Interesting Discussion Legal compliance as part of ISO 45001 accredited certification. Major OSHA penalties in the USA.

Sidney Vianna

Post Responsibly
Leader
Admin
As we move forward transitioning from OHSAS 18001 to ISO 45001 certification, it is interesting to note that the IAF has recently released a new edition of the IAF Mandatory Document 22 - Application of ISO/IEC 17021-1 for the Certification of Occupational Health and Safety Management Systems (OH&SMS). In the document, we have an Appendix A that deals with the subject of legal compliance and its implications and expectations as it relates to accredited certification of organizations' occupational health & safety management systems. In part, the document states:

While certification of an OH&SMS against the requirements of the applicable OH&SMS standard is not a guarantee of legal compliance (neither is any other means of control, including government or other type of control and/or legal compliance inspections or other forms of certification or verification), it is a proven and efficient tool to achieve and maintain such legal compliance.

It is recognised that accredited OH&SMS certification shall demonstrate that an independent third-party (Certification Body) has evaluated and confirmed that the organisation has a demonstrably effective OH&SMS to ensure the fulfilment of its policy commitments including legal compliance.

Ongoing or potential non-compliances with the applicable legal requirements might show a lack of management control within the organisation and its OH&SMS and the conformity with the standard should be carefully reviewed.

Further down in the document, we read this interesting paragraph:
Any organization failing to demonstrate their initial or ongoing commitment to legal compliance, shall not be certified or continued to be certified as meeting the requirements of an OH&SMS standard by the Certification Body.

In the USA, one of the regulatory bodies enforcing compliance with occupational health and safety is OSHA. On their website, they have a page dedicated to listing cases where enforcement penalties over US$40,000 exist. There are a few cases where the initial penalty is way north of US$1,000,000 and the information could be perused @ Enforcement Cases with Initial Penalties of $40,000 or Above | Occupational Safety and Health Administration

Any OHSMS CB auditor performing audits to OHSAS 18001, ISO 45001 or any other OHSMS standard in the USA, should become acquainted with that information.

For some of the pundits out there who like to use examples of certified organizations caught in regulatory non-compliance instances, this should clarify the issue.
 

Attachments

  • IAF MD22 Issue 2.pdf

Jen Kirley

Quality and Auditing Expert
Leader
Admin
It is a delicate line to walk: I am not supposed to be a compliance auditor, but am expected to identify gaps in what is required and what has been recognized as required, and effective controls implemented. My answer has often been to say "Let's look it up" and research it together with the client. Evaluation of compliance is often poorly understood as the technical review required to verify controls meet the codes. I can't leave the client to do a half-baked job or leave unattended gaps.
 

Sidney Vianna

Post Responsibly
Leader
Admin
My answer has often been to say "Let's look it up" and research it together with the client.
Now, THAT is a delicate line. When a CB auditor engages in helping the registrant in determining legal compliance, that could lead to a threat to objectivity. It is UP to the registrant to figure out how to attain and maintain reg. compliance. The CB auditor should not find him/herself "assisting" the registrant with that critical task. In my opinion, of course.
 

Randy

Super Moderator
A toughy mainly because the vast majority of auditors have less real 1st hand knowledge and understanding of OHS regulatory compliance requirements and fulfillment than a cow has in the making of buttermilk. In essence the auditor is going to be thrust into determining whether or not the "auditee/organization" is violating a presumed or even guessed at regulatory obligation/requirement based on that auditor's opinion for simple regulations like Process Safety, Ionizing Radiation, Electrical Safety (Subpart S), and Subpart Z for example in US OSHA regulations.

I'm not just tossing this around, this is an honest concern. I don't have a problem delving into the OHS legal environment, but then again I've a degree in OHS, I've 30+ years in OHS, I just did an additional 32 hours of US OSHA regulatory training just this year alone (OSHA 511), I've been certified to teach the OSHA 30 Hr Trainer course (OSHA 501), I've got over 200 class hours in Radiation Safety, over 100 in Ergonomics/Human Factors, along with Hazwoper, Anhydrous Ammonia-Hydrogen Sulfide specific, Explosives Safety and a ton of other stuff.

With all that I don't think it's my place as a 3rd party systems auditor to say...Nope, you're violating the law because of XXX......and documenting such....... in doing so it just seems like I'm going to become part of the compliance and the evaluation of compliance process stepping away from objectivity/impartiality.

And in all honesty, nobody, nobody is ever going to be 100% compliant all the time, it just isn't going to happen, no how, no way because there will always be one uncontrollable hazard...The individual! It's not going to happen.

Under MD22 the process would be to deny recommendation because someone wasn't wearing earplugs, or eye protection or a work rest was more than 1/8" from a grinder, or an SDS was not available? Really?

Maybe I'm reading it wrong, but I just don't think that's the real intent.

Commitment, Identification, Control, Review, Correction/Improvement
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Now, THAT is a delicate line. When a CB auditor engages in helping the registrant in determining legal compliance, that could lead to a threat to objectivity. It is UP to the registrant to figure out how to attain and maintain reg. compliance. The CB auditor should not find him/herself "assisting" the registrant with that critical task. In my opinion, of course.
I agree.
 

Sidney Vianna

Post Responsibly
Leader
Admin
Maybe I'm reading it wrong, but I just don't think that's the real intent.
Yes, you are misreading it.

Setting an analogy with ISO 9001 in the quality management system world:

Producing a nonconforming product should not be grounds to deny any organization certification to ISO 9001; however,
  • KNOWINGLY and WILLFULLY shipping nonconforming products to customers should lead to de-certification proceedings.
  • KNOWINGLY and WILLFULLY placing unsafe products in the market place should lead to de-certification proceedings.
  • KNOWINGLY and WILLFULLY ignoring regulatory requirements because the potential fines are lower than the potential profit should lead to de-certification proceedings.

So, yes, the job of a competent CB auditor is not easy, in terms of determining if violations, noncompliance, offenses are premeditated and willful. But we MUST not ignore the issue. And that's why the commoditization of management system certification, which leads to an assembly-line approach to audits, MUST stop.
 

Henria

OSH Officer
Hello!

IAF doesn't require (in accordance with ISO 45001) the auditor to ensure that the company complies with its applicable OHS legal requirements. IAF just draws attention to the interest of the auditor in questioning the ability of the company (through its OHSMS) to move towards this legal compliance, so that OHSMS certification is also a presumption of this ability.

In any case, the OHSMS auditors have neither knowledge nor means (audit duration) to audit OHS legal compliance to OHS* legal requirements of the country where a company is located.
* hundreds of pages of OHS legal requirements, while ISO 45001 has only 16 pages of requirements.

Cordially.
 

tony s

Information Seeker
Trusted Information Resource
There's another statement to clarify "failing to demonstrate their initial or ongoing commitment to legal compliance, shall not be certified or continued to be certified". It says "Deliberate or consistent non-compliance shall be considered a serious failure to support the policy commitment to achieving legal compliance and shall preclude certification or cause an existing OH&SMS standard certificate to be suspended, or withdrawn".
 

Sidney Vianna

Post Responsibly
Leader
Admin
That's right. From an external auditor standpoint, it would be very difficult to reach a conclusion that a regulatory noncompliance was deliberate, unless someone confesses to it or somebody blows the whistle. But consistent noncompliance is much easier to establish.

Problem is: we have a number of spineless third party auditors out there who would not have the courage to trigger certificate revocation proceedings.
 