ISO 45001:2018 OH&S management system

Occupational Health and Safety Management System

The ISO 45001 standard provides a framework for managing the prevention of work-related injuries, ill health, and death. The intention of this international standard is to improve and provide a safe and healthy workplace for workers and other persons who may be interacting with the organization. This includes the development and implementation of an OH&S policy and objectives which take into account applicable legal requirements and other requirements to which the organization subscribes. Organizations worldwide recognize the need to provide a safe and healthy working environment, reduce the likelihood of accidents and demonstrate they are actively managing risks. ISO 45001, the international standard for occupational health and safety, will provide an internationally accepted framework that will help protect employees as well as the longevity and health of an organization. The standard is flexible and can be adapted to manage occupational health and safety in a wide range of organizations, including large organizations and enterprises, small and medium-sized enterprises, and public and not-for-profit organizations. Although organizations tend to use generic health and safety guidelines or national and consortia standards, none of these demonstrate global conformity. There was a worldwide need to harmonize health and safety management systems using an international standard and sharing best practices. This can be seen at local, national, regional, and global levels, applying to both developing and developed countries. With an international standard to refer to, together with the right infrastructure and training, organizations will be able to address these risks better in the future.

This standard does not state specific criteria for OH&S performance, nor does it provide a specific method for the design of the OH&S Management System. This International Standard is applicable to any organization that wishes to:

  • establish, implement and maintain an OH&S Management System to improve occupational health and safety, eliminate or minimize OH&S risks (including system deficiencies), take advantage of OH&S opportunities, and address OH&S Management System nonconformities associated with its activities;
  • continually improve its OH&S performance and achieve its OH&S objectives;
  • assure itself of the conformity to the OH&S policy;
  • demonstrate conformity with the requirements of this International Standard.

According to ISO 45001, the Occupational Health and Safety Management System is part of the organization’s overall management system used to achieve the OH&S policy. The intended outcomes of the OH&S Management System are to provide a safe and healthy workplace for all employees/workers. Consequently, effective OH&S management promotes business efficiency, reduces costs, and makes good business sense.
According to ISO 45001, a worker is defined as a person performing work or work-related activities under the control of the organization. For instance, individuals perform work or work-related activities under various arrangements: paid or unpaid, on a regular or temporary, intermittent or seasonal, casual or part-time basis. ISO 45001 is the first Occupational Health and Safety Management System standard to be fully compliant with the new guidelines of the Annex SL and to have a common content structure and terms and definitions to other management system standards. This means that ISO 45001 is fully aligned with all other management system (related) standards that have also adopted the Annex SL framework.
This international standard does not address issues such as product safety, property damage, or occupational health and safety impacts; it addresses the risk that the working environment and/or conditions pose to workers, visitors, vendors, and other relevant interested parties. ISO 45001 can be used entirely or partially to systematically improve the OH&S management system. However, claims of conformity to this standard are not acceptable unless all of the standard’s requirements, without exclusion, are incorporated into an organization’s OH&S Management System.


The world that we live in has experienced rapid changes in technology, competition, economy, education, and so on. It is constantly evolving and advancing, and so are human expectations and demands. In order to compete in a continuously changing world, organizations need to establish a variety of approaches to keep up with industry trends. Consequently, organizations have to adapt in order to succeed in these fast-paced and complex environments. These changes often involve multinational supply chains and those operations that organizations have outsourced. The differences between nations, organizations, and societies also form part of these complexities. Therefore, effective management is crucial and a high priority at board level.
For an organization, it is not sufficient to only be profitable; it is also important to have reliable systems of internal controls covering those risks related to occupational health and safety, the environment, and the reputation of the business. Each organization is responsible for the health and safety of its employees and others who may be affected by its activities. Organizations need to operate ethically, as well as comply with the respective laws in these matters.

Statistics published by the ILO (International Labour Organization) indicate that: “more than 2.78 million deaths occur annually due to occupational accidents or work-related diseases, in addition to 374 million non-fatal injuries and illnesses, many of which result in extended absences from work.” Seemingly, this enormous number of affected workers is of very high concern to organizations and society as a whole. These statistics are clear evidence that organizations around the world need to implement health and safety management systems. Likewise, the health and safety of workers are increasingly becoming a priority for most nations and societies.
Furthermore, according to certain estimates, over 40 million new jobs will be created annually by 2030, following the world’s population growth. Therefore, reducing the number of incidents that may result in high numbers of deaths (even by a small percentage) would be considered a great achievement. As a consequence, there will be a high demand for “best practice” standards to assist organizations with improvements in health and safety. These trends led to the need for the development of a recognized standard in all geographical areas, states, cultures, and jurisdictions, as a reference point for health and safety management, promoting better communication on common issues.
The ISO’s aspiration is that “the ISO name and the recognition will give further credibility to the new Standard and lead to even wider adoption of health and safety management systems in the workplace.” Correspondingly, following a standard for occupational health and safety will help organizations reduce accidents and occupational diseases, avoid costly prosecutions, reduce insurance costs, enhance the public image & business reputation, and establish a positive culture for the organization where all stakeholders see that their needs are taken into account. ISO 45001 is the new international standard for Occupational Health and Safety Management Systems published by the International Organization for Standardization (ISO). It is a voluntary standard that organizations can adopt to establish, implement, maintain and improve their Occupational Health and Safety Management Systems (OH&S MS).
ISO 45001 is an international standard for occupational health and safety (OH&S) that derives from OHSAS 18001. It provides a framework for managing the prevention of work-related injuries, ill health, and/or death, thereby providing a safe and healthy workplace. OHSAS 18001 required organizations, regardless of their size, type, and/or activities, to prevent injuries and deaths. ISO 45001 sets the background for continual improvement in health and safety management based on the following principles:

  • Provide safe and healthy working conditions to prevent work-related injury and ill health;
  • Satisfy applicable legal requirements and other requirements;
  • Control OH&S risks by using a hierarchy of controls;
  • Continually improve the OH&S management system to enhance the organization’s performance;
  • Ensure the participation of workers and other interested parties in the OH&S MS.

