iso9001-2015 audit checklist - stm quality.co.uk - … · web viewoccupational health and safety...

Occupational Health and Safety Gap Analysis for OHSAS 18001:2007Q# OHSAS 18001 Clause Audit Question Audit Evidence

4 OH&S management system requirements4.1 General Requirements

4.1q1 The organization shall establish, document, implement, maintain and continually improve an OH&S management system in accordance with the requirements of this OHSAS Standard and determine how it will fulfil those requirements.

Show me how the OH&S management system was established and implemented. How is it maintained? Where is it documented? How does it fulfil requirements of 18001?

Documented OH&S Management system.

4.1q2 The organization shall define and document the scope of its OH&S management system.

How was the scope defined? Where is this documented?

4.2 OH&S Policy4.2q1 Top management shall define and authorize the

organization’s OH&S policy and ensure that within the defined scope of its OH&S management system it:a) is appropriate to the nature and scale of the organization’s OH&S risks;b) includes a commitment to prevention of injury and ill health and continual improvement in OH&S management and OH&S performance;c) includes a commitment to at least comply with applicable legal requirements and with other requirements to which the organization subscribes that relate to its OH&S hazards;d) provides the framework for setting and reviewing OH&S objectives;e) is documented, implemented and maintained;f) is communicated to all persons working under the control of the organization with the intent that they are made aware of their individual OH&S obligations;g) is available to interested parties; andh) is reviewed periodically to ensure that it remains relevant and appropriate to the organization.

Has top management defined and authorized the OH&S policy? Is there a link to the scope of the OH&S?Is it appropriate to the nature and scale of the organization’s risks?Is there a commitment to prevention of injury and ill health?Is there a commitment to continual improvement?Does it include commitment to comply with legal and other requirements as a minimum?What is the framework for setting and reviewing objectives?Where is the policy documented?Is it implemented and maintained? How?How is this communicated? How are people made aware of their individual OH&S obligations?How is it made available to interested parties?Is it reviewed periodically? When was the last review?

Documented OH&S Policy

4.3 Planning4.3.1 Hazard identification, risk assessment and determining controls

4.3.1q1 The organization shall establish, implement and maintain a procedure(s) for the ongoing hazard identification, risk assessment, and determination of necessary controls.

What is the procedure for ongoing hazard identification?Are risk assessments evident? Is the hierarchy of controls determined and reiterated?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.3.1q2 The procedure(s) for hazard identification and risk

assessment shall take into account:a) routine and non-routine activities;b) activities of all persons having access to the workplace (including contractors and visitors);c) human behaviour, capabilities and other human factors;d) identified hazards originating outside the workplace capable of adversely affecting the health and safety of persons under the control of the organization within the workplace;e) hazards created in the vicinity of the workplace by work-related activities under the control of the organization;NOTE 1 It may be more appropriate for such hazards to be assessed as an environmental aspect.f) infrastructure, equipment and materials at the workplace, whether provided by the organization or others;g) changes or proposed changes in the organization, its activities, or materials;h) modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes and activities;i) any applicable legal obligations relating to risk assessment and implementation of necessary controls (see also the NOTE to 3.12);j) the design of work areas, processes, installations, machinery/equipment, operating procedures and work organization, including their adaptation to human capabilities.

Does the procedure(s) consider:Routine and non-routine activities?All persons having access, including visitors and contractors?Human behaviour, capabilities and other human factors?Hazards from outside of the workplace capable of affecting the H&S of people within the workplace?Hazards created near the workplace by work-related activities (neighbours events, meteorological, geological, transportation etc.?)Infrastructure, equipment and materials?Changes or proposed changes within the organization, activities or materials? (Look at the change management process).Modifications to the OH&S management system and their impacts on operations, processes or materials (Look at the change management process).Legal obligations relating to risk assessment and implementation of controls (considering legal requirements beyond the immediate workplace).Design of work areas, processes, installations, machinery & equipment, operating procedures and work organization including adaptation to human capabilities.

4.3.1q3 The organization’s methodology for hazard identification and risk assessment shall:a) be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive; andb) provide for the identification, prioritization and documentation of risks, and the application of controls, as appropriate.

