Step 1: Learn about and understand the Standard
If you want to manage health and safety in your organization well, you will need a systematic framework to start with. The ISO 45001 Standard, Occupational health and safety management systems – Requirements with guidance for use, is an ISO international standard providing such a framework. It helps any type of organization to prevent work related deaths, injuries and illnesses, to meet legal requirements, and to systematically improve safety performance, and to reach the set OH&S objectives. Although an independent audit by a certification body of your safety management system against the ISO 45001 standard is not obligatory, it is the only way to ensure Certification. Alternatively, one can choose for Self-Declaration of Conformance, to avoid the associated costs of Certification . Business partners may require or prefer suppliers and contractors which hold an ISO 45001 compliant OH&S certificate.
ISO 45001:2018 replaces the British Standards Institution’s OHSAS 18001, which will be withdrawn at the end of the three years transition period on March 12, 2021. There is little time left for transition to ISO 45001 for organizations which are certified according to OHSAS 18001, although an extension of 6 months has been granted due to the challenges posed by COVID-19.
The standard uses the same High Level Structure as the quality management standard ISO 9001:2015 and the environmental standard ISO 14001:2015, as defined in Annex L, former Annex SL. The High Level Structure starts with three introductory information Clauses, followed by seven Clauses based on the Plan – Do – Check – Act cycle.
Clause 1: Scope
Clause 2: References (to associated guidelines, none)
Clause 3: Terms and definitions
Clause 4: Context of the organization
Clause 5: Leadership and worker participation
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement
The PDCA cycle ensures continual improvement of the management system.
How does the new ISO 45001 differ from OHSAS 18001?
ISO 45001 focuses on processes, the whole organization and different stakeholders as well as emphasis in both risks and opportunities. OHSAS 18001 is procedure-based, did not consider interested parties outside the own organization, and deals exclusively with risk.
Interaction with the outside world
The ISO 45001 standard contains a new requirement: the context of the organization (Clause 4) needs to be determined. The context of the organization means the issues that are relevant for the organizations purpose and which have a positive or negative impact on the intended results of OH&S management system. Examples of issues are the legal, political or competitive environment, changes in this environment, as well as suppliers, partners, new technologies or resources. Not on only the needs and expectations of workers but also the requirements of other interested parties (such as clients, shareholders, suppliers, people affected by the organizations activities) shall be determined. Needs and expectations could become in the future legal requirements. Together with work related activities, products and services, the issues and requirements determine the scope of the OH&S management system. This scope shall be documented. In practice the ISO 45001 standard requires the organization to review its interaction with the outside world and the future, while OHSAS 18001 focused more on the own organization, its own site(s) and people present there, and current legal requirements.
While OHSAS 18001 focused in practice on the own employees, contractors, and visitors at the organization’s workplace, ISO 45001 includes workers of external providers, contractors, individuals, agency workers, and other persons to the extent the organization shares control over their work or work-related activities (Clause 3.3). Contractors, hired personnel and even suppliers shall be included in the safety management as part of the scope. Top management is also included as workers. OHSAS 18001 required only to inform the employees about the organizations safety policy, legal and other safety requirements, consequences and their own role, while ISO 45001 requires consultation and participation of non-managerial workers. It requires to take in to account their needs and expectations. ISO 45001 specifies in detail where consultation and participation of workers is required: see clause 5.4. of the standard.
OHSAS 18001 only covers negative risks (risk in OHSAS 18001 defined as the combination of probability and consequences of a hazardous event), while ISO 45001 defines risk as the effect of uncertainty, and effect, which can be both positive and negative. That’s why ISO 45001 introduces the term occupational health and safety opportunity, circumstances that can lead to improvement of the occupational health and safety performance.
Outside the scope
ISO 45001, alike OHSAS 18001, does not include product safety, property damage or environmental impact beyond the risks to workers and other relevant interested parties. The focus in ISO 45001 remains on occupational risks and opportunities. See clause 1 of the standard.
Some new or considerably modified clauses in ISO 45001 compared to OHSAS 18001
Clause 4: The context of the organization
Clause 4.1: Understanding the organization and its context
One first need to identify all relevant internal and external issues that influences the organizations ability to achieve it intended performance of its OH&S management system. See Annex A.4.1 for a large list of examples. There are several methods to identify those, such as a SWOT analysis (SWOT: Strengths, Weaknesses, Opportunities and Threats), or a PESTLE analysis (PESTLE: Political, Economic, Social, Technological, Legal, and Environmental), using e.g. workshops.
Clause 4.2: Needs and expectations of workers and other interested parties
The organization shall identify in addition to the workers, the other interested parties relevant for the organization’s OH&S management system. Interested parties are persons or organizations that can affect, be affected by, or even perceive itself to be affected by a decision or activity (Clause 3.2). Then, the needs and expectations, of the workers and those parties as well as the existing or potential future legal requirements related to those needs and expectations need to be identified. This results in a set of requirements.
