Introduction to ISO 45001:2018 Occupational Health and Safety Management System Standard ISO 45001:2018, here on referred to as ISO 45001, is the world s first international standard dealing with health and safety at work. The new standard offers a single, clear framework for all organisations wishing to improve OH&S performance. The standard has been developed taking into account the requirements of (BS) OHSAS 18001, the International Labour Organisation's (ILO)-OSH Guidelines, various national standards and the ILO's international labour standards and conventions. Starting at the top management of an organisation, the standard aims to provide a safe and healthy workplace for employees and visitors. To achieve this, it is crucial to control all factors that might result in illness, injury, and in extreme cases death. While ISO 45001 draws on (BS) OHSAS 18001, the former benchmark for OH&S, it is a new and distinct standard, not a revision or update. Organisations will therefore need to revise their current thinking and work practices in order to maintain compliance. The ISO 45001 publication date (12 March 2018) marks the start of the three year migration* period which ends in March 2021. Organisations certified to (BS) OHSAS 18001 will need to achieve migration to ISO 45001 from (BS) OHSAS 18001 during this period. * Note: ISO 9001:2015 and ISO 14001:2015 required a transition period for certification bodies and their registered clients because previous versions of both standards existed. ISO 45001 is a new standard not a revision or update and as such has been described as a migration process rather than transition. Page 1 of 7
Structure of ISO 45001:2018 ISO 45001 follows the Annex SL framework and high level structure found in the revised ISO 9001, ISO 14001, and ISO 27001 standards. This means that organisations with multiple management systems who wish to integrate or align them, should find this to be an easier task. Clauses 1 to 3 of the standard set out its scope of application, normative references and terms and definitions. Clauses 4 to 10 contain the requirements to be met during implementation. Clause 4 sets the context for the OHSMS (internal and external issues and requirements of interested parties). Clause 5 defines the leadership requirements which drives the plan, do, check, act (PDCA) cycle embodied in the framework of the standard. Clauses 6 to 10 follow the PDCA cycle as follows: Plan clause 6 (Planning) Do clause 7 (Support) and clause 8 (Operation) Check clause 9 (Performance evaluation) Act clause 10 (Improvement). In addition to the ten high level clauses, the standard contains an annex that provides useful guidance which elaborates on the intent of the requirements of the standard. OH&S-specific requirements The main OH&S specific requirements seen in ISO 45001 (in addition to the generic Annex SL requirements) are related to: Participation and consultation of workers Identification of applicable legislation and regular verification of compliance Identification and evaluation of OH&S hazards Internal and external communication Operational control of hazards and management of change Control of outsourcing, procurement and contractors Emergency preparedness and response Continual improvement of the organisation s OH&S performance. Most of the above elements were part of (BS) OHSAS 18001. In ISO 45001 they have been revised and upgraded to fit into a more strategically position within an organisations management system. Page 2 of 7
Key Differences between (BS) OHSAS 18001 and ISO 45001 There are many differences between (BS) OHSAS 18001 and ISO 45001, but the key message is that ISO 45001 concentrates on the interaction between an organisation and its business environment while (BS) OHSAS 18001 was focused on managing OH&S hazards and other internal issues only. The standards also diverge in other ways including: ISO 45001 is process-based (BS) OHSAS 18001 is procedure-based ISO 45001 is dynamic in all clauses (BS) OHSAS 18001 is not ISO 45001 considers both risk and opportunities (BS) OHSAS 18001 deals exclusively with risk ISO 45001 includes the views of interested parties (BS) OHSAS 18001 does not. These points represent a significant shift in the way health and safety management is perceived. OH&S is no longer treated as a silo part of an organisation, but must be viewed within the perspective of running a sound and sustainable organisation. Although the two standards differ in their approach, organisations that have established a management system in accordance with (BS) OHSAS 18001 will find the existing system a solid platform for migrating to ISO 45001. Overview of New Requirements and Concepts found in ISO 45001 Context of the Organisation and Scope of the OHSMS Clauses 4.1 and 4.2 relate to the context of the organisation and the need to identify any external and internal issues that may affect the OHSMS ability to deliver its intended results. Organisations are required to identify any external and internal issues that may affect the ability of their OHSMS to deliver its intended outcomes. These outcomes are the continual improvement of OH&S performance, fulfilment of legal and other requirements, and achievement of OH&S objectives. The risks identified in clauses 