Is the method for hazard identification and risk assessment defined with respect to scope, nature and timing?Is it proactive?Does it provide for the identification, prioritization and documentation of risks and application of controls?

4.3.1q4 For the management of change, the organization shall identify the OH&S hazards and OH&S risks associated with changes in the organization, the OH&S management system, or its activities, prior to the introduction of such changes.

Are hazards and risks identified prior to changes in the organization, the OH&S management system or its activities?Evidence that these are identified prior to and not after the event.

4.3.1q5 The organization shall ensure that the results of these assessments are considered when determining controls.

How are risk assessment results considered when determining controls?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.3.1q6 When determining controls, or considering changes

to existing controls, consideration shall be given to reducing the risks according to the following hierarchy:a) elimination;b) substitution;c) engineering controls;d) signage/warnings and/or administrative controls;e) personal protective equipment.

How is the hierarchy considered? What evidence can you show of this?

4.3.1q7 The organization shall document and keep the results of identification of hazards, risk assessments and determined controls up-to-date.

Where are the documented results of hazard identification, risk assessments and determined controls? Are they up to date?

Documented results of hazard identification, risk assessment and determined controls.

4.3.1q8 The organization shall ensure that the OH&S risks and determined controls are taken into account when establishing, implementing and maintaining its OH&S management system.

How are the risks and controls taken into account when establishing, implementing and maintaining the OH&S management system?

NOTE 2 For further guidance on hazard identification, risk assessment and determining controls, see OHSAS 18002.

4.3.2 Legal and other requirements4.3.2q1 The organization shall establish, implement and

maintain a procedure(s) for identifying and accessing the legal and other OH&S requirements that are applicable to it.

What is the procedure for identifying and accessing legal and other requirements?

4.3.2q2 The organization shall ensure that these applicable legal requirements and other requirements to which the organization subscribes are taken into account in establishing, implementing and maintaining its OH&S management system.

Demonstrate that applicable legal requirements are taken into account.

4.3.2q3 The organization shall keep this information up-to-date.

Demonstrate that this information is current.

4.3.2q4 The organization shall communicate relevant information on legal and other requirements to persons working under the control of theorganization, and other relevant interested parties.

How do you communicate relevant legal and other requirements to the organization and also to other interested parties i.e. visitors, contractors etc.?

4.3.3 Objectives and programme(s)4.3.3q1 The organization shall establish, implement and

maintain documented OH&S objectives, at relevant functions and levels within the organization.

What are the documented OH&S objectives? How are they maintained?

Documented OH&S objectives.

4.3.3q2 The objectives shall be measurable, where practicable, and consistent with the OH&S policy, including the commitments to the prevention ofinjury and ill health, to compliance with applicable legal requirements and with other requirements to which the organization subscribes, and to continual improvement.

Are the objectives measureable? What information is there? Are they consistent with the OH&S policy? Does this include commitment to prevent injury and ill health? Are they compliant to applicable legal requirements? Do they demonstrate continual improvement?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.3.3q3 When establishing and reviewing its objectives, an

organization shall take into account the legal requirements and other requirements to which the organization subscribes, and its OH&S risks. It shall also consider its technological options, its financial, operational and business requirements, and the views of relevant interested parties.

How are legal requirements and OH&S risks taken into account when establishing and reviewing objectives?How are technological options, financial, operational and business requirements and view of relevant interested parties considered when reviewing objectives?

4.3.3q4 The organization shall establish, implement and maintain a programme(s) for achieving its objectives. Programme(s) shall include as a minimum:a) designation of responsibility and authority for achieving objectives at relevant functions and levels of the organization; andb) the means and time-frame by which the objectives are to be achieved.

Where is the programme for achieving the objectives? Does this include as a minimum, the designation of responsibility and authority for achieving objectives? Does it include the means and time-frame for achieving the objectives?

4.3.3q5 The programme(s) shall be reviewed at regular and planned intervals and adjusted as necessary, to ensure that the objectives are achieved.

Show that the programme is reviewed at regular and planned intervals. Are objectives being met?

