IAFMD22 OHSMSPub 25012018
IAFMD22 OHSMSPub 25012018
IAFMD22 OHSMSPub 25012018
Issue 1
(IAF MD 22:2018)
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
The International Accreditation Forum, Inc. (IAF) facilitates trade and supports
regulators by operating a worldwide mutual recognition arrangement among
Accreditation Bodies (ABs) in order that the results issued by Conformity Assessment
Bodies (CABs) accredited by IAF members are accepted globally.
Accreditation reduces risk for business and its customers by assuring them that
accredited CABs are competent to carry out the work they undertake within their scope
of accreditation. ABs that are members of IAF and the CABs they accredit are required
to comply with appropriate international standards and the applicable IAF application
documents for the consistent application of those standards.
ABs that are signatories to the IAF Multilateral Recognition Arrangement (MLA) are
evaluated regularly by an appointed team of peers to provide confidence in the
operation of their accreditation programs. The structure and scope of the IAF MLA is
detailed in IAF PR 4 – Structure of IAF MLA and Endorsed Normative Documents.
The IAF MLA is structured in five levels: Level 1 specifies mandatory criteria that apply
to all ABs, ISO/IEC 17011. The combination of a Level 2 activity(ies) and the
corresponding Level 3 normative documents is called the main scope of the MLA, and
the combination of Level 4 (if applicable) and Level 5 relevant normative documents is
called a sub-scope of the MLA.
The main scope of the MLA includes activities e.g. product certification and
associated mandatory documents e.g. ISO/IEC 17065. The attestations made by
CABs at the main scope level are considered to be equally reliable.
The sub scope of the MLA includes conformity assessment requirements e.g.
ISO 9001 and scheme specific requirements, where applicable, e.g. ISO TS
22003. The attestations made by CABs at the sub scope level are considered to
be equivalent.
The IAF MLA delivers the confidence needed for market acceptance of conformity
assessment outcomes. An attestation issued, within the scope of the IAF MLA, by a
body that is accredited by an IAF MLA signatory AB can be recognized worldwide,
thereby facilitating international trade.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
TABLE OF CONTENTS
0. INTRODUCTION ................................................................................................................ 6
1. SCOPE ............................................................................................................................... 7
2. NORMATIVE REFERENCES ............................................................................................. 7
3. TERMS AND DEFINITIONS ............................................................................................... 7
4. PRINCIPLES ...................................................................................................................... 7
5. GENERAL REQUIREMENTS ............................................................................................ 8
6. STRUCTURAL REQUIREMENTS ...................................................................................... 8
7. RESOURCE REQUIREMENTS .......................................................................................... 8
8. INFORMATION REQUIREMENTS ..................................................................................... 8
9. PROCESS REQUIREMENTS ............................................................................................ 9
9.1 Pre-certification Activities ............................................................................................ 9
9.2 Planning Activities ..................................................................................................... 10
9.3 Initial Certification...................................................................................................... 10
9.4 Conducting Audits ..................................................................................................... 10
9.5 Certification Decision ................................................................................................ 11
9.6 Maintaining Certification ............................................................................................ 11
9.7 Appeals ..................................................................................................................... 11
9.8 Complaints ................................................................................................................ 11
9.9 Client Records .......................................................................................................... 11
10. MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES ............ 11
APPENDIX A (normative) - SPECIFIC KNOWLEDGE AND SKILLS FOR CERTIFICATION
FUNCTIONS IN OH&SMS ....................................................................................................... 12
APPENDIX B (normative) - DETERMINATION OF AUDIT TIME OF OCCUPATIONAL
HEALTH AND SAFETY MANAGEMENT SYSTEMS............................................................... 14
APPENDIX C (normative) - LEGAL COMPLIANCE AS A PART OF ACCREDITED OH&SMS
CERTIFICATION...................................................................................................................... 27
APPENDIX D (normative) - SCOPE OF ACCREDITATION.................................................... 31
APPENDIX E (normative) - WITNESSING ACTIVITIES FOR THE ACCREDITATION OF
OCCUPATIONAL HEALTH AND SAFETY MANAGEMENT SYSTEMS (OH&SMS)
CERTIFICATION BODIES ....................................................................................................... 37
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Issue No 1
Prepared by: IAF Technical Committee
Approved by: IAF Members Date: 28 December 2017
Issue Date: 25 January 2018 Application Date: 25 January 2018
Name for Enquiries: Elva Nilsen
IAF Corporate Secretary
Telephone: +1 613 454-8159
Email: secretary@iaf.nu
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
The term “should” is used in this document to indicate recognised means of meeting the
requirements of the standard. A Conformity Assessment Body (CAB) can meet these in
an equivalent way provided this can be demonstrated to an Accreditation Body (AB).
