IMS Manual (ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018)

ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 share the same high-level structure, which simplifies the overall approach to consolidating their requirements to create a robust ISO 9001, ISO 14001 and ISO 45001 QEHSMS integrated management system manual and set of procedures. The integrated manual and procedures combine the requirements of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 as a framework to create a single, auditable integrated management system which reduces duplication and the potential for non-conformances during certification audits. The QEHSMS integrated management system manual adopts the key concepts, principles, and structure of ISO 9001, ISO 14001 and ISO 45001. The integrated manual templates allow all types of organizations to implement the processes needed to achieve customer satisfaction, enhance sustainability, and satisfy the needs and expectations of workers, regulators and other interested parties. The integrated manual allows you to concentrate on effective implementation rather than dealing with the structure of document design and combining multiple requirements. The IMS manual supports the requirements in ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018. Even though a management system manual is no longer required, there are still items that must be documented and information that is logical to maintain in a central management system manual.

The key to handling these standards efficiently is to understand the tremendous amount of commonality in requirements and expectations between them. For example, all of the management system standards require a policy, an objective, and a management review. Furthermore, each of them requires risk assessment and controls instituted for the risks identified. All of the standards require document and records control, internal audits, and corrective and preventive actions. This recognition of the common requirements has led to a methodology of integrated management systems (IMS) where requirements grouped together in the standard (clauses) can be satisfied by a single business process. Businesses can economically and efficiently meet these standards with integrated and standardized processes that meet the requirements of QMS, EMS, and OHSMS. The goal of the manual is to make executive management knowledgeable about IMS and the steps that they can take in guiding their organization towards IMS.

Integration of Management Systems

All management systems evolve from the continual improvement cycle called Plan Do Check Act (PDCA). This basic architecture has spawned common requirements in each of the steps of the PDCA cycle for the multiple standards. For example, in the planning step, all management system standards include defining a policy, setting objectives, and creating a plan to meet the objectives and to evaluate the risks to the business. These common requirements of management systems can be met by common procedures or processes. This is a fundamental truth in the path to integrated management system standards.

Business Building Blocks are Processes

The fundamental organizational building blocks are the processes of an organization. This understanding is fundamental to integrated and standardized management systems. Businesses accomplish all tasks through processes that cut across functions of the business. All management system standards have requirements that are fundamentally fulfilled when processes perform a task. Processes are typically first documented and then taught to the employees of an organization.


The manual provides direction and guidance on how an organization meets quality, environmental, and/or health and safety requirements. The procedures explain how functions work together to accomplish the fundamentals of the business including sales, design, and manufacturing. Work instructions are at the task level and tell someone exactly how to conduct an operation in a process or procedure. Forms and checklists are filled out when employees perform tasks in a process.

Example of IMS Manual

1.0 About the organization

1.1 Introduction

XXXXXX has made the “Strategic Business Decision” to develop and implement an effective Integrated Management System (IMS) of ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018 across all areas of the Company. The implementation of the IMS is intended to improve and sustain the overall performance of our business, products, and services. Examples of benefits include:

  1. The ability to consistently provide products and services that meet customer and applicable Statutory and Regulatory requirements;
  2. The ability to plan our processes and their interactions by employing the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking in our daily operations;
  3. The facilitating of opportunities to enhance customer satisfaction;
  4. Addressing risks and opportunities associated with its context and objectives.
  5. Improving the Environmental impact across the organization using the principle of sustainability
  6. Improving the overall health and safety within our organization

The IMS Manual is considered the normative basis of reference to the International Standard and shall be used internally to provide an overview of ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 requirements and how they apply at XXXXXX. The IMS Manual is used externally to introduce the elements of our IMS to our customers and other stakeholders to the extent necessary.

1.2 Process Approach

XXXXXX has adopted the “Process Approach” into our daily operations including the PDCA Cycle. We have considered the utilization of Risk-Based Thinking Philosophy when developing, implementing, and improving the effectiveness of our IMS. This approach will enable XXXXXX to enhance the overall performance of XXXXXX by effectively controlling the interrelationships and the interdependencies among the QMS processes. The implementation of the “Process Approach” in our IMS enables:

  1. the understanding and consistency with achieving customer-specific requirements, Environmental requirements, and Health & safety requirements;
  2. the consideration of our processes in terms of added value;
  3. the achievement of effective process performance;
  4. Improvement of our processes based on the evaluation of data and information.

1.3 Plan-Do-Check-Act cycle

The PDCA cycle can be applied to all processes and to the Integrated management system as a whole.

Figure 1: PDCA cycle

The PDCA cycle can be briefly described as follows:

  • Plan: establish the objectives of the system and its processes, and the resources needed to deliver results in accordance with IMS requirements and the XXXXXX policies, and identify and address risks and opportunities;
  • Do: implement what was planned;
  • Check: monitor and (where applicable) measure processes and the resulting products and services against policies, objectives, requirements and planned activities, and report the results;
  • Act: take actions to improve performance, as necessary.

Note: The IMS requirements include requirements for customer, Environment, and Health & safety.

1.4 Risk-Based Thinking

The implementation of risk-based thinking is an essential tool for achieving and maintaining an effective IMS. XXXXXX effectively plans and implements various actions to address risks and opportunities to maximize the outcomes including, but not limited to, achieving improved results and preventing negative effects of our products, services, and IMS.

1.5 XXXXXX Profile

Include your company profile

1.6 Organizational structure

The organization is headed by the Managing Director.

Figure 2: Organizational chart

2.0 Purpose, scope, and users

The Integrated Management System Manual documents the management system of XXXXXX (referred herein and in other documents as “XXXXXX”) and demonstrates the capability of XXXXXX to continuously provide products that address customer requirements.

2.1 Exclusions to ISO 9001:2015 standards

Exclusion of the QMS, 8.3 Design and development of products  & 8.5.3 – Property belonging to customers or external providers. All other requirements of ISO 9001:2015 are applicable to XXXXXX. All requirements of ISO 14001:2015 and ISO 45001:2015 are applicable to XXXXXX.

3.0 Terms and definitions

For the purpose of this Integrated Management System Manual,

  • For ISO 9001:2015 (QMS) XXXXXX references the terms and definitions listed in the ISO 9000:2015 QMS Fundamentals and Vocabulary document requirements with guidance for use. The 2015 revision of this document applies.
  • For ISO 14001:2015 (EMS), the definitions appearing in ISO 14001:2015 are applicable.
  • For ISO 45001:2018 (OHSMS), the definitions appearing in ISO 45001:2018 are applicable.

4.0 Context of the organization

4.1 Understanding the organization and its context <<Clause no. 4.1 of 9001:2015 >>,<<Clause no. 4.1 of 14001:2015 >>,<<Clause no. 4.1 of 45001:2018 >>

XXXXXX management has determined relevant external and internal issues and items that may become relevant to the XXXXXX purpose and strategic direction and may affect our ability to achieve the intended results of the IMS. XXXXXX shall monitor and review information about these external and internal issues. XXXXXX has considered the following external issues:

  1. Social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment whether international, national, regional or local.
  2. Key drivers and trends having an impact on the objectives of XXXXXX.
  3. Relationship with and perception and value of external interested parties.

XXXXXX has considered the following internal issues:

  1. Governance, XXXXXX’s structure, roles and
  2. Policies, objectives and the strategies that are in place to
  3. Capabilities understood in terms of resources and knowledge and competence (e.g., capital, time, people, processes, systems, and technologies)
  4. Relationship with and perception and values of internal interested
  5. XXXXXX’s culture
  6. Standards, guidelines, and models adopted by XXXXXX
  7. The form and extent of the contractual relationship and
  8. Identifying key interfaces between system, potential conflicts that may arise and a process for resolving

NOTE 1: Issues can include positive and negative factors or conditions for consideration.

NOTE 2: Understanding the external context can be facilitated by considering issues arising from the legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.

NOTE 3: Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge, and performance of the organization

4.2  Understanding the needs and expectations of interested parties <<Clause no. 4.2 of ISO 9001:2015>>,<<Clause no. 4.2 of ISO 14001:2015>>,<<Clause no. 4.2 of ISO 45001:2018>>

Due to their effect or potential effect on our organization’s ability to consistently provide products and services that meet our customer and applicable statutory and regulatory requirements, XXXXXX has determined the following:

  1. the interested parties relevant to the IMS;
  2. the requirements of the identified interested parties relevant to the IMS;

XXXXXX is committed to continually monitoring, reviewing and analyzing information and relevant requirements of the interested parties to assure their requirements are effectively managed in the IMS. Some of the internal and external interested parties considered for understanding the needs and expectations are listed below.

Citizen/public at large | XXXXXX | Media
Customers | Management | Neighbours
Bank insurers | Top Management | Emergency products, process & services
Government | Those accountable for IMS policy and its implementation | Transport products, process & services
Regulators | Those who implement, maintain IMS & Risk procedures | Dependents of staff
Stake Holders | Other staff & contractors | Products, process & providers

Figure 4: Interested parties

4.3 Determining the scope of the Quality Management System <<Clause no.4.3 of ISO 9001:2015>>,<<Clause no. 4.3 of ISO 14001:2015>>,<<Clause no.4.3 of ISO 45001:2018>>

XXXXXX has determined the boundaries and the applicability of the IMS and how it relates to our Business Core Competency. XXXXXX is committed to applying all applicable requirements of the International Standard to the intent and Scope of our IMS. The Scope of our IMS shall always be available to internal and external parties and maintained as documented information. The IMS was determined, designed, and implemented to cover and support XXXXXX Scope.

4.4 Integrated Management System and its processes <<Clause no.4.4 of ISO 9001:2015 >>,<<Clause no. 4.4 of ISO 14001:2015 >>,<<Clause no.4.4 of ISO 45001:2018 >>

XXXXXX has established and implemented the IMS, which is maintained and continually improved according to the requirements of the ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 standards including processes needed and their interactions. XXXXXX determined the processes needed for the IMS and their application through the organization.

XXXXXX determined required inputs and desired outputs of the processes, criteria, and methods needed for effective operation and control of these processes, as well as resources needed and responsibilities and authorities for processes in the IMS Cross Reference. Sequences and interactions between the processes are described in Figure 5: Process Map. During management review, top management of XXXXXX evaluates processes and makes changes needed in order to ensure that the processes achieve intended results and improve processes and the IMS.

Figure 5: Process Map

5 Leadership

5.1 Leadership and commitment <<Clause no. 5.1 of ISO 9001:2015>>,<<Clause no. 5.1 of ISO 14001:2015>>,<<Clause no. 5.1 of ISO 45001:2018>>

5.1.1 General <<Clause no. 5.1.1 of ISO 9001:2015>>,<<Clause no. 5.1.1 of ISO 14001:2015>>,<<Clause no. 5.1.1 of ISO 18001:2018>>

Top management of XXXXXX is taking accountability for the effectiveness of the QMS and providing resources to ensure that the Quality, Environmental, Health & Safety Policy and IMS Objectives are compatible with the strategic direction and the context of XXXXXX. Top management ensures that IMS requirements are integrated into XXXXXX business processes and that the IMS is achieving the intended results. Top management communicates the importance of an effective IMS, promotes continual improvement, a process approach, and risk‐based thinking, and supports relevant management roles to demonstrate leadership to their areas of responsibility.

