How to Become ISO 45001 Certified

Clause 6.1: Actions to address risks and opportunities

Picking up right where we left off, it’s time to discuss Clause 6. The risks and opportunities addressed at this stage are based on the scope (clause 4.3), requirements (clause 4.2), issues (clause 4.1), legal, and other requirements (6.1.3), as well as opportunities for eliminating hazards or reducing risks (6.1.2.3).  

Hazards must be identified (6.1.2.1), and risks must be assessed (6.1.2.2). This standard requires an ongoing and pro-active process for hazard identification, which must be maintained and define which processes will be taken into account.  

Typically, a group session (2 – 6 people) includes workers and managers representing the relevant disciplines as well as a safety professional. During the session, they will use a documented hazard identification method (e.g. software tools). A good approach to take is a combination of comprehensive checklists or keywords, in addition to focusing on a subset based on the risks and opportunities that need to be addressed. 

Remember: an open mind during this time is very important.  

A risk assessment must be done systematically at this point and should be based on your organisation’s specific risk classification methodologies and criteria (see 6.1.2.2). Usually, a risk matrix with severity and probability is used.  

It’s always preferred to reduce the severity of a hazard, by applying inherent safety rules; these can also be OH&S opportunities. You can use the following hierarchy of controls:    

• Elimination of the hazard (Trevor Kletz, 1978: What You Don't Manage Will Leak).  
• Substitution of the hazard for a less hazardous one. In other words, reduce the hazard by applying inherent safety:   

• reducing the number of hazardous materials (minimise) 
• use less hazardous materials or processes (substitute) 
• use less hazardous conditions and reduce consequences with a smart lay-out (moderate) 
• simplify the work process or material flow (simplify) and  
• allow the design to handle upsets without damage (error tolerance). For example, using stronger parts, closing in the hazardous process and adding secondary containment, installing automatic sprinklers, explosion panels, etc.  

• Use Engineering Controls  

• adding instrumentation and controls (probability reduction)  
• adding detectors, alarms, automatic safety systems, sprinklers, etc. (probability reduction)  
• ensure emergency preparedness for identified hazards such as loss of containment, fires and explosions. For example, the presence of firefighting equipment, fire detection and alarm, and training of personnel.  
• use sprinklers, detectors and alarms, fire water monitors etc. (active protection, consequence limitation)  

• Use Administrative Controls  

• procedures, checklists, including training, testing, maintenance and regular exercises  
• use adequate PPE - personal protective equipment (separation)  

Legal requirements and other requirements applicable to the organisation’s hazards must be followed. The order of actions considered must always be outlined as seen above: elimination, substitution, engineering controls, and administrative controls.

Keep in mind: PPE is not the first solution to mitigating a hazard, although in some cases, it may be the only feasible solution.  

Risk Matrix

Keep the risk matrix as simple as possible... This will help avoid long discussions about how each risk should be categorised. It also ensures the results of your risk assessment are independent of the team conducting them. A simple 3 x 3 risk matrix should suffice for occupational risk classification in many cases.  

The severity of an occupational hazard is dependent on the organisation and processes.  You can think of the classification like this:  

• Hazards with potentially permanent or serious consequences for employees can be classified as severe.  
• Hazards potentially causing considerable harm, and sick leave for an employee are classified as medium.  
• Hazards causing temporary and minor discomfort or small injuries not requiring medical treatment or sick leave, can be classified as minor.  

Instead of using absolute probabilities such as once per year, once every ten years, etc. you can use three levels of control on the other axis[1]:  

1. Hazard is sufficiently controlled / no problems have occurred 
2. Control could be improved / problems have occurred 
3. Severe problems controlling the hazard / problems occur often  

This will determine whether additional measures are required. It’s relatively simple to evaluate practical occupational hazards based on these criteria.   

The 3 x 3 risk matrix looks like this: 

Preventive measures are necessary for the medium, major and unbearable risks in this risk matrix. 