4.4 Implementation and operation4.4.1 Resources, roles, responsibility, accountability and authority

4.4.1q1 Top management shall take ultimate responsibility for OH&S and the OH&S management system.

Demonstrate how top management take ultimate responsibility for OH&S and the management system.

4.4.1q2 Top management shall demonstrate its commitment by:a) ensuring the availability of resources essential to establish, implement, maintain and improve the OH&S management system;NOTE 1 Resources include human resources and specialized skills, organizational infrastructure, technology and financial resources.b) defining roles, allocating responsibilities and accountabilities, and delegating authorities, to facilitate effective OH&S management; roles, responsibilities, accountabilities, and authorities shall be documented and communicated.

Has top management demonstrated commitment to the implementation and operation of the OH&S?How are resources made available?Are roles defined?Are responsibilities and accountabilities defined?Are they documented?How are they communicated?

4.4.1q3 The organization shall appoint a member(s) of top management with specific responsibility for OH&S, irrespective of other responsibilities, and with defined roles and authority for:a) ensuring that the OH&S management system is established, implemented and maintained in accordance with this OHSAS Standard;b) ensuring that reports on the performance of the OH&S management system are presented to top management for review and used as a basis for improvement of the OH&S managementsystem.

Is a member of top management appointed with specific responsibilities for OH&S?Do they have authority for maintaining the OH&S management system? Is it in accordance with this standard?Are performance reports presented to top management for review?Is the performance reports used as a basis for improvement?

Q# OHSAS 18001 Clause Audit Question Audit EvidenceNOTE 2 The top management appointee (e.g. in a large organization, a Board or executive committee member) may delegate some of their duties to a subordinate management representative(s)while still retaining accountability.

4.4.1q4 The identity of the top management appointee shall be made available to all persons working under the control of the organization.

Are all persons aware of the top management appointee? How is this done? Sample of persons to prove this.

4.4.1q5 All those with management responsibility shall demonstrate their commitment to the continual improvement of OH&S performance.

How have those with management responsibility demonstrated commitment to the continual improvement of OH&S performance?

4.4.1q6 The organization shall ensure that persons in the workplace take responsibility for aspects of OH&S over which they have control, including adherence to the organization’s applicable OH&S requirements.

How are persons in the workplace taking responsibility for controllable aspects of OH&S? How is adherence to OH&S requirements demonstrated?

4.4.2 Competence, training and awareness4.4.2q1 The organization shall ensure that any person(s)

under its control performing tasks that can impact on OH&S is (are) competent on the basis of appropriate education, training or experience, and shall retainassociated records.

Demonstrate that persons performing tasks that can impact on OH&S are competent on the basis of education, training or experience. What records are there to this effect?

Training records

4.4.2q2 The organization shall identify training needs associated with its OH&S risks and its OH&S management system. It shall provide training or takeother action to meet these needs, evaluate the effectiveness of the training or action taken, and retain associated records.

How are training needs identified that are associated with OH&S risks? What training or other action has been taken?How has the effectiveness of this been determined? What records do you have to show this?

Training needs records

4.4.2q3 The organization shall establish, implement and maintain a procedure(s) to make persons working under its control aware of:a) the OH&S consequences, actual or potential, of their work activities, their behaviour, and the OH&S benefits of improved personal performance;b) their roles and responsibilities and importance in achieving conformity to the OH&S policy and procedures and to the requirements of the OH&S management system, including emergency preparedness and response requirements (see 4.4.7);c) the potential consequences of departure from specified procedures.

What is the procedure to make people aware of the OH&S consequences of their work, behavior and benefits of improved personal performance? Are people aware of their roles, responsibilities and importance in achieving conformity to the OH&S policy? Are they aware of their roles and responsibilities in meeting the requirements of the OH&S management system, including emergency preparedness and response requirements? Are they aware of the potential consequences from not following the procedure?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.4.2q4 Training procedures shall take into account differing

levels of:a) responsibility, ability, language skills and literacy; andb) risk.

Do the training procedures take into account differing levels of responsibility, ability, language skills and literacy and risk?