Figure 6: Leadership PDCA Cycle

5.1.2.  Customer focus   <<Clause no. 5.1.2  of ISO 9001:2015>>

Top management of XXXXXX demonstrates leadership and commitment with respect to customer focus through ensuring:

  1. That customer and statutory and regulatory requirements are defined, understood, and consistently met
  2. The risks and opportunities that can affect the conformity of products and the ability to enhance customer satisfaction are determined and addressed
  3. The focus on enhancing customer satisfaction is maintained

5.2 Quality, Environmental, Health & Safety Policy <<Clause no.5.2 of ISO 9001:2015>>,<<Clause no.5.2 of ISO 14001:2015>>,<<Clause no. 5.2 of ISO 45001:2018>>

XXXXXX has defined the Quality, Environmental, Health & Safety Policy as a separate document and made it available to employees and the public. This Policy represents the framework for planning and improving the IMS, and setting general and specific quality objectives. The Integrated Management System policy is appropriate to METAL PRODUCT COMPANY’s processes, products, and services, is derived from the overall policies, context, and strategy, and provides a framework for establishing and reviewing objectives. The Integrated Management System policy is approved by the DIRECTOR and is displayed in the work/prominent areas of Plants. This policy is made available in the English/Arabic language as well. Whenever required, the DIRECTOR reviews the policy for its continuing suitability. The IMS policy also includes a commitment to satisfy applicable requirements and to continual improvement of the IMS. Our integrated quality, environmental, and Health & Safety policy is:

XXXXXX is committed to:

  • The satisfaction of our customers in all respects by supplying high-quality products, complying to the relevant standards, always on time
  • Fulfil our commitment through total involvement of all at XXXXXX and with continual improvement in our integrated management system.
  • Identify, prevent, control and minimize adverse environmental impacts associated with our operational activities.
  • Comply with all quality, environmental, Health & Safety requirements.
  • Develop and maintain a highly motivated and trained workforce for effective management of the quality, environment, and Health & Safety issues.
  • Communicate our environmental commitment to clients, employees and other interested parties.
  • Strive to continually improve our quality, environmental and Health & Safety performance keeping in view the regulatory requirements, Health & Safety requirements, environmental requirements, community concerns, and technological advancements. Establish & maintain a healthy work environment.
  • Comply with applicable legal requirements.
  • Adopt the best practice of operations to prevent ill health & injuries

5.3 Organizational roles, responsibilities, and authorities <<Clause no.5.3 of ISO 9001:2015>>,<<Clause no. 5.3 of ISO 14001:2015>>,<<Clause no. 5.3 of ISO 45001:2018>>

Responsibilities and authorities for relevant roles are assigned by top management and communicated within XXXXXX. Top management assigns roles and responsibilities for ensuring that the IMS conforms to ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 and for reporting on the performance of the IMS to top management, including the following responsibility and authority to:

1. ensure the IMS conforms to the requirements of the international standards ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018;

2. ensure the interaction of processes and their ability to achieve planned results;

3. report to top management on the results achieved by the IMS, possibilities for improvements and the needs of changes or innovations;

4. maintain IMS integrity when planning and implementing changes;

5. promote awareness of customer focus throughout the organization;

6. act as a liaison with external parties such as customers or auditors on matters relating to the IMS;

7. Resolve all matters pertaining to quality issues. The responsibility, accountability, and authority of all personnel involved in the IMS are to be defined, documented and communicated in order to facilitate effective IMS. This is to include any responsibilities and accountability that is imposed by legislation.

8. Responsibilities, accountabilities, and authorities are documented in position descriptions and throughout the IMS.

9. Where suppliers are involved, their responsibilities and accountabilities are to be clarified and documented by the responsible employee with authority.

10. All employees and Suppliers will comply with their responsibilities.

11. The Management Team are to:

  1. Ensure organization-wide compliance to the IMS.
  2. Appoint the IMS Management Representative.
  3. Ensure that the assigned roles, responsibilities and authorities are communicated and understood.
  4. Communicate the importance of meeting customer, statutory and regulatory requirements.
  5. Establish appropriate policies that include a commitment to continual improvement of the IMS.
  6. Establish IMS objectives.
  7. Ensure that all employees are aware of:
    • Policy
    • Current IMS objectives, targets and plans.
    • The importance of compliance with the IMS.
    • Their contribution to the effectiveness of the IMS, including the benefits of improved performance.
    • Potential consequences of non-compliance with the IMS requirements.
  8. Hold people accountable for carrying out assigned responsibilities and the results delivered.
  9. Make resources available.
  10. Participate in IMS meetings including the Management Review.
  11. Actively promote and participate in IMS initiatives.

The Management Representative is to:

  1. Ensure that the:
    1. IMS is established implemented and maintained in accordance with the requirements of the standards.
    2. IMS processes are delivering their intended outputs.
    3. Promotion of customer focus throughout the company.
    4. The integrity of the IMS is maintained when changes to the IMS are planned and implemented.
  2. Report on the performance of the IMS for review and as a basis for continual improvement.
  3. Perform the role of Administrator which has the authority to ensure access rights in the IMS, for individuals, are in-line with their levels of authorities and responsibility in the organization.
  4. Monitor, communicate and incorporate changes in the legal and other requirements in the IMS.
  5. Communicate amendments to the IMS.
  6. Advise and provide guidance to ensure compliance to the IMS is maintained.
  7. Provide guidance in developing action plans and conducting management system reviews.
  8. Ensure that audits and inspections are conducted in accordance with the schedule.
  9. Ensure that Mango is effectively utilized to administer and control the IMS.
  10. Provide and or arrange for ongoing training and coaching to personnel with respect to IMS matters.
  11. Coordinate and participate in IMS meetings including the Management Review.
  12. Publish and control all IMS documents.
  13. Actively promote and participate in IMS initiatives.
  14. Coordinate and administer arrangements with the certification agency.

Employees are to:

  1. Ensure that the IMS is effectively implemented and maintained within their area of responsibility.
  2. Actively encourage all personnel to contribute towards the continual improvement of the IMS.
  3. Incorporate the IMS as part of the site and departmental inspections and reviews.
  4. Determine and escalate the need for resource requirements for the effective operation of the IMS.
  5. Participate in IMS meetings including the Management Review.
  6. Actively promote and participate in IMS initiatives
  7. Promptly report any unsafe working conditions, faulty equipment, hazards/risks, injuries or incidents

Suppliers and Contractors are to:

  1. Comply with the requirements of the IMS and participate in IMS promotions.
  2. Promptly report any unsafe working conditions, faulty equipment, hazards/risks, injuries or incidents

Organization Structure

  1. The Company recognizes that the structure of the organization needs to constantly evolve in order to meet the changing needs of clients, the market and compliance obligations.
  2. The Management Team is responsible for ensuring the structure of the organization is appropriate to the current business needs and will ensure that the organization chart is regularly reviewed and maintained.

6.0 Planning

6.1 Actions to address risks and opportunities <<Clause no. 6.1 of ISO 9001:2015>>,<<Clause no. 6.1 of ISO 14001:2015>>,<<Clause no. 6.1 of ISO 45001:2018>>

6.1.1 General <<Clause no. 6.1.1 of ISO 9001:2015>>,<<Clause no. 6.1.1 of ISO 14001:2015>>,<<Clause no. 6.1.1 of ISO 45001:2018>>

When planning our IMS, XXXXXX has taken into consideration potential issues and has determined the risks and opportunities that need to be addressed to:

  1. provide assurance that the IMS can achieve its intended result;
  2. enhance desirable effects;
  3. prevent, or reduce, undesired effects;
  4. achieve improvement;

XXXXXX has planned actions to address the above risks and opportunities and has initiated appropriate procedures to integrate and implement appropriate actions into our QMS including the evaluation of the effectiveness of our IMS processes. Any actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

Figure 7: Risks and Opportunities

While planning for the IMS, XXXXXX has considered the issues referred to in 4.1 and the requirements referred to in 4.2 and developed a mechanism to identify the risks and opportunities that need to be addressed to:

  1. Assure the IMS in place can achieve the intended outcome
  2. Enhance desirable effects,
  3. Prevent, or reduce undesired effects
  4. Achieve improvement.

XXXXXX has ensured that the actions to address these risks and opportunities are proportional to the potential impact on the conformity of its products, processes and services, on interested parties' needs and expectations, or on its compliance obligations. XXXXXX has planned how to:

A. Integrate and implement the actions into its IMS processes (as per clause 4.4)
B. Evaluate the effectiveness of the actions planned and implemented

While planning products, processes, and their operation, departments take into consideration the issues related to company objectives, requirements for products, processes and services, and health & safety concerns.

For QMS

Business Risk and Opportunity assessment is done as per the internal and external issues to XXXXXX under its business context, taking into consideration interested parties' needs and expectations, contracts and customer requirements, and its vision and mission. The qualitative/quantitative assessment is carried out to ensure that these risks remain under the control of XXXXXX and, with a proper mitigation plan applied in a systematic manner, will not affect XXXXXX’s values, business, process, products, and services performance in the long and short run. The effective measures will then be reviewed and integrated with the management system in place through a proper change management process.

6.1.2 Identification and evaluation of Environmental aspects, Hazard identification <<Clause no. 6.1.2 of ISO 14001:2015>>,<<Clause no. 6.1.2 of ISO 45001:2018>>

Environmental Aspects

The planning process commences with the identification and updating of environmental aspects. In order to evaluate the impacts of its activities to the environment, XXXXXX shall establish, implement and maintain a procedure to identify the environmental aspects of its activities, products or services that it can control and those that it can influence taking into account planned or new developments, or new or modified activities, products, and services. These aspects, inclusive of those arising from works carried out by contractors, are registered in the “Aspects and impacts register”. XXXXXX  shall ensure that all environmental aspects that may pose significant impacts on the environment are under control and prioritized for improvements. XXXXXX shall keep this information up-to-date.

Hazard identification and Assessment of Risk and Opportunities

Identification of Hazard and Risk Analysis (HIRA) is performed for all activities of XXXXXX as per the Procedure for determination of Hazard & Risk Assessment & Control. Hazards which are related to OH&S legal requirements are considered as significant. Risks which are above the acceptable risk priority number are identified as significant risks; those are either covered through OH&S objectives to improve OH&S performance or controlled through operational control procedures, measuring & monitoring, training & awareness, emergency preparedness and response, or a combination thereof. The significant risks and aspects are reviewed annually by different departments to plan mitigation measures to minimize the impact, to adopt new technology, and to revise the objectives if needed.

Assessment of EH&S risks and other risks to the EH&S management system

The XXXXXX has established, implemented and maintained processes to:

a) Assess EH&S risks from the identified Environmental aspect, OH&S hazards, while taking into account the effectiveness of existing controls;

b) Determine and assess the other risks related to the establishment, implementation, operation, and maintenance of the OH&S management system.

The XXXXXX’s methodologies and criteria are defined with respect to the risk associated with their scope, nature, and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodologies and criteria.

Assessment of EH&S opportunities and other opportunities to the EH&S management system

The XXXXXX has established, implemented and maintained processes to assess:

a) EH&S opportunities to enhance EH&S performance, while taking into account planned changes to the organization, its policies, processes or its activities and:

  1. Opportunities to adapt  work for the organization and work environment to workers;
  2. Opportunities to eliminate hazards and reduce EH&S risks;

NOTE EH&S risks and EH&S opportunities can result in other risks and other opportunities to the organization.

6.1.3 Compliance obligation or Determination of Legal and Other Requirements <<Clause 6.1.3 of ISO 14001:2015>>,<<Clause 6.1.3 of ISO 45001:2018>>

  1. XXXXXX is to ensure that all relevant legislative and other requirements are identified.
  2. Legislative and other requirements may include, but are not limited to:
    • Acts and Regulations.
    • Codes of Practice.
    • Guidelines.
    • Standards.
    • Agreements with clients, communities or public authorities.
    • Corporate requirements.
    • Industry standards or codes.
    • Voluntary commitments.
  3. Details of all relevant legislative and other requirements are to be contained within the Compliance Module. These will include mitigations and control methods. The verification of compliance will be reviewed by the Board.
  4. The Management Team are to ensure that where possible, they are notified of changes and/or additions to legal and other requirements as those changes occur.
  5. The means of ensuring notification of changes and/or additions may include:
    • Agreements with external legal or consulting organizations to monitor and advise of any changes.
    • Registering with Standards New Zealand.
    • Advice from the employer or industry associations.
  6. When changes and/or additions occur they are to be included in the Compliance module and the means of verifying compliance is to be defined as previously described.
  7. A review of the Compliance module will be conducted as per the annual work plan in the Board meeting. These will include:
    • Confirm that all updates to applicable legal and other requirements have been captured and included.
    • Confirm that the means of ensuring and verifying compliance are appropriate.
  8. The company is to ensure that all changes, additions, and updates to the Compliance module are communicated to relevant employees, contractors, and other stakeholders.

