ISO 45001:2018 Clause 8 Operation

8 Operation

Clause 8: Operation provides guidance on the operational planning and control requirements relating to the OH&S management system. Once it has gained an understanding of its OH&S hazards, the organization should implement the operational controls that are necessary to manage the risks associated with its activities and comply with applicable health and safety legal requirements. The organization can plan, implement and control its operational processes by establishing operating criteria and control the processes in accordance with these operating criteria. This clause deals with the execution of the plans and processes that are the subject of previous clauses. Operational planning and controls should be established to meet the requirements of the OH&S management system including controls to reduce OH&S risks to levels as low as reasonably practical. Operational controls can use a variety of methods, for example, the introduction of method statements or safe systems of work, preventative maintenance regimes, inspection programmes and regular reviews on the competency of workers. Controls can combine several steps such as hazard elimination, replacing the dangerous with non-dangerous, implementing protective measures or providing and ensuring the use of personal protective equipment. Change needs to be planned for in a systematic manner, ensuring they do not introduce new or unforeseen hazards or risks. At the same time, organizations should use the process to identify OH&S opportunities to reduce risks. Procurement and outsourcing controls are required to ensure that outsourced processes affected are controlled and to evaluate and control the procurement of goods before their introduction. Contractors also need to be considered as they can involve different types and levels of OH&S risks. An organization can use a variety of tools for managing contractors’ health and safety performance, including pre-qualification criteria and assessment. The organization must ensure that the requirements of its OH&S management system are met by its contractors and their workers and this needs to include OH&S criteria for selection of contractors. Arrangements with regards to emergency preparedness and response are also a feature of this clause.
This clause forms the heart of the ISO 45001 standard and addresses the program content necessary to have a successful OH&S management system that meets the intent of the standard. The specific topics discussed in this section include:

1. General provisions: such as the means for creating and managing documentation.
2. Hierarchy of controls: to utilize the most effective means of risk reduction within the organization.
3. Management of change: to ensure that when planned changes occur they are managed to control risk
4. Outsourcing: to make certain risk controls are adequate for all outsourced processes
5. Procurement: to validate all incoming materials and services conform to the system requirements
6. Contractors: to communicate and control internal risks to third parties and evaluate risks they may introduce into the workplace
7. Emergency preparedness and response: to identify potential emerging risks and develop specific and customized plans with key stakeholders to minimize these risks

8.1 Operational planning and control

8.1.1 General

The organization must plan, implement, control and maintain the processes needed to meet requirements of the OH&S management system and to implement the actions determined in Clause 6. The organization should establish the criteria for the processes. The organization must implement the control of the processes in accordance with the criteria. It must maintain and retain documented information to the extent necessary to have confidence that the processes have been carried out as planned. It must adapt its work as per the need of workers. At multi-employer workplaces, the organization shall coordinate the relevant parts of the OH&S management system with the other organizations.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

Operational planning and control of the processes need to be established and implemented as necessary to enhance occupational health and safety, by eliminating hazards or, if not practicable, by reducing the OH&S risks to levels as low as reasonably practicable for operational areas and activities. Examples of operational control of the processes include:

1. the use of procedures and systems of work
2. ensuring the competence of workers
3. establishing preventive or predictive maintenance and inspection programmes
4. specifications for the procurement of goods and services
5. application of legal requirements and other requirements or manufacturers’ instructions for equipment
6. engineering and administrative controls
7. adapting work to workers; for example, by
   • defining, or redefining, how the work is organized
   • the induction of new workers
   • defining, or redefining, processes and working environments
   • using ergonomic approaches when designing new, or modifying, workplaces, equipment, etc.

Operational Planning and Control is the method in which the organization determines what is required for each process and the method in which requirements are controlled to ensure workers are protected from harm. Operational Planning and Control is achieved by identifying the criteria for each process which may include:

• The boundaries of each process and how they interact
• What resources are required to manage the process including leadership, equipment, time, human (competency and training aspects) and financial
• What documented information is required to aid management of the process including procedures and safe systems of work
• The method in which changes to the process are planned and controlled including unintended events
• Application of legal and other requirements or manufacturer’s instructions for equipment
• Engineering controls, for example, interlocked guards and exhaust systems