4.4.3 Communication, participation and consultation4.4.3.1 Communication

4.4.3.1q1

With regard to its OH&S hazards and OH&S management system, the organization shall establish, implement and maintain a procedure(s) for:a) internal communication among the various levels and functions of the organization;b) communication with contractors and other visitors to the workplace;c) receiving, documenting and responding to relevant communications from external interested parties.

Where is the procedure for internal communication within the organization? Does it consider communication to contractors and other visitors to the workplace?How is external communication received, responded to and documented?

Documented response to and from external parties

4.4.3.2 Participation and consultation4.4.3.2q1

The organization shall establish, implement and maintain a procedure(s) for:a) the participation of workers by their:• appropriate involvement in hazard identification, risk assessments and determination of controls;• appropriate involvement in incident investigation;• involvement in the development and review of OH&S policies and objectives;• consultation where there are any changes that affect their OH&S;• representation on OH&S matters.

What is the procedure that shows participation of workers by appropriate involvement in hazard identification, risk assessment and determination of controls?Does it allow for appropriate involvement in incident investigation? Does it allow for involvement in the development and review of OH&s policies and objectives?Does it allow for consultation where there are any changes that affect their OH&S? Do they get representation on OH&S matters?

4.4.3.2q2

Workers shall be informed about their participation arrangements, including who is their representative(s) on OH&S matters.b) consultation with contractors where there are changes that affect their OH&S.

How are workers informed about participation arrangements? Do they know who their representative on OH&S matters is? Are they aware of consultation with contractors where there are changes that affect their OH&S?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.4.3.2q3

The organization shall ensure that, when appropriate, relevant external interested parties are consulted about pertinent OH&S matters.

Demonstrate that relevant external interested parties are consulted about pertinent OH&s matters, where appropriate.

4.4.4 Documentation4.4.4q1 The OH&S management system documentation

shall include:a) the OH&S policy and objectives;b) description of the scope of the OH&S management system;c) description of the main elements of the OH&S management system and their interaction, and reference to related documents;d) documents, including records, required by this OHSAS Standard; ande) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of processes that relate to the management of its OH&S risks.

Does the management system documentation include?The OH&S policy and objectives?A description of the scope of the OH&S management system?Descriptions of the main elements and their interaction?Reference to related documents?Documents and records required by this standard?Documents and records determined to be necessary to ensure effective planning, operation and control of processes relating to management of OH&S risks?

Documented OH&S policy and objectives, scope, description of the main elements and their interaction, reference to related documents, records as required by the standard, documents and records determined as necessary.

NOTE It is important that documentation is proportional to the level of complexity, hazards and risks concerned and is kept to the minimum required for effectiveness and efficiency.4.4.5 Control of documents

4.4.5q1 Documents required by the OH&S management system and by this OHSAS Standard shall be controlled. Records are a special type of document and shall be controlled in accordance with the requirements given in 4.5.4.

How are documents controlled?How are records controlled?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.4.5q2 The organization shall establish, implement and

maintain a procedure(s) to:a) approve documents for adequacy prior to issue;b) review and update as necessary and re-approve documents;c) ensure that changes and the current revision status of documents are identified;d) ensure that relevant versions of applicable documents are available at points of use;e) ensure that documents remain legible and readily identifiable;f) ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the OH&S management system are identified and their distribution controlled; andg) prevent the unintended use of obsolete documents and apply suitable identification to them if they are retained for any purpose.

What is the procedure for:Approving documents prior to issue?Reviewing, updating and re-approving documents?Ensuring changes and revision status is identified?Ensures relevant versions of applicable documents are available at points of use?Ensures documents are legible and readily identifiable?Ensures external documents are identified and distribution controlled?Prevents to unintended use of obsolete documents?

4.4.6 Operational control4.4.6q1 The organization shall determine those operations

and activities that are associated with the identified hazard(s) where the implementation of controls is necessary to manage the OH&S risk(s). This shall include the management of change (see 4.3.1).

How are operations and activities determined that are associated with identified hazards, where the implementation of controls is necessary? Does it include change management?