6.2 IMS Quality objectives and planning to achieve them <<Clause no. 6.2 of ISO 9001:2015>>,<<Clause no. 6.2 of ISO 9001:2015>>,<<Clause no. 6.2 of ISO 9001:2015>>

IMS Objectives have been established at all corresponding levels and processes throughout XXXXXX to implement the IMS Policy, meet and exceed requirements for product and processes, and to improve the IMS and its performance.

IMS Objectives: IMS objectives are strategic, apply to the entire Company and shall:

  1. be consistent with the Quality Policy;
  2. be measurable and monitored;
  3. take into account applicable requirements;
  4. be communicated;
  5. be updated as appropriate;
  6. Be relevant to the conformity of products, services and enhance customer satisfaction.

IMS Performance Objectives are measurable targets for improving operational performance to ensure process conformity and customer satisfaction. They apply to all departments and functions having direct responsibility for activities that require improvement. Performance objectives and goals are established by management and through employee involvement and monitored within the framework of management reviews. XXXXXX retains documented information on the status of our IMS objectives. If shortfalls are identified, management may revise objectives, issue corrective action requests, or take other appropriate actions to address the issue.

6.3 Planning changes <<Clause 6.3 of ISO 9001:2015 >>

When changes to QMS are deemed necessary, XXXXXX shall ensure the change will comply with the requirements of QMS and shall consider:

  1. the purpose of the changes and their potential consequences;
  2. the integrity of IMS;
  3. the availability of resources;
  4. the allocation or reallocation of responsibilities and authorities.

7.0 Resources

7.1 Resources <<Clause 7.1 of ISO 9001:2015>>,<<Clause 7.1 of ISO 14001:2015>>,<<Clause 7.1 of ISO 45001:2018>>

7.1.1 General <<Clause 7.1.1 of ISO 9001:2015>>,<<Clause 7.1 of ISO 14001:2015>>,<<Clause 7.1 of ISO 45001:2018>>

XXXXXX is fully committed to providing adequate resources required for the establishment, implementation, maintenance and continual improvement of IMS. Our committed resources include competent employees, state of the industry equipment, well-maintained work environment, and financial resources. The process for determining and communicating resource requirements is an integral part of our management review process. Our infrastructure resource considerations include:

  1. management review meeting inputs and outputs;
  2. capabilities and constraints on existing internal and external resources;
  3. requirements and expectations provided by our external providers/vendors.

7.1.2 People<<Clause7.1.2  of ISO 9001:2015 >>

XXXXXX identifies personnel training needs, provides the required training, and evaluates the effectiveness of the training provided. Personnel assigned to perform specific tasks, operations and processes are qualified on the basis of appropriate education, experience or training. Employees are made aware of the relevance and importance of their activities and how they contribute to the achievement of IMS objectives. Records of personnel qualifications and training are maintained.

7.1.3 Infrastructure <<Clause7.1.3  of ISO 9001:2015 >>

XXXXXX has determined and provided resources necessary for the establishment, implementation, maintenance and continual improvement of the IMS. Our infrastructure resource considerations include:

  1. buildings, workspace and associated utilities;
  2. equipment (including hardware and software);
  3. transportation resources;
  4. Information and communication technology.

As new infrastructure requirements are determined to be necessary, they will be documented in quality plans and other documents as required.

7.1.4 Environment for the Operation of Processes <<Clause7.1.4 of ISO 9001:2015 >>

Management identifies and manages the human and physical factors of the work environment considered to be important to control processes and to achieve conformity of products and services. Evaluations include:

  1. Assessment of product requirements to identify where human and/or physical factors will affect product quality; this is also conducted during advanced product quality planning.
  2. Assessment of current working environment conditions to determine if the work environment is suitable to achieve the conforming product.
  3. Implementation of work environment improvements needed to achieve the conforming product.
  4. Continual assessment of the work environment to ensure that adequate human and physical factors are maintained.

7.1.5 Monitoring and Measuring Resources <<Clause7.1.5 of ISO 9001:2015 >>

7.1.5.1 General<<Clause7.1.5.1  of ISO 9001:2015 >>

XXXXXX has determined the necessary monitoring, measurement, and resources to be initiated across our IMS. The structure of internal resources includes but is not limited to:

  1. monitoring and measuring equipment;
  2. documented procedures and forms;
  3. competent and qualified personnel.

7.1.5.2 Measurement Traceability <<Clause7.1.5.2 of ISO 9001:2015 >>

Documented procedures outline the processes that control monitoring and measurement equipment used to accept products during production and service operations. The procedures also include controls prior to, and after delivery of products to our customers. Appropriate documented information is maintained and provides objective evidence of compliance and conformity.

7.1.6 Organizational Knowledge<<Clause7.1.6 of ISO 9001:2015 >>

XXXXXX considers the specific knowledge necessary for each operation and considers this as an important resource to ensure our people and processes are consistent and will achieve conformity of the product and services provided by the Company. Specific organizational knowledge is defined, maintained, and available to the extent necessary within appropriate procedures.

7.2 Competence <<Clause7.2 of ISO 9001:2015>>,<<Clause 7.2  of ISO 14001:2015>>,<<Clause 7.2  of ISO 45001:2018>>

XXXXXX has determined to the extent necessary the below elements of competence for people performing work that may affect the effectiveness of the IMS.

  1. ensure employees are competent on the basis of their education, training, and experience;
  2. initiate job descriptions including specific competency provisions;
  3. measure job performance for each employee on an annual basis;
  4. provide job and career training programs to the extent necessary;
  5. Take actions when necessary to assist employees that exhibit less than desirable results.

XXXXXX ensures that the necessary competence is available for the effective operation of the processes. HODs take necessary actions regarding the following:

  1. Determine the necessary competence on the basis of education, training, skills, and experience for personnel performing work affecting IMS
  2. Analyze the competence required against what is
  3. Provide training or any other actions to satisfy needs. Training helps to identify the safety and health responsibilities of both management and employees at the Appropriate training programs are conducted for employees to ensure that employees are aware of the safety hazards to which they may be exposed and the proper methods for avoiding such hazards. Evaluate the effectiveness of the action taken.
  4. Ensure by proper briefing and through an internal communication system that personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of company
  5. Maintain records of education, training, skills, and experience of the

7.3 Awareness <<Clause7.3 of ISO 9001:2015>>,<<Clause7.3  of ISO 14001:2015>>,<<Clause7.3  of ISO 45001:2018>>

XXXXXX has determined to the extent necessary persons performing work are:

  1. aware of the IMS Policy;
  2. aware of relevant IMS objectives;
  3. aware of their contribution to the IMS effectiveness, including improved performance;
  4. aware of the implications of non-compliance with our QMS requirements.

7.4 Communication <<Clause7.4 of ISO 9001:2015>>,<<Clause7.4 of ISO 14001:2015>>,<<Clause7.4 of ISO 45001:2018>>

Top Management is responsible for determining internal and external communications relevant to the IMS, including subject, timing, and method of communication, as well as who will communicate and with whom.

7.4.1 General <<Clause7.4.1 of ISO 14001:2015>>,<<Clause7.4.1  of ISO 45001:2018>>

Systems have been established within XXXXXX for internal as well as external communication regarding the effectiveness of the Integrated Management System. Plant Heads ensure that appropriate communication processes are established within XXXXXX and that communication takes place regarding the effectiveness of the IMS.

7.4.2 Internal Communication <<Clause7.4.2 of ISO 14001:2015>>,<<Clause7.4.2  of ISO 45001:2018>>

The various departments of XXXXXX determine and plan effective arrangements for communicating with customers and relevant interested parties in relation to products, process, and service information, HSE matters, inquiries, contracts or order handling and amendments. Suitable systems are developed to receive customer feedback and handle customer complaints.

7.4.3 External communication <<Clause7.4.3 of ISO 14001:2015>>,<<Clause7.4.3  of ISO 45001:2018>>

Effective arrangements have been established and implemented covering what is communicated, when, with whom, how, and who communicates:

  1. Internal communication among various functions and levels is defined.
  2. Receiving, recording and responding to relevant communication with external interested parties as per its compliance obligations is also defined.

XXXXXX has established, implemented and maintained processes for the participation of workers by their involvement in consultation processes and consultation with contractors, including ensuring they clearly understand their responsibilities within the IMS.

Wherever appropriate, XXXXXX consults relevant external interested parties about IMS matters. XXXXXX ensures the method of communication and language used is appropriate to the needs of the workforce and in a form that they can easily understand the information being provided to them.

7.5 Documented information <<Clause7.5 of ISO 9001:2015>>,<<Clause7.5  of ISO 14001:2015>>,<<Clause7.5  of ISO 45001:2018>>

7.5.1 General<<Clause7.5.1  of ISO 9001:2015>>,<<Clause7.5.1  of ISO 14001:2015>>,<<Clause7.5.1  of ISO 45001:2018>>

Documented information required to support the effectiveness of our IMS is controlled to ensure:

  1. it is available and suitable for use, where and when it is needed;
  2. it is adequately protected from loss of confidentiality, improper use, or loss of integrity.
  3. distribution, access, retrieval, and use;
  4. storage and preservation, including preservation of legibility;
  5. control of changes;
  6. Retention and disposition.

Documented information of external origin determined to be necessary for the planning and implementation of the QMS is identified as appropriate and controlled in accordance with QMS Procedures and Forms.

7.5.2 Creating and updating<<Clause7.5.2 of ISO 9001:2015>>, <<Clause7.5.2 of ISO 14001:2015>>,<<Clause7.5.2   of ISO 45001:2018>>

When creating and updating documented information, XXXXXX shall ensure appropriate:

  1. Identification and description (e.g. a title, date, author, or reference number);
  2. Format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
  3. Review and approval for suitability and adequacy.

7.5.3 Control of documented information <<Clause7.5.3 of ISO 9001:2015>>, <<Clause7.5.3 of ISO 14001:2015>>,<<Clause7.5.3   of ISO 45001:2018>>

7.5.3.1  Documented information required by the IMS and by this International Standard shall be controlled to ensure:

  1. it is available and suitable for use, where and when it is needed;
  2. it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
  3. distribution, access, retrieval, and use;
  4. storage and preservation, including preservation of legibility;
  5. control of changes (e.g. version control);
  6. retention and disposition.

Documented information of external origin determined by XXXXXX to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled. Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE: Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

8.0 Operation <<Clause8 of ISO 9001:2015>>,<<Clause 8  of ISO 14001:2015>>,<<Clause 8  of ISO 45001:2018>>

8.1 Organizational planning and control <<Clause8.1 of ISO 9001:2015>>,<<Clause 8.1  of ISO 14001:2015>>,<<Clause 8.1  of ISO 45001:2018>>

XXXXXX defines the expectation and implements controls for each of our IMS processes. The planning of controls is required to ensure consistent acceptability of products and services. Planning processes include the definition of QMS quality objectives, development for required processes, the establishment of appropriate verification programs, and the requirement for records necessary to demonstrate the process and products conform to intended requirements. Operational planning and control are required prior to new and/or revised products or processes being implemented. During the planning phase, management will identify:

  1. requirements for the products and services;
  2. criteria for the processes and the acceptance of products and services;
  3. resources needed to achieve conformity to the product and service requirements;
  4. control of the processes in accordance with the criteria;
  5. Documented information to the extent necessary to have confidence that the processes have been carried out as planned and to demonstrate the conformity of products and services to their requirements.