Clause 8.1 of the ISO 45001 standard deals with operational planning and control, which can be defined as a function that “helps to check the errors and to take corrective action so that deviations from standards are minimized and stated goals of the organization are achieved in the desired manner.” It is, therefore, obvious that operational control is absolutely critical to the performance of any management system, even the best practices, policies, and procedures in the world can become ineffective for lack of discipline and operational control to ensure they have the desired effect. Operational control is critical and can come in several different forms. If, for example, you have an ISO 45001 system, you will have requirements for risk assessment, internal audits, and so forth. Your level of operational control should determine that these happen in a timely and regular fashion and that actions and outputs from these functions are undertaken in the correct manner to ensure your system yields the improvement it needs. To achieve this we can

• Use an OH&S planning diary to help you ensure that operational control is maintained. If we create an electronic version, we can share it with the team and allow everyone to see when tasks and events are scheduled. One can even use a traffic light type of rule (red/yellow/green) to signify that actions from that particular events are complete and closed off. This not only displays an organization’s high level of operational control but also its commitment to openness and employee engagement.
• Create an “Operational Control Log” for document system. Make it part of the OH&S team’s responsibility at its periodic meetings to ensure that all operational control functions are up to date and all tasks set are completed. Review, modify, and improve after every meeting, ensuring that employee and stakeholder input is taken into account. Stakeholder involvement is viewed as an increasingly important part of an organization’s operational control these days. Consider using your corrective action process if tasks slip and operational control are seen to be less effective than desired.
• Ensure that the delegated OH&S representative reports on the level of operational control back to both the Health & Safety and Management Teams. If, for example, internal audit and risk assessments are not undertaken and completed on time, then the level of operational control is insufficient and your OH&S performance will undoubtedly suffer.

The standard specifically mentions operational control in terms of purchasing, change management, contractors, outsourcing, and your own policies and procedures. As long as operational control is considered and written into your own policies when constructed, then you can use the methodologies shown above to manage the internal control overall and ensure your OH& S system functions in a timely and efficient manner. In a nutshell, define methods and responsibilities and process, monitor, review, and adjust. It sounds a lot like the traditional “Plan-Do-Check-Act” cycle, and it very much is, but with some tricks to ensure we keep our processes and tasks in check.

Clearly, the benefits of having operational control from a strategic point of view – like planning and policy are vital, but using tips like these that ensure your OH&S performance is never allowed to slip out of scope can be extremely helpful, too. If we can join the two together successfully, then one should have an OH& S system that is efficient, accurate, and that provides you with the data required to allow to perform corrective action and improvement diligently. Assuming excellent operational control also can be a positive for employee morale: for example, if you commit to assessing risk in an internal situation in June and it is not done until July, what does that say to your employees about the organization’s prioritization of health and safety and concern for their well-being? Demonstrating your operational control can also be vital for your stakeholders and shareholders, too – who wants to do business with an organization that lacks this quality? Implement your plan today, as it’s a vital part of delivering safety and well-being for your people in the short and long term.

The organization must also consider the adaptation of the work environment to ensure it is suitable and sufficient for all workers. Adaptation in broad terms may be the induction of new workers or ergonomically changed processes to protect workers from harm and improve process efficiency.

8.1.2 Eliminating hazards and reducing OH&S risks

The organization must establish, implement and maintain processes for the elimination of hazards and reduction of OH&S risks.  The “hierarchy of control” to be followed are : 

1. eliminate the hazard;
2. substitute with less hazardous processes, operations, materials or equipment;
3. use engineering controls and reorganization of work;
4. use administrative controls, including training;
5. use adequate personal protective equipment.

In many countries, the organization is required to provide personal protective equipment (PPE) at no cost to workers.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

The hierarchy of controls is intended to provide a systematic approach to enhance occupational health and safety, eliminate hazards, and reduce or control OH&S risks. Each control is considered less effective than the one before it. It is usual to combine several controls in order to succeed in reducing the OH&S risks to a level that is as low as reasonably practicable. The following examples are given to illustrate measures that can be implemented at each level.