The term “shall” is used in this document to indicate those provisions which, reflecting
the requirements of the relevant standard, are mandatory.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
0. INTRODUCTION
This document is mandatory for the consistent application of ISO/IEC 17021-1:2015 for
the accreditation of Certification Bodies providing certification of Occupational Health
and Safety Management Systems (OH&SMS). All clauses and Annexes of ISO/IEC
17021-1:2015 continue to apply and this document does not supersede any of the
requirements of that standard. This document not only applies for certification to
OHSAS 18001 but shall also be used for certification to other OH&SMS such as the
upcoming ISO 45001 and other standards. National legislation will prevail in case of
conflict with this document.
This document also includes five mandatory appendices which introduce specific
OH&SMS requirements to the following ISO, IAF and EA documents:
Specific criteria are identified by the letter ”G” followed with a reference number that
incorporates the related requirements clause in ISO/IEC 17021-1:2015.
In all cases a reference in the text of this document to "clause XX" refers to a clause in
ISO/IEC 17021-1:2015 unless otherwise specified.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
1. SCOPE
No additional requirement.
2. NORMATIVE REFERENCES
No additional requirement.
4. PRINCIPLES
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
5. GENERAL REQUIREMENTS
The key interests may include the additional parties mentioned in clause G.4.1.2.
6. STRUCTURAL REQUIREMENTS
No additional requirement.
7. RESOURCE REQUIREMENTS
For Occupational Health and Safety management systems, the term “technical area” is
related to commonalities of processes or services and their associated hazards which
can expose workers to OH&S risks.
8. INFORMATION REQUIREMENTS
G 8.5.3 The legally enforceable arrangements shall also require that the certified
client informs the Certification Body, without delay, of the occurrence of a serious
incident or breach of regulation necessitating the involvement of the competent
regulatory authority.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
9. PROCESS REQUIREMENTS
The application shall contain details of personnel working on, as well as working away
from the organisation’s premises.
G 9.1.4 The audit time of OH&SMS audits shall be determined in accordance with
Appendix B of this document.
If the client provides services at another organisation’s premises, the CAB shall verify
that the client’s OH&SMS covers these offsite activities (notwithstanding the OH&SMS
obligations of the other organization). In determining the time to be spent for audit, the
CAB shall consider to audit periodically any organization site where these employees
work. Whether all sites shall be audited will depend on various factors such as OH&S
risks associated with the activities therein performed, contract agreements, being
certified by another accredited CAB, internal audit system, statistics on accidents and
near misses. The justification for such decision shall be recorded.
Where there are multiple sites not covering the same activities, processes and OH&S
risks, sampling is not appropriate.
When sampling is permitted the CB shall ensure that the sample of sites to be audited is
representative of processes, activities and OH&S risks that exist in the organization to
be audited.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
G 9.2.1.2 b) For the determination of the ability of the management system to ensure
the client meets applicable statutory, regulatory and contractual requirements, the
approach described in Appendix C shall be applied.
G.9.2.1.3 The OH&SMS shall include activities, products and services within the
organization’s control or influence that can impact the organization’s OH&SMS
performance.
Temporary sites, for example, construction sites, shall be covered by the OH&SMS of
the organization that has control of these sites, irrespective of where they are located.
No additional requirement.
i) the management with legal responsibility for Occupational Health and Safety,
ii) employees' representative(s) with responsibility for Occupational Health and
Safety,
iii) personnel responsible for monitoring employees' health, for example, doctors
and nurses. Justifications in case of interviews conducted remotely shall be
recorded,
iv) managers and permanent and temporary employees.