The new ISO 45001 standard brings real benefits to those who will use it. The standard is designed to be applicable to any organization, and its requirements are intended to be incorporated in any management system, regardless of the organization’s size or sector, whether it is a small business, large organization or even a non-profit organization, a charity, an academic institution or a governmental department. Having in place a systematic approach to manage health and safety will bring benefits to both the people and the organization. Ultimately, good health and safety is good business. The standard is also intended for organizations with small or low-risk operations, as well as for organizations with high-risk operations. This standard states that successful health and safety management depends on the following:

  • Leadership and commitment of top or senior management;
  • Promotion of a health and safety culture within the organization;
  • Participation of workers and/or other representatives in the OH&S Management System;
  • Identification of hazards and control of risks;
  • Allocation of the necessary resources;
  • Integration of the health and safety management system into appropriate processes;
  • Alignment of the health and safety policies with the strategic objectives of the organization;
  • Continuous evaluation and monitoring of the health and safety management system with regard to performance improvement.

Goals of ISO 45001 Standard

As with the other safety management consensus standards, the goals of ISO 45001 are to provide guidance for the development of a framework where injuries, property damage, and other loss causing incidents can be mitigated. The stated goals of ISO 45001 are:

  • Develop an OH&S policy
  • Have leadership demonstrate their commitment to safety
  • Establish systematic processes for safety management
  • Conduct hazard identification efforts
  • Create operational safety controls
  • Increase awareness and knowledge for employees about safety
  • Evaluate OH&S performance and develop plans to improve continuously
  • Establish the necessary competencies
  • Create and foster an OH&S culture within the organization
  • Ensure employees participate fully and meaningfully in the safety process
  • Meet all legal and regulatory requirements

ISO 45001 – The benefits

Similar to other management system standards, ISO 45001 emphasizes effectiveness, efficiency, and continual improvement. Organizations will have a wide range of benefits from using this standard, including:

  • Globalization: ISO 45001 puts your organization in an elite category of businesses, as it is an internationally recognized standard.
  • Improvement in business performance: The implementation of an Occupational Health and Safety Management System based on ISO 45001 reduces workplace illnesses and injuries, and, in turn, increases productivity.
  • Best practice creation: It provides consistency and establishes “best practices” for occupational health and safety throughout the organization.
  • Hazard & risk identification: Conducting risk assessments in a systematic manner improves the quality of the assessment.
  • Lower insurance premiums: Having a recognized system in place provides a basis for attracting lower insurance premiums.
  • Improvements in efficiency: The implementation of an OH&S Management System contributes to the reduction of accident rates, absenteeism levels, and downtime, all of which improve the efficiency levels of internal operations.
  • Establishment of a safe working environment: Promotes the safety of all persons being affected by the organization’s activities.
  • Monitoring & measurement: Promotes management oversight through the provision of key performance indicators (KPIs) in the measurement of the Occupational Health and Safety Management System performance levels.
  • Focus: A culture that focuses on the “prevention of problems” rather than on the “detection of problems” is much more effective and rewarding to employees.
  • Continual improvement: Encourages continual improvement, e.g. the adoption of the “zero accident” concept.


At the outset, ISO 45001 explains the founding principle of PLAN, DO, CHECK, ACT (PDCA). This principle is the methodology that guides the various performance aspects of the standard. PDCA is the idea of continual improvement that was made popular by W. Edwards Deming, often considered the father of modern quality control theory, and fosters the standard of detailed actions that provide a platform for continual improvement across the organization. This is a critical concept as it establishes the model for continual, as opposed to continuous, improvement. This concept of continual improvement is repeated throughout the standard. “Continual improvement” is an umbrella concept that incorporates elements of continuous improvement. The distinction between continual and continuous improvement is a fine but important one. Continual improvement is defined as “recurring activity to enhance performance”. Continual does not mean continuous, so the activity does not need to take place in all areas simultaneously. Continuous improvement is defined as “on-going and endless without interruption.” By their very nature, business activities often have numerous starts and stops. Business activities are best managed by regular and routine evaluations. Thus the concept of continual improvement is better suited to an organizational environment than the concept of continuous improvement.

Clause 1: Scope

ISO 45001 provides a set of requirements for an OH&S system that will assist an organization to foster an environment that is safe and healthy. The standard is applicable to any organization regardless of size, operations, objectives, and outcomes. It includes the development of an OH&S policy that meets best practices and legal requirements. The scope of ISO 45001 includes:

  1. Creation of an OH&S policy that reinforces the objectives of the organization while taking into account its internal and external contexts.
  2. Establishment, implementation, and maintenance of an OH&S management system.
  3. Continual improvement of OH&S performance.
  4. Assured conformity to the OH&S policy.
  5. Demonstration of compliance with this ISO Standard.

ISO 45001 does not provide specific criteria for OH&S performance. It does allow for the integration of other similar aspects of health and safety such as wellness, non-occupational health, and wellbeing. The scope does not include ideas of product safety, public safety, environmental protection, and quality. ISO 45001 can be used in part or in total to improve OH&S management systems; however, claims of conformity with ISO 45001 are only acceptable if the standard has been completely adopted without any exclusions.

Clause 3: Terms and Definitions

ISO 45001 contains a large “Terms and Definitions” glossary spanning seven pages that offers key descriptions and terminologies that organizations should consider adopting into their safety lexicon, especially those that are considering or are in the ISO 45001 compliance process. Standardization of this language will allow for a common understanding of actions, concepts, and outcomes throughout all business units, locations, facilities, and departments of the organization.

Clause 4: Context of the Organization

Clause 4 of ISO 45001 provides a definition of the context of the organization and explains how this context must be used to understand organizational objectives. The context of the organization is the key consideration to be taken when developing and implementing the OH&S mission statement, OH&S policy statement, and objectives. Context is defined as the purpose that the organization is attempting to achieve and the external and internal issues that will impact the ability to achieve the intended outcome. The key elements to the context of the organization include:

  • Interested parties, in addition to workers (ISO 45001 defines managers, supervisors, and senior leaders as “workers”)
  • Needs and expectations of workers and other interested parties
  • Legal requirements
  • Differences in needs between managerial and non-managerial workers

When developing the OH&S management system, the organization will take into account the internal and external issues, the requirements of workers, and the work that is being performed. The context of the organization must be documented and the documentation must be available.