Clause 4.3: The scope of the OH&S management system
The third thing required is documentation of the products, services and work-related activities (operations) that can impact the organization’s OH&S performance. Based on the issues, requirements, and operations, the actual scope of the OH&S management system shall be documented. The scope shall be factual and representative for the organization.
Clauses 5.1, 5.2 and 5.3: Leadership
The top management leadership and commitment to the OH&S management is still more emphasized in the new ISO 45001 standard compared to the OHSAS 18001 standard. A list of duties for the top management can be found in clause 5.1, and can be summarized as follows:
- Accept responsibility and accountability for providing safe and healthy workplaces and prevention of work-related injury and ill health
- Establish an OH&S policy (see Clause 5.2) and related OH&S objectives in line with the organization’s strategy and the standards requirements
- Ensure that the OH&S management system achieves its objectives.
- Promote continual improvement (PDCA cycle).
- Integrate the OH&S management system into the organization’s business processes
- Make sure that competent resources are available to develop and maintain the OH&S management system. Assign responsibility for ensuring that the OH&S management system conforms the standard, and that the performance of the OH&S management system is reported to the top management (see Clause 5.3)
- Support managers in demonstrating leadership.
- Build an organizational culture that supports the OH&S policy and objectives.
- Protect workers from retaliation when reporting incidents and hazards
- Communicate to the workers and other interested parties of the importance of effective OH&S management and following the OH&S management system requirements.
- Ensure processes for consultation and participation of workers, and functioning health and safety committees.
The top management shall be able to provide proof that these duties are fulfilled, by providing documentation.
Clause 5.4: Consultation and participation of workers
A culture of open communication shall be created by the top management and supported by the middle and lower management. A combination of leadership training, existing and new processes and tools, and removal of barriers to participation help the people in the organization to achieve an open and secure safety culture, where workers can express their views freely, and their input is appreciated. Timely and easy access to clear, understandable information about the OH&S management system shall be guaranteed.
This clause sets out a separate list where consultation of non-managerial workers, and where participation of workers is required. Basically, items where workers might have specific knowledge or experience, of which directly affects the workers require participation of non-managerial workers, such as identification of hazards, investigating incidents, determining control measures, or determining their training needs. Management system level items, such as the needs and expectations of interested parties, the OH&S policy, organizational roles, etc. (see Clause 5.4) require consultation of non-managerial workers.
Clause 6.1: Actions to address risks and opportunities
The risks and opportunities that need to be addressed are based on the scope (clause 4.3), requirements (clause 4.2), issues (clause 4.1), the legal and other requirements (6.1.3) and opportunities for eliminating hazards or reducing risks (22.214.171.124).
Hazards shall be identified (126.96.36.199), and risks shall be accessed (188.8.131.52). The standard requires an ongoing and pro-active process for hazard identification shall be maintained, and defines which processes shall be taken into account, however, expects the organization to ensure that the process is comprehensive, and leaves it to the organization which method for hazard and opportunity identification is used. Often, a group session (typically 2 – 6 persons) including workers and managers representing the relevant disciplines, and a safety professional, using together a documented hazard identification method (e.g. software tools), typically a combination of sufficiently comprehensive checklists or keywords and brainstorming while focusing on a subset based on the risks and opportunities that need to be addressed is a good approach. An open mind at this stage is important.
Risk assessment and evaluation requires analytical thinking, a different mindset than the open mind / brainstorming approach. One could therefore consider the working group to do the risk assessment separate from the hazard identification. The risk assessment shall be done systematically. It shall be based on an organization specific predefined risk classification methodology(ies) and criteria (see 184.108.40.206). Typically, a risk matrix with severity and probability is used.
It is always preferred to reduce the severity of a hazard, by applying inherent safety rules; these can be also OH&S opportunities. Use the hierarchy of controls:
- elimination of the hazard (Trevor Kletz, 1978: what you don’t have, can’t leak).
- substitution of the hazard for a less hazardous one, in other words, reduce the hazard by applying inherent safety:
- reducing amount of hazardous materials (minimize),
- use less hazardous materials or processes (substitute),
- use less hazardous conditions and reduce consequences by smart lay-out (moderate),
- simply the work process or material flow (simplify) and
- allow the design to handle upsets without damage (error tolerance). For example, using stronger parts, closing in the hazardous process and adding secondary containment, install automatic sprinklers, explosion panels, etc.
- use engineering controls
- adding instrumentation and controls (probability reduction)
- adding detectors, alarms, automatic safety systems, sprinklers, etc. (probability reduction)
- ensure emergency preparedness for identified hazards such as loss of containment, fires and explosions, for example presence of firefighting equipment, fire detection and alarm, and training of personnel.
- use sprinklers, detectors and alarms, fire water monitors etc. (active protection, consequence limitation)
- use administrative controls
- procedures, checklists, including training, testing, maintenance and regular exercises
- use adequate PPE - personal protective equipment (separation)
Legal requirements and other requirements applicable to the organization’s hazards shall be followed. The order of actions considered shall be always as above: elimination, substitution, engineering controls, administrative controls. PPE is not the first solution, to consider managing a hazard, although it may be the only feasible solution.
