensure that an important part of the main activities is sampled and the relevant personnel are interviewed, otherwise the audit conducting to false conclusions. The examination of the documents, records or the observation of equipments, installations and on-site activities should not be performed formally but profoundly. The auditors should have the capacity to detect deficiencies in identification of dangers and risk assesment, non-conformities of equipments, negligences in respect to preventive or monitoring measures. The interviewed personnel should not be only the top-manager, OSH management representative and executives, but also workers and, if it is the case, external personnel, such as contractors. Interviewing the workers should be an important part of an audit, in order to determine the measure to which the organisation really implemented the OSH arrangements, the awareness of the employers, internal communications, and the participation of the workers in the OSH matters.
The audit report must summarize all the activities performed during the audit and must comprise information on identification of the audit, a summary of the audit process, including obstacles which could affect the confidence in audit conclusion, audit findings, including details of non-conformities and audit conclusion; internal or second-party audits may include suggestions for improvement of the healhy and safety at work place.
Utilisation of outputs of an audit in the management review
The top management review is one of the most important instruments in order to determine if the OSH MS is appropriate to the organisation’ structure, operations and personnel, is adequate to the organisation policy and objectives and is implemented with effectiveness and to adopt the best measures for improving. However, experts’ opinion is that internal audits should be not used as a primary tool for measuring the effectiveness of OSH management system, as long as they are of an infrequent nature. Internal audits are characterized by the risk of concentrating on the extent of compliance by the organisation with its own OSH policies, procedures and standards, instead of assessing if the system is capable of delivering the required level of safety appropriate to the organisation. In such cases, the organisation is compared itself with itself.
The outputs of the audit programme are performance indicators, such as safety audits conducted, the percentage of sub-standard conditions identified and corrected as a result of the safety audit. These outputs are used in the top management review as inputs, together with other indicators of safety performance or measurements. The details of non-conformities found during the internal or third-party audit can be used in the management review for establishing the weak points of the OSH management system and for adopting adequate measures to prevent other failures.
The findings and conclusions of internal audits having as the objective to review and evaluate the performance and effectiveness of occupational safety and health management systems are used to define new objectives for the OSH management system or to adopt measures for continual improvement of the system.
External audits and certification of the OSH management system
External audits of OSH management system are accomplished by independent auditors of an external organisation, ‘the certification body’, the applicant intending to make public the results attesting the conformity to all interested parties. The audit criteria can be a standard, legal provisions or particular criteria.
In Europe, the Netherlands was the first country to set up an extensive infrastructure for certification at the beginning of 1990s, for the accreditation of bodies undertaking product certification (testing), certification of individuals and system certification, as Safety Certificate for Contractors in chemical industry or certification of asbestos removal firms. In Australia, external audits of OSH management system have been implemented as a result of the changes in state insurance arrangements in the early 1990s, asking self-insured organisations to prove to the workers’ compensation agency that they were high performers in occupational health and safety management systems.
A certification body applies an external, third-party programme audit in order to assess and demonstrate the compliance of the OSH management system of an organisation to the requirements of one or more occupational international or national standards or to “recognition’ schemes.
When the audited organisation’s OSH management system fulfills the audit criteria, the certification body issues a written document, ‚the certificate’, attesting the conformity and it records in its cleint register data about the audited company. The atestation of the conformity of a system by an independent body is usually called „certification”, but the term ‚registration’ is often preferred in North America
Certification delivers “justified confidence” that the organisation meets the set of relevant requirements, which does not mean “certainty” or a ‘guarantee’, although it is often perceived that way and it is sometimes suggested by less scrupulous certifiers.
Certification of the OSH management system is usually voluntary, with the exception of some countries in Asia. Certification becomes actually mandatory when an important potential client, such as a public organisation requires suppliers to provide OSH management system certification as part of the tendering process.
Only a part of the certification bodies in Europe are accredited by national accreditation bodies following the rules established in particular standards and in national or regional specifications.
The reason for an organisation to apply for a third-party certification/registration of OSH management system is to increase the confidence of the clients and other parties in its commitment to prevent accidents and ill-health and to upgrade its brand image.
In the beginning of years 2000, the most of the European companies were against the development of a national or international standard regarding OSH management system. After the endorsement of a specific British standard and especially after the approval of the first edition of the actual series of standards on occupational health and safety assessment, more and more companies in Europe asked for certification or registration of their OSH management system. According to statistics of BSI, OSH management system registration to OHSAS 18001:2007 covers over 80% of the issued occupational safety and health management system certificates.
