Interesting Discussion Legal compliance as part of ISO 45001 accredited certification. Major OSHA penalties in the USA.

Sidney Vianna

Post Responsibly
Staff member
Admin
#1
As we move forward transitioning from OHSAS 18001 to ISO 45001 certification, it is interesting to note that the IAF has recently released a new edition of the IAF Mandatory Document 22 - Application of ISO/IEC 17021-1 for the Certification of Occupational Health and Safety Management Systems (OH&SMS). In the document, we have an Appendix A that deals with the subject of legal compliance and its implications and expectations as it relates to accredited certification of organizations' occupational health & safety management systems. In part, the document states:

While certification of an OH&SMS against the requirements of the applicable OH&SMS standard is not a guarantee of legal compliance (neither is any other means of control, including government or other type of control and/or legal compliance inspections or other forms of certification or verification), it is a proven and efficient tool to achieve and maintain such legal compliance.

It is recognised that accredited OH&SMS certification shall demonstrate that an independent third-party (Certification Body) has evaluated and confirmed that the organisation has a demonstrably effective OH&SMS to ensure the fulfilment of its policy commitments including legal compliance.

Ongoing or potential non-compliances with the applicable legal requirements might show a lack of management control within the organisation and its OH&SMS and the conformity with the standard should be carefully reviewed.
Further down in the document, we read this interesting paragraph:
Any organization failing to demonstrate their initial or ongoing commitment to legal compliance, shall not be certified or continued to be certified as meeting the requirements of an OH&SMS standard by the Certification Body.
In the USA, one of the regulatory bodies enforcing compliance with occupational health and safety is OSHA. On their website, they have a page dedicated to listing cases where enforcement penalties over US$40,000 exist. There are a few cases where the initial penalty is way north of US$1,000,000 and the information could be perused @ Enforcement Cases with Initial Penalties of $40,000 or Above | Occupational Safety and Health Administration

Any OHSMS CB auditor performing audits to OHSAS 18001, ISO 45001 or any other OHSMS standard in the USA should become acquainted with that information.

For some of the pundits out there who like to use examples of certified organizations caught in regulatory non-compliance instances, this should clarify the issue.
 


Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
It is a delicate line to walk: I am not supposed to be a compliance auditor, but am expected to identify gaps in what is required and what has been recognized as required, and effective controls implemented. My answer has often been to say "Let's look it up" and research it together with the client. Evaluation of compliance is often poorly understood as the technical review required to verify controls meet the codes. I can't leave the client to do a half-baked job or leave unattended gaps.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#3
My answer has often been to say "Let's look it up" and research it together with the client.
Now, THAT is a delicate line. When a CB auditor engages in helping the registrant in determining legal compliance, that could lead to a threat to objectivity. It is UP to the registrant to figure out how to attain and maintain reg. compliance. The CB auditor should not find him/herself "assisting" the registrant with that critical task. In my opinion, of course.
 

Randy

Super Moderator
#4
A toughy mainly because the vast majority of auditors have less real 1st hand knowledge and understanding of OHS regulatory compliance requirements and fulfillment than a cow has in the making of buttermilk. In essence the auditor is going to be thrust into determining whether or not the "auditee/organization" is violating a presumed or even guessed at regulatory obligation/requirement based on that auditor's opinion for simple regulations like Process Safety, Ionizing Radiation, Electrical Safety (Subpart S), and Subpart Z for example in US OSHA regulations.

I'm not just tossing this around, this is an honest concern. I don't have a problem delving into the OHS legal environment, but then again I've a degree in OHS, I've 30+ years in OHS, I just did an additional 32 hours of US OSHA regulatory training just this year alone (OSHA 511), I've been certified to teach the OSHA 30 Hr Trainer course (OSHA 501), I've got over 200 class hours in Radiation Safety, over 100 in Ergonomics/Human Factors, along with Hazwoper, Anhydrous Ammonia-Hydrogen Sulfide specific, Explosives Safety and a ton of other stuff.

With all that I don't think it's my place as a 3rd party systems auditor to say...Nope, you're violating the law because of XXX......and documenting such....... in doing so it just seems like I'm going to become part of the compliance and the evaluation of compliance process stepping away from objectivity/impartiality.

And in all honesty, nobody, nobody is ever going to be 100% compliant all the time, it just isn't going to happen, no how, no way because there will always be one uncontrollable hazard...The individual! It's not going to happen.

Under MD22 the process would be to deny recommendation because someone wasn't wearing earplugs, or eye protection or a work rest was more than 1/8" from a grinder, or an SDS was not available? Really?

Maybe I'm reading it wrong, but I just don't think that's the real intent.

Commitment, Identification, Control, Review, Correction/Improvement
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#5
Now, THAT is a delicate line. When a CB auditor engages in helping the registrant in determining legal compliance, that could lead to a threat to objectivity. It is UP to the registrant to figure out how to attain and maintain reg. compliance. The CB auditor should not find him/herself "assisting" the registrant with that critical task. In my opinion, of course.
I agree.
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#6
Maybe I'm reading it wrong, but I just don't think that's the real intent.
Yes, you are misreading it.

Setting an analogy with ISO 9001 in the quality management system world:

producing a nonconforming product should not be grounds to deny any organization certification to ISO 9001; however,
  • KNOWINGLY and WILLFULLY shipping nonconforming products to customers should lead to de-certification proceedings.
  • KNOWINGLY and WILLFULLY placing unsafe products in the market place should lead to de-certification proceedings.
  • KNOWINGLY and WILLFULLY ignoring regulatory requirements because the potential fines are lower than the potential profit should lead to de-certification proceedings.

So, yes, the job of a competent CB auditor is not easy, in terms of determining if violations, noncompliance, offenses are premeditated and willful. But we MUST not ignore the issue. And that's why the commoditization of management system certification, which leads to an assembly-line approach to audits, MUST stop.
 
#7
Hello!

IAF doesn't require (in accordance with ISO 45001) the auditor to ensure that the company complies with its applicable OHS legal requirements. IAF just draws attention to the interest of the auditor in questioning the ability of the company (through its OHSMS) to move towards this legal compliance, so that OHSMS certification is also a presumption of this ability.

In any case, the OHSMS auditors have neither knowledge nor means (audit duration) to audit OHS legal compliance to OHS* legal requirements of the country where a company is located.
* hundreds of pages of OHS legal requirements, while ISO 45001 has only 16 pages of requirements.

Cordially.
 

tony s

Information Seeker
Trusted Information Resource
#8
There's another statement to clarify "failing to demonstrate their initial or ongoing commitment to legal compliance, shall not be certified or continued to be certified". It says "Deliberate or consistent non-compliance shall be considered a serious failure to support the policy commitment to achieving legal compliance and shall preclude certification or cause an existing OH&SMS standard certificate to be suspended, or withdrawn".
 

Sidney Vianna

Post Responsibly
Staff member
Admin
#9
That's right. From an external auditor standpoint, it would be very difficult to reach a conclusion that a regulatory noncompliance was deliberate, unless someone confesses to it or somebody blows the whistle. But consistent noncompliance is much easier to establish.

Problem is: we have a number of spineless third party auditors out there who would not have the courage to trigger certificate revocation proceedings.
 