1. Elimination: removing the hazard; stopping using hazardous chemicals; applying ergonomics approaches when planning new workplaces; eliminating monotonous work or work that causes negative stress; removing fork-lift trucks from an area.
2. Substitution: replacing the hazardous with less hazardous; changing to answering customer complaints with online guidance; combating OH&S risks at source; adapting to technical progress (e.g. replacing solvent-based paint by water-based paint); changing slippery floor material; lowering voltage requirements for equipment.
3. Engineering controls, reorganization of work, or both: isolating people from hazard; implementing collective protective measures (e.g. isolation, machine guarding, ventilation systems); addressing mechanical handling; reducing noise; protecting against falls from height by using guard rails; reorganizing work to avoid people working alone, unhealthy work hours and workload, or to prevent victimization.
4. Administrative controls including training: conducting periodical safety equipment inspections; conducting training to prevent bullying and harassment; managing health and safety coordination with subcontractors’ activities; conducting induction training; administrating forklift driving licences; providing instructions on how to report incidents, nonconformities and victimization without fear of retribution; changing the work patterns (e.g. shifts, of workers); managing a health or medical surveillance programme for workers who have been identified as at-risk (e.g. related to hearing, hand-arm vibration, respiratory disorders, skin disorders or exposure); giving appropriate instructions to workers (e.g. entry control processes).
5. Personal protective equipment (PPE): providing adequate PPE, including clothing and instructions for PPE utilization and maintenance (e.g. safety shoes, safety glasses, hearing protection, gloves).

The organization should apply the hierarchy of control measures for the elimination of hazards and the reduction of OH&S risks.   The hierarchy of controls provides a structured approach to eliminating hazards and reducing or controlling OH&S risks. This approach involves prioritizing control actions in a sequential manner. Each control is considered less effective than the one above it. It is customary to combine several controls in order to effectively reduce the OH&S risks to a level that is as low as reasonably practicable. Having chosen the methodology for risk assessment determined in clause 6.0, the organization will use the ‘Hierarchy of Controls’ outlined in section 6 to eliminate or reduce hazards to the lowest practicable risk. It is essential that when conducting risk assessment workers, including external providers, are competent. On completion of risk, assessment results should be communicated with those workers directly affected within the operation and to aid the development of control measures. Workers need to be included in the process of assessment and other system elements. When deciding what is reasonably practicable, best practices and technological options should be considered, in addition to financial, operational and business requirements. If new or improved controls are required, their selection should be in accordance with the hierarchy of controls whereby priority is given to the elimination of hazards, where practicable, followed by risk reduction (either by reducing the likelihood of occurrence or potential severity of injury or harm), with the adoption of PPE as the last resort. The organization must establish a process and determine controls for achieving a reduction in OH&S risks using the following hierarchy:

• Hazard elimination: Avoiding risks and adapting work to workers, (integrating health safety and ergonomics when planning new workplaces, and creating a physical separation of traffic between pedestrians and vehicles). Removing the hazard; discontinuing the use of hazardous chemicals, applying ergonomic approaches when planning new workplaces such as the use of mechanized instead of manual packaging; eliminating monotonous work practices; removing fork-lift trucks from an area.
• Substitution: Replacing the dangerous with the lesser or non-dangerous (replacing solvent-based paint with water-based paint). Replacing the hazardous with less hazardous such as replacing solvent-based paint by water-based paint, changing slippery floor tiles, or lowering voltage, pressure or temperature requirements for equipment.
• Engineering controls: Implementing collective protective measures (isolation, machine guarding, ventilation, noise reduction, etc.). Isolating people from hazard; implementing collective protective measures (e.g. isolation, machine guarding, ventilation systems); addressing mechanical handling; reducing noise; protecting against falls from height by using guard rails; reorganizing work to avoid lone working, unhealthy work hours, workload; reducing the effect of monotonous work by rotating workers.
• Administrative controls: Giving appropriate instructions to workers (lock-out processes, induction, forklift driving licenses, etc.). Conducting periodic safety equipment inspections; conducting training to prevent bullying and harassment; managing health and safety coordination with subcontractors’ activities; conducting induction training; providing instruction on how to report incidents and nonconformities; changing the work patterns (e.g. shifts) of workers; managing a health or medical surveillance programme for workers who have been identified as at-risk (related to hearing, hand-arm vibration, respiratory disorders, etc.); giving appropriate instructions to workers (e.g. entry control processes, emergency); safety signs
• Personal protective equipment (PPE): Providing PPE and instructions for PPE use/ maintenance (safety shoes, safety glasses, hearing protection, chemical and liquid-resistant gloves, electrical protection gloves, etc.).  Providing adequate PPE, including clothing and instructions for PPE utilization and maintenance (e.g. safety shoes, safety glasses, hearing protection, gloves).

In applying the hierarchy of controls consideration should be given to the relative costs, risk-reduction benefits and reliability of the available options.