In North America, only after the year 2005 companies’ interest in certification and/or registration of their OSH management system has increased, and today most of the certifications bodies offer registration7registration against one, two or three standards in the same time, respectively the Canadian, American or occupational standard.
Weakness in certification of the OSH management system
Certification is supposed to add extra quality to the internal OSH management system, because the audits presumably ensure both compliance and a continuous focus on improvement of the healhy and safety at work place, but this aim is not entirely reached due to the weaknesses of the process, presented below.
Traditional management standards have a bias towards identifying deviations and solutions in a way that promotes viewing them as technical problems with unambiguous technical solutions and the management of the organisation, as well as auditors, prioritize safety issues and issues having a single cause-and-effect problem and a technical solution, ignoring especially those work environment issues presenting a dilemma.
The audits for certification require standardized solutions to OSH problems, and standardization is therefore indirectly promoted in certified systems, but increased standardization may in itself compromise areas as the professional judgment of workers or more flexible solutions. The mechanisms of certification in this way partly reconstruct the work environment that they are supposed to control.
OSH audits actually fail also when one of the following causes is involved:
- a lack of auditor independence (overt and intentional or covert) and a lack of skill (lacking in elements of technical or legislative knowledge), leading to confusing or misleading results pr even to fraud;
- focusing of the auditors on audit of documentation and failure to allow worker participation;
- paperwork for the sake of the audit – organisations generate and retain documentation in order to meet the audit criteria, overly prescribing work activities and making rules that are unworkable, with little impact on the action that are necessary to make the workplace healthy and safe and even actually prevent such actions;
- unintended consequences of audit scoring – organisations focus on the goal of passing an OSH management system audit at the expense of the more vital goal of making the workplace healthy and safe;
- the confusion of audit criteria – reductionist reporting of audit results (done or not done, good or bad) may oversimplify matters that should cause concern and the confusion of audit criteria with the OSH MS itself may divert attention away from actions to improve OSH and towards activities that ensure audit success.
Such aspects explain why a positive conclusion of an audit or certification of the occupational safety and health management system is not a guarantee of the compliance with all the requirements of OSH management system and may lead to a false sense of security and why serious accidents have happened soon after an on-site audit.
Even in organisations with successful implementation and certification of OSH management system it can be observed that the external performance for an external audience became the major issue for company management and the demand for visible performance changes the focus from internal identification and control of the work environment to the ability to demonstrate that the work environment is safe and problem-free. Management’s focus on safety, especially the system of monitoring safety, led to a neglect of some areas, such as psychosocial issues, job intensity (related to work pressure and production goals), poor management and general concern for employee well-being. Auditors appear to accept these priorities, most of them identifying minor technical deviations and no offering comments on the exclusion of psychosocial risks.
Accreditation of certification bodies and their periodical independent evaluation focused on critical factors that may undermine the effectiveness of the audit procedures could minimize the impact of negative factors that lead to a false conclusion of the external audits.
- OSHA – US Department of Labour, Occupational Health & Safety Administration, FactSheet, ’Effective Workplace Safety and Health Management System‘, 2008. Available at: http://www.osha.gov/Publications/safety-health-management-systems.pdf
- CAN/CSA-Z1000-06 Occupational Health and Safety Management, Canadian Standards Association (CSA), 2006
- CAN/CSA B619-00 (R2005) Carrier Safety Management Systems, Canadian Standards Association (CSA),
- ANSI/AIHA Z10-2005, ‘American National Standard for Occupational Health and Safety Management Systems‘, American National Standards Institute (ANSI), 2005
- EN ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing, European Committee for Standardization (CEN), Brussels, 2002
- ANSI/ISO/ASQ QE19011S-2008, ‘Guidelines for management systems auditing – U.S. Version with supplemental guidance added‘, American National Standards Institute (ANSI), 2008
- AS/NZS 4801:2001 ‘Occupational health and safety management systems – Specification with guidance for use‘, Standards Australia, 2001, Available at: www.standards.org.au.
