Should Identified Hazards and Risks necessarily have Linkage with Legal Requirements?

samsung

#1
During a recent initial audit of OHSAS, the CB auditor insisted that the identified hazards and the associated risks must show linkage with the applicable legal/regulatory requirements but I don't feel it's required by OHSAS 18001.

What's your opinion on this issue?

Thanks.
 
Stijloor

Staff member
Super Moderator
#2
Re: Should the identified hazards/risks necessarily have linkage with legal requireme

samsung said:
During a recent initial audit of OHSAS, the CB auditor insisted that the identified hazards and the associated risks must show linkage with the applicable legal/regulatory requirements but I don't feel it's required by OHSAS 18001.

What's your opinion on this issue?

Thanks.

Did the auditor cite a specific requirement?

Stijloor.
 
samsung

#3
Stijloor said:
Did the auditor cite a specific requirement?

Stijloor.

It was reported as a minor NC under clause 4.3.1 (i). We did have arguments over the requirements but the auditors didn't move. Finally we accepted the NC but under protest.
 

somashekar

Staff member
Super Moderator
#4
He is right from the planning angle of the OHSAS within the 4.3.1 i).
Depending on the hazard identified and risk assessed, certain types of incidents are reportable to the factories inspector in the prescribed format, and this control must be within the plan, if such risks are listed.
As I gather, a monthly return of accidents is to be submitted to the department, even if no accidents have occurred (nil return) and perhaps this control can also be a part in the OHSAS planning as a part of legal obligation.
This again is a "shall" requirement as said in the 4.3.1.
 
samsung

#5
somashekar said:
He is right from the planning angle of the OHSAS within the 4.3.1 i).
Depending on the hazard identified and risk assessed, certain types of incidents are reportable to the factories inspector in the prescribed format, and this control must be within the plan, if such risks are listed.
As I gather, a monthly return of accidents is to be submitted to the department, even if no accidents have occurred (nil return) and perhaps this control can also be a part in the OHSAS planning as a part of legal obligation.
This again is a "shall" requirement as said in the 4.3.1.

In 14001, it's pretty clear that the applicable legal requirements need to be aligned with the identified significant aspects but as far as OHSAS matters, I'm not sure whether a similar requirement does apply.

Although our procedure (for Hazard Identification & Risk Assessment) does commit to taking into account all the applicable legal requirements while carrying out the risk assessment and devising appropriate controls, so far we haven't linked those requirements to the identified hazards/risks in as much detail as expected by the auditor.

As you mentioned, incident reporting & submission of returns is addressed in compliance evaluation which the auditor found OK in terms of establishment of procedure as well as compliance in practice.
 

Paul Simpson

Trusted Information Resource
#6
somashekar said:
He is right from the planning angle of the OHSAS within the 4.3.1 i).

Oh no he isn't. :nope: I'll cover this below with the excerpt from 18001. It is a common misconception and I have clashed with a few auditors who will swear blind that it is required. So - 'Show me the shall!'

somashekar said:
Depending on the hazard identified and risk assessed, certain types of incidents are reportable to the factories inspector in the prescribed format, and this control must be within the plan, if such risks are listed.

This could indeed be the case but let's be clear: No legal obligation affects the identification of hazards and there is no requirement to cross refer to legislation in the hazard identification / risk control measures procedure (whether documented or not ;))

somashekar said:
As I gather, a monthly return of accidents is to be submitted to the department, even if no accidents have occurred (nil return) and perhaps this control can also be a part in the OHSAS planning as a part of legal obligation.

Again this may be a valid legal obligation and should be covered in the way the organization demonstrates it complies with legal requirements (clause 4.5.2 of 18k)

somashekar said:
This again is a "shall" requirement as said in the 4.3.1.

OK, somashekar I'll be interested to see the shall! :)

18001 Clause 4.3.1. i said:
any applicable legal obligations relating to risk assessment and implementation of necessary controls (see also the NOTE to 3.12);

So this requirement in clause 4.3.1 says that as part of the hazard identification and risk assessment process the organization needs to take into account the above. So if there is a legal requirement for risk assessment (as here in the UK) then your procedure (documented or not) must comply with that requirement.
 
samsung

#7
In principle, I agree with Boris :agree1:. 4.3.1 (i) does require that you take into account (planning stage) all the applicable "legal obligations relating to risk assessment & implementation of necessary controls". So if there is a legal requirement, e.g. for putting up an 'emergency shut off device' on a moving machine, you must specify it as one of the controls for minimizing the risk resulting from the moving machines.
 

somashekar

Staff member
Super Moderator
#8
Hi BorisS and Samsung.
No big disagreements with what has been explained. If you have indeed complied with your legal requirements, and the auditor has evaluated and agreed (as Samsung said: which the auditor found OK in terms of establishment of procedure as well as compliance in practice.)
It's perhaps for this the minor NC is written out as these are practised effectively, but do not appear in the planning. (Plan as I can see is the hazard and risk evaluation)
... and here is the "shall" ... in the OHSAS 18001:2007
4.3 Planning
4.3.1 Hazard identification, risk assessment and determining controls
The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.
The procedure(s) for hazard identification and risk assessment shall take into account:
 

Paul Simpson

Trusted Information Resource
#9
somashekar said:
Hi BorisS and Samsung.
No big disagreements with what has been explained. If you have indeed complied with your legal requirements, and the auditor has evaluated and agreed (as Samsung said: which the auditor found OK in terms of establishment of procedure as well as compliance in practice.)
It's perhaps for this the minor NC is written out as these are practised effectively, but do not appear in the planning. (Plan as I can see is the hazard and risk evaluation)

OK. As I understand it there is no non-compliance with the demonstration of compliance with legal requirements (4.5.2) but with the hazard identification and risk assessment process (4.3.1). So just for clarity it appears the auditor has misinterpreted 18k (as many do in my experience) to require a cross reference in the risk assessments to relevant legislation. There may be some benefit in doing so - up to the company to decide - but there is no NC with a requirement in the standard.

somashekar said:
... and here is the "shall" ... in the OHSAS 18001:2007
4.3 Planning
4.3.1 Hazard identification, risk assessment and determining controls
The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.
The procedure(s) for hazard identification and risk assessment shall take into account:

Again thanks for these but there is nothing in there that says risk assessments must refer to relevant legislation. :nope:
 