8.1.3 Management of change

The organization must establish processes for implementation and control of planned temporary and permanent changes that impact OH&S performance. The changes can include new products, services, and processes, or changes to existing products, services, and processes, including changes in work locations and surroundings, work for the organization, working conditions, equipment, and workforce. It can include changes to legal requirements and other requirements, the changes in knowledge or information about hazards and OH&S risks, and developments in knowledge and technology. The organization is to review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. Changes can result in risks and opportunities.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

The objective of management of change process is to enhance occupational health and safety at work, by minimizing the introduction of new hazards and OH&S risks into the work environment as changes occur (e.g. with technology, equipment, facilities, work practices and procedures, design specifications, raw materials, staffing, standards or regulations). Depending on the nature of an expected change, the organization can use an appropriate methodology (e.g. design review), for assessing the OH&S risks and the OH&S opportunities of the change. The need to manage change can be an outcome of the planning

It is recognized that accidents can occur when processes deviate from defined established control measures. This may include changes competent supervision and workers or the introduction of new materials, machinery and processes. The organization must define and implement a process which considers change throughout the business. This may be a written policy which accounts for different scenarios based on risk and opportunity. The change process may be supported by a documented system to acknowledge the issue and receipt of the notification to ensure it is communicated and understood. Notification of change may be supported by training and competence requirements. Change process could incorporate a mechanism to assess and prevent the introduction of new hazards. Examples of events where management of change might be necessary include but this is not exhaustive:

Change event	Method of Management
Loss of knowledgeable competent member of staff	Organization of re-training of an existing member of staff supported with an external provider until the employee is competent.
First aider absent	Temporarily train staff in alternative means of receiving first aid treatment including neighbouring businesses and emergency services.
Introduction of a new piece of machinery	Appoint a Project Manager to coordinate implementation including risk assessment, instruction, training, supervision. Provision of risk assessment and installation method statement from an external provider. Development of control documents based on manufacturers recommendations.
Flood within a building	Appointed a competent representative to conduct a risk assessment and coordinate the relocation of staff to a safe environment.
Introduction of new software	Project management coordination, presentations and toolbox talks, competence and awareness training.

The organization is required to establish a process for the implementation and control of planned temporary and permanent changes that influence its OH&S performance such as:

• New products, processes or services;
• Changes to work locations, working conditions, processes, procedures, equipment, or the company’s organizational structure;
• Changes to applicable legal and other requirements;
• Changes in knowledge or information concerning hazards and associated risks
• Developments in knowledge and technology

The company is required to control both temporary and permanent changes, to review the consequences of unintended changes and, where applicable, to take action to mitigate any adverse effects that might arise as a result of the occurrence of the change. The overall purpose of the management of change process is to minimize the introduction of new hazards and risks into the workplace as a result of changes in:

• Technology
• Plant and equipment
• Facilities
• Work practices and procedures
• Design specifications
• Raw materials
• Company personnel
• Standards or regulations

Depending on the nature of any anticipated change, the company must use a suitable methodology for assessing the risks and the opportunities that might arise as a result of the change. The company must ensure that new, unforeseen hazards are not introduced, or the risk profile increased as a result of the introduction of the change. Where the company decides to implement the change, it must ensure that all affected employees are properly informed and are competent to cope with the change. The management of change process should include consideration of the following questions to ensure that any new or changed risks are acceptable:

• Have new hazards been created?
• What are the risks associated with the new hazards?
• Have the risks from other hazards changed?
• Could the changes adversely affect existing risk controls?
• Have the most appropriate controls been chosen, bearing in mind usability, acceptability and both the immediate and long-term costs?

8.1.4 Procurement

8.1.4.1 General

The organization must establish, implement and maintain processes to control the procurement of products and services in order to ensure their conformity to its OH&S management system.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

The procurement processes should be used to determine, assess and eliminate hazards, and reduce OH&S risks associated with, for example, products, hazardous materials or substances, raw materials, equipment, or services before their introduction into the workplace. The organization’s procurement processes should address requirements for, for example, supplies, equipment, raw materials, and other goods and related services purchased by the organization to conform to the organization’s OH&S management system. The process should also address any needs for consultation and communication. The organization should verify that equipment, installations, and materials are safe for use by workers by ensuring:

1. equipment is delivered according to specification and is tested to ensure it works as intended;
2. installations are commissioned to ensure they function as designed;
3. materials are delivered according to their specifications;
4. any usage requirements, precautions or other protective measures are communicated and made available.