G 9.4.5.3 The Certification Body shall have procedures detailing the actions to be
taken in the event that it discovers a non-compliance with relevant regulatory
requirements. These procedures shall include a requirement that any such non-
compliances are immediately communicated to the organization being audited.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
No additional requirement.
9.7 Appeals
No additional requirement.
9.8 Complaints
No additional requirement.
No additional requirement.
No additional requirement.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
This Appendix will be superseded when the future ISO/IEC TS 17021-10 for OH&SMS
comes into force.
The following clauses A.1.n refer to the criteria of knowledge and skills listed in the first
column and specified under the letter X in the other columns of Table A.1, for each
certification function. Such criteria are explained in more detail with reference to the text
following the table referenced by the number in parenthesis.
A.1.2 Knowledge of audit principles, practices and techniques shall include ISO/IEC
17021-1:2015, guidance provided in this document:
OH&S terminology,
OH&S legislation valid in countries where the Certification Body is conducting
audits,
applicable standards for OH&S management system certification (such as
OHSAS 18001, upcoming ISO 45001 or other standards),
methods for monitoring, measurement, analysis to evaluate the OH&S
performance, and the conformance of the OH&S management system,
surveys and other evaluation tools, and
OH&S risk assessments methodologies and guidance.
The level of knowledge shall be sufficient to fulfil the different requirements specified in
§ A.2.3, A.3.2 and A.4.1 for each certification function.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
The level of knowledge shall be sufficient to fulfil the different requirements specified in
§ A.2.5, A.3.4 and A.4.3 for each certification function.
The level of knowledge shall be sufficient to fulfil the different requirements specified in
§ A.2.6 and A.4.4 for each certification function.
A.1.7 Language skills appropriate to all levels within the client organization:
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
This Appendix is mandatory for the consistent application of the relevant clauses of
ISO/IEC 17021-1:2015 and the additional requirements of IAF-MD5:2015 for audits of
occupational health and safety management systems.
all clauses herein amended incorporate all relevant existing requirements of the
related clauses of IAF-MD5:2015, and
all clauses not amended are not included in this Appendix unless needed to
ensure a better understanding of the related amended clauses (e.g. clauses B.5
and B.6 referred by amended clause B.3.2).
B.1 DEFINITIONS
The effective number of personnel consists of all personnel (permanent, temporary, and
part-time) involved within the scope of certification including those working on each
shift. When included within the scope of certification, it shall also include
contractors/subcontractors personnel performing work or work-related activities that are
under the control or influence of the organization, that can impact on the organization’s
OH&SMS performance.
For OH&SMS, the provisions specified in this document are based on three primary
complexity categories based on the nature, number and severity of the OH&S risks of
an organization that fundamentally affect the audit time (See Table OH&SMS 2).
B.2 APPLICATION
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
B.2.3.1 The effective number of personnel as defined above is used as a basis for
the calculation of audit time for OH&SMS. Considerations for determining the effective
number of employees include part-time personnel, those working on shifts,
administrative and all categories of office staff, and similar or repetitive processes (see
B.2.3.4). “In case of seasonal operations (e.g. harvesting activities, holiday villages and
hotels, etc,) the calculation of the effective number of personnel shall be based on the
personnel typically present in peak season operations.” Reductions due to employment
of large numbers of unskilled personnel shall not be made without consideration of the
associated risk (see B.2.3.6).
The CAB shall determine the timing of the audit which will best assess the effective
implementation of the OH&SMS for the full scope of the client activities, including the
need to audit outside normal working hours and various shift patterns. This shall be
agreed with the client.
The CAB should ensure that any variation in audit time does not compromise the
effectiveness of audits (see also clause B 3.7).