The organization is free to define the scope of the OH&S Management System but must determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its OH&S Management System, such as:

  • The needs and expectations of workers and other interested parties;
  • Determining its scope in terms of organizational units, functions, and physical boundaries;
  • The effect of its activities, products, and services;
  • Applicable legal, regulatory and other requirements to which the organization will comply.

The standard defines “interested parties” as a “person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.”

4.1 Understanding the organization and its context

This clause is found in all ISO management system standards, and it requires the organization to determine all internal and external issues that may be relevant to the achievement of the objectives of the OH&S Management System itself. This includes all elements which are, or may be capable of, affecting these objectives and outcomes in the future. The organization must understand:

  • the issues, both positive and negative, that need consideration in establishing OH&S
  • the opportunity to identify external and internal factors and interested parties that affect intended outcomes of OH&S
  • the external context – cultural, social, political, key trends in the industry
  • the internal context – governance, policies, objectives, culture, trends

4.2 Understanding the needs and expectations of interested parties

The standard now requires the organization to assess who the interested parties are in terms of its OH&S Management System, what their needs and expectations may be, and consequently, if any of these should become compliance obligations. The organization must understand the needs and expectations of:

  • external interested parties determined by the organization relevant to OH&S.
  • managerial and non-managerial workers.
  • other interested parties – legal and regulatory authorities, including workers, customers, and clients.
  • Applicable legal requirements.

4.3 Determining the scope of the OH&S Management System

The scope and boundaries of the OH&S Management System must now be thoroughly examined and defined considering the aforementioned interested parties and their needs, plus resulting compliance obligations. Also requiring consideration are the OH&S Management System functions and physical boundaries, and all products, services, and activities, including the organization’s ability to exert control on external factors, with the results of the whole definition included in the OH&S Management System and kept critically as “documented information.” While determining the scope, the organization must:

  • Clarify the boundaries of OH&S
  • Consider external and internal factors
  • Consider the requirements of interested parties
  • Consider the work-related activities performed
  • Ensure the scope addresses hazards and potential risk

4.4 OH&S Management System

The standard indicates that an OH&S Management System should be established to achieve the desired outcomes by using interacting processes to deliver continual improvement. The ultimate objective is to improve the organization’s occupational health & safety performance. The Organization must:

  • Establish, implement, maintain and continually improve OH&S
  • Determine the processes needed and their interactions, and integrate requirements into various business operations, e.g. design & development and procurement

Clause 5: Leadership and Worker Participation

The terms “leadership” and “top management” are used interchangeably throughout ISO 45001. The responsibilities of leadership and top management include:

  • Take overall responsibility and accountability for worker protection.
  • Ensure the OH&S policy relates to the context and is compatible with the strategic direction of the organization.
  • Integrate the OH&S management system into larger business processes.
  • Provide resources for the OH&S management system.
  • Ensure participation by workers in the OH&S system.
  • Communicate the OH&S system and ensure the organization conforms to it.
  • Promote the OH&S system to address nonconformities and ensure continual improvement.
  • Create a culture that drives the organizational support for the OH&S system.

Since top management is responsible for the OH&S system, the elements required to be included in the OH&S management system are detailed within the leadership and worker participation section. The elements include the written commitments for safety; the framework for the OH&S system; obligations to meet legal requirements; continual improvement for OH&S performance; establishment of a risk control strategy; and, most importantly, worker involvement. The policy must be documented, communicated with workers, reviewed periodically, and available to other parties. Other key considerations for leadership and worker participation include training, communication, worker participation support, employee engagement, and the establishment of audit programs.

Top management shall demonstrate leadership and commitment with respect to their overall responsibility and accountability for the protection of workers and with respect to the integration of the OH&S Management System processes and requirements into the organization’s business processes. The engagement of top management is essential in order to support the organization through the provision of resources and to promote continual improvement. Furthermore, top management must demonstrate leadership through supporting other management roles in enhancing the OH&S management system, and to ensure continual improvement is achieved by dealing with nonconformities, risks and hazards, and the identification of opportunities for improvement. An important responsibility of the top management is to establish, implement and maintain the OH&S policy, and to ensure that it is communicated within the organization and shared with relevant interested parties.

Consultation and participation of workers

Appropriate involvement of staff in:

  • Hazard identification;
  • Risk assessment and determination of controls;
  • Incident investigation;
  • Development and review of the OH&S policies and objectives;
  • Consultation and representation on OH&S matters;
  • Consultation with contractors, when there are changes that affect their OH&S.

5.1 Leadership and commitment

This clause reminds the user that the organization and top management retain responsibility for the performance of all internal and external performance factors at all times. It, therefore, makes perfect sense that the Occupational Health & Safety Policy and objectives are aligned with each other and with the strategic policies and overall direction of the business, including integration with other business systems, where applicable. Provision must be made for resources to ensure that the OH&S Management System can be operated efficiently, and top management must ensure that the people with responsibility within the OH&S Management System have the correct support, training, and guidance to complete their tasks effectively. Communication is also critical from a leadership perspective, and communication methods and frequencies must be defined and established for both internal and external interested parties. In summary, it is the responsibility of the leadership of the organization to show an enhanced level of leadership, involvement, and co-operation in the operation of the OH&S Management System. The organization must:

  • Focus more on demonstrating leadership and commitment
  • Take overall responsibility and accountability for the protection of workers
  • Ensure the active participation of workers and worker representation, using consultation
  • Consider the need to establish H&S committees
  • Identify and remove barriers to participation
  • Continually improve OH&S
  • Develop, lead and promote a culture supporting OH&S