It is advisable to keep the risk matrix as simple as possible, or define clearly in the method how to specify the severity and initial probability range relevant to the risk matrix, to avoid long discussions in which box of the risk matrix the current risk belongs and to ensure that the risk assessment result is independent of the team performing the risk assessment.
A simple 3 x 3 risk matrix suffices for occupational risk classification in many cases. The severity of an occupational hazard is dependent on the organization and the processes. Hazards with potentially permanent or serious consequences for employees can be classified as severe. Hazards potentially causing considerable harm, and sick leave for an employee are in this matrix classified as medium. Hazards causing temporary and minor discomfort or small injuries not requiring a MD’s treatment or sick leave can be classified as minor.
Instead of using absolute probabilities such as once per year, once in ten years, etc. one can use instead three levels of control on the other axis :
- hazard is sufficiently controlled / no problems have occurred
- control could be improved / problems have occurred
- severe problems controlling the hazard / problems occur often
to determine whether additional measures are required. For practical occupational hazards, evaluation based on this criterium is relatively simple.
The 3 x 3 risk matrix would look like this:
Preventive measures are necessary for the medium, major and unbearable risks in this risk matrix.
More complex risk matrices (such as 5 x 5 matrix with logarithmic probabilities) and risk assessments methods are used in high risk industries.
Clauses 8.3, 8.4 and 8.5: Procurement, contractors and outsourcing
ISO 45001 requires process(es) to control the procurement of products and services to ensure their conformity to the organization’s OH&S management system. Defined OH&S criteria shall be applied for the selection of the contractors. Contractor workers shall follow the organization’s OH&S management system requirements, and hazards and risks related to the contractor’s activities on the own organization and the organization’s activities on the contractor’s shall be assessed and controlled. Some means to do that are:
- ISO 45001 certification information of the contractor, or
- Self-Declaration of Conformance to ISO 45001 by the contractor, and / or
- OH&S audits and observations by the customer or a third party of the contractor, and
- clear requirements in request for quotation and the contract on OH&S requirements including reporting, rules and safety meetings, and
- safety co-ordination meetings and documentation before starting the job
The following documents and records are mandatory in ISO 45001
Make sure that the following documentation exists:
- Scope of the OH&S management system (clause 4.3)
- OH&S policy (clause 5.2)
- Responsibilities and authorities within OH&SMS (clause 5.3)
- OH&S process for addressing risks and opportunities (clause 6.1.1)
- Methodology and criteria for assessment of OH&S risks (clause 220.127.116.11)
- OH&S objectives and plans for achieving them (clause 6.2.2)
- Emergency preparedness and response process (clause 8.2)
- OH&S risks and opportunities and actions for addressing them (clause 6.1.1)
- Legal and other requirements (clause 6.1.3)
- Evidence of competence (clause 7.2)
- Evidence of communications (clause 7.4.1)
- Plans for responding to potential emergency situations (clause 8.2)
- Results on monitoring, measurements, analysis and performance evaluation (clause 9.1.1)
- Maintenance, calibration or verification of monitoring equipment (clause 9.1.1)
- Compliance evaluation results (clause 9.1.2)
- Internal audit program (clause 9.2.2)
- Internal audit report (clause 9.2.2)
- Results of management review (clause 9.3)
- Nature of incidents or non-conformities and any subsequent action taken (clause 10.2)
- Results of any action and corrective action, including their effectiveness (clause 10.2)
- Evidence of the results of continual improvement (clause 10.3)
Steps to become certified
How does my organization become certified for ISO 45001? Consider taking the following steps:
- Learn about the standard
- Set up a competent, eager and representative project team and engage the team. Ensure training of the project team and internal auditors. Involve line management and workers representative.
- Perform a gap analysis of the existing OH&S management system compared to the ISO 45001 requirements. Do this, by aligning all the existing OH&S management system elements against the ISO 45001 standard and determine where the gaps are. Even if your organization is not certified according to OHSAS 18001, the national occupational health and safety legislation in your country requires your organization to have already many elements in place.
- Decide on the project plan, including date of migration audit in co-operation with the project team and your certification body representative
- Close the gaps. Typically, the gaps are the abovementioned novel clauses in this new ISO 45001 standard. Assign responsibilities for closing the gaps, document the process, inform and train your organization on the new processes and follow-up on the progress. Ensure, that the modified processes are implemented.
- Perform an internal audit and close any non-conformities before the migration audit
- Arrange the migration audit and achieve certification
- Keep up a smaller team to maintain and improve the OHS management system, including representatives of line management, workers, and internal auditors
Support and software
Good management and development of occupational safety in the 2020s requires digital processes and tools. A functional and easy-to-use digital solution enables all employees to contribute to the safety of their own and their work environment. EcoOnline EHS software for managing occupational safety and health is designed specifically for these needs and is easy to implement with us. It helps to implement the ISO 45001 system, involve staff in its activities and take steps towards the next level of safety culture.
Want to hear more? Contact us to learn more about EcoOnline EHS.