4.4.6q2 For those operations and activities, the organization shall implement and maintain:a) operational controls, as applicable to the organization and its activities; the organization shall integrate those operational controls into its overall OH&S management system;b) controls related to purchased goods, equipment and services;c) controls related to contractors and other visitors to the workplace;d) documented procedures, to cover situations where their absence could lead to deviations from the OH&S policy and the objectives;e) stipulated operating criteria where their absence could lead to deviations from the OH&S policy and objectives.

For those operations and activities, how are: Operational controls integrated into the OH&S management system?Controls related to purchased goods, equipment and services?Controls related to contractors and visitors?

Is there a procedure to cover situations where the absence of operational controls could lead to deviations from the OH&S policy and objectives?

What operating criteria is stipulated where the absence of operational controls could lead to deviations from the OH&S policy and objectives?

Documented procedures to cover situations where the absence of operational controls could lead to deviations from the policy and objectives.

4.4.7 Emergency preparedness and response4.4.7q1 The organization shall establish, implement and

maintain a procedure(s):a) to identify the potential for emergency situations;b) to respond to such emergency situations.

What is the procedure that identifies the potential for emergency situations and for the response to emergency situations?

4.4.7q2 The organization shall respond to actual emergency situations and prevent or mitigate associated adverse OH&S consequences.

What responses to actual emergency situations are there? How do these prevent or mitigate adverse OH&S consequences?

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.4.7q3 In planning its emergency response the

organization shall take account of the needs of relevant interested parties, e.g. emergency services and neighbours.

How are the needs of relevant interested parties taken into account when planning emergency response?

4.4.7q4 The organization shall also periodically test its procedure(s) to respond to emergency situations, where practicable, involving relevant interested parties as appropriate.

What tests have been performed to test this procedure?

4.4.7q5 The organization shall periodically review and, where necessary, revise its emergency preparedness and response procedure(s), in particular, after periodical testing and after the occurrence of emergency situations (see 4.5.3).

What reviews and revisions have been made to the emergency preparedness and response procedure, in particular after the testing and occurrence of emergency situations?

4.5 Checking4.5.1 Performance measurement and monitoring

4.5.1q1 The organization shall establish, implement and maintain a procedure(s) to monitor and measure OH&S performance on a regular basis. This procedure(s) shall provide for:a) both qualitative and quantitative measures, appropriate to the needs of the organization;b) monitoring of the extent to which the organization’s OH&S objectives are met;c) monitoring the effectiveness of controls (for health as well as for safety);d) proactive measures of performance that monitor conformance with the OH&S programme(s), controls and operational criteria;e) reactive measures of performance that monitor ill health, incidents (including accidents, near-misses, etc.), and other historical evidence of deficient OH&S performance;f) recording of data and results of monitoring and measurement sufficient to facilitate subsequent corrective action and preventive action analysis.

What is the procedure to monitor and measure OH&S performance? Does it provide for:Qualitative and quantitative measures?Monitoring to the extent that the OH&S objectives are met?Monitoring the effectiveness of controls for health and well as safety?Proactive performance measures that monitor conformance with the OH&S programmes, controls and operational criteria?Reactive measures of performance that monitor ill health, incidents, accidents, near-misses and other historical evidence?Recording of data and results sufficient to facilitate corrective and preventative action analysis?

4.5.1q2 If equipment is required to monitor or measure performance, the organization shall establish and maintain procedures for the calibration and maintenance of such equipment, as appropriate. Records of calibration and maintenance activities and results shall be retained.

Is there any equipment used to monitor or measure OH&S performance?Is there a calibration procedure for calibration and maintenance of this equipment?What records of calibration and maintenance is kept?

Calibration records

4.5.2 Evaluation of compliance

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.5.2.1

4.5.2.1q1

Consistent with its commitment to compliance [see 4.2c)], the organization shall establish, implement and maintain a procedure(s) for periodically evaluating compliance with applicable legal requirements (see 4.3.2).

Wh\at is the procedure for evaluating compliance with applicable legal requirements?

4.5.2.1q2

The organization shall keep records of the results of the periodic evaluations.

What records are kept of periodic evaluations?