5.2 Occupational Health & Safety Policy

The top management has the responsibility to establish the previously mentioned Occupational Health & Safety Policy, which is appropriate for the organization in terms of the size, scope, activities, and ambitions of the organization, and provides a formal framework for setting objectives. Obviously, the policy should include a commitment to eliminate hazards and reduce risks, to prevent workplace injury, and to consult with workers. Meeting compliance and regulatory factors is clearly another key element, and a method of capturing and recording this must be established. Finally, and vitally, the Occupational Health & Safety Policy must provide a commitment to the continual improvement of the OH&S Management System and its results. Critically, the Occupational Health & Safety Policy must be maintained as documented information, be communicated within the organization, and be available to all interested parties, as appropriate. The organization must have:

  • An OH&S policy that sets out principles and an overall sense of direction.
  • An OH&S policy on consultation with workers at all levels that is communicated.
  • A commitment to providing safe and healthy working conditions.
  • Prevention of injury and ill-health.
  • A policy appropriate to the size and context of the organization.
  • The specific nature of its OH&S risks and OH&S opportunities.
  • A mechanism for communication of the policy.

5.3 Organizational Roles, responsibilities and authorities

The standard states that it is the responsibility of top management to ensure that roles, responsibilities, and authorities are delegated and communicated effectively. The responsibility shall also be assigned to ensure that the OH&S Management System meets the terms of the 45001:2018 standard itself and that the performance of the OH&S Management System can be reported accurately to top management. The organization must ensure that:

  • Workers at each level assume responsibility for those aspects over which they have control.
  • The relevant roles have been assigned within OH&S.
  • Organizational roles, responsibilities, and authorities are communicated at all levels within the organization.
  • Organizational roles, responsibilities, and authorities are maintained as documented information.

5.4 Consultation and participation of workers

When it comes to the health & safety of workers, it is vital that these same workers are consulted about the OH&S Management System and participate in implementing the processes necessary to secure a safe workplace. To this end, the organization needs to determine the processes necessary to consult with workers at all levels of the organization in all aspects of development, planning, implementation, performance evaluation, and improvement actions of the OH&S Management System. The Organization must:

  • Establish, implement, and maintain processes for consultation and participation in developing, planning, evaluation and actions for improvement in OH&S.
  • Provide mechanisms, time, training and resources necessary for participation.
  • Provide timely access to clear, understandable and relevant information on OH&S.
  • Identify and remove obstacles or barriers to participation and minimize those that cannot be removed.
  • Have an additional emphasis on the participation of non-managerial workers in OH&S.
  • Have an additional emphasis on the inclusion of non-managerial workers in consultation.
  • Provide training at no extra cost to workers and provision of training during working hours.

Clause 6: Planning

Clause 6 describes the actions necessary to address risk and opportunity. Activity planning must take place within the context of the organization. The planning process must ensure that the OH&S management system is designed to achieve its intended outcomes and continually improve. Worker participation is cited as being a critical component in the planning phase. Additional considerations include operational risk, legal requirements, and other opportunities to improve the OH&S management system. This section outlines the need for hazard identification by the organization for both routine and non-routine activities, emergency situations, people and behavior, work area design, work environment under the control of the organization, and situations not under organizational control. Additional points of assessment include changes to process and operations, past incidents and their causes, and social/economic factors. The major sub-sections in Clause 6 include:

  1. Hazard Identification
  2. Assessment of OH&S Risks
  3. Identification of OH&S Opportunities
  4. Determination of Legal Requirements
  5. Planning to Take Action
  6. The setting of OH&S Objectives
  7. Planning to Achieve Objectives

The planning phase is a comprehensive part of the ISO 45001 standard, requiring a detailed understanding of operations. By following this section, the organization can create a very deliberate and effective set-up to sustain the OH&S management system and ensure it continually improves. This is one of the most critical clauses since it is related to the establishment of strategic objectives and guiding principles for the Occupational Health and Safety Management System as a whole. The OH&S objectives, which can be integrated with other business functions, are the expression of the intent of the organization to treat the risks identified. When determining the risks and opportunities that need to be addressed, the organization shall take into account:

  • OH&S hazards and their associated risks, and opportunities for improvement;
  • Applicable legal requirements and other requirements;
  • Risks and opportunities related to the operation of the OH&S Management System that can affect the achievement of the intended outcomes.

6.1 Actions to address risks and opportunities

6.1.1 General

This clause replaced “preventive action” in the previous OHSAS 18001 standard. The current standard states that the organization should establish, implement, and maintain the processes needed to address the requirements of the whole of the planning section itself. When planning the OH&S Management System, considerations need to be made regarding the context of the organization (section 4.1) and the needs and expectations of interested parties (section 4.2), as well as the scope of the OH&S Management System. Risk and opportunity must be considered with respect to these elements, as well as legal and regulatory issues, and the organization’s Occupational Health & Safety hazards themselves. This outcome needs to ensure that the OH&S Management System can meet its intended outcomes and objectives, that any external factors that may affect performance are avoided, and that continual improvement can be achieved.

In terms of emergency situations, the organization is required to determine any situations that may occur and have a resulting occupational health & safety risk. Again, it is vital that documented information is retained concerning the risks and opportunities considered and addressed in the planning phase in order to satisfy the terms of the clause. While planning for actions to address risks and opportunities, the organization must

  • Take into consideration the organizational context (4.1), the needs and expectations of interested parties (4.2), and the organizational scope (4.3).
  • Prevent or reduce undesired effects.
  • Achieve its intended outcome.
  • Assess the risks and opportunities arising from changes in the organization (whether planned or unplanned).
  • Maintain documented information – risks, opportunities, and processes needed to have confidence in risk management.