- Pozniak, E., Comparison of Occupational Health & Safety Management System Standards Worldwide CSA, ANSI & OHSAS (2007). Retrieved 27 April 2011, from: www.pozniaksafety.com/eldeenpresentation.pdf
- health Canada, ‘Guidance Document GD211: Guidance on the Content of Quality Management System Audit Reports’, 2011. Available at: http://www.hc-sc.gc.ca/dhp-mps/md-im/qualsys/cmdcas_scecim_audit13485_gd211-eng.php
- Blewett, V., O’Keeffe, V.,’Weighing the pig never made it heavier: Auditing OHS, social auditing as verification of process in Australia’. Safety Science, Vol. 49, Issue 7, August 2011, Pages 1014-21, Available at: http://www.sciencedirect.com/science/article/pii/S0925753510002882
- Zwetsloot, G. I.J.M., Hale, A., Zwanikken, S. ‘Regulatory risk control through mandatory occupational safety and health (OSH) certification and testing regimes (CTRs)‘, Safety Science, Vol. 49, Issue 7, August 2011, pp. 995-1006. Available at: http://www.sciencedirect.com/science/article/pii/S0925753510002857
- ANAB/ANSI-ASQ – National Accreditation Board, Accreditation for Occupational Health and Safety Management Systems (2011). Retrieved 27 April 2011, from: http://www.anab.org/accreditation/ohsms.aspx
- Gallagher, C., Underhill E., Rimmer, M., Occupational Health and Safety Management Systems: A Review of their Effectiveness in Securing Healthy and Safe Workplaces - A report prepared for the National Occupational Health and Safety Commission, Sydney, Australia, April 2001. Available at: http://www.safeworkaustralia.gov.au/AboutSafeWorkAustralia/WhatWeDo/Publications/Pages/ACRR2001OHSManagementSystemsReview.aspx
- EN ISO 17021:2006, Conformity assessment – Requirements for bodies providing audit and certification of management systems, European Committee for Standardization (CEN), Brussels, 2002
- BSI – British Standards Institution, BS 8800:1996 Occupational health and safety management systems. Specifications, BSI, London, 1996
- BSI – British Standards Institution, OHSAS 18001:2007 Occupational health and safety management systems, Requirements, BSI, London, 2007.
- BSI – British Standards Institution, OHSAS 18002:2008 Occupational health and safety management systems Guidelines for the implementation of OHSAS 18001:2007, BSI, London, 2008
- BSI Group EMEA – BSI Management Systems, Health & Safety OHSAS 18001, Case Study (2007). Retrieved 23 March 2011, from: http://www.bsi-emea.com/OHS/CaseStudies/index.xalter
- Hohnen, P., Hasle, P. ‘Making work environment auditable – A ‘critical case’ study of certified occupational health and safety management systems in Denmark‘, Safety Science, Vol. 49, Issue 7, August 2011, p. 1022-29. Available at: http://www.sciencedirect.com/science/article/pii/S0925753510002833
Links for future reading
CCOHS – Canadian Centre for Occupational Health and Safety, ‘CSA Z1000-06 Occupational Health and Safety Management - Canada’s First Consensus-Based Occupational Health And Safety Management Standard‘(2011). Retrieved on 27 April 2011, from: http://www.ccohs.ca/headlines/text190.html
EU-OSHA – European Agency for Safety and Health at Work. ’The ise of occupational health and safety management system in the Member States of European Union’. Luxembourf Office for Official Publications of European Comunities, 2002. Available at: http://osha.europa.eu/en/publications/reports
HSE – Health and Safety Executive, Successful health and Safety management. HS(G)65., 2nd Edition, 1997, HSE Books, London, 1997. Available at: http://www.hsebooks.co.uk
HSE – Health and Safety Executive, Safety performance indicators. Retrieved 19 June 2011, from: http://www.hse.gov.uk/opsunit/.
RSC – Royal Society of Chemistry, Note on Occupational health and safety management systems (2011). Retrieved 27 April 2011, from: http://www.rsc.org/images/OHMS260209_tcm18-38058.pdf
Wikipedia – The Free Encyclopedia, Certification (19 June 2011), Retrieved 19 June 2011, from: http://en.wikipedia.org/wiki/ Certification
Wikipedia – The Free Encyclopedia, Occupational safety and health (19 June 2011), Retrieved 19 June 2011, from: http://en.wikipedia.org/wiki/Occupational_safety_and_health
Wikipedia – The Free Encyclopedia, Safety in Australia (19 June 2011), Retrieved 19 June 2011, from: http://en.wikipedia.org/wiki/Safety_in_Australia