Records of evaluation of compliance to legal requirements.

NOTE The frequency of periodic evaluation may vary for differing legal requirements.4.5.2.2

4.5.2.2q1

The organization shall evaluate compliance with other requirements to which it subscribes (see 4.3.2). The organization may wish to combine this evaluation with the evaluation of legal compliancereferred to in 4.5.2.1 or to establish a separate procedure(s).

How is compliance with other requirements evaluated? Is this evaluation combined with the evaluation of legal compliance, or is there a separate procedure?

4.5.2.2q2

The organization shall keep records of the results of the periodic evaluations.

What records are there of periodic evaluations?

Records of evaluation of compliance to other requirements.

NOTE The frequency of periodic evaluation may vary for differing other requirements to which the organization subscribes.4.5.3 Incident investigation, nonconformity, corrective action and preventive action4.5.3.1 Incident Investigation

4.5.3.1q1

The organization shall establish, implement and maintain a procedure(s) to record, investigate and analyse incidents in order to:a) determine underlying OH&S deficiencies and other factors that might be causing or contributing to the occurrence of incidents;b) identify the need for corrective action;c) identify opportunities for preventive action;d) identify opportunities for continual improvement;e) communicate the results of such investigations.

What is the procedure to record, investigate and analyse incidents? Does it:Determine underlying OH&S deficiencies and other factors that might cause or contribute to the occurrence of incidents?Does it identify the need for corrective action? Does it identify opportunities for preventive action and continual improvement? How are the results of investigations communicated?

4.5.3.1q2

The investigations shall be performed in a timely manner.

Demonstrate that investigations are performed in a timely manner.

4.5.3.1q3

Any identified need for corrective action or opportunities for preventive action shall be dealt with in accordance with the relevant parts of 4.5.3.2.

How do you identify the need for corrective and preventive actions?

4.5.3.1q4

The results of incident investigations shall be documented and maintained.

Where are your documented results of incident investigations?

Documented incident investigations.

4.5.3.2 Nonconformity, corrective action and preventive action

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.5.3.2q1

The organization shall establish, implement and maintain a procedure(s) for dealing with actual and potential nonconformity(ies) and for taking corrective action and preventive action. Theprocedure(s) shall define requirements for:a) identifying and correcting nonconformity(ies) and taking action(s) to mitigate their OH&S consequences;b) investigating nonconformity(ies), determining their cause(s) and taking actions in order to avoid their recurrence;c) evaluating the need for action(s) to prevent nonconformity(ies) and implementing appropriate actions designed to avoid their occurrence;d) recording and communicating the results of corrective action(s) and preventive action(s) taken; ande) reviewing the effectiveness of corrective action(s) and preventive action(s) taken.

What is the procedure for dealing with actual and potential nonconformities and for taking corrective and preventive action?Does it define requirements for:Identifying and correcting nonconformities and taking actions to mitigate consequences?Investigating nonconformities, determining cause and taking actions to prevent recurrence?Evaluating need for actions to prevent nonconformities and implement appropriate actions to avoid recurrence?Recording and communicating results of corrective and preventive actions taken?Reviewing effectiveness of corrective and preventive actions?What evidence is there that this procedure is maintained?

Records of communicating results of corrective and preventive actions.

4.5.3.2q2

Where the corrective action and preventive action identifies new or changed hazards or the need for new or changed controls, the procedure shall require that the proposed actions shall be taken through a risk assessment prior to implementation.

Does the procedure require that where new or changed controls are required there is a risk assessment undertaken prior to implementation?

4.5.3.2q3

Any corrective action or preventive action taken to eliminate the causes of actual and potential nonconformity(ies) shall be appropriate to themagnitude of problems and commensurate with the OH&S risk(s) encountered.

How is the corrective or preventive action deemed appropriate to the magnitude of the problem?

4.5.3.2q4

The organization shall ensure that any necessary changes arising from corrective action and preventive action are made to the OH&Smanagement system documentation.

Have any necessary changes arising from corrective and preventive actions been documented within the OH&S management system?