6.1.2 Hazard identification and assessment of risks and opportunities

ISO 45001:2018 asks organizations to consider, in a proactive manner, all occupational health & safety hazards within the organization’s control. Changes or planned future changes to services also have to be taken into account, as do any abnormal situations that may arise that are reasonable for the organization to predict, for example, if you are about to launch a new product that needs radically new production processes or materials. Again, the organization needs to maintain documented information on this clause and its elements, and communication to the appropriate levels with effective frequency needs to be planned and undertaken. In terms of documented information, if you ensure that all actual and associated risks, the criteria you use to define them, and your significant occupational health & safety risks are documented, then you will satisfy the terms of this clause. It has the following sub-clauses:

  • Hazard identification
  • Assessment of OH&S risk and other risks to the OH&S management system
  • Assessment of OH&S opportunities and other opportunities

Hazard identification

While identifying the hazards in a proactive manner the organization must consider:

  • Past incidents, emerging trends
  • Routine & non-routine activities and situations
  • Emergency Situations
  • Human factors
  • Other issues – design, situations in the vicinity of the workplace, situations not controlled by organizations
  • Changes or proposed changes
  • Change in knowledge
  • How work is organized, social factors, workload, work hours, leadership and culture

Assessment of OH&S risk and other risks to the OH&S management system

The organization must assess OH&S risks from the hazards identified. While assessing the OH&S risks, the organization must take into account the issues from context (4.1) and the needs and expectations of interested parties (4.2). It must define the methodology and criteria for assessing OH&S risks. The methodologies and criteria must be maintained and retained as documented information.

Assessment of OH&S opportunities and other opportunities

The Organization must identify OH&S Opportunities to enhance OH&S performance. While identifying OH&S opportunities the Organization must take into account:

  • Planned changes
  • Opportunities to eliminate or reduce risk
  • Opportunities to adapt work, work organization and work environment to workers
  • Opportunities for improving the OH&S management system

6.1.3 Determination of legal and other requirements

This is a relatively straightforward, but obviously vital part of the ISO 45001:2018 standard. The organization must decide what legal and other requirements are related to its occupational health & safety hazards and how to best access them, decide how they apply to the organization, and take them into consideration when establishing, operating, and delivering continual improvement through the OH&S Management System. Documented evidence needs to be recorded for these obligations, also. The Organization must

  • Determine and have access to up to date legal requirements
  • Determine how these requirements apply and will be communicated
  • Take into account when establishing, implementing
  • Maintain and retain documented information

6.1.4 Planning Actions

In this clause, the standard states that the organization shall plan to take actions to address its occupational health & safety hazards, risks, and opportunities, and compliance obligations, all of which we have discussed above. These also need to be implemented into the organization’s OH&S Management System and associated business processes. The task of evaluating the effectiveness of these actions also must be considered, with technological, financial, and operational considerations all taken into account.  In this clause the organization is expected to:

  • Address risk and opportunities ( &
  • Address applicable legal requirements (6.1.3)
  • Prepare for and respond to emergency situations (8.2)
  • Integrate actions into other business processes, such as business continuity, financial, or HR
  • Eliminate hazards and reduce OH&S risk (8.1.2)
  • Consider best practice in the actions

6.2 Occupational health & safety objectives and planning to achieve them

6.2.1 Occupational health & safety objectives

The standard advises that occupational health & safety objectives should be established at appropriate levels and intervals, having considered the identified occupational health & safety hazards, risks and opportunities, and compliance obligations. The characteristics of the set objectives are important, too: they need to be consistent with the organization’s Occupational Health & Safety Policy, measurable where possible, able to be monitored, communicated effectively, and be such that they can be updated when circumstances require. Once more, it is mandatory that documented information is kept outlining this process and its outputs. To maintain and improve the OH&S management system and OH&S performance, while establishing OH&S objective the Organization must

  • Take into account the results of the assessment of OH&S risk and opportunities and other risks and opportunities.
  • Take into account outputs of consultation with workers and workers representative.
  • Objectives are measurable or capable of evaluation.
  • Objectives are clearly communicated

6.2.2 Planning to achieve occupational health & safety objectives

The standard advises on the elements that need to be determined to ensure that objectives can be achieved. This can be thought of in terms of what needs to be done, when it needs to be done, what resources are required to achieve it, who is responsible for the objectives being achieved, how results are to be measured and progress ensured, and consideration of how these objectives can be implemented within existing business systems. While planning to achieve OH&S objectives, the organization must consider the following:

  • What will be done?
  • What resources will be required?
  • Who will be responsible?
  • When completed?
  • How will results be measured (through indicators, if practicable) and monitored, and how frequently?
  • How will actions be integrated into overall business processes?
  • How will documented information be maintained and retained?

Clause 7: Support

Clause 7 of ISO 45001 discusses the resources and support needed to be successful with the OH&S management system. “Support” means that the organization has achieved a level of competence among its workers and systems to successfully drive the outcomes of the OH&S plan. It also discusses the need to establish awareness of the OH&S policy, communicate information about the OH&S management system, outline with whom the information should be shared, manage documentation including tracking of updates, and control information and ensure its accessibility and accuracy. Essentially, the support system provides an overview of how the organization must support the OH&S management system. Successfully managing an Occupational Health and Safety Management System relies heavily on having the necessary resources for each task. This includes having competent staff with the appropriate training, support services, and effective information and communication means. The organization will determine what documented information is necessary for the success of the system. Documented information is a new term in the standard, which means the information can be in any format, media, or from any source. Moreover, internal and external information must be communicated throughout the organization and must be gathered, disseminated, and understood by those receiving it. The decisions that need to be made are:

  • On/about what to inform?
  • When to inform?
  • Who to inform?
  • How to inform?
  • How to receive and maintain documented information and how to respond to relevant incoming communications?

Respectively, the terms ‘document and record’ became obsolete in the new standard, which uses the term ‘documented information’ instead, for the purpose of maximizing the confidence to share information through any media.

7.1 Resources

Simply put, the standard advises the organization that the resources required to achieve the stated objectives and show continual improvement must be made available. The Organization must determine resources and provide resources needed for OH&S. Resources can include HR, natural resources, infrastructure, and technology. Human resources include – diversity, skills, and knowledge.