4.1. and 4.2 need to be considered and addressed in clause 6. Many organisations will have tackled or will be tackling the issue of context and interested party issues as part of the ISO 9001:2015 / ISO 14001:2015 transition process therefore the existing processes and methods used should be helpful when implementing ISO 45001. Organisations are also required to determine the relevant needs and expectations of the relevant interested parties i.e. those individuals and organisations that can affect, be affected by, or perceive themselves to be affected by, organisation s decisions or activities. Obviously, workers are the key interested party. Clause 4.3 requires organisations to define the scope of the OHSMS, which sets the boundaries, functions and the activities, products and services within the organisations control or influence that can have an impact on its OH&S performance. The boundaries for the scope of the system are determined by the organisation s context, recognising that it is not acceptable for organisations to subcontract risk without exercising a duty of care. Page 3 of 7
Leadership and Worker Participation Clause 5 requires top management to demonstrate that they engage in key OHSMS activities, as opposed to simply ensuring that these activities occur. This means that there is a need for top management to be seen by all workers as actively involved in the operation of the OHSMS and be accountable for its results. Top management are required to develop, lead and promote a culture of safety at work, and protect workers from reprisals when reporting incidents. While there is no requirement in ISO 45001 for a management representative, this does not prevent organisations from choosing to retain this role. It should be noted that some of the responsibilities traditionally assigned to the management representative by top management will now need to be undertaken directly by top management themselves. As workers are the key interested party, they will need to be fully engaged by the OHSMS. Unlike other standards ISO 45001 requires organisations to establish, implement and maintain processes for consultation and participation of workers (and where they exist, workers representatives) at all applicable levels and functions in the development, planning, implementation, performance evaluation and actions for improvement of the OHSMS. Everyone is classed as a worker. That includes top management and contractors. All are subject to risk when undertaking their day-to-day activities, and it is not acceptable to use external resources without ensuring that the requirements of the OHSMS are met by contractors and their workers. Risk Based Thinking Clause 6 requires organisations to demonstrate that they have determined, considered and, where deemed necessary, taken action to address any risks and opportunities that may affect (either positively or negatively) the ability of their OHSMS to deliver its intended outcomes. These risks can be categorised at two levels: A. Policy level, usually managed by the top management and related to the organisation s strategic planning and views, and B. Operational level, which are those directly related to the workers operational health and safety, and already addressed by (BS) OHSAS 18001. Clause 6 also requires the organisation to identify hazards (sources of potential to cause injury or ill health) associated with its operational processes throughout the organisation. While identifying hazards organisations should take into account the definition of workplace in that it is not limited to the site where organisations perform their activities. Workplace also covers any place under the full or partial control of the organisation where workers need to be present or go for work purposes. Finally clause 6 also requires that organisations have a process to determine and have access to legal and other requirements applicable to the OHSMS and to determine how these requirements apply within the OHSMS. While references to preventive action no longer exist, the core concept of identifying and addressing potential sources of harm very much remains. Page 4 of 7
Communication Clause 7 now requires that organisations develop and implement a process to determine those matters relating to the management system on which it wishes to communicate, when it will communicate, the target audience and the method of delivery. Organisations need to take into account the legal and other requirements which may affect communication needs. The communication needs to ensure that: The communication is reliable and consistent with the information generated by the OHSMS All communications received are responded to and Documented information is retained as evidence of communications as appropriate. Operations Clause 8 requires organisations to operate safe processes by: a) Managing temporary and permanent changes under controlled condition b) Ensuring that outsourced processes are controlled c) Controlling the procurement of products and services, and d) Ensuring that contractors and their workers meet the requirements of the OHSMS. It is important to note that in ISO 45001 outsourcing refers to the employment of an external organisation to perform one or more processes in the OHSMS. This