The output of operational planning and control includes documented quality plans, resource requirements, processes, equipment requirements, procedures, test data, and design outputs.

Figure 8: Operational planning and control

8.1.2 Eliminating hazards and reducing OH&S risks <<Ref. Clause No. 8.1.2 of  ISO 45001:2018>>

XXXXXX has established, implemented and maintained a process for the elimination of hazards and reduction of OH&S risks using the following “hierarchy of control”:

  1. Eliminate the hazard;
  2. Substitute with less hazardous processes, operations, materials or equipment;
  3. Use engineering controls and reorganization of work;
  4. Use administrative controls, including training;
  5. Use adequate personal protective equipment.

8.1.3 Management of change <<Ref. Clause No. 8.1.3 of ISO 45001:2018>>

XXXXXX has established a process for the implementation and control of planned temporary and permanent changes that impact OH&S performance, including:

a) New products, services, and processes, or changes to existing products, services, and processes, including:

  • Workplace locations and surroundings;
  • work organization;
  • working conditions;
  • Equipment;
  • workforce;

b) Changes to legal requirements and other requirements;

c) Changes in knowledge or information about hazards and OH&S risks;

d) Developments in knowledge and technology.

XXXXXX has reviewed the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

8.1.4 Procurement <<Clause no. 8.1.4 of ISO 45001:2018>>

8.1.4.1 General <<Clause no. 8.1.4.1 of ISO 45001:2018>>

XXXXXX has established, implemented and maintained a process to control the procurement of services in order to ensure their conformity to its OH&S management system.

8.1.4.2 Contractors<<Clause no. 8.1.4.2  of ISO 45001:2018>>

XXXXXX will coordinate with its contractors, to identify hazards and to assess and control the OH&S risks, arising from the:

a) contractor’s activities and operations that impact the organization;

b) the organization’s activities and operations that impact the contractors’ workers;

c) contractors’ activities and operations that impact other interested parties in the workplace.

XXXXXX has ensured that the requirements of its OH&S management system are met by contractors and their workers through a defined contractors policy or agreements. The organization’s procurement process(es) shall define and apply occupational health and safety criteria for the selection of contractors.

NOTE: It can be helpful to include the occupational health and safety criteria for the selection of contractors in the contractual documents.

8.1.4.3 Outsourcing<<Clause no.8.1.4.3 of ISO 45001:2018>>

XXXXXX has ensured that outsourced functions and processes, such as labour, are controlled. XXXXXX has ensured that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system. The type and degree of control to be applied to these functions and processes are defined within the OH&S management system.

NOTE Coordination with external providers can assist an organization to address any impact outsourcing has on its OH&S performance.

8.2 Requirements for products and services <<Clause no. 8.2 of ISO 9001:2015 >>

Communication with customers, the process of determining and reviewing the requirements related to products, and changes to requirements for products are defined in the Customer Requirements and Production Planning Process Flowchart.

8.2 Emergency preparedness and response <<Clause no. 8.2  of ISO 14001:2015>>,<<Clause no. 8.2   of ISO 45001:2018>>

XXXXXX has developed procedures to ensure that it is able to respond to accidents and foreseeable emergency/disaster situations and to prevent and mitigate the impacts associated with them, considering the total business risk to XXXXXX. After identifying the potential risks or emergency situations and reviewing past experiences, action plans have been developed to overcome the emergency (Procedure for Emergency Preparedness and Response Plan). In case of occurrence of such a situation, an H&S committee is formed to analyze the risk, and the necessary corrective and preventive action is taken to prevent its recurrence.

List of Health & Safety Emergencies:

1) Health:-

  1.  Heart Attack

2) Safety:-

  1. Fire
  2. Snake/Dog bite
  3. Electrocution
  4. Falling from Height
  5. Injuries during operation/material handling

3) Environment:

  1. Fire
  2. Oil Spills
  3. Chemical accidents
  4. Toxic waste dumping
  5. Groundwater pollution

XXXXXX has established, implemented and maintained a process needed to prepare for and respond to potential emergency situations, as identified in 6.1.2.1, including:

a) Establishing a planned response to emergency situations, including the provision of first aid;

b) Providing training for the planned response;

c) Periodically testing and exercising the planned response capability; Wherever practicable, mock drills to check the emergency preparedness are carried out at regular intervals as per (Procedure for Emergency preparedness and response plan).

d) Evaluating performance and, as necessary, revising the planned response, including after testing and in particular after the occurrence of emergency situations;

e) Communicating and providing relevant information to all workers on their duties and responsibilities;

f) Communicating relevant information to contractors, visitors, emergency response services, government authorities and, as appropriate, the local community;

g) Taking into account the needs and capabilities of all relevant interested parties and ensuring their involvement, as appropriate, in the development of the planned response.

XXXXXX has maintained and retained documented information on the processes and on the plans for responding to potential emergency situations.

8.3 Design and development of products <<Clause no.8.3 of ISO 9001:2015 >>

XXXXXX has not identified the need for Design and development of products (Refer to 2.1 – Exclusions).

8.4 Control of externally provided processes, products, and services <<Clause no.8.4  of ISO 9001:2015 >>

8.4.1 General<<Clause no.8.4.1  of ISO 9001:2015 >>

The organization shall ensure that externally provided processes, products, and services conform to requirements. The organization shall determine the controls to be applied to externally provided processes, products and services when:

a) products and services from external providers are intended for incorporation into the organization’s own products and services;

b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;

c) a process, or part of a process is provided by an external provider as a result of a decision by the organization.

The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.

8.4.2 Type and extent of control<<Clause no.8.4.2  of ISO 9001:2015 >>

The organization shall ensure that externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization shall:

a) ensure that externally provided processes remain within the control of its quality management system;

b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;

c) take into consideration:

  1. the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;
  2.  the effectiveness of the controls applied by the external provider;

d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products, and services meet requirements.

8.4.3 Information for external providers<<Clause no.8.4.3  of ISO 9001:2015 >>

The organization shall ensure the adequacy of requirements prior to their communication to the external provider. The organization shall communicate to external providers its requirements for:

a) the processes, products, and services to be provided;

b) the approval of:

  1.  products and services;
  2. methods, processes, and equipment;
  3. the release of products and services;

c) competence, including any required qualification of persons;

d) the external providers’ interactions with the organization;

e) control and monitoring of the external providers’ performance to be applied by the organization;

f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.

8.5 Production and service provision <<Clause no.8.5 of ISO 9001:2015 >>

8.5.1 Control of production and service provision <<Clause no.8.5.1 of ISO 9001:2015 >>

XXXXXX shall implement production and service provision under controlled conditions. Controlled conditions shall include, as applicable:

a) the availability of documented information that defines:

1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;

2) the results to be achieved;

b) the availability and use of suitable monitoring and measuring resources;

c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;

d) the use of suitable infrastructure and environment for the operation of processes;

e) the appointment of competent persons, including any required qualification;

f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;

g) the implementation of actions to prevent human error;

h) the implementation of release, delivery, and post-delivery activities.

8.5.2 Identification and traceability<<Clause no.8.5.2 of ISO 9001:2015 >>

XXXXXX shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services. XXXXXX shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision. XXXXXX shall control the unique identification of the outputs when traceability is a requirement and shall retain the documented information necessary to enable traceability.

8.5.3 Property belonging to customers or external providers<<Clause no.8.5 of ISO 9001:2015 >>

XXXXXX has not identified the need for Property belonging to customers or external providers in its operation (Refer to 2.1 – Exclusions).

8.5.4 Preservation <<Clause no.8.5.4 of ISO 9001:2015 >>

XXXXXX shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.

NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.

8.5.5 Post-delivery activities <<Clause no.8.5.5 of ISO 9001:2015 >>

XXXXXX shall meet requirements for post-delivery activities associated with the products and services. In determining the extent of post-delivery activities that are required, XXXXXX shall consider:

a) statutory and regulatory requirements;

b) the potential undesired consequences associated with its products and services;

c) the nature, use and intended lifetime of its products and services;

d) customer requirements;

e) customer feedback.

NOTE: Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of changes <<Clause no.8.5.6 of ISO 9001:2015 >>

XXXXXX shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements. XXXXXX shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

8.6 Release of products and services <<Clause no.8.6 of ISO 9001:2015 >>

XXXXXX shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met. The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer. XXXXXX shall retain documented information on the release of products and services. The documented information shall include:

a) Evidence of conformity with the acceptance criteria;

b) Traceability to the person(s) authorizing the release.

8.7 Control of nonconforming outputs <<Clause no.8.7 of ISO 9001:2015 >>

8.7.1 XXXXXX shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery. <<Clause no.8.7.1 of ISO 9001:2015 >>

XXXXXX shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services. XXXXXX shall deal with nonconforming outputs in one or more of the following ways:

a) correction;

b) segregation, containment, return or suspension of the provision of products and services;

c) informing the customer;

d) obtaining authorization for acceptance under concession.

Conformity to the requirements shall be verified when nonconforming outputs are corrected.

8.7.2 XXXXXX shall retain documented information that: <<Clause no.8.7.2 of ISO 9001:2015 >>

a) describes the nonconformity;

b) describes the actions taken;

c) describes any concessions obtained;

d) identifies the authority deciding the action in respect of the nonconformity.

9.0 Performance evaluation<<Clause no.9.0 of ISO 9001:2015>>,<<Clause no. 9.0 of ISO 14001:2015>>,<<Clause no. 9.0  of ISO 45001:2018>> 

9.1 Monitoring, measurement, analysis and evaluation <<Clause no.9.1 of ISO 9001:2015>>,<<Clause no. 9.1 of ISO 14001:2015>>,<<Clause no. 9.1  of ISO 45001:2018>>

9.1.1. General <<Clause no.9.1.1 of ISO 9001:2015>>,<<Clause no. 9.1.1 of ISO 14001:2015>>,<<Clause no. 9.1.1  of ISO 45001:2018>>

The ownership teams, Operations Managers and process owners in XXXXXX define what will be monitored and measured, as well as the methods and timing for monitoring and measuring. Results of the monitoring and measuring will be evaluated at appropriate levels and functions in XXXXXX, and the top-level management will evaluate the performance of the QMS during the management review. XXXXXX shall determine:

a) what needs to be monitored and measured;

b) the methods for monitoring, measurement, analysis, and evaluation, as applicable, to ensure valid results;

c) the criteria against which XXXXXX will evaluate its environmental performance and appropriate indicators;

d) when the monitoring and measuring shall be performed;

e) when the results from monitoring and measurement shall be analyzed and evaluated.

XXXXXX shall ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate. XXXXXX shall evaluate its environmental performance and the effectiveness of the environmental management system. XXXXXX shall communicate relevant environmental performance information both internally and externally, as identified in its communication process and as required by its compliance obligations. XXXXXX shall retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results.

9.1.2.  Customer satisfaction<<Clause no. 9.1.2 of ISO 9001:2015 >>

XXXXXX monitors information relating to customer perception of our continual ability to fulfil their requirements. Maintaining customer satisfaction is one of the principal objectives of the IMS. Customer feedback, complaints, and customer satisfaction data are collected and analyzed during management review. Customer satisfaction data is used by management to identify opportunities for improvement.

9.1.2 Evaluation of compliance<<Clause no. 9.1.2 of ISO 14001:2015 >>,<<Clause no. 9.1.2 of  ISO 45001:2018 >>

XXXXXX has established, implemented and maintained a process for evaluating compliance with legal requirements and other requirements. XXXXXX has:

a) determined the frequency and methods for the evaluation of compliance;

b) evaluated compliance and taken action if needed;

c) maintained knowledge and understanding of its compliance status with legal requirements and other requirements;

d) retained documented information about the compliance evaluation results.

