ISO 45001 – risks and opportunities for safe operations

Author : David Goodfellow, TÜV SÜD

16 May 2023

‘ISO 45001 - occupational health and safety (OH&S) management systems’ is an international standard that specifies requirements for an OH&S management system. The standard is intended to help organisations across the world to develop a framework that improves safety, reduces workplace risks and creates safer working conditions. After 31 March 2021, it replaced OHSAS 18001 which was the primary OH&S standard used internationally and by over 100,000 organisations worldwide.

Image: Shutterstock

(Click here to view article in digital edition)

To survive in today’s competitive global marketplace, organisations must proactively manage all types of risk to the business, and OH&S is no exception. The consequences of poor OH&S management are far-reaching, resulting in loss of experienced people, extended absences, business interruption, legal action and rising insurance premiums. The physical and mental integrity of an organisation’s workers are therefore central to its reputation and commercial performance.

Furthermore, all organisations have both a moral and legal responsibility to ensure the health of their employees by providing them with a safe working environment. This includes either minimising their exposure to hazards or equipping them with the appropriate understanding and tools to mitigate risk. Developing a robust OH&S management system should therefore be viewed as an opportunity, rather than a financial and administrative inconvenience.

A new OH&S approach

ISO 45001 is the first international standard to provide a comprehensive framework for management systems addressing OH&S issues. The standard sets out the requirements for an OH&S management system and includes an implementation guide. This enables organisations to proactively improve OH&S performance, as well as provide a safe and healthy working environment that prevents work-related injury and ill health. By providing a comprehensive management system targeted at mitigating negative effects of the physical, mental and cognitive condition of employees, contracted employees, leased personnel and visitors, ISO 45001 also assists an organisation to fulfil its legal requirements.

ISO 45001 is designed to place a proactive and preventative emphasis on risk control factors, by identifying and assessing the likelihood of hazards in the workplace. It can be implemented by any size of organisation in any industry and can be integrated into other health and safety programmes. ISO 45001 certification formalises and documents a comprehensive and effectively implemented system, to prove that an organisation has taken appropriate measures to mitigate hazardous situations.

High level structure

ISO 45001 uses the ‘high level structure’ (HLS), so that it has a common framework with other management systems, such as ISO 9001 and ISO 14001, and can be integrated with other management systems already in operation. This makes it easier for organisations to pool their certifications within an integrated management system, delivering significant cost savings as it improves application, simplifies implementation and eliminates duplication.

Organisations will therefore find it much easier to incorporate their OH&S management system into core processes, support processes and management processes, while encouraging senior management to become more involved.

The Plan-Do-Check-Act (PDCA) cycle is outlined in ISO 45001 and will help organisations to continually improve performance, as it can be applied to individual processes and to the OH&S management system as a whole:

Plan:

Image: TÜV SÜD

- Determine and assess OH&S risks and opportunities, alongside other risks and opportunities

- Establish OH&S objectives and processes that support the organisation’s OH&S policy

Do:

- Implement the relevant OH&S processes as planned

- Eliminate hazards and reduce OH&S risks

- Prepare for and respond to potential emergency situations

Check:

- Monitor and measure activities and processes against the OH&S policy and report the results

- Evaluate compliance

- Review the organisation’s OH&S management system

Act:

- Take actions to continually improve the OH&S performance to achieve the intended outcomes

- Report, investigate and take action to determine and manage incidents and nonconformities

Requirements

ISO 45001 requirements are described in sections 4 – 10.

Image: TÜV SÜD

Clause 4 – Context of the organisation

ISO 45001 requires the organisation to identify the external and internal issues that will have an impact on the intended outcomes of the OH&S management system. This includes understanding the needs and expectations of both workers and other interested parties. The term ‘workers’ means personnel performing work or work-related activities that are under the control of the organisation – not just employees. At this stage, the scope of the OH&S management system must be agreed so that its boundaries are clear in terms of how far the system will apply, for example if it is part of a larger parent organisation.

Clause 5 - Leadership and worker participation

This relates to the involvement of top management and how they must demonstrate leadership and commitment to the organisation’s OH&S management system. It lists 13 specific requirements, including having overall accountability for the protection of workers, and spearheading a culture that supports the OH&S management system, which in itself must be compatible with the strategic direction of the organisation. A key requirement for an organisation is to establish, implement and maintain an OH&S policy. The consultation and participation of workers is also required.

Clause 6 – Planning

The first part of Clause 6 covers action that should be taken to identify and address hazards, risks and opportunities. The second part looks more specifically at how planning should be implemented to accomplish OH&S objectives. Action must be planned to address risks and opportunities, legal and other requirements, as well as preparation and response to emergency situations.

Clause 7 – Support

The OH&S plan must be actioned by a competent person who is supported by the appropriate level of resource. There is also a requirement to retain evidence of workers’ competence in terms of how it could impact OH&S performance, while ensuring appropriate education and training, as well as raising awareness about OH&S issues.

A communication process must make workers aware of the OH&S policy and the hazards, alongside risks that relate to them. It must also have a process for communicating information relevant to the OH&S management system, both internally and externally. Documented evidence of these practices is also required, referred to as ‘documented information’.

Clause 8 – Operation

David Goodfellow, TÜV SÜD

This covers how plans and processes, outlined in the other clauses, should be executed. This includes processes that eliminate hazards and reduce OH&S risks using the standard’s “hierarchy of controls”. This clause also includes managing change, procurement processes and preparedness for responding to emergency situations. Procurement activities must cover the control of contractors, as well as outsourced processes and activities.

Clause 9 – Performance evaluation

To give an indication of how the OH&S management system is performing, organisations must ascertain what must be measured and monitored, by whom and with what frequency. Documented evidence must be retained, and top management is responsible for reviewing the organisation’s OH&S management system.

Clause 10 – Improvement

The organisation must identify opportunities for improvement. Emphasis is given to the reporting and investigating of incidents, accidents and nonconformities. ISO 45001 also contains detailed corrective action requirements. This includes taking action to correct incidents or nonconformities, and determining whether similar incidents or nonconformities have the potential to occur elsewhere in the organisation, as well as taking the appropriate corrective actions.

ISO 45001 vs OHSAS 18001

Although ISO 45001 is a completely new standard, its foundations already exist within OHSAS 18001. Companies that have already implemented an occupational health and safety management system in accordance with OHSAS 18001, and actively apply it in everyday company practice, can therefore expect a smooth transition to ISO 45001.

Nevertheless, there are some fundamental differences. While OHSAS 18001 focused on managing internal issues and OH&S hazards, ISO 45001 is based on the interaction between the organisation and its external business environment. Furthermore, ISO 45001 includes the consideration of opportunities, as opposed to the purely risk-based thinking of OHSAS 18001. On an overall level, the perception of OH&S has shifted from procedure-based to process-based thinking, thereby recognising workplace safety as a prerequisite for the long-term success of any organisation.

The success of an OH&S management system largely relies on the commitment of the organisation’s top management. Once an organisation has that, it is ready to start the ISO 45001 implementation process. Before a certification audit can take place, the organisation must have implemented and documented the effectiveness of the management system and compliance to the standard requirements. When the management system has matured sufficiently and its effect can be thoroughly proven, the certification process can be initiated.

About the author:

David Goodfellow, UK Business Assurance Manager at TÜV SÜD, a product testing and certification organisation. David has worked in the certification industry for many years and in 2022, achieved a distinction for Master of Business Administration at the University of Strathclyde Business School. One of his main areas of expertise is ISO Certification (including ISO 14001, ISO 45001 and ISO 90001 certification) and he is also heavily involved with audit services and audit training.