4.5.4 Control of Records4.5.4q1 The organization shall establish and maintain

records as necessary to demonstrate conformity to the requirements of its OH&S managementsystem and of this OHSAS Standard, and the results achieved.

What records exist to demonstrate conformity to the requirements of the OH&S standard, and for the results that are achieved? Do they collectively demonstrate conformity to the OH&S management?

Records to demonstrate conformity to the standard.

4.5.4q2 The organization shall establish, implement and maintain a procedure(s) for the identification, storage, protection, retrieval, retention and disposal of records.

What is the procedure for the identification, storage, protection, retrieval, retention and disposal of records?

4.5.4q3 Records shall be and remain legible, identifiable and traceable.

Are records legible, identifiable and traceable?

4.5.5 Internal Audit

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.5.5q1 The organization shall ensure that internal audits of

the OH&S management system are conducted at planned intervals to:a) determine whether the OH&S management system:1) conforms to planned arrangements for OH&S management, including the requirements of this OHSAS Standard; and2) has been properly implemented and is maintained; and3) is effective in meeting the organization’s policy and objectives;b) provide information on the results of audits to management.

Where are the internal audits of the OH&S management system? Are they at planned intervals? Do they determine if the system:Conforms to planned arrangements?Has been properly implemented and maintained?Is effective in meeting the OH&S policy and objectives?Provides information of the results of audits to management?

4.5.5q2 Audit programme(s) shall be planned, established, implemented and maintained by the organization, based on the results of risk assessments of the organization’s activities, and the results of previous audits.

Has the audit programme been planned, established, implemented and maintained and is it based on the results of risk assessments and the results of previous audits?

4.5.5q3 Audit procedure(s) shall be established, implemented and maintained that address:a) the responsibilities, competencies, and requirements for planning and conducting audits, reporting results and retaining associatedrecords; andb) the determination of audit criteria, scope, frequency and methods.

What is the OH&S audit procedure? Does it address:The responsibilities, competencies and requirements for planning and conducting audits, reporting results and retaining records?Does it determine the audit criteria, scope, frequency and methods?

4.5.5q4 Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.

Do auditors conduct audits of their own areas of responsibility? Is there an internal auditor list and are the selected to ensure impartiality?

4.6 Management review4.6q1 Top management shall review the organization’s

OH&S management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Reviews shall include assessingopportunities for improvement and the need for changes to the OH&S management system, including the OH&S policy and OH&S objectives.Records of the management reviews shall be retained.

Where are the minutes from the last management review? How often are they conducted? Do they include assessment of opportunities for improvement and need for changes to the OH&S management system? Does this include changes to the OH&S policy and objectives?

Management review records.

Q# OHSAS 18001 Clause Audit Question Audit Evidence4.6q2 Input to management reviews shall include:

a) results of internal audits and evaluations of compliance with applicable legal requirements and with other requirements to which the organization subscribes;b) the results of participation and consultation (see 4.4.3);c) relevant communication(s) from external interested parties, including complaints;d) the OH&S performance of the organization;e) the extent to which objectives have been met;f) status of incident investigations, corrective actions and preventive actions;g) follow-up actions from previous management reviews;h) changing circumstances, including developments in legal and other requirements related to OH&S; andi) recommendations for improvement.

Do the inputs to the management review include:Results of internal audits?Evaluations of compliance with legal and other requirements?Results of participation and consultation?Communications from external parties including complaints?The OH&S performance?The extent to which objectives have been met?Status of incident investigations, corrective and preventive actions?Follow up actions from previous management reviews?Changing circumstances including developments in legal and other requirements relating to OH&S?Recommendations for improvement?

4.6q3 The outputs from management reviews shall be consistent with the organization’s commitment to continual improvement and shall include any decisions and actions related to possible changes to:a) OH&S performance;b) OH&S policy and objectives;c) resources; andd) other elements of the OH&S management system.

Do the outputs from the management review include decisions and actions related to possible changes to:OH&S performance?OH&s policy and objectives?Resources?Other elements of the OH&S management system?

4.6q4 Relevant outputs from management review shall be made available for communication and consultation (see 4.4.3).

Are the results from management review made available for communication and consultation?