This issue normally only applies in countries with a low level of technology where
temporary unskilled personnel may be employed in considerable numbers to replace
automated processes. Under these circumstances, a reduction in effective personnel
may be made for other certification schemes (QMS, EMS). This reduction is in principle
to be regarded as not applicable to OH&SMS since the employment of temporary
unskilled personnel can be a source of OH&S risks. If, in exceptional cases, a reduction
is made the justification for doing so shall be recorded and made available to the AB at
assessment.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
B.3.1 The methodology used as a basis for the calculation of audit time of OH&SMS
for an initial audit (Stage 1 + Stage 2) involves the understanding of tables of Annex C
of Appendix B. Annex C is based upon the effective number of personnel (see Clause
B.2.3 for guidance on the calculation of the effective number of personnel) and the
category of OH&S risk associated with the business sector of the organization and does
not provide a minimum or maximum audit time. Table OH&SMS 2 shows the linkage
between business sectors and OH&S complexity categories based on OH&S risks.
Note: Normal practice is that time spent for Stage 2 exceeds time spent for Stage 1.
B.3.2 Using a suitable multiplier, the same table and figure may be used as the base
for calculating audit time for surveillance audits (Clause B.5) and recertification audits
(clause B.6).
B.3.3 The CAB shall have processes that provide for the allocation of adequate time
for auditing of relevant processes of the client. Experience has shown that apart from
the number of personnel, the time required to carry out an effective audit depends upon
other factors for OH&SMS. These factors are explored in more depth in clause B.8.
B.3.4 This mandatory document lists the provisions which should be considered when
establishing the amount of time needed to perform an audit. This and other factors need
to be examined during the CAB’s application review process, and after Stage 1 and
throughout the certification cycle and at recertification for their potential impact on the
determination of the audit time regardless of the type of audit. Therefore the relevant
tables OH&SMS 1 and OH&SMS 2 which demonstrate the relationship between
effective number of personnel and OH&S risk categories cannot be used in isolation.
These tables provide the framework for further audit planning and for making
adjustments to audit time for all types of audits.
B.3.6 For an OH&SMS audit it is appropriate to base audit time on the effective
number of personnel of the organization and nature, number and severity of the OH&S
risks of the typical organization in that industry sector. Tables OH&SM 1 and OH&SM 2
provide a framework for the process that should be used for planning. The audit time of
management systems should then be adjusted based on any significant factors that
uniquely apply to the organization to be audited.
B.3.7 The starting point for determining audit time of OH&SMSs shall be identified
based on the effective number of personnel, then adjusted for the significant factors
applying to the client to be audited, and attributing to each factor an additive or
subtractive weighting to modify the base figure. In every situation, the basis for the
establishment of audit time of OH&SMSs, including adjustments made, shall be
recorded. The CAB should ensure that any variation in audit time does not compromise
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
B.3.8 The audit time of OH&SMSs determined using the tables of this Appendix shall
not include the time of “auditors-in-training”, observers or the time of technical experts.
B.3.9 The reduction audit time of OH&SMSs shall not exceed 30% of the times
established from Table OH&SMS 1.
B.4.2 Table OH&SMS 1 provides a starting point for estimating the time of an initial
audit (Stage 1 + Stage 2) for OH&SMS.
B.4.5 Certification audits may include remote auditing techniques such as interactive
web-based collaboration; web meetings, teleconferences and/or electronic verification
of the client’s processes. These remote activities, which shall be limited to reviewing
documents/records and to interviewing staff and workers, shall be identified in the audit
plan. The time spent on these activities may be considered as contributing to the total
duration of management systems audits. If the CAB plans an audit for which the remote
auditing activities represent more than 30% of the planned on-site duration of
management systems audits, the CAB shall justify the audit plan and maintain the
records of this justification, which shall be available to an Accreditation Body for review
(see IAF MD4). Activities and OH&S risk controls cannot be remotely witnessed this
way.
Note 2: Regardless of the remote auditing techniques used, the client organization shall
be physically visited at least annually where such a physical location exists.
Note 3: It is unlikely that a Stage 2 audit will take less than one (1) audit day.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
B.5 SURVEILLANCE
During the initial three year certification cycle, audit time for surveillance audits for a
given organization should be proportional to the audit time spent on the initial
certification audit (Stage 1 + Stage 2), with the total amount of time spent annually on
surveillance being about 1/3 of the audit time spent on the initial certification audit. The
CAB shall obtain an update of client data related to its management system as part of
each surveillance audit. The planned audit time of a surveillance audit shall be reviewed
at least at every surveillance and recertification audit to take into account changes in the
organization, system maturity, etc. The evidence of review including any adjustments to
the audit time of management systems audits shall be recorded.