The purchase of goods and services is a requirement for any business to function. The standard requires the organization to put controls in place to ensure those purchased goods and services do not introduce hazards and expose workers to harm including contractors. This clause has been written to ensure that the organization does not use the corporate veil, to escape overall responsibility for achieving the intended outcome of their health and safety management system while engaging in outsourcing, engaging contractors and procurement. This clause again must be read in conjunction with clause 5.4, giving workers and their representatives the right to participation and consultation through these processes. Procurement processes should be used to control potential hazards and reduce OH&S risks associated with the purchase and introduction of products, hazardous chemicals, raw materials, equipment, and ancillary services into the workplace.  The process should also address the need for consultation and communication on the procurement process with interested parties such as workers, contractors, and visitors. The organization should ensure that purchases are safe for use by workers by confirming that:

• Equipment is supplied in accordance with a technical specification such as CE-marking and, where appropriate, is tested to ensure that it functions as intended;
• Equipment is supplied in accordance with legal requirements;
• Where appropriate, risk assessments are carried out in advance of the use of the equipment;
• Installations are commissioned to ensure that they function as designed;
• Materials are supplied in accordance with technical specifications;
• Usage requirements, precautions or other protective measure are communicated and made available to workers, contractors and others who could be adversely affected.

8.1.4.2 Contractors

The organization should coordinate its procurement processes with its contractors, to identify hazards and to assess and control the OH&S risks, arising from the contractors’ activities and operations that impact the organization, the organization’s activities and operations that impact the contractors’ workers, contractors activities and operations that impact other interested parties in the workplace. The organization shall ensure that the requirements of its OH&S management system are met by contractors and their workers. The organization’s procurement processes must define and apply occupational health and safety criteria for the selection of contractors. It can be helpful to include the occupational health and safety criteria for the selection of contractors in the contractual documents.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

The need for coordination recognizes that some contractors (i.e. external providers) possess specialized knowledge, skills, methods, and means. Examples of contractor activities and operations include maintenance, construction, operations, security, cleaning and a number of other functions. Contractors can also include consultants or specialists in administrative, accounting and other functions. Assignment of activities to contractors does not eliminate the organization’s responsibility for the occupational health and safety of workers. An organization can achieve coordination of its contractors’ activities through the use of contracts that clearly define the responsibilities of the parties involved. An organization can use a variety of tools for ensuring contractors’ OH&S performance in the workplace (e.g. contract award mechanisms or pre-qualification criteria which consider past health and safety performance, safety training, or health and safety capabilities, as well as direct contract requirements). When coordinating with contractors, the organization should give consideration to the reporting of hazards between itself and its contractors, controlling worker access to hazardous areas, and procedures to follow in emergencies. The organization should specify how the contractor will coordinate its activities with the organization’s own OH&S management system processes (e.g. those used for controlling entry, for confined space entry, exposure assessment, and process safety management) and for the reporting of incidents. The organization should verify that contractors are capable of performing their tasks before being allowed to proceed with their work; for example, by verifying that:

1. OH&S performance records are satisfactory;
2. qualification, experience and competence criteria for workers are specified and have been met (e.g. through training
3.  Resources, equipment, and work preparations are adequate and ready for the work to proceed.

A robust procurement process is essential to control product and services inputs into an organization. Inputs may include raw materials for products, equipment including machinery, consumables such as cleaning products and workers conducting maintenance as part of a service agreement. The organization is required to develop a process which should include an assessment of the impact on the safety of products and services prior to purchase. This may include obtaining product or material safety data from an external provider or by conducting a risk assessment. Risk assessment with an external provider may be considered during activities such as the purchase and installation of machinery. The assessment would identify potential hazards and suitable control measures to protect both organizational workers and contractors. Within the process, consider the delivery of products to ensure they are inspected against specified requirements prior to release. Consideration must also be made to ensure those products and services are legally compliant. This may be through the assessment of material safety data sheets, declarations of conformity or business registration with trade associations. Personnel who are responsible for procurement must ensure they utilize competent workers to assist with assessments and to communicate safety information relating to product or service. Health and safety information may include material safety data sheets, training, competency requirements and instructions for use.

The organization must coordinate its procurement process with its contractors, in order to identify hazards and to assess and control the OH&S risks arising from:

• Contractors’ activities and operations that impact or have the potential to impact the organization;
• The organization’s activities and operations that impact or have the potential to impact contractors’ workers;
• Contractors’ activities and operations that impact or have the potential to impact other interested parties in the workplace such as visitors or the public.