9.1.3. Analysis and evaluation of compliance<<Clause no. 9.1.3 of ISO 9001:2015 >>

XXXXXX analyzes and evaluates appropriate data and information arising from monitoring and measurement. The results of the analysis are used to evaluate:

  1. conformity of products;
  2. the degree of customer satisfaction;
  3. the performance and effectiveness of the QMS;
  4. if planning has been implemented effectively;
  5. the effectiveness of actions taken to address risks and opportunities;
  6. the performance of external providers;
  7. the need for improvements to the QMS.
  8. determine the frequency that compliance will be evaluated;
  9. evaluate compliance and take action if needed;
  10. Maintain knowledge and understanding of its compliance status.

XXXXXX shall retain documented information as evidence of the compliance evaluation result(s).

9.2 Internal audit <<Clause no.9.2  of ISO 9001:2015>>,<<Clause no. 9.2  of ISO 14001:2015>>,<<Clause no. 9.2  of ISO 45001:2015>>

XXXXXX plans and conducts internal audits at planned intervals. Internal audits are conducted to verify quality activities and related results comply with planned expectations including customer contractual requirements and other IMS requirements as deemed necessary and applicable. The Business Manager is responsible for organizing and coordinating the internal audit to ensure that the audit scope, the frequency, and methods are defined, and the following requirements are satisfactorily achieved:

  1. definition of audit responsibilities;
  2. definition of requirements for planning and conducting the audit including taking appropriate correction and corrective actions without undue delay;
  3. assurance of auditor independence;
  4. recording of audit results;
  5. communication of audit results to management;

9.3 Management review <<Clause no. 9.3 of ISO 9001:2015>>, <<Clause no. 9.3 of ISO 14001:2015>>, <<Clause no. 9.3 of ISO 45001:2018>>

Top Management of XXXXXX conducts regular reviews of the IMS, approximately every six months, according to the Procedure for Management Review.

10. Improvement <<Clause no. 10.0 of ISO 9001:2015>>, <<Clause no. 10.0 of ISO 14001:2015>>, <<Clause no. 10.0 of ISO 45001:2018>>

10.1.  General <<Clause no. 10.1  of ISO 9001:2015>>, <<Clause no. 10.1  of ISO 14001:2015>>, <<Clause no. 10.1  of ISO 45001:2018>>

XXXXXX determines and selects opportunities for improvement and implements any necessary actions to meet customer requirements and enhance customer satisfaction. These include:

  1. improving products to meet requirements, as well as to address future needs and expectations;
  2. correcting, preventing, or reducing undesired effects;
  3. improving the performance and effectiveness of the QMS.

10.2. Incidents,  Nonconformity and corrective action <<Clause no. 10.2  of ISO 9001:2015>>, <<Clause no. 10.2  of ISO 14001:2015>>, <<Clause no. 10.2  of ISO 45001:2018>>

XXXXXX handles nonconformities in order to control and correct them and deal with the consequences, according to the Procedure for evaluating non‐conforming product ‐ material and documenting CARs. XXXXXX has established a corrective action system to investigate and document the root cause and actions to correct supplier, internal, and customer‐reported nonconformities. Corrective actions are assigned to a responsible individual and tracked by number and completion date according to the Procedure for evaluating non‐conforming product ‐ material and documenting CARs.

10.3 Incident investigation <<Clause no.  10.2  of ISO 45001:2018>>

XXXXXX has established, implemented, and maintained a procedure to record, investigate and analyze incidents in order to:

  • determine underlying OH&S deficiencies and other factors that might be causing or contributing to the occurrence of incidents;
  • identify the need for corrective action;
  • identify opportunities for preventive action;
  • identify opportunities for continual improvement;
  • communicate the results of such investigations.

The investigations will be performed in a timely manner. The results of incident investigations shall be documented and maintained. When an incident or a nonconformity occurs, XXXXXX shall:

a) react in a timely manner to the incident or nonconformity and, as applicable:

  • take action to control and correct it;
  • deal with the consequences;

b) evaluate, with the participation of workers (see 5.4) and the involvement of other relevant interested parties, the need for corrective action to eliminate the root cause of the incident or nonconformity, in order that it does not recur or occur elsewhere, by:

  • investigating the incident or reviewing the nonconformity;
  • determining the causes of the incident or nonconformity;
  • determining if similar incidents have occurred, nonconformities exist, or if they could potentially occur;

c) review existing assessments of OH&S risks and other risks, as appropriate (see 6.1);

d) determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls (see 8.1.2) and the management of change (see 8.1.3);

e) assess OH&S risks that relate to new or changed hazards, prior to taking action;

f) review the effectiveness of any action taken, including corrective action;

g) make changes to the OH&S management system, if necessary.

10.3 Continual improvement  <<Clause no. 10.3  of ISO 9001:2015>>, <<Clause no. 10.3  of ISO 14001:2015>>, <<Clause no. 10.3  of ISO 45001:2018>>

XXXXXX continually improves the suitability, adequacy, and effectiveness of the IMS. XXXXXX considers the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities to be addressed as part of continual improvement. Projects, project status, and responsibilities are recorded in the Continual Improvement Project Log.

ISO 45001:2018 Clause 10 Improvement

Due to the new structure and risk focus of the standard, there are no preventive action requirements in this clause. The organization should react accordingly to nonconformities and incidents, and take action to control, correct them, cope with their consequences, and eliminate their source so as to prevent recurrences. However, there are some new more detailed corrective action requirements. The first is to react to incidents or nonconformities and take action in a timely manner, to control and correct these and deal with the consequences. Root cause analysis can be used to explore all possible factors associated with an incident or nonconformity by asking what happened and why it happened. The second is to determine whether similar incidents or nonconformities exist, or could potentially occur, leading to appropriate corrective actions across the whole organization if necessary. Although the concept of preventive action has evolved there is still a need to consider potential nonconformities, albeit as a consequence of an actual nonconformity. The requirement for continual improvement has been extended to continually improve the suitability and adequacy of the OH&S management system as well as its effectiveness through continual improvement objectives. Clause 10, the final major section, delineates the concept of continual improvement within the context of specific activities. Any organization wishing to adopt the principles of ISO 45001 must have a plan for addressing nonconformities in a timely manner. Organizations should take direct action to control conditions and deal with consequences. Nonconformities can be identified from investigations, audits, or other events. The corrective actions should be evaluated and the results should be documented. To achieve continual improvement, the organization shall have an OH&S management system that:

  1. Prevents the occurrence of incidents and nonconformities
  2. Promotes a positive OH&S culture
  3. Enhances OH&S performance

10.1 General

The organization must determine opportunities for improvement and must implement necessary actions to achieve the intended outcomes of its OH&S management system.

Annex A (Guidance on the use of the ISO 45001:2018 standard) further explains:

The organization should consider the results from analysis and evaluation of OH&S performance, evaluation of compliance, internal audits, and management review when taking action to improve. Examples of improvement include corrective action, continual improvement, breakthrough change, innovation, and re-organization.

From the results discussed in Clause 9 Management Review, including the analysis and evaluation of OH&S performance, internal auditing, feedback from worker engagement, non-conformity and corrective action, incident investigation and corrective action, accident investigation and corrective action, and compliance obligations including output from the introduction of the new regulation, several different methods of capturing improvement opportunities may be designed in the system based on the structure, activities, and risk within the business discussed in Clauses 4 and 6. The organization must actively seek out and, where possible, realize opportunities for improvement that will facilitate the achievement of the intended outcomes of the OH&S management system. The organization should consider the results from analysis and evaluation of its OH&S performance, evaluation of compliance, internal audits, and management review when taking actions to improve its performance. Improvement can arise from corrective action, continual improvement, breakthrough change, innovation, and re-organization.

Outputs from management reviews, internal audits, and compliance and performance evaluations should all be used to form the basis for improvement actions. Improvement examples could include corrective action, reorganization, innovation, and continual improvement programs. The chosen methods must consider the following:

  • Means of reporting including incidents to the right groups of workers and interested parties
  • The timescale of reporting
  • How the information is going to be recorded as documented information, for example, near-miss report cards, accident reports, defect reports, reports to senior leadership
  • Using workers to participate in investigations to determine root cause analysis
  • A structured system to prevent reoccurrence
  • Hierarchy of control measures to reduce risk as far as is reasonably practicable
  • Assessment of OH&S risks prior to the introduction of a corrective action to prevent the introduction of new hazards
  • Training and competence for workers and interested parties on the means of reporting OH&S hazards, incidents and opportunities for improvement

10.2 Incident, nonconformity and corrective action

The organization shall establish, implement and maintain a process(es), including reporting, investigating, and taking action, to determine and manage incidents and nonconformities. When an incident or a nonconformity occurs, the organization should react in a timely manner to the incident or nonconformity and take action to control and correct it and to deal with the consequences. With the participation of workers and the involvement of other relevant interested parties, the organization must evaluate the need for corrective action to eliminate the root cause of the incident or nonconformity, in order that it does not recur or occur elsewhere. The organization must investigate the incident or review the nonconformity, and determine the causes of the incident or nonconformity. The organization must also determine if similar incidents have occurred, nonconformities exist, or if they could potentially occur. As appropriate, it must also review the existing assessments of OH&S risks and other risks. It must also determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change. It must also assess OH&S risks that relate to new or changed hazards, prior to taking action. It must review the effectiveness of any action taken, including corrective action. It must make changes to the OH&S management system, if necessary. Corrective actions should be appropriate to the effects or potential effects of the incidents or nonconformities encountered. The organization should retain documented information as evidence of the nature of the incidents or nonconformities and any subsequent actions taken, and also of the results of any action and corrective action, including their effectiveness. The organization must communicate this documented information to relevant workers, and, where they exist, workers’ representatives, and other relevant interested parties.

The reporting and investigation of incidents without undue delay can enable hazards to be eliminated and associated OH&S risks to be minimized as soon as possible.

Annex A (Guidance on the use of the ISO 45001:2018 standard) further explains:

Separate processes may exist for incident investigations and nonconformities reviews, or these may be combined as a single process, depending on the organization’s requirements. Examples of incidents, nonconformities, and corrective actions can include, but are not limited to:

  1. incidents: same level fall with or without injury; broken leg; asbestosis; hearing loss; damage to buildings or vehicles where they can lead to OH&S risks;
  2. nonconformities: protective equipment not functioning properly; failure to fulfil legal requirements and other requirements; or prescribed procedures not being followed;
  3. corrective actions: eliminating hazards; substituting with less hazardous materials; redesigning or modifying equipment or tools; developing procedures; improving the competence of affected workers; changing frequency of use; using personal protective equipment.

Root cause analysis refers to the practice of exploring all the possible factors associated with an incident or nonconformity by asking what happened, how it happened, and why it happened, to provide the input for what can be done to prevent it from happening again. When determining the root cause of an incident or nonconformity, the organization should use methods appropriate to the nature of the incident or nonconformity being analyzed. The focus of root cause analysis is prevention. This analysis can identify multiple contributory failures, including factors related to communication, competence, fatigue, equipment, or procedures. Reviewing the effectiveness of corrective actions refers to the extent to which the implemented corrective actions adequately control the root causes.

The organization should have a process in place for reporting and investigating incidents and other nonconformities, and for taking action to correct them and deal with their consequences. Separate processes may exist for incident investigations and nonconformities reviews, or these may be combined as a single process.  It is imperative that root cause analysis is carried out on the incident or nonconformity in order to take appropriate action to prevent a recurrence. Examples of incidents and nonconformities include but are not limited to:

  • Incidents: near misses, injuries and ill-health, and damage to property or equipment that could lead to OH&S risks; such as a broken leg, asbestosis, hearing loss;
  • Nonconformities: protective equipment not functioning properly; failure to fulfill legal requirements; prescribed processes or procedures not being followed; contractor behaving in an unsafe manner on-site.