Note: It is unlikely that a surveillance audit will take less than one (1) audit day.
B.6 RECERTIFICATION
The audit time for the recertification audit should be calculated on the basis of the
updated information of the client and is normally approximately 2/3 of the audit time that
would be required for an initial certification audit (Stage 1 + Stage 2) of the organization
if such an initial audit were to be carried out at the time of recertification (i.e. not 2/3 of
the original time spent on the initial audit). The audit time of management systems shall
take account of the outcome of the review of system performance (ISO/IEC 17021-1).
The review of system performance does not itself form part of the audit time for
recertification audits.
Note: It is unlikely that a recertification audit will take less than one (1) audit day.
B.8.1 The additional factors that shall be considered include but are not limited to:
a. complicated logistics involving more than one building or location where work
is carried out. e.g., a separate Design Centre shall be audited,
b. staff speaking in more than one language (requiring interpreter(s) or
preventing individual auditors from working independently),
c. very large site for the number of personnel (e.g., a forest),
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Any decision taken in relation to the requirements of this clause shall be recorded.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Note 1: Subtractive factors may be used once only for each calculation for each client
organization.
Note 2: Additional factors to consider when calculating the audit time of integrated
management systems are addressed in IAF MD 11.
B.9.2 Temporary sites could range from major project management sites to minor
service/installation sites. The need to visit such sites and the extent of sampling shall be
based on an evaluation of the risks of failure of the OH&SMS to control OH&S risks
associated with the client's operations. Sites included in sampling should represent the
client’s scope of certification, sizes and types of activities and processes, type of
hazards involved and associated OH&S risks, and stages of projects in progress.
B.9.3 Typically on-site audits of temporary sites would be performed. However, the
following methods could be considered as alternatives to replace only those parts of on-
site audits not related to witness the operational control and other OH&SMS activities:
i) interviews or progress meetings with the client and/or its customers in person
or teleconference,
ii) document review of temporary site activities,
iii) remote access to electronic site(s) that contain records or other information
that is relevant to the assessment of the OH&SMS and the temporary site(s),
iv) use of video and teleconference and other technology that enable effective
auditing to be conducted remotely.
B.10.1 In the case of an OH&SMS system operated over multiple sites the CAB
shall establish if site sampling is permitted or not, based on the evaluation of the level of
OH&S risks associated with the activities and processes carried out in each site
included in the scope of certification. Records of such evaluations and rationale of
decisions taken shall be made available to the AB at assessment.
B.10.2 The requirements for OH&SMS multiple site certification, both when
sampling is permitted and when sampling is not permitted, are covered in more detail by
the different scenarios provided in the new IAF MD 1 document for auditing and
certification of a management system managed by a multi-site organization, in which all
references to IAF MD5 requirements shall be understood as amended by this Appendix
B.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Until its coming into force, the respective requirements of IAF MD 1:2007 and MD
19:2016 continue to apply.
The proportion of the total time spent on each site shall take into account situations
where certain management system processes are not relevant to the site.
B.11.2 The CAB will audit and evaluate the effectiveness of the organization's
OH&SMS in managing any supplied activity and the risk this poses to OH&S
performance of its own activities and processes and conformity requirements. This may
include gathering feedback on the level of effectiveness from suppliers, based:
on the criteria applied by the organization for the evaluation, selection, monitoring
of performance and re-evaluation of these external providers based on their ability
to provide functions or processes in accordance with specified requirements, in
compliance with the legal requirements, and
on the risk that the external providers can adversely affect the organization’s
ability to control its own OH&S risks.
B.11.4. The CAB should be able to establish this during the preparation of the
certification programme and further verify it during the initial audit, and before every
surveillance and recertification audit.
