[Updated below with UKAS response.]

The other day I wrote that BSI had issued a certificate to ISO 45001, the new occupational safety and health standard, within minutes of the standard being released. That should be impossible, of course, under normal international accreditation rules.

We now find out that yes, it is impossible, and to get around that BSI just went around the accreditation rules entirely, while the accreditation bodies just nod their head in agreement. I missed this entirely, but if you read the careful wording of the recent announcement by construction firm Morgan Sindall (here), they don’t actually use the word “certified” at all. Look what they do say:

Morgan Sindall is pleased to be amongst the first companies worldwide to have been independently assessed by BSI to achieve conformity to ISO 45001 Occupational Health and Safety.

and

Morgan Sindall should be delighted that they are amongst the first to achieve conformity to the standard with BSI.

The word they use instead is “conformity,” and I had previously just chalked that up the fact that few people writing press releases ever understand the differences between words like certification, accreditation, conformity or compliance. Apparently, however, Morgan Sindall knows the difference and was likely coached by BSI in the crafting of its press release.

Read this letter of explanation from UKAS on the matter:

In terms of the UKAS position on ISO 45001, any UKAS accredited certification body who currently holds accreditation for HSMS for 18001 will need to be subject to an assessment and grant of accreditation for ISO 45001 before they may issue a UKAS accredited certificate.

We have as you may be aware also stated that based on our understanding of the IAF Resolution on unaccredited certificates, advised that no unaccredited certificates to ISO 45001 may be issued.  However, following detailed consideration of the views of various stakeholders and discussions at recent forums and events it has been agreed that UKAS accredited bodies may issue unaccredited certificates to ISO 45001. A technical bulletin to this effect will be placed on our website today and a copy sent to all UKAS accredited certification bodies.

In relation to the above UKAS has confirmed that BSI have not issued a certificate to ISO 45001. They have issued a letter of conformity only, and this does not breach accreditation requirements.

BTW, BSI is accredited by both UKAS and ANAB, so I’m not at all clear anymore which of the Accreditation Bodies should be working this issue. But UKAS jumped into the fray, so I am focusing on them. Still, ANAB has the same responsibility, and I have reached out to them for an answer.

Go back and notice two sentences from the UKAS statement. First, that “be aware that based on our understanding of the IAF Resolution … no unaccredited certificates to ISO 45001 may be issued.” Then, in the very next sentence, UKAS writes, “it has been agreed that UKAS accredited bodies may issue unaccredited certificates to ISO 45001.

That totally violates IAF Resolution 2015-14, which states:

The General Assembly, acting on the recommendation of the Technical Committee, resolved that IAF Accreditation Body members shall have legally enforceable arrangements with their accredited CABs that prevents the CAB from issuing non-accredited management systems certificates in scopes for which they are accredited. [Emphasis added].

UKAS then provides BSI a legal loophole saying they didn’t issue a “certificate” per se anyway, they issued a “letter of conformity.” And that language — “conformity” — matches what appeared on the bullshit announcement by Morgan Sindall.

That’s likely pertinent: technically, UKAS isn’t accredited to issue ISO 45001 yet, since everything they did prior was under BS OHSAS 18000, not 45001. So that means they can do whatever they want up until the point they get accredited. But the IAF and their customers, like BSI, are trying to have it both ways: they treat the move from OHSAS 18000 to ISO 45001 as a “transition” between like accreditations when it suits their purposes, then treat them as entirely separate accreditations when it doesn’t.

As if solely to protect BSI, UKAS issued a “Technical Bulletin” on this matter on March 19th, seven days after the press release by Morgan Sindall and the issuance of BSI’s dubious “letter of conformity”:

Click to enlarge

Remember, UKAS has only one job: to oversee the registrars’ compliance with accreditation standards. But because they are paid by the companies that they are tasked with overseeing, they can’t actually carry out that duty, and have to twist and turn to defend every violation by their paying CB clients, of which BSI is likely the largest. They also justify their position on a statement that no one can ever verify: that they based this on feedback from “various stakeholders and discussions at recent forums and events.

What stakeholders? What events? Where were these held? When? Dates, places? Nada. We are just supposed to trust UKAS on this.

Taken another angle, this just means that BSI just became the world’s largest issuer of unaccredited certificates, no matter what they call them. Which means — wait for it — that BSI is now the largest certificate mill in the world.

Ironically, UKAS and ANAB are helping blur the distinction between the certificate mills and the accredited registrars, making their end products nearly equally dubious and untrustworthy. And IAF proves again that all its doing is publishing “resolutions” that it has no power to enforce anyway.

And remember, Morgan Sindall is a construction firm. Scary.

UPDATE April 4 2018:

UKAS’ Jackie Burton has replied with the following:

The IAF resolution 2015-14 states the following:

The General Assembly, acting on the recommendation of the Technical Committee, resolved that IAF Accreditation Body members shall have legally enforceable arrangements with their accredited Conformity Assessment Bodies (CABs) that prevent the CAB from issuing non-accredited management systems certificates in scopes for which they are accredited.”

UKAS, following feedback from stakeholders has discussed the above resolution with its Peers at the European Co-operation for Accreditation (EA). During this discussion it was agreed that the above IAF resolution on non-accredited certificates cannot apply to brand new standards such as ISO 45001, this is because no one is currently accredited to certify against it.

On the basis of the above, UKAS issued an updated technical bulletin to confirm that unaccredited certificates to ISO 45001 may now be issued. Such a policy change by UKAS was in the interests of global harmonisation and is in line with the agreement/consensus reached with our Peers.

Once UKAS accredited certification bodies have been assessed and have been successfully accredited for this new standard they will not be permitted to issue unaccredited certificates as the IAF resolution will then apply.

Your recent emails to UKAS have indicated that any response provided on this matter may be placed in the public domain, we would ask that if you choose to place this response in the public domain you include our response in full.

My response to Ms. Burton was as follows:

The UKAS TB did not describe the situation as you did below, however. It made no mention of the fact that CBs can issue unaccredited certs for scope they are not yet accredited for. It instead said accredited CBs can issue unaccredited certs…period. It invites UKAS CB to become certificate mills, and gives the unaccredited mills a justification to exist.

Furthermore, it doesn’t explain how historically UKAS has looked the other way in cases where the CBs issued “immediate” certs for standards they WERE accredited for, such as the ISO 9001 certs that were issued within minutes of the new standard’s publication, or the similar cases for ISO 14001.

Next, it appears IAF/UKAS want to have it both ways: they treat ISO 45001 as an “upgrade” standard by allowing companies to undergo 18000>45001 “migration” audits per IAF MD 21, allowing the new certs to be issued during “routine surveillance.” But then IAF/UKAS treat it as a “new” standard to justify allowing CBs to issue unaccredited certs.  This contradiction further cripples the image of the scheme as being trustworthy, and makes it clear the rules can be bent to the will of the CBs, to ensure the flow of revenue upwards.

Finally, it matters not at all how much “stakeholder feedback” UKAS, IAF or EA get, stakeholders cannot trump official, published rules. If stakeholders are allowed to dictate the rules, then there’s really no reason to have a UKAS or IAF at all. You are inviting anarchy.

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.