More complex risk matrices (such as 5 x 5 matrix with logarithmic probabilities) and risk assessments methods are used in high-risk industries. 

Clauses 8.3, 8.4 and 8.5: Procurement, contractors and outsourcing

ISO 45001 requires certain process(es) to control the procurement of products and services to ensure they align with your organisation’s OH&S management system. For instance, defined OH&S criteria must be applied for the selection of contractors.  

It’s important that contractors follow your organisation’s OH&S management system requirements, hazards, and risks related to their job tasks. This way processes are standardised across the workforce and consistent methods are used by all.  

Contractor activities must also be assessed and controlled. Consider the following ways you can do this: 

• ISO 45001 certification information of the contractor, or  
• Self-Declaration of Conformance to ISO 45001 by the contractor, and / or  
• OH&S audits and observations by the customer or a third party of the contractor, and  
• Clear requirements in request for quotation and the contract on OH&S requirements including reporting, rules and safety meetings, and  
• Safety coordination meetings and documentation before starting the job  

The following documents and records are mandatory in ISO 45001

Make sure that the following documentation exists during your ISO 45001 audit:

Mandatory documents:

• Scope of the OH&S management system (clause 4.3)
• OH&S policy (clause 5.2)
• Responsibilities and authorities within OH&SMS (clause 5.3)
• OH&S process for addressing risks and opportunities (clause 6.1.1)
• Methodology and criteria for assessment of OH&S risks (clause 6.1.2.2)
• OH&S objectives and plans for achieving them (clause 6.2.2)
• Emergency preparedness and response process (clause 8.2)

Mandatory records:

• OH&S risks and opportunities and actions for addressing them (clause 6.1.1)
• Legal and other requirements (clause 6.1.3)
• Evidence of competence (clause 7.2)
• Evidence of communications (clause 7.4.1)
• Plans for responding to potential emergency situations (clause 8.2)
• Results on monitoring, measurements, analysis and performance evaluation (clause 9.1.1)
• Maintenance, calibration or verification of monitoring equipment (clause 9.1.1)
• Compliance evaluation results (clause 9.1.2)
• Internal audit program (clause 9.2.2)
• Internal audit report (clause 9.2.2)
• Results of management review (clause 9.3)
• Nature of incidents or non-conformities and any subsequent action taken (clause 10.2)
• Results of any action and corrective action, including their effectiveness (clause 10.2)
• Evidence of the results of continual improvement (clause 10.3)

Between part 1 and part 2 of this blog series, we know there’s a lot of information to consume.

8 Steps to Become ISO Certified

Now that you’ve understood all the requirements, it’s time to consider how your organisation can become certified for ISO 45001.  We suggest taking the following steps: 

1. Learn about the standard. 
2. Set up a competent, eager and representative team who are engaged. Remember to involve line management and worker representatives. 
3. Perform a gap analysis of the existing OH&S management system compared to the ISO 45001 requirements. Do this by aligning all the existing OH&S management system elements against the ISO 45001 standard and determine where your gaps are. Even if your organisation is not certified according to OHSAS 18001, the national occupational health and safety legislation in your country requires your organisation to have many elements in place already. 
4. Decide on the project plan, including date of migration audit in cooperation with the project team and your certification body representative. 
5. Close the gaps. Typically, the gaps are the novel clauses mentioned above in this new ISO 45001 standard. Assign responsibilities for closing the gaps, document the process, inform and train your employees on the new processes, and follow-up on the progress. Ensure that the modified processes are implemented. 
6. Perform an internal audit and close any non-conformities before the migration audit.
7. Arrange the migration audit and achieve certification. 
8. Keep up a smaller team to maintain and improve your OHS management system, including line management, workers, and internal auditors.   

Ready to pursue your ISO 45001 certification? Access our ISO 45001 infographic below to make sure you haven't missed any vital elements!