7.2 Competence

Employee competence must meet the terms of the ISO 45001:2018 standard by ensuring that the people given responsibility for OH&S Management System tasks are capable and confident. Related to this, it stands to reason that the experience, training, and/or education of the individual must be of the required standard, and that any necessary training is identified and delivered, with measurable actions taken externally or internally to ensure that this level of competence exists. Predictably, this process and its outputs need to be recorded as documented information for the OH&S Management System. The organization must ensure:

  • Workers who impact OH&S performance are competent.
  • Competence is based on appropriate education, training, and experience.
  • Criteria for each role are established.
  • Workers are evaluated periodically to ensure continued competence for their roles.
  • Appropriate documented information as evidence of competence is retained.

7.3 Awareness

Awareness is closely related to competence in the standard. Employees must be made aware of the Occupational Health & Safety Policy and its contents, any current and future impacts that may affect their tasks, what their personal performance means to the OH&S Management System and its objectives, including the positives or improved performance, and what the implications of poor performance may be to the OH&S Management System. Additionally, the standard demands that workers be aware that they can remove themselves from work situations that they consider to be a danger to their life or health. Workers must be:

  • Made aware of the OH&S policy
  • Made aware of the implications of not conforming with OH&S requirements
  • Made aware of information and outcomes of investigations of relevant incidents
  • Made aware of the OH&S hazards and risks relevant to them

7.4 Communication

7.4.1 General

Processes for internal and external communication need to be established and recorded as documented information within the OH&S Management System. The key elements that need to be decided, actioned, and recorded are what needs to be communicated, how it should be done, who needs to receive the communication, and at what intervals it should be done. It should be noted here that any communication outputs should be consistent with related information and content generated by the OH&S Management System for the sake of consistency.

7.4.2 Internal communication

The standard advises the organization that information should be communicated at various levels and with various frequencies as deemed suitable and that the organization must ensure that the nature and frequency of communication allow continual improvement to result from the communication process itself.

7.4.3 External communication

Once again, the organization is advised by the standard to ensure that communication relevant to the OH&S Management System takes place as per the established process, with the goal of ensuring that compliance obligations and objectives are met.

7.5 Documented information

7.5.1 General

“Documented information,” which you will have seen mentioned several times during this guide, refers to the documents and records that are necessary for the OH&S Management System. The requirements are designed to allow each organization to have the ability to shape documented information to their own requirements in general, with the exception of the mandatory components mentioned specifically in the standard and, therefore, this guide. The ISO 45001:2018 standard advises us that the OH&S Management System should include all documented information that it declares mandatory, and anything viewed as critical to the OH&S Management System and its operation. It should also be noted that the amount of documented information that an organization requires would differ according to the size, operating sector, and complexity of compliance obligations faced by the business.

7.5.2 Creating and updating

The standard advises that documentation created by the OH&S Management System needs to include appropriate identification, description, and format so that it can be easily understood what the documented information is for. There is also a need to review and approve the documented information for suitability and accuracy before release.

7.5.3 Control of documented information

The standard advises that documentation created by the OH&S Management System should be available and fit for purpose where and when needed, reasonably protected against damage or loss of integrity and identity and that the processes of distribution, retention, access, retrieval, preservation and storage, control and disposition are adequately provided for. It should be noted that documented information from external sources should be similarly controlled and handled, and that viewing and editing access levels should be carefully considered and controlled.

The clauses that refer to documented information are:

4.3, 5.2, 5.3, 6.1.1, 6.1.3, 6.2.2, 7.2, 7.4, 7.5.1, 7.5.3, 8.1.1, 8.2, 9.1.1, 9.1.2, 9.2.2, 9.3, 10.1 & 10.2

List of documents required by ISO 45001:2018

The ISO 45001 standard provides us with some insight about what documents are required. Compared to OHSAS 18001, there are not too many changes, but the documentation requirements are easier to manage, following the logic of the new versions of other ISO standards. Of course, the standard does not explicitly mention documents and records, but uses the term “documented information.” The following represents a list of documents that you need to maintain in order to comply with ISO 45001:

  • The scope of the OH&S MS (clause 4.3)
  • OH&S management system (clause 4.4)
  • Leadership and commitment (clause 5.1)
  • OH&S policy (clause 5.2)
  • Organizational roles, responsibilities, and authorities (clause 5.3)
  • Actions to address risks and opportunities (clause 6.1)
  • Assessment of OH&S risks and other risks to the OH&S management system (clause
  • Determination of legal requirements and other requirements (clause 6.1.3)
  • Planning to achieve OH&S objectives (clause 6.2.2)
  • Competence (clause 7.2)
  • Communication (clause 7.4)
  • Operational planning and control (clause 8.1)
  • Contractors (clause
  • Emergency preparedness and response (clause 8.2)
  • Monitoring, measurement, analysis and performance evaluation (clause 9.1)
  • Evaluation of compliance (clause 9.1.2)
  • Internal audit (clause 9.2)
  • Management review (clause 9.3)
  • Incident, nonconformity and corrective action (clause 10.2)
  • Continual improvement (clause 10.2)

Other supporting documents
Apart from the abovementioned list of documents, there are additional supporting documents that can be used to facilitate the operation of a management system. Thus, the following documents are commonly used:

  • Procedure for determining the context of the organization and interested parties (clauses 4.1 and 4.2)
  • Procedure for identification and evaluation of OH&S management system risks and opportunities (clauses 6.1.1 and 6.1.2)
  • Procedure for competence, training, and awareness (clauses 7.2 and 7.3)
  • Procedure for communication (clause 7.4)
  • Procedure for document and record control (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for management review (clause 9.3)

The standard also emphasizes that it is important to demonstrate the effectiveness of the OH&S Management System, rather than to simply draft endless theoretical procedures.