Contractor activities include the full gamut of services provided to organizations including maintenance, construction, facilities, security, cleaning, waste management and a number of other functions. Contracting activities can also encompass consultants, accountants, administrators, and other specialist service providers. The organization must ensure that the requirements of its OH&S management system are met by contractors and their workers. The procurement process should define and apply occupational health and safety criteria in the selection of contractors, ideally in contract documents or service level agreements (SLAs). How the organization manages often diverse and complex relationships with contractors can vary, depending on the nature and extent of the service provided and the hazards and risks associated with it. When co-coordinating with contractors, the organization should consider the reporting of hazards between itself and its contractors, controlling worker access to hazardous areas, and procedures to follow in emergencies. The organization should specify how the contractor will coordinate its activities with the organization’s own OH&S management system processes (e.g. those used for lock-out tag-out, confined space entry, exposure assessment, and process safety management, etc.) and for the reporting of incidents.

The organization must verify that contractors are capable of performing their tasks before being allowed to proceed with their work, by, for example:

• Reviewing the contractor’s OH&S management system documentation such as risk assessments, procedures/work instructions/method statements, OH&S manual/Safety Statement;
• Confirming that the contractor’s OH&S performance records are satisfactory (review HSA/HSE prosecutions, notifiable accidents or dangerous occurrences, improvement or prohibition notices);
• Assessing the contractor’s understanding of its OH&S legal and other obligations;
• Determining that qualification, experience and competence criteria for workers are specified and have been met (e.g. through training);
• Resources, equipment, and work preparations are adequate and ready for the work to proceed;
• Checking the contractor’s emergency and evacuation plans and procedures and level of preparedness in the event of an emergency;
• Reviewing the contractor’s process for incident investigation, and reporting of nonconformities and corrective actions;
• Assessing contractor OH&S consultation, communication, and participation with any of its workforce and other relevant interested parties including the organization;

8.1.4.3 Outsourcing

The organization shall ensure that outsourced functions and processes are controlled. The organization shall ensure that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to these functions and processes shall be defined within the OH&S management system.
NOTE Coordination with external providers can assist an organization to address any impact outsourcing has on its OH&S performance.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

When outsourcing the organization needs to have control of the outsourced functions and processes to achieve the intended outcomes of the OH&S management system. In the outsourced functions and processes, the responsibility for conforming to the requirements of this document is retained by the organization. The organization should establish the extent of control over outsourced function(s) or processes based upon factors such as:

• the ability of the external organization to meet the organization’s OH&S management system requirements.
• the technical competence of the organization to define appropriate controls or assess the adequacy of controls.
• the potential effect the outsourced process or function will have on the organization’s ability to achieve the intended outcome of its OH&S management system.
• the extent to which the outsourced process or function is shared.
• the capability of the organization to achieve the necessary control through the application of its procurement process.
• opportunities for improvement.

In some countries, legal requirements address outsourced functions or processes.

Outsourcing (or sub-contracting) is the employment of an external organization to perform one or more processes in the OHSMS. This can include system processes (e.g. internal auditing, etc.) as well as operational processes (e.g. welding, recruitment, component sterilization, etc.).  Many businesses use the services of contractors (external providers) to fulfil gaps in processes and to complete tasks requiring specialist knowledge. The standard requires the organization to conduct an assessment on those contractors including due diligence competency checks. The organization may consider the use of contractor selection criteria to ensure services are within the scope of the task. The organization must be satisfied there is a process to protect contractors (workers) and other workers who may be exposed to hazards due to their activities. During the procurement process, written agreements may be established between the organization and contractor specifying the organization’s rules. This may be supported by risk assessments and method statements conducted by both parties with the communication of results. It is key that necessary checks have been made to ensure contractors are competent and may, in some circumstances, require confirmation of compliance to legal requirements. For example, certification to work on electrical switchgear or to work on a gas boiler. Once the procurement process has been completed it is good practice to support site activities with an induction programme. This will provide contractor workers with an understanding of the rules including any specific requirements, for example, site hazards, authorized areas, near-miss reporting processes, safe walking routes, emergency action plans, supervision and required permits to work.