Not applicable.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Not applicable.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Note 1: Audit time is shown for high, medium and low OH&SM risk audits.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Complexity
category of Business sector
OH&S risk
boards, treatment/impregnation of wood
paper production and paper products excluding pulping
non-metallic processing and products covering glass, ceramics, clay, etc.
general mechanical engineering assembly
manufacturing of metallic products
surface and other chemically based treatment for metal fabricated products
excluding primary production and for general mechanical engineering
(depending on the treatment and the size of the component could be high)
production of bare printed circuit boards for electronics industry
rubber and plastic injection moulding, forming and assembly
electrical and electronic equipment assembly
manufacturing of transport equipment and their repairs - road, rail and air
(depending on the size of the equipment, could be high)
recycling, composting, landfill (of non-hazardous waste)
water abstraction, purification and distribution including river management
(note commercial effluent treatment is graded as high)
fossil fuel wholesale and retail (depending on the amount of fuel, could be
high)
transport of passengers (by air, land and sea)
transport and distribution of non-dangerous goods (by land, air and water)
industrial cleaning, hygiene cleaning, dry cleaning normally part of general
business services
research & development in natural and technical sciences (depending on the
business sector could be high). Technical testing and laboratories
hotels, leisure services and personal services excludes restaurants
education services (depending on the object of teaching activities could be
high or low)
corporate activities and management, HQ and management of holding
companies
Low
wholesale and retail (depending on the product, could be medium or high,
e.g. fuel)
general business services except industrial cleaning, hygiene cleaning, dry
cleaning and education services).
transport and distribution - management services with no actual fleet to
manage
engineering services (could be medium depending on type of services)
telecommunications and post office services
restaurants and campings
commercial estate agency, estate management
research & development on social sciences and humanities
public administration, local authorities
financial institutions, advertising agency
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
The provisions specified in this document are based on three primary complexity
categories of OH&S risks based on the nature and severity of the OH&S risks of an
organization that fundamentally affect the auditor time. These are:
High – OH&S risks with significant nature and severity (typically the construction
industry, heavy manufacturing or processing type organizations),
Medium – OH&S risks with medium nature and severity (typically light
manufacturing organizations with some significant risks), and
Low – OH&S risks with low nature and severity (typically office based
organizations).
Table OH&SMS 1 covers the above three complexity categories of OH&S risks.
Table OH&SMS 2 provides the link between the three complexity categories of OH&S
risks above and the industry sectors that would typically fall into that category.
The CAB should recognize that not all organizations in a specific sector will always fall
in the same OH&S risk category. The CAB should allow flexibility in its contract review
procedure to ensure that the specific activities of the organization are considered in
determining the complexity categories of OH&S risks.
The CAB shall document all cases where they have lowered the complexity category of
OH&S risks of an organization in a specific business sector.
Note: The complexity category of OH&S risk of an organization may also be associated
with the consequences of a failure of the OH&SMS to control the risk:
High – where failure to manage the risk could put life at risk or result in serious
injury or illness,
Medium – where failure to manage the risk could result in injury or illness, and
Low – where failure to manage the risk may result in minor injury or illness.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
C.0 INTRODUCTION
C.01 Considering the various viewpoints, the following definition for “legal compliance”
is used: “Conformity with the law, in such a way that the intended outcome is realised.”
C.1.1 Through the certification assessment process, a Certification Body shall evaluate
an organisation's conformity with the requirements of an OH&SMS standard as they
relate to legal compliance and shall not grant certification until conformity with these
requirements can be demonstrated.
C.1.2 With respect to the balance between review of documents and records and the
evaluation of the OH&SMS implementation during operational activities (e.g. tour of
facilities and other work sites), the Certification Body shall ensure that an adequate
audit of the effectiveness of the OH&SMS is undertaken.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
C.1.3 There is no formula to define what the relative proportions should be, as the
situation is different in every organisation. However, there are some indications that too
much of the audit time being dedicated to an office-based review is a problem that
occurs with some frequency. This could lead to an inadequate assessment of the
effectiveness of the OH&SMS with respect to legal compliance issues, and potentially to
poor performance being overlooked, leading to a loss of stakeholder confidence in the
certification process.
The Certification Body shall, through an appropriate surveillance program, assure that
conformity is being maintained during the certification cycle, normally three years. The
Certification Body auditors shall verify the management of legal compliance based on
the demonstrated implementation of the system and not rely only on planned or
expected results.