Clause 8: Operation

Clause 8 forms the heart of the ISO 45001 standard and addresses the program content necessary to have a successful OH&S management system that meets the intent of the standard. The specific topics discussed in this section include:

  1. General provisions: such as the means for creating and managing documentation.
  2. Hierarchy of controls: to utilize the most effective means of risk reduction within the organization.
  3. Management of change: to ensure that when planned changes occur they are managed to control risk.
  4. Outsourcing: to make certain risk controls are adequate for all outsourced processes.
  5. Procurement: to validate all incoming materials and services conform to the system requirements.
  6. Contractors: to communicate and control internal risks to third parties and evaluate risks they may introduce into the workplace.
  7. Emergency preparedness and response: to identify potential emerging risks and develop specific and customized plans with key stakeholders to minimize these risks

This clause requires:

  • Operational planning and control on multi-employer workplaces; whereby the organization shall implement a process for coordinating the relevant parts of the OH&S management system with other organizations. This clause includes the requirement to reduce risks by implementing a “Hierarchy of Control” approach as used by the European Union Legislation. In that regard, this is a system of prioritization which ranks hazard elimination as the preferred control down through a series of controls which are less effective.
  • Eliminating hazards and reducing OH&S risks requires the organization to establish, implement and maintain a process(es) for the elimination of hazards and reduction of OH&S risks. In order to ensure that this is done properly, the organization shall use appropriate controls.
  • Management of Change requires the organization to establish a process for the implementation and control of planned changes so that the introduction of new products, processes, services or work practices do not bring with them any new hazards.
  • Procurement requires the organization to establish, implement and maintain a process for the control of procurement services so as to ensure that they conform to the requirements of the standard. In addition, the standard requires the organization to coordinate the procurement processes with its contractors and to identify the risks that arise from the contractors’ activities. Furthermore, the organization should ensure that outsourced processes which have an impact on its health and safety management system are appropriately controlled.
  • Emergency preparedness and response requires the organization to identify emergency situations and maintain a process to prevent or minimize OH&S risks from potential emergencies.

8.1 Operational control and planning

While the standard acknowledges that operational control will greatly depend on the size, nature, compliance obligations, and occupational health & safety hazards of an organization, scope is given to the individual organization to plan and ensure the desired results are achieved. The methods suggested by the standard are that processes should be designed in such a way that consistency is guaranteed and error eliminated, technology is used to improve control, and it is ensured that personnel are trained and competent. Processes should be performed in an agreed and prescribed manner; those processes should be measurable, and the documented information should match the requirements to ensure operational control. An essential part of operational control lies in eliminating hazards and reducing OH&S risks. This can be carried out through a hierarchy of controls, from the elimination of the hazard to the use of personal protective equipment. Change in the OH&S Management System also needs to be managed in order to maintain the integrity of the OH&S performance. Procurement, including contractors and outsourcing of functions and processes, must also be considered and controlled. Appropriate measures must be taken to define and control the competency of outsourced service suppliers, including their effect on the OH&S Management System processes. As ever, opportunities for improvement must always be considered and identified. The standard also recognizes that the degree of control the organization has over an outsourced product or service can vary from absolute, if taking place onsite, to very little, if the activity takes place remotely. However, it is suggested that there are factors that, nonetheless, should be considered. As expected, compliance obligations should be considered and controlled, all direct and associated occupational health & safety risks should be evaluated and controlled, as should risks and opportunities associated with the provision of the service itself.

8.1.1. General

During operational planning and control, the organization must:

  • Establish criteria for processes
  • Implement controls defined in the criteria
  • Keep documented information, as the absence of documented information could lead to deviations
  • Adapt work to workers, including the induction of new workers

8.1.2 Eliminating hazards and reducing OH&S risks

The organization must establish a process and determine controls for achieving the reduction in OH&S risks using the following hierarchy of controls:

  • Eliminate
  • Substitute
  • Engineering controls
  • Administrative controls
  • Provide and ensure the safe use of PPE

Provision of PPE should be at no extra cost to workers.

8.1.3 Management of Change

The Organization must establish a process for the implementation and control of planned changes. Changes may include:

  • Work processes
  • Legislation
  • Knowledge and information about hazards and related OH&S risk
  • Developments in knowledge and technology

Changes must be controlled to mitigate against adverse impact on OH&S.

8.1.4 Procurement

Procurement

The organization must establish a process to control the procurement of products and services to ensure conformity with its OH&S Management System.

Contractors

  • The organization must establish a process to coordinate with contractors for hazard identification and to assess and control OH&S risks from contractor activities
  • The requirements of the OH&S management system must be met by contractors and their workers
  • The organization must establish the OH&S criteria for selection of contractors

Outsourcing

The organization must ensure outsourced functions and processes are controlled. The outsourced arrangements must be consistent with legal requirements. It should be integral to the organization’s ability to operate. There must be controls to achieve the intended outcome of the OH&S management system.

8.2 Emergency preparedness and response

Emergency preparedness and response is a key element in the mitigation of occupational health & safety risk. The standard informs us that it is the responsibility of the organization to be prepared, and a number of elements should be considered and planned for. Actions to mitigate incidents must be developed, as well as internal and external communication methods and appropriate methods for emergency response. Consideration of varying types of occupational health & safety incidents needs to be made, as do root cause analysis and corrective action procedures to respond to incidents after they occur. Regular emergency response testing and relevant training need to be considered and undertaken, and assembly routes and evacuation procedures defined and communicated. Lists of key personnel and emergency agencies (think clean-up agencies, local emergency services, and local occupational health & safety offices or agencies) should be established and made available, and it is often good practice to form partnerships with similar neighboring organizations with whom you can share mutual services and provide help in the event of an occupational health & safety incident. To establish an emergency preparedness and response process, the organization must:

  • Identify potential emergency situations
  • Assess OH&S risks associated with these
  • Establish Preventative controls
  • Plan response to emergency situations including the provision of first aid
  • Conduct periodic testing and exercise of emergency response capabilities
  • Evaluate and revise plans
  • Communicate information relevant to their duties
  • Conduct Training
  • Identify needs and capabilities of interested parties
  • Maintain and retain documented information

Clause 9: Performance Evaluation

Performance Evaluation provides an in-depth discussion regarding the criteria for evaluating the overall performance of the OH&S management system. The primary themes of this section focus on the means of process evaluation and documentation of evaluations. The importance of documentation (and how records and data are retained), as well as document dissemination, are performance themes both in ISO 45001 in general and in this section in particular. The organization must establish a system that involves the monitoring, measurement, analysis, and evaluation of its OH&S performance. It should decide what to measure and how, for instance, accidents or worker competence. Moreover, internal audits must be established along with regular management reviews, in order to see the progress made towards the achievement of OH&S objectives and the fulfillment of ISO 45001 requirements.