When an incident or nonconformity occurs, the organization must react in a timely manner, act to control and correct it and deal with the consequences. It must evaluate the need for corrective action to eliminate the root cause of the incident or nonconformity in order to ensure that it does not recur or occur elsewhere in the organization by:

  • Investigating the incident or reviewing the nonconformity;
  • Finding out what caused the incident or nonconformity;
  • Finding out if similar incidents have occurred, if nonconformities exist, or if they could potentially occur.

The evaluation of the need for corrective action should be carried out with the active participation of workers and the involvement of other relevant interested parties. The aim of an incident investigation is to determine what happened, why it happened, and what can be done to prevent it from happening again. This means not only considering the immediate causes, but also the underlying or root causes and taking corrective action to address these causes. Almost all incidents have multiple causes. These can be related to a range of factors, including human behavior and competency, the nature of the tasks and processes, equipment, or management of the organization. The investigation should identify all areas that need improvement including improvements to the OH&S management system and propose appropriate corrective actions.

The level of investigation should be proportionate to the potential health and safety consequences of the incident. The incident should be recorded and reported internally and, where appropriate, reported externally to regulatory bodies such as the HSA/HSE/the Safety, Health, and Welfare at Work. Where practicable, the investigation should be led by a person independent of the activities being assessed and should include a worker or workers’ representative. In addition, the organization should:

  • Review existing OH&S risk assessments for continued suitability (e.g. did the risk assessment anticipate the occurrence of the incident or nonconformity);
  • Decide on and implement any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change;
  • Assess OH&S risks that relate to new or changed hazards, prior to taking action;
  • Review the effectiveness of any action taken, including corrective action (e.g. the extent to which the implemented corrective actions adequately control the root cause);
  • Make changes to the OH&S management system, if necessary, such as updating a process map or procedure.

Examples of corrective actions (as indicated by the hierarchy of controls) include, but are not limited to:

  • Eliminating hazards;
  • Substituting with less hazardous materials;
  • Redesigning or modifying equipment or tools;
  • Developing and implementing procedures or improving processes;
  • Improving the competency of affected workers;
  • Changing the frequency of use of equipment, etc.;
  • Using personal protective equipment.

Corrective actions should be appropriate to the effects or potential effects of the incidents or nonconformities encountered.

Root cause analysis refers to the practice of exploring all of the possible factors associated with an incident or nonconformity by ascertaining what happened, how it happened, and why it happened, to provide input for what can be done to prevent it from happening again. When determining the root cause of an incident or nonconformity, the organization should use methods appropriate to the nature of the incident or nonconformity being analyzed. The focus of root cause analysis is prevention. Root cause analysis can identify multiple contributory failures, including factors related to communication, competence, fatigue, equipment, or documentation. While root cause analysis is being performed, the organization may also have to undertake immediate but temporary actions to prevent the occurrence of the same nonconformity or incident. This would form part of the corrective action. The organization should retain documented information as evidence of:

  • The nature of the incidents that occurred or nonconformities encountered, and any subsequent actions taken;
  • The results of any actions and corrective actions taken, including their effectiveness.

The organization should communicate this documented information to relevant workers, and where they exist, workers’ representatives, and other relevant parties. It is worth noting that the investigation and reporting of incidents without undue delay can enable hazards to be eliminated and associated OH&S risks to be minimized as soon as possible.


Unlike ISO 9001 Quality and ISO 14001 Environmental management systems, ISO 45001 introduces ‘Incident’ alongside nonconformity and corrective action. Clause 3 ‘Terms and definitions’ within the standard provides the parameters in which ‘incident’ can be interpreted and reported. An ‘incident’ is an occurrence that does not result in an injury and/or ill health. Therefore, the organization must implement a system of reporting that captures events that have not necessarily been foreseen within processes of the management system. Often these are referred to as ‘near misses’, a ‘near-hit’, or a ‘close call’. When a near miss is reported, there may be a process in which the findings of the investigation are recorded within a non-conformance report. Prevention of incidents and elimination of hazards is a key facet of the OH&S Management System, and this is specifically addressed in the definition of organizational context and assessing risks and opportunities. Taking action to correct and control problems when they occur, and then to investigate and take corrective action for the root causes of these problems when it is necessary, are critical to prevent recurrence of process nonconformity. The following is a basic example of the process of reporting an incident leading to non-conformance, corrective action and continuous improvement:

| Process | Event | Management System |
|---|---|---|
| Incident | A delivery vehicle during a reversing manoeuvre narrowly misses a worker. | The driver has conducted the visitor induction including the issue of the site map. |
| Near miss report card | The worker fills out a simple report card outlining the occurrence with the assistance of the supervisor. | Near Miss Report Card available across the site. Process training delivered during induction. |
| Corrective Action | Cones and tape are immediately placed to prevent entry to the area of the incident by the supervisor. | Temporary Corrective Action. |
| Investigation | The supervisor has a discussion with the delivery driver relating to the circumstances. The warehouse and site manager discuss the incident and review the associated risk assessment. Workers located in the area provide input. | Details recorded as part of the investigation. Risk assessment reviewed. |
| Risk-based thinking solution | Following the risk assessment review including discussions with Top Management, physical barriers are placed on the pedestrian walkway as segregation of vehicles and transport. Additional lighting is installed. Barriers are incorporated into the maintenance programme. | Risk assessment revised. Delivery driver induction modified to include barrier walkways. Non-conformance report completed with root cause analysis. Recorded within the incident report register. Maintenance programme updated. |
| Communication | The delivery driver (worker) is contacted and provided with incident feedback and closure. The worker who reported the near-miss is provided with feedback. | Incident report sent to the transport company. Incident report worker signs the corrective action report as evidence of positive feedback. |
| Review | The incident is discussed at the Safety committee and management meetings. The responsible supervisor reports the effectiveness of the introduced changes. | Safety committee and management meeting minutes. Committee meeting minutes posted on the notice boards. |
| Management Review | Overview of the incident and positive outcome within statistics. | Near miss/incident statistics review. Management Review Minutes communicated. A regular audit of pedestrian routes is added to the internal audit programme as part of an improvement objective. |

10.3 Continual improvement

The organization shall continually improve the suitability, adequacy, and effectiveness of the OH&S management system, by enhancing OH&S performance. It must promote a culture that supports an OH&S management system. It must promote the participation of workers in implementing actions for the continual improvement of the OH&S management system. It must communicate the relevant results of continual improvement to workers, and, where they exist, workers’ representatives. It should maintain and retain documented information as evidence of continual improvement.

Annex A (Guidance on the use of the ISO 45001:2018 standard) further explains:

Examples of continual improvement issues include, but are not limited to:

  1. new technology;
  2. good practices, both internal and external to the organization;
  3. suggestions and recommendations from interested parties;
  4. new knowledge and understanding of occupational health and safety-related issues;
  5. new or improved materials;
  6. changes in worker capabilities or competence;
  7. achieving improved performance with fewer resources (i.e. simplification, streamlining, etc.).

The concept of continual improvement is embodied in all management systems based on Annex SL such as ISO 9001, ISO 14001, ISO 27001, ISO 22301, and of course ISO 45001. The opportunities for continual improvement must be reported. They may come from new technology, non-conformances, failures, and any other IMS issues. This system is successful by identifying, establishing, and maintaining OH&S objectives and processes based on relevant risks. Involving top management and all levels of the organization, these processes should be evaluated upon completion for the purpose of continual improvement. Now, it is important to clarify that continual improvement differs from continuous improvement, especially considering that the two potentially could be used interchangeably. To avoid misunderstandings, this clarification is provided under the Terms and definitions section of Annex A in ISO 45001:2018. According to ISO 45001:2018, continuous indicates duration without interruption, while continual indicates duration that occurs over a period of time with intervals of interruption. The latter certainly seems more suitable for the processes of a system intended to safeguard employees from injury and illness, since these processes are implemented before they are evaluated under the Plan-Do-Check-Act cycle. ISO 45001:2018 recommends that organizations evaluate their completed OH&S processes for continual improvement, not continuous.

Through all of the actions to improve the overall OH&S Management System, the organization can achieve enhanced OH&S performance and promote a culture that supports worker participation in making the OH&S Management System better. Improvements can be initiated by any employee when any of the following issues are identified:

  1. To initiate a change to the IMS.
  2. To initiate improvement to the performance and effectiveness of the IMS.
  3. When an innovation or improvement opportunity is identified.
  4. When a non-conformance is identified at any time.
  5. When a discrepancy, non-conformance or improvement is identified during auditing.
  6. When a customer complaint or any significant customer feedback is received (including compliments).

Actions which an organization might take with a view to achieving continual improvement in the suitability, adequacy, and effectiveness of its OH&S management system include:

  • Enhancing OH&S performance;
  • Promoting a culture that provides support to the OHSMS;
  • Promoting the participation of workers in the identification and implementation of actions for continual improvement of the OHSMS;
  • Communicating the relevant results of continual improvement to workers, and where they exist, workers’ representatives;
  • Maintaining and retaining documented information as evidence of continual improvement

ISO 45001:2018 Clause 9 Performance Evaluation

The organization must establish a system that involves the monitoring, measurement, analysis, and evaluation of its OH&S performance. It should decide what to measure and how, for instance, accidents or worker competence. Moreover, internal audits must be established along with regular management reviews, in order to see the progress made towards the achievement of OH&S objectives and the fulfillment of ISO 45001 requirements. Performance evaluation is a constructive process that aims to improve an organization’s operation and is crucial to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These processes should help achieve and support organizational strategy and goals. Clause 9, Performance Evaluation, provides an in-depth discussion regarding the criteria for evaluating the overall performance of the OH&S management system. The primary themes of this section focus on the means of process evaluation and documentation of evaluations. The importance of documentation (and how records and data are retained), as well as document dissemination, are performance themes both in ISO 45001 in general and in this section in particular. This section tends to be more specific than some of the others and includes a detailed discussion of documentation requirements, internal audit protocols, and relevancy and applicability of measurements within the organization. The key attributes of this section include:
  1. Ensuring applicable legal requirements and documentation are followed
  2. Measuring operational risks and hazards
  3. Evaluating the effectiveness of operational controls
  4. Establishing the timeline for conducting the measures
  5. Planning for analysis, evaluation, and communication of the results
  6. Calibrating and verifying the accuracy of all equipment
  7. Retaining documentation of all measures
  8. Auditing the OH&S Management System, the OH&S Policy, OH&S Objectives, and the 45001 requirements
  9. Establishing the frequency of audits and accounting for significant changes to the organization, performance improvements, risks, and opportunities
  10. Ensuring the competence of auditors
  11. Communicating findings to management, workers, and worker representatives
  12. Taking action to address identified nonconformities
  13. Retaining audit results as evidence of the completion of the audit
  14. Reviewing audit findings and corrective actions by top management
  15. Ascertaining that corrective actions, worker engagement, and opportunities for continual improvement are in place

The most important objectives of the Performance Evaluation section are ensuring the adequacy of the current OH&S management system and measuring that OH&S objectives are met. These are, essentially, the only measures of success.

9.1 Monitoring, measurement, analysis and performance evaluation

9.1.1 General

The organization must establish, implement and maintain processes for monitoring, measurement, analysis and performance evaluation. The organization has to determine what needs to be monitored and measured. The organization must determine the extent to which the legal requirements and other requirements are fulfilled. The organization must monitor and measure its activities and operations related to identified hazards, risks, and opportunities, its progress towards achievement of the organization’s OH&S objectives and the effectiveness of operational and other controls. The organization must determine the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results. It must also determine the criteria against which the organization will evaluate its OH&S performance and when the monitoring and measuring shall be performed. It must also determine when the results from monitoring and measurement shall be analyzed, evaluated and communicated. The organization must evaluate the OH&S performance and determine the effectiveness of the OH&S management system. The organization must ensure that monitoring and measuring equipment is calibrated or verified as applicable, and is used and maintained as appropriate. There can be legal requirements or other requirements (e.g. national or international standards) concerning the calibration or verification of monitoring and measuring equipment. The organization must retain appropriate documented information as evidence of the results of monitoring, measurement, analysis and performance evaluation and on the maintenance, calibration or verification of measuring equipment.