includes system processes as well as operational processes. In this case the responsibility for conforming to the requirements of the standard is retained by the organisation, because the outsourced process remains part of the organisations OHSMS including the necessary controls exerted on the outsourced process for OH&S purposes. The standard also requires organisations to establish, implement and maintain processes to prepare for emergency situations and to respond if they occur, including the provision of first aid. Organisations have to ensure that emergency plans are ready to be initiated and that they have the capability to respond effectively to emergency situations. In order to achieve this the planned response actions need to be tested, reviewed and revised if necessary. Improvement Improving the organisation s OH&S performance and the OHSMS (as two separate issues) was already required by (BS) OHSAS 18001. In ISO 45001, those requirements are stressed in several clauses in the standard as one of the expected outcomes of the OHSMS. Page 5 of 7
Documented Information As per clause 7.5 references to requirements for documents and records have been replaced by the term documented information, which has to be maintained in the case of documents and retained in the case of records. Control of documented information continues to be a requirement (clause 7.5.3). Organisations are required to maintain and/or retain the following in order to be compliant with ISO 45001: Scope of the OHSMS (clause 4.3) OH&S Policy (clause 5.2) Roles and responsibilities (clause 5.3) OH&S risks and OH&S opportunities (clause 6.1.1) Processes needed to address risks and opportunities (clause 6.1.1) Methodology and criteria for assessment of OH&S risks (clause 6.1.2) Applicable legal and other requirements (clause 6.1.3) OH&S objectives and plans (clause 6.2.2) Records of training, skills, experience and qualifications (evidence of competence) (clause 7.2) Communication (clause 7.4) Operational controls (clause 8.1.1) Emergency preparedness and response process (clause 8.6) Monitoring and measurement results (clause 9.1) Calibration and verification of monitoring and measuring equipment (clause 9.1) Evaluation of compliance obligations (clause 9.1.2) Internal audit program (clause 9.2.2) Results of internal audits (clause 9.2.2) Results of the management review (clause 9.3) Incidents and nonconformities (clause 10.1) Results of corrective actions (clause 10.1) Exova BM TRADA Training and Support It is important that personnel within each organisation, particularly internal auditors understand the new standard requirements. Exova BM TRADA has a number of training offerings available to assist in training personnel to understand the requirements of ISO 45001 in greater detail. Details of the available training courses are as follows: CQI IRCA ISO 45001 Auditor Migration Course One Day 395 + VAT This workshop is aimed at existing BS (BS) OHSAS 18001: 2007 auditors and internal auditors who require migration of their skills to the new ISO 45001 standard. The workshop adopts a modular approach and incorporates a selfmanaged e-learning module and a classroom module which combines presentations and syndicate work. Page 6 of 7
ISO 45001 Awareness Workshop Half Day 195 + VAT This half day workshop is aimed at those who are directly involved in the planning, implementation or maintenance of an occupational health and safety management system and have knowledge of the current framework. The workshop will explore why the standard has been changed, identify the major and minor changes to requirements and discuss the migration critical path. Support documentation will be provided. All workshops will run from 10am 1pm followed by a networking lunch. Further information on the above training courses, including dates and locations can be found on our website. If you would like to book on one of the above courses or wish to discuss in-house training options please use our booking form or contact us via: Tel: 01494 569 841 Email: anne.seymour-durkin@exova.com ISO 45001 Further Reading This document was written sourcing information from ISO 45002-0:2018 - General Guidelines for the application of ISO 45001 and the Chartered Quality Institute (CQI) report titled ISO 45001:2018 Understanding the International Standard. As further reading both BS 45002-0:2018 and the CQI report ISO 45001:2018 Understanding the International Standard are both highly recommended. The Chartered Quality Institute (CQI) ISO 45001 report was written with input from ISO / PC 283 (the committee that developed ISO 45001) and: Provides a short overview of the standard, its application and how it compares with (BS) OHSAS 18001 Examines in detail, the content of ISO 45001, translating each clause into plain English and considers the implications from the perspective of those entrusted with overseeing the operation of OHSMS Summarises the benefits all interested parties will obtain from the application of ISO 45001. The Chartered Quality Institute (CQI) ISO 45001 report can be purchased from the CQI website by clicking here. BS 45002-0:2018 General Guidelines for the application of ISO 45001:2018 document can be purchased from the BSi website by clicking here Page 7 of 7