This section tends to be more specific than some of the others and includes a detailed discussion of documentation requirements, internal audit protocols, and relevancy and applicability of measurements within the organization. The key attributes of this section include:

  1. Ensuring applicable legal requirements and documentation are followed.
  2. Measuring operational risks and hazards.
  3. Evaluating the effectiveness of operational controls.
  4. Establishing the timeline for conducting the measures.
  5. Planning for analysis, evaluation, and communication of the results.
  6. Calibrating and verifying the accuracy of all equipment.
  7. Retaining documentation of all measures.
  8. Auditing the OH&S Management System, the OH&S Policy, OH&S Objectives and the 45001 requirements.
  9. Establishing the frequency of audits and accounting for significant changes to the organization, performance improvements, risks, and opportunities.
  10. Ensuring the competence of auditors.
  11. Communicating findings to management, workers, and worker representatives.
  12. Taking action to address identified nonconformities.
  13. Retaining audit results as evidence of the completion of the audit.
  14. Reviewing audit findings and corrective actions by top management.
  15. Ascertaining that corrective actions, worker engagement, and opportunities for continual improvement are in place

The most important objectives of the Performance Evaluation section are ensuring the adequacy of the current OH&S management system and measuring that OH&S objectives are met. These are, essentially, the only measures of success.

9.1 Monitoring, measuring, analysis, and evaluation

9.1.1 General

The organization not only has to measure occupational health & safety progress, but it should also consider its significant hazards, compliance obligations, and operational controls when tackling this clause. The methods established should have considerations to ensure that the monitoring and measuring periods are aligned with the needs of the OH&S Management System for data and results; that the results are accurate, consistent, and can be reproduced; and that the results can be used to identify trends. It should also be noted that the results should be reported to the personnel with the authority and responsibility to initiate action on the basis of the outputs themselves.

9.1.2 Evaluation of compliance

The standard recognizes that evaluation requirements will vary from organization to organization based on factors such as size, compliance obligations, sector worked in, past history and performance, and so on, but suggests that regular evaluation is always required. If the result of a compliance evaluation reveals that a legal requirement is unfulfilled, the organization needs to assess what action is appropriate, possibly up to contacting a regulatory body and agreeing on a course of action for repair. This agreement will now see this obligation become a legal requirement. Where non-compliance is identified by the OH&S Management System and corrected, it does not automatically become a non-conformity.

9.2 Internal Audit

9.2.1 General

Internal audits and auditors should be independent and have no conflict of interest over the audit subject, the standard reminds us, and it should be noted that non-conformities should be subject to corrective action. When considering the results of previous audits, the results of previous internal and external audits and any previous non-conformities and resulting actions to repair them should be taken into account.

9.2.2 Internal audit program

The 45001:2018 standard refers us to ISO 19011 for the internal audit program, but when you are establishing your program there are several rules you can subscribe to in order to ensure that your program is effective. Base your internal audit frequency on what is reasonable for your organization in terms of size, the sector you operate in, compliance obligations, and risk to the health and safety of workers. Decide what is reasonable for you, whether that is bi-annually, quarterly, or whatever you deem suitable. Keep in mind that this schedule can be changed, preferably through management review and leadership guidance, in the event of changes that necessitate extra internal audit activity.

9.3 Management Review

It should be noted that, contrary to popular belief, the management review does not have to be done all at once; it can be a series of high-level or board meetings with topics tackled individually, although it should be on a strategic and top management level. Complaints from interested parties should be reviewed by top management, with resultant improvement opportunities identified. It should be remembered that the management review generally is the one function that must be carried out accurately and diligently to ensure that the function of the OH&S Management System and all resulting elements can follow suit. It goes without saying that all details and data from the management review must be documented and recorded to ensure that the OH&S Management System can follow the specific requirements and general strategic direction for the organization detailed there.

Clause 10: Improvement

Clause 10, the final major section, delineates the concept of continual improvement within the context of specific activities. Any organization wishing to adopt the principles of ISO 45001 must have a plan for addressing nonconformities in a timely manner. Organizations should take direct action to control conditions and deal with consequences. Nonconformities can be identified from investigations, audits, or other events. The corrective actions should be evaluated and the results should be documented. To achieve continual improvement, the organization shall have an OH&S management system that:

  1. Prevents the occurrence of incidents and nonconformities.
  2. Promotes a positive OH&S culture.
  3. Enhances OH&S performance.

The organization should react appropriately to nonconformities and incidents, and take action to control and correct them, deal with their consequences, and eliminate their source so as to prevent recurrence.


10.1 General

Outputs from management reviews, internal audits, and compliance and performance evaluations should all be used to form the basis for improvement actions. Improvement examples could include corrective action, reorganization, innovation, and continuous improvement programs.

10.2 Nonconformity and corrective action

Prevention of incidents and elimination of hazards is a key facet of the OH&S Management System, and this is specifically addressed in the definition of organizational context (4.1) and assessing risks and opportunities (6.1). Taking action to correct and control problems when they occur, and then investigating and taking corrective action for the root causes of these problems when necessary, is critical to preventing recurrence of process nonconformity. The organization must:

  • React to incidents in a timely manner.
  • Take direct action to control and correct.
  • Evaluate the root cause.
  • Determine action.
  • Review the assessment of OH&S risks prior to taking action.
  • Communicate documented information to relevant workers.

Reporting incidents without delay can assist in the removal of hazards.

10.3 Continual improvement

Through all of the actions to improve the overall OH&S Management System, the organization can achieve enhanced OH&S performance and promote a culture that supports worker participation in making the OH&S Management System better. The organization must:

  • Enhance OH&S performance
  • Promote a positive OH&S culture
  • Promote the participation of workers in implementing actions
  • Communicate results
  • Retain documented information