Annex A (Guidance on the use of the ISO 45001:2018 standard) further explains:

In order to achieve the intended outcomes of the OH&S management system, the processes should be monitored, measured and analyzed.

  1. Examples of what could be monitored and measured can include, but are not limited to:
    1. occupational health complaints, the health of workers (through surveillance) and work environment;
    2. work-related incidents, injuries and ill health, and complaints, including trends;
    3. the effectiveness of operational controls and emergency exercises, or the need to modify or introduce new controls;
    4. competence.
  2. Examples of what could be monitored and measured to evaluate the fulfillment of legal requirements can include, but are not limited to:
    1. identified legal requirements (e.g. whether all legal requirements have been determined, and whether the organization’s documented information of them is kept up-to-date);
    2. collective agreements (when legally binding);
    3. the status of identified gaps in compliance.
  3. Examples of what could be monitored and measured to evaluate the fulfillment of other requirements can include, but are not limited to:
    1.  collective agreements (when not legally binding);
    2. standards and codes;
    3. corporate and other policies, rules and regulations;
    4. insurance requirements.
  4. Criteria are what the organization can use to compare its performance against.
    1.  Examples are benchmarks against:
      • other organizations;
      • standards and codes;
      • the organization’s own codes and objectives;
      • OH&S statistics.
    2. To measure criteria, indicators are typically used; for example:
      •  if the criterion is a comparison of incidents, the organization may choose to look at frequency, type, severity or number of incidents; then the indicator could be the determined rate within each one of these criteria.
      • if the criterion is a comparison of completion of corrective actions, then the indicator could be the percentage completed on time.

Monitoring can involve continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected. Monitoring can be applied to the OH&S management system, to processes, or controls. Examples include the use of interviews, reviews of documented information, and observations of work being performed. Measurement generally involves the assignment of numbers to objects or events. It is the basis for quantitative data and is generally associated with the performance evaluation of safety programs and health surveillance. Examples include the use of calibrated or verified equipment to measure exposure to a hazardous substance or the calculation of the safe distance from a hazard. Analysis is the process of examining data to reveal relationships, patterns, and trends. This can mean the use of statistical operations, including information from other similar organizations, to help draw conclusions from the data. This process is most often associated with measurement activities. Performance evaluation is an activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve the established objectives of the OH&S management system.

The organization not only has to measure occupational health & safety progress, but it should also consider its significant hazards, compliance obligations, and operational controls when tackling this clause. The methods established should ensure that the monitoring and measuring periods are aligned with the needs of the OH&S Management System for data and results, that the results are accurate, consistent, and can be reproduced, and that the results can be used to identify trends. It should also be noted that the results should be reported to the personnel with the authority and responsibility to initiate action on the basis of the outputs themselves. The organization should have a systematic approach for measuring and monitoring its OH&S performance on a regular basis, as an integral part of its management system. The organization needs to monitor and measure the following in order to determine the performance of the OHSMS and evaluate its effectiveness:

  • The extent to which legal and other requirements are fulfilled including, where applicable, all applicable OH&S legislation, collective agreements, standards, and codes and insurance requirements;
  • Characteristics of activities and operations related to the identified hazards, risks, and opportunities;
  • Progress in the achievement of the organization’s OH&S objectives;
  • Effectiveness of operational and other controls.

This includes the determination of the criteria against which the organization’s OH&S performance will be evaluated, including appropriate indicators. Criteria are what the organization uses to compare its performance against (e.g. benchmarking its OH&S performance against other organizations, standards or codes, etc.). To measure criteria, indicators are used. For example, if the criterion is a comparison of incidents, the organization could choose to look at frequency, type, severity, or number of incidents; the indicator could be the determined rate within each one of these criteria. The organization must select appropriate methods for monitoring, measurement, analysis, and performance evaluation in order to ensure valid results, and decide when the monitoring and measurement will be performed and when the results from monitoring and measurement will be analyzed, evaluated, and communicated.

The organization must ensure that monitoring and measurement equipment such as sampling pumps, noise monitors, toxic gas detection equipment, is calibrated or verified and that it is correctly used and maintained. Insofar as measuring and monitoring are concerned, the organization should use both reactive and proactive measures of performance but should mainly focus on proactive measures in order to drive OH&S performance improvement. Examples of proactive measures include:

  • Assessment of compliance with legal and other requirements;
  • Evaluation of the effectiveness of OH&S training;
  • Use of worker surveys to evaluate OH&S culture and related worker satisfaction;
  • Completion of statutory and other inspection schedules;
  • The extent to which programmes have been implemented;
  • The effectiveness of the worker consultation and participation process;
  • Use of health screening.

Examples of reactive measures include:

  • Occurrence and rates of notifiable accidents and dangerous occurrences;
  • Lost time incident rates;
  • Monitoring of ill health;
  • Actions required following assessments by regulatory bodies such as the HSA/HSE.

The organization must retain appropriate documented information as evidence of the results of monitoring, measurement, analysis, and evaluation and of the maintenance, calibration, or verification of measuring instruments. An organization should check, review, inspect and observe its planned activities to ensure they are occurring as intended. An organization must make sure they have determined the appropriate processes so they can evaluate how well they are performing based on risk and opportunities. Monitoring generally indicates processes that can check whether something is occurring as intended or planned. The tables below provide examples of monitoring and specific control measures:

Event: Local Exhaust Ventilation System (LEV)
Monitoring: An appointed person to weekly inspect airflow of an LEV system to safely remove fumes from a process.
Measurement: Use of a calibrated meter to check the airflow at two inspection locations of the system according to a specified Work Instruction. (Employee is trained and competent to use the equipment).
Analysis: Review of recorded data determining the airflow efficiency of the system to ensure workers are safe. This may include trends. This would be in compliance with manufacturers’ specifications and regulatory requirements.
Evaluation: The trend analysis indicates a reduction in airflow, therefore, maintenance is triggered to isolate and inspect the LEV system.

Event: Safe Walking Routes
Monitoring: Appointed person daily site inspection of safe walking routes to ensure they are in a condition to prevent slips, trips, and falls.
Measurement: Visual inspection to ensure there are no obstructions outside of defined safe walking routes. (Usually, measurement is associated with measurement equipment to obtain data).
Analysis: Examination of results from inspections. In this case, there may be a trend of equipment repeatedly left in the same location as a Safe Walking Route.
Evaluation: Determination of root cause of why equipment is repeatedly left in the safe walking route. Resulting in the allocation of a designated safe place for equipment away from the safe walking route.

Any equipment used to determine the measurement ‘indicator’ should be calibrated and maintained so that a high degree of confidence is gained in the credibility of data. The standard also requires the organization to implement a process to evaluate legal and other compliance including:

  • The frequency and method of evaluation
  • If action is needed, the process in which it will be evaluated and implemented
  • Maintain knowledge and understanding of its compliance status
  • Retain documented information to support the evaluation of legal and other requirements

9.1.2 Evaluation of compliance

The organization must establish, implement and maintain the processes for evaluating compliance with legal requirements and other requirements. The organization must determine the frequency and methods for the evaluation of compliance and must evaluate compliance and take action if needed. It must maintain knowledge and understanding of its compliance status with legal requirements and other requirements. It must retain documented information on the compliance evaluation results.

Annex A (Guidance on the use of ISO 45001:2018) further explains:

The frequency and timing of compliance evaluations can vary depending on the importance of the requirement, variations in operating conditions, changes in legal requirements and other requirements, and the organization’s past performance. An organization can use a variety of methods to maintain its knowledge and understanding of its compliance status.

There is an ever-increasing amount of legislation intended by the government to ensure that we manage issues such as health and safety in the workplace and our impacts on the environment in order to protect human health and the environment from harm. There is also a range of legislation designed to give some security of personal information, intellectual property, and organizational records to both public and private sector businesses whose information and networks are important business assets. The standard recognizes that evaluation requirements will vary from organization to organization based on factors such as size, compliance obligations, sector worked in, past history and performance, and so on, but suggests that regular evaluation is always required. If the result of a compliance evaluation reveals that a legal requirement is unfulfilled, the organization needs to assess what action is appropriate, possibly up to contacting a regulatory body and agreeing on a course of action for repair. This agreement will now see this obligation become a legal requirement. Where non-compliance is identified by the OH&S Management System and corrected, it does not automatically become a non-conformity. But exactly what legislation is there that applies to your organization, how does it apply and why do you need to evaluate it?

Firstly it is worth looking at compliance in more detail. Compliance is not an option. If we don’t comply then we could be operating outside of the law. Not only can this lead to penalties and fines, but poor compliance can also lead to:

  • Increased health and safety incidents, environmental accidents and pollution.
  • Increased downtime, clean up costs and fines
  • Increased insurance premiums and regulatory inspections
  • Workforce concerns and industrial relations issues
  • Reduced ability to meet customer requirements
  • Damage to reputation and possible lost business
  • Individual prosecution and corporate manslaughter and/or dismissal

The legislation provides regulators with specific duties and powers and enables the regulators to take enforcement action to mitigate the consequence of site closures and suspension or revocation of permits. For example, in 2005/2006 the HSE issued 6400 enforcement notices and prosecuted in over 1010 cases. Magistrates and courts are coming under increasing pressure to impose ever more stringent penalties. With this in mind, there is increasing pressure on organizations from various sources to improve and ensure compliance. In practice, you may consider putting a list of compliance obligations within a spreadsheet as outlined under clause 6 of this document. Periodically this process should be audited within the internal audit program to ensure all compliance obligations have been fulfilled. Audit results including compliance status should be communicated to senior leadership within the organization. Any outstanding or pending requirements can be actioned by the leadership team. This will ensure compliance to obligations and reduction in risk including potential prosecution. So how can you evaluate compliance? There are essentially three approaches:

1. The Passive Approach

The passive approach means an organization sits back and waits for things to happen. It relies solely on feedback from regulators, employees, and members of the public. Typically few resources are allocated and compliance efforts are minimized and tend to be focused on current areas of concern. The drawback of this approach is that it may well be unrepresentative of the true level of compliance, the outcome of which being the increased likelihood of a non-compliant event that could lead to unforeseen prosecutions.

2. The Reactive Approach

The reactive approach is taken when an organization acts only when a situation of non-compliance is brought to light. There may be some internal and external evaluation and auditing but this usually relies on a sampling basis. It is similar to the passive approach in that typically few resources are allocated. The drawback of this approach is that it may not be sufficiently comprehensive. It tends to only pick up problems after the event. Although actions are taken to manage compliance these are typically only implemented after the event once the non-compliance has been identified. Therefore an organization following the reactive approach may incur increased costs, both financial and time, in addressing the non-compliance as opposed to preventing it from occurring.