Responsibility for conforming to the requirements of the ISO 45001 is vested in the organization, because the outsourced process remains part of the organization’s OHSMS, including the necessary controls exerted on the outsourced process for OH&S purposes. The organization must establish appropriate controls both to ensure that the external provider understands what is required of it and to give itself an assurance that these are being pursued in a responsible way. The organization must verify that its outsourcing arrangements are compliant with legal requirements and are consistent with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to outsourced functions and processes must be defined within the OH&S management system and should be based on criteria such as:

• The ability of the external organization to meet the organization’s OH&S management system requirements;
• The technical competence of the organization to identify hazards, assess risks, determine appropriate controls and understand its obligations vis a vis OH&S legislation;
• The potential effect the outsourced processes may have on the organization’s ability to achieve the intended outcomes of its OHSMS;
• The extent to which the outsourced process or function is shared;
• The capability of the organization to achieve the necessary controls through the application of its procurement process;
• Opportunities for improvement.
• Controls can include contractual requirements, training, inspections and risk assessments.

The standard requires the organization to maintain documented information relating to the procurement of products and services including contractor arrangements. Below is a list of examples of documented information considered for retention:

• Risk assessment and method statements between the organization and contractor
• Material safety data sheets
• Email exchanges relating to safety aspects
• Certificates of conformity – Harnesses, guarding, emergency stops, PPE
• Contractor permits and licenses
• Completed external provider questionnaires
• Worker training records

8.2 Emergency preparedness and response

The organization must establish, implement and maintain processes needed to prepare for and respond to potential emergency situations. The organization must establish a planned response to emergency situations, including the provision of first aid. It must provide training for the planned response. It must periodically test and exercise the planned response capability. The organization must evaluate performance and, as necessary, revising the planned response, including after testing and in particular after the occurrence of emergency situations. It must communicate and provide relevant information to all workers on their duties and responsibilities. It must be communicating relevant information to contractors, visitors, emergency response services, government authorities and, as appropriate, the local community. It must take into account the needs and capabilities of all relevant interested parties and ensuring their involvement, as appropriate, in the development of the planned response. The organization shall maintain and retain documented information on the processes and on the plans for responding to potential emergency situations.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

Emergency preparedness plans can include natural, technical and man-made events that occur inside and outside normal working hours.

This Clause deals with emergency preparedness and response and is one of the most critical clauses of the standard. Having a defined and efficient process in the event of an incident or accident can be central to ensuring that the effect is mitigated and reduced. Therefore, while preventing incidents and accidents is the primary concern of an OHSAS system, responding to them and ensuring an emergency response plan is in place is equally important. So, given that most organizations will have employees and contractors, visitors, partners, and neighbours and will have to call on emergency services in the event of an accident, it is clear that there are many stakeholders to consider and make provisions for if your emergency response plan is to be truly effective.

Emergency preparedness and response is a key element in the mitigation of occupational health & safety risk. The standard informs us that it is the responsibility of the organization to be prepared, and a number of elements should be considered and planned for. Actions to mitigate incidents must be developed, as well as internal and external communication methods and appropriate methods for emergency response. Consideration of varying types of occupational health & safety incidents needs to be made, as do root cause analysis and corrective action procedures to respond to incidents after they occur. Regular emergency response testing and relevant training need to be considered and undertaken, and assembly routes and evacuation procedures defined and communicated. Lists of key personnel and emergency agencies (think clean-up agencies, local emergency services, and local occupational health & safety offices or agencies) should be established and made available, and it is often good practice to form partnerships with similar neighbouring organizations with whom you can share mutual services and provide help in the event of an occupational health & safety incident. Planning for unexpected events is a good all-around organizational discipline. The risk assessment process, for ISO 45001 identification of hazards, may have highlighted potential emergency situations with possibly catastrophic consequences. Therefore, it is necessary to put control measures in place to mitigate these potential events. Once emergency situations have been identified, which may involve workers at every level of the organization, a plan needs to be formulated and tested. Check that emergency preparedness and response has been tested within the internal audit plan. Testing emergency response plans are critical to raise awareness of potential events and ensure control measures function including supervision, individual responsibilities, the suitability of training and communication. Below are some examples of when emergency plans will be required:

Event	Recommendation
Provision of first aid	Testing of first aid response, consider shift patterns, availability of equipment and competent staff, etc.
Evacuation drill	Method of raising the alarm, contacting the emergency services, accountability of workers, staged evacuation, changes in building layout, etc.
Bomb Threat	Raising the alarm, what to do with workers – stay put or evacuate to a safe area, keeping away from windows, controlled method of raising the alarm.
Chemical spillage	Raising the alarm, evacuation, containment, availability of Material Safety Data Sheets.