C.1.6 If the facilities and work areas are subject to closure the OH&S risks change, as
there may no longer be the same risks to employees, but there may be new risks
applicable to members of the public (e.g. in case of lack of suitable maintenance and
surveillance activities). The Certification Body shall verify that the management system
continues to meet the OH&SMS standard and to be effectively implemented in respect
of the closed facilities and work areas, and, if not, suspend the certificate.
C.2.2 The organisation shall be able to demonstrate that it has achieved compliance
with the legal OH&S requirements that are applicable to it through its own evaluation of
compliance prior to the Certification Body granting certification.
C.2.3 Where the organization may not be in legal compliance, it shall be able to
demonstrate it has activated an implementation plan to achieve full compliance within a
declared date, supported by a documented agreement with the regulator, wherever
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
possible for the different national conditions. The successful implementation of this plan
shall be considered as a priority within the OH&SMS.
C.2.4 Exceptionally the Certification Body may still grant certification but shall seek
objective evidence to confirm that the organization’s OH&SMS:
C.2.5 Through the requirements of ISO/IEC 17021-1, clause 9.4.8.3 a) and the
intended outcomes being explicitly stated in the applicable OH&SMS standard, the
Certification Body shall ensure that its audit reports contain a statement on the
conformity and the effectiveness of the organization’s OH&SMS together with a
summary of the evidence with regards to the capability of the OH&SMS to meet its
compliance obligations.
C.3 SUMMARY
C.3.3 It should be stressed that Certification Body auditors are not inspectors of the
OH&S regulator. They should not provide "statements" or "declarations" of legal
compliance. Nevertheless, they can "verify the evaluation of legal compliance" in order
to assess conformity with the applicable OH&SMS standard.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
C.3.7 In order to maintain the confidence of interested parties and stakeholders in the
above attributes of the accredited certification of an OH&SMS, the Certification Body
shall ensure that the system has demonstrated effectiveness before granting,
maintaining or continuing certification.
C.3.8 The OH&SMS can act as a tool for dialogue between the organisation and its
OH&S regulators and form the basis for a trusting partnership, replacing historical
adversarial "them and us" relationships. OH&S regulators and the public should have
confidence in organizations with an accredited OH&SMS standard certificate and be
able to perceive them as being able to constantly and consistently manage their legal
compliance.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
D.1 The accredited scope of an OH&S Certification Body shall be expressed in terms
of one or more elements from the list of economic activities reported in the Annex of the
Document IAF-ID1:2014, as amended for OH&SMS in the following table.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Note 1: Examples of common hazards are not supposed to be included in the scope of
accreditation.
Note 2: No risk level has been assigned for each IAF code. Each AB would be
responsible to define the risk level of each scope taking into account the local
legislation, the OH&S hazards and the requirements defined in Appendix B.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Note 3: Sections T and U from NACE Rev 2 including the NACE codes 97, 98, and 99
are not included in the table.
Note 4: The use of OH&S scopes to describe “technical areas” for an OH&SMS, as
referred to in ISO/IEC 17021-1:2015, clause 7.1.2., is limited. While scope 11 “Nuclear
Fuel” might constitute a legitimate descriptor for a technical area, few of the other
headings would do so.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Consistent with IAF MD 17 (which is fully applicable), this Appendix specifies the
witnessing to be performed in Occupational Health and Safety Management Systems
(OH&SMS).
All the IAF codes (see IAF ID1) have been merged into a series of technical clusters for
OH&SMS deemed relevant for the purpose of this document.
The specific approach for sampling of scopes is detailed in section 4 of IAF MD17.
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Each AB can decide to designate different critical codes within each technical cluster,
according to national regulations, local market conditions and effective use.
End of IAF Mandatory Document Application of ISO/IEC 17021-1 for the Certification of
Occupational Health and Safety Management Systems (OH&SMS)
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1
Further Information:
For further Information on this document or other IAF documents, contact any
member of IAF or the IAF Secretariat.
For contact details of members of IAF see the IAF website: http://www.iaf.nu
Secretariat:
Issued: 25 January 2018 Application Date: 25 January 2018 IAF MD 22:2018 Issue 1