Mark Hammar
October 2, 2019
If you are implementing an Occupational Health & Safety Management System (OHSMS) using the ISO 45001:2018 standard requirements, you are likely considering having your OHSMS certified when implementation is done. If so, you may wonder what needs to be done to successfully prepare for the certification auditor after the OHSMS is implemented. In fact, it is helpful to be clear what certification is to begin with.
For an overview of all the steps for implementing and certifying your OHSMS, see the article: 12 steps for implementation and certification against ISO 45001.
It would be helpful to quickly discuss the difference between implementation and certification. Implementation is the process you go through to create all of the rules, policies, processes and procedures needed to meet the requirements of ISO 45001:2018, and to meet the needs of your organization. These are then established by ensuring that everyone in your organization knows what they need to do.
Certification is separate from implementation. It comes as a bit of a surprise to many people to find out that there is not a requirement in ISO 45001:2018 to have a third-party certification body conduct an audit and confirm that the organization has successfully implemented the requirements of the standard. There are many good reasons to have a third-party auditor look at your system, including the benefit of having someone outside your organization identifying ways to improve. Below is what the certification auditors will expect of your OH&SMS before they perform their audit.
If you have chosen to go through the certification process, there are a few things that will need to be completed before the auditors come to perform their final certification audit. The auditors will already have done their stage 1 documentation audit, where they have reviewed your documentation to ensure that it meets the requirements of the standard. After this, you will need also to take care that the following is ensured:
All processes implemented – As not all processes are documented, you will need to ensure that all the processes you need within the OHSMS are in place. It is expected that you have established each process (set the process rules), implemented each process (ensured the rules are known and are monitored) and are maintaining each process (making sure that when rules change people know, and new people are informed of the rules). It is not acceptable to have incomplete processes.
OHSMS settled – In order to audit you will need to have adequate records to demonstrate how your processes work. For this reason, certification auditors will want you to have used your OHSMS for a period of time to collect the records necessary to demonstrate this. This timeframe is different for each certification body, but often ranges from a minimum of 4 months to 8 months with some as long as 12 months.
All processes audited – One of the key processes to evaluate your OHSMS performance is the internal audit. The certification auditors will expect that you have done this internal audit review for all of your processes before they come and do their audits.
Management review completed – Another important OHSMS evaluation is the management review. It is expected that you will have performed at least one management review of the OHSMS to verify effectiveness and efficiency and to assess resource allocation.
Corrective actions taken – It is very likely that you will have found nonconformities in the processes during this time through internal audits, management reviews and process monitoring. When these nonconformities are found, it is expected that you will have taken corrective actions to remove the nonconformity and prevent it from happening again.
Improvements demonstrated – What are you doing to make your OHSMS better? Corrective actions are one method of improvement, but you should also be able to demonstrate progress on your OH&S objectives and other ways of addressing opportunities for improvement in your OH&S processes.
As with many things in life, if you are not properly prepared you will have problems. The activities you need to do before certification are important because they ensure your OH&SMS is working before you bring in an outside party to verify your implementation. While these tasks take some time, they will help you to catch some problems that could prevent you from passing the certification audit and delay final certification. You don’t want the certification auditors to be occupied by finding issues you should have found yourself when they could be pointing out real problems you may not have noticed.
Since you are paying to have the certification audit, make sure it provides the best information possible to help improve the OHSMS.
For help on getting ready for the certification audit, see this free white paper: What to expect at the ISO certification audit: What the auditor can and cannot do.