The emergency response process should address all of the following:

• Establishing a planned response to emergency situations, including the provision of first-aid. Qualified first aid people: who are they, where are they, and is everyone aware of them? These people are likely to be central to lessening the effect of an emergency situation, so the more of them you have, the better. The more quickly and accurately an employee can reach them, the more chance there is of effectively dealing with a potential emergency situation before it escalates.
• Fire extinguisher and chemical spill kits: are they clearly signposted and are employees informed of any changes?
• Emergency contact numbers: they need to be clearly outlined in your plan, in the event someone needs to access them swiftly.
• Evacuation plan: whether in case of fire, chemical spillage, or natural disaster, is everyone aware of the protocol?
• The employee next of kin details: informing anyone of an accident is an unpleasant task, but it is good practice to ensure that your records are accurate and up to date.
• Responsibilities and communication: does your plan clearly identify who is responsible for decision making and communicating to any stakeholders in the event of the emergency plan is activated?
• Return to work process: your plan should indicate who decides when it is safe to go back to work, and that person can then initiate the process whereby investigation, risk assessment, and corrective action can be implemented to drive improvement and prevent reoccurrence.
• Providing training for the planned response;
• Periodically testing the organization’s capability to respond to the potential emergency;
• Evaluating the organization’s performance and, as necessary, revising the planned response, including after testing and, in particular, after the occurrence of an emergency situation;
• Communicating and providing relevant information to all workers on their duties and responsibilities;
• Communicating relevant information to contractors, visitors, emergency response services, government bodies and, where appropriate, the local community;
• Taking into account the needs and capabilities of all relevant interested parties and ensuring their involvement, as appropriate, in the development of the planned response.

When identifying potential emergency situations, consideration should be given to emergencies that can occur subject to both normal and abnormal conditions (e.g. operation start-up or shut-down, construction activities, etc.). Involving stakeholders in the construction of your emergency preparedness and response plan is a positive thing. Inviting your local fire service, for instance, to participate in your plan construction can give you added expertise and insight into what they deem to be achievable and sensible, thereby lessening the impact should an emergency occur. Likewise, why not invite business partners and contractors to contribute to your emergency plan? You will benefit from the sharing of information, educate your partners, and hopefully construct an emergency plan that is a combination of shared knowledge. How the potential emergency situations will impact all personnel within and/or in the immediate vicinity of the workplace should be assessed by the organization, particularly those with special needs such as people with limited mobility, vision or hearing. The emergency preparedness and response process should focus on the prevention of ill-health and injury to all personnel including workers, contractors, visitors, neighbours, members of the general public and emergency services personnel and should take account of applicable OH&S legislation. The process should be clear and concise and should be understandable to personnel within the organization with specific duties and responsibilities during an emergency such as fire wardens. The emergency preparedness and response process should consider the following:

• Identification of potential emergency situations and locations;
• Details of the actions to be taken by personnel during the emergency;
• Evacuation;
• Organizational roles, responsibilities, and authorities of personnel with specific roles during an emergency such as fire-wardens, first-aid staff, spillage response personnel and members of the emergency response team (ERT);
• Interface and communication with emergency services;
• Communication with workers, regulatory bodies and other relevant interested parties such as workers’ families, neighbours, the local community and the media;
• Information deemed necessary to facilitate the emergency response process such as plant layout drawings, identification, and location of emergency response equipment, identification, and location of hazardous chemicals and wastes, utility shut-off locations and contact information for emergency response providers;
• Review of emergency response equipment and materials;
• Emergency responses training;
• Periodic testing of emergency preparedness and response process;
• Review and revision of process, where appropriate.

The organization should maintain and retain documented information on the emergency preparedness and response process and on any plans for responding to potential emergency situations. No, ISO 45001 also requires you to test, review, and improve your plan wherever practical and possible. Therefore, it is necessary to state in your plan how and how often you will test your plan, what methods you use to review that output, and how you improve it. Again, feedback from all stakeholders is very useful here, so don’t hesitate to involve stakeholders in this process to ensure that you get the best possible response and feedback to assist in your improvement cycle. Set a schedule to review your plan regularly, and ensure that you consider accidents, incidents, and legislation changes when you do so. If you can encourage stakeholder engagement and feedback, expert advice, and good communication allied to learning from the past, your organization will be well positioned to lessen the impact should an unfortunate situation occur.