ISO 45001 - Misconceptions and compliance evaluation
09 December 2019
NQA’s Principal Assessor for OHS Management Systems – Terry Fisher discusses the evaluation of compliance within ISO 45001:2018 and the common misconceptions that may occur within the clauses.
Evaluation of compliance within OHS systems is often a weakness and in many cases where I have audited, the process is not fully understood.
Before I talk about what it is, let me firstly say what it isn’t...
There is a common misconception that clause 9.1.2 is all about ensuring that the legal register is up to date and that all recently amended legislation has been included or updated.
This is covered in the ISO 45001, ‘Determination of legal requirements and other requirements’ under clause 6.1.3.
ISO 45001:2018 clause 6.1.3. has three main requirements:
Identify and have access to up to date applicable compliance obligations - This is the important first step of making sure that you know all of the legal and other requirements related to the OHS system that are applicable to your organisations hazards and OHS risks.
Remember that these can originate at a local, regional, national, or even international level depending on the activities of your company. If you don’t know that a specific requirement exists, how likely are you to be able to comply?
Determine how these obligations apply to your organization - Equally as important as knowing that a requirement exists is the understanding of how /or what does that requirement mean to your organisation or knowing if it actually applies to your situation and if so, what are the obligations it places on you.
Whilst there is no formal requirement to have a legal register as such, the standard requires that documented information regarding legal and other requirements is maintained and updated to reflect changes.
Consider the Legal and Other requirements when implementing, maintaining and improving the OHS management system - This element can be very important in relation to internal changes and also future external proposed change eg; legislation - to be implemented or local working agreements with workers.
So, once you have determined your Compliance Obligation / Legal and Other requirements, now you must evaluate your compliance. Here you must plan and implement a process to evaluate if you meet legal and other requirements that are applicable to your business.
ISO 45001; Clause 9.1.2 - Evaluation of compliance
This process needs to include:
Frequency of compliance evaluation: How and how often you are going to check to see if you meet the requirements of a particular item of legislation / obligation will vary, but your process needs to determine how often you will check each requirement for the status of compliance.
E.g. you may need to continually monitor the operation and performance of an LEV system connected to a process to ensure workers are not exposed to the hazardous emissions from that process.
Other requirements may be subject to statutory inspection i.e. lifting equipment within the UK.
The system must be able to confirm this has effectively been completed and any actions required have been implemented.
Evaluate compliance and take action: As an organization, you need to make an assessment against the applicable requirements or other commitments to see if you meet these requirements. You may need to take any action necessary to become compliant if you are not.
The system is designed to help you be aware of and deliver your policy commitments to compliance.
Maintain the knowledge and understanding of your compliance status: In other words, know if you actually comply with your requirements. If a requirement changes, you need to know about it and know if the change affects your compliance with relevant obligation.
If you make a change in your operation, you may need to evaluate whether you continue to meet all requirements, both during and after the change, even if you are not yet due to do this according to your regular schedule.
Documented Information: The evaluation needs to be supported by documented information of the compliance evaluation results, for the use of you, your management system, internal auditors and any relevant interested party or external certification auditor who will need to see it as part of an assessment.
Organizations meeting the compliance requirements of ISO 45001:2018 should be in a far better position to understand their compliance risks and the benefits from being able to demonstrate to stakeholders, that they are fulfilling their commitments, whether they are statutory or other requirements in line with the policy commitments.
Certification Body auditors are required to audit conformity of an OHS system against the requirements of ISO 45001:2018.
They are not required to make a direct evaluation of legal compliance since this is the requirement for the organization itself, but they are required to ensure the process of evaluation is being effectively implemented as part of the management system.
The auditor is not permitted or expected to conduct a compliance audit, which would be the role of the regulator or an auditor/inspector contracted specifically for this purpose. Nor will a management systems auditor make statements with regard to the overall compliance status of a client organisation.
System migration – OHSAS 18001 to ISO 45001
We are now more than halfway through the migration period which is scheduled to end in March 2021.
Don’t leave it to the last few months or weeks before migrating your system. Give yourselves as much time as possible to avoid a last minute crisis and potential loss of registration.
If you need any support from NQA please feel free to contact us at firstname.lastname@example.org or call us on 0800 052 2424.
For ISO 45001 training to help you through the migration please click here.