3. The Proactive Approach

An organization following the proactive approach will seek to actively identify the compliance position and establish processes to ensure on-going compliance status is maintained. The proactive approach is typically system-based and integrates compliance into everyday business practices. The management system may be one of three types:

  • Internal bespoke Compliance Management System
  • Management System based on a recognized standard such as ISO 14001, OHSAS 18001, ISO 9001 and ISO 27001
  • Third party certified Management Systems such as ISO 14001, OHSAS 18001, ISO 9001 and ISO 27001 (certification to which can only be awarded based on a legally compliant system)

Management systems provide the mechanisms to identify upfront compliance requirements and ensure appropriate controls are in place to positively manage compliance status. They cannot guarantee against a non-compliance occurring but should ensure that the system in place quickly identifies the non-compliance status and corrects it. Following the proactive system-based approach will enable an organization to:

  • Make a commitment to compliance
  • Identify current legal and other requirements specific to the organization and be aware of pending legislation and its impact on the organization well in advance.
  • Understand the full implications of all applicable legislation and incorporate the requirements into business practices.
  • Keep information up-to-date.
  • Identify compliance criteria.
  • Establish a framework to address and control the identified compliance requirements.
  • Provide a mechanism for the on-going review, evaluation, and reporting of compliance performance

One area of particular importance is the reference to the control mechanism employed within the organization to manage that element of the legal requirements. Including this in your system for compliance management immediately increases the transparency of the legal management system and ensures that there is an effective control mechanism in place for each of the key requirements. Controls will not always be procedures but may include site inspections, monitoring equipment, or designating responsibilities. Typically through a management system, there will be a number of different steps to the management of compliance:

Step 1 – Commitment to Legal Compliance Evaluation

Essentially this requires the agreement from top management that this is required and their commitment to providing the necessary resources including staff, finance, and IT support to carry out the evaluation and to take action to resolve areas of non-compliance.

Step 2 – Identification of Legal Requirements

Having secured top management commitment to evaluating compliance, the next step is to identify the legal requirements such as codes of practice and guidance notes. Legal requirements can take many forms including:

  • Legislation, regulations, and statutes
  • Directives
  • Permits, licenses or other forms of authorization as Orders issued by regulatory bodies.
  • Judgments of courts or administrative tribunals
  • Treaties, conventions, and protocols

There are many different ways an organization can go about identifying legal requirements. These are all valuable sources. However, the most important thing is what you do with the information you identify. Typically the identification of legal requirements leads to the production of a legal register. A typical legal register would include:

However, this format will not be sufficient to enable effective evaluation of compliance within the management system.

Step 3 – Identification of Compliance Criteria

To ensure the use of a legal register is effective, consideration should be given to also using the document as a mechanism to:

  • Evaluate the legislation to determine which components are applicable, e.g. discharge of trade effluent from the effluent plant.
  • Establish the relevance of the legislation to the organization – identify which activities completed on site fall within the scope of the legislation, e.g. a license is required for the discharge of trade effluent.

The above is referred to as the compliance criteria and without a good understanding of what these criteria are for your organization, it will be very difficult to undertake an effective evaluation of compliance. The legal register should be a ‘live’ document and be useful to the organization. It may also identify:

  • Installation Activity
  • Regulation
  • Regulator
  • Description of Regulation
  • Relevance to the organization — compliance criteria
  • Responsible Persons
  • Reference to other parts of the management system e.g. environmental aspects, health and safety hazards, objectives and targets
  • Reference to the license, permit, authorization or notification
  • Further information (e.g. codes of practice)
  • Operational Controls

Additional columns might be as follows:

This type of register can provide a clear understanding of the relationship between legislation and organizations’ activities, products, and services. Also, it can be used as an awareness-raising tool, but more importantly, it provides a clear audit trail for the internal audit function to undertake their evaluation of legal compliance.

Step 4 – Compliance Performance Evaluation

Having identified relevant legislation, the compliance criteria, and related operational controls, the next step is to develop a process for checking legal compliance. Use the information from the register to review current practices against the identified legal requirements applicable to your organization. You might want to consider developing a checklist for each item of legislation that the organization has identified. Objective evidence will need to be gathered in order to evaluate compliance. Compliance performance evaluation can be carried out by:

  •  Monitoring against performance indicators – trend analysis to predict and prevent non-compliance e.g. amount of mercury discharged on a monthly basis versus the early figure specified within the discharge consent or noise emissions limits.
  • Reviewing risk assessments.
  • Undertaking physical inspections e.g. of the status of oil storage facility or of wearing of relevant personal protective equipment (PPE)
  • Undertaking Management Systems audits.
  • Compliance verification against procedural and legal requirements.
  • Independent verification (e.g. in the case of compliance to a GHG permit)

Conducting a compliance performance evaluation will help you to:

  • Identify any regulatory non-compliances
  • Determine whether existing controls are adequate to help prevent regulatory non-compliance including those related to abnormal and emergency situations.
  • Identify areas where further information is required to track or confirm compliance, any opportunities for improvement
  • Proactively manage an organization’s compliance status

There has been much discussion about what constitutes an ‘Evaluation of compliance’. What is clear is that there is no one method or definitive answer but more of a suite of tools that can be used when completing the evaluation. Therefore it is important that the outcomes of the evaluations are brought together to enable trend analysis and the overall compliance status to be determined.

Step 5 – Compliance and Review Reporting

A compliance review is more than just monitoring. Routine monitoring may not check compliance with all requirements and limits of a permit or consent. Monitoring of an indicator to demonstrate improvement (such as the quantity of monthly hazardous waste arisings) will not check compliance with all applicable waste legislation (such as whether hazardous waste documentation identifies waste streams correctly). However, the results of monitoring can be input into the evaluation process. Likewise, a true evaluation of compliance is more than just systems auditing as systems audits tend to have broad scopes, are not specifically focused on legal compliance, assess too small a sample of data, and are too infrequent to demonstrate system effectiveness. However, the results of audits can be input into the evaluation process and are still a valuable tool.

Step 6 – Compliance Verification

So, compliance verifications are also necessary. Compliance verifications use compliance detail from the legal register and legal documents, such as permits, to create comprehensive checklists. Compliance verifications can be targeted, topic specific, more frequent, and risk-based. Compliance verification will:

  • Identify compliance tasks and their frequency
  • Ensure availability of sufficient competent resource
  • Allocate time and resources on a risk basis

Regardless of which methods are used – it is essential that appropriate records are held of the outcome of the evaluation process.

Step 7 – Compliance Reporting

So what do you do with the results of the evaluation? Compliance reporting is a systematic activity using information from monitoring, system auditing, verification, and feedback from interested parties (such as regulators). Using this data enables you to confidently, and accurately, report on your compliance status to top management (policy and decision-makers) for the identification of future legislative trends, areas of strengths and weaknesses, and opportunities for improvement. Reporting should be undertaken at a frequency appropriate to the risks and should seek to answer the questions, posed by top management, ‘how compliant have we been, are we now, and will we be, with legal and other requirements?’

Step 8 – Define an Action Plan

Define an action plan for addressing the issues identified in the gap analysis. The action plan might include the:

  • Allocation of specific clear roles and responsibilities for compliance.
  • Communication of the relevance of the requirements at all levels.
  • Revision of procedures to include operational criteria
  • Provision of relevant training

Step 9 – Repeat the process

In order to maintain legal compliance, this evaluation process needs to be repeated on a regular basis. This provides the opportunities for continuous improvements and enables you to keep up to date with, if not ahead of, regulatory developments. There is no right or wrong way to evaluate compliance. There are different methods for evaluating compliance. Choose the approach that best suits your business based on size, type, and complexity. We would, however, recommend using a system-based approach to identify legal requirements and establish appropriate controls. A legal register can be an effective tool to help evaluate and verify compliance. Determine the measures needed to develop a compliance framework, including frequency and resources; the frequency of review and reporting should be systematic and risk-based. Provide comprehensive reports to top management for decisions on future policy and objectives, and for corporate assurance. Evaluation of compliance is a key component of an effective system to deliver continued legal compliance. A management system will not guarantee compliance as it cannot predict the future! It will, however, provide the framework for an organization to manage its compliance status and improve its capability to deliver regulatory compliance.

9.2 Internal audit

9.2.1 General

The organization must conduct internal audits at planned intervals. This will provide information on whether the OH&S management system is conforming to the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives and also to the requirements of ISO 45001:2018. It also provides information if the OH&S management system is effectively implemented and maintained.

9.2.2 Internal audit programme

The organization must plan, establish, implement and maintain audit programs including the frequency, methods, responsibilities, consultation, planning requirements, and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits. It must define the audit criteria and scope for each audit. It must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It must ensure that the results of the audits are reported to relevant managers; ensure that relevant audit results are reported to workers, and, where they exist, workers’ representatives, and other relevant interested parties. It must take action to address nonconformities and continually improve its OH&S performance. It must retain documented information as evidence of the implementation of the audit program and the audit results.

Annex A (Guidance on the use of ISO 45001:2018) further explains:

The extent of the audit program should be based on the complexity and level of maturity of the OH&S management system. An organization can establish objectivity and impartiality of the internal audit by creating processes that separate auditors’ roles as internal auditors from their normal assigned duties or the organization can also use external people for this function.

An internal audit is a systematic method to check organizational processes and requirements, as well as those detailed in the ISO 45001 standard. This will ensure the processes in place are effective and the procedures are being adhered to. An internal audit in ISO 45001 not only serves as a function to meet the terms of the standard, as explained above, but is also a real opportunity to improve your OH&SMS (Occupational Health and Safety Management System), and therefore reduce the risk of accidents in your workplace while improving employee wellbeing. Internal audits and auditors should be independent and have no conflict of interest over the audit subject, the standard reminds us, and it should be noted that non-conformities should be subject to corrective action. When considering the results of previous audits, the results of previous internal and external audits and any previous non-conformities and resulting actions to repair them should be taken into account. The ISO 45001:2018 standard refers us to ISO 19011 for the internal audit program, but when you are establishing your program there are several rules you can subscribe to in order to ensure that your program is effective. Base your internal audit frequency on what is reasonable for your organization in terms of size, the sector you operate in, compliance obligations, and risk to the health and safety of workers. Decide what is reasonable for you, whether that is bi-annually, quarterly, or whatever you deem suitable. Keep in mind that this schedule can be changed, preferably through management review and leadership guidance, in the event of changes that necessitate extra internal audit activity. The internal audit program will aid the organization to achieve the OH&S objectives and targets. It helps:

  • Monitor compliance with policy and objectives.
  • Provide evidence that all necessary checks are carried out.
  • Ensure all current legislative and other requirements are met.
  • Assess the effectiveness of risk management.
  • Worker engagement leading to a positive safety culture.
  • Identify improvement using ‘fresh eyes’ to review a process.
  • Aid continual improvement.

The organization must conduct internal audits at planned intervals to provide information on whether the OH&S management system conforms to the organization’s own requirements for its OH&S management system, including the OH&S policy and OH&S objectives and the requirements of ISO 45001.  In addition, the audit allows the organization to determine if its OH&S management system is effectively implemented and maintained. The extent of the audit program should be based on the complexity and level of maturity of the OH&S management system. The organization must plan, establish, implement and maintain an audit program, which contains information on:

  • The frequency that audits are conducted;
  • The methodology/protocol used (should be in general conformance with the requirements of ISO 19011:2011 Guidelines for auditing management systems);
  • Who is responsible for managing and conducting audits;
  • What consultation takes place with auditees and the general workforce;
  • How the audits are planned and implemented;
  • The format for reporting audits.

The planning of the internal audit program must recognize the importance of the processes concerned and the results of previous audits.  This would be reflected in the audit programme being based on the results of the risk assessments of the organisation’s activities and the results of previous audits, which in turn would guide the organization in determining the frequency of audits of particular activities, areas or functions and what parts of the OH&S management system should be given attention. The OH&S management system audits should cover areas and activities within the scope of the OHSMS as defined by clause 4.3 of the standard and also assess conformity to ISO 45001. The organization must define the audit scope and audit criteria for each audit. Audit evidence should be evaluated against the audit criteria to generate the audit findings and conclusions. Audit evidence should be verifiable. Prior to conducting the audit, the auditors should review appropriate OH&S management system documented information, and the results of prior audits. This information should be used by the organization in planning for the audit.

The organization must select auditors and conduct audits to ensure objectivity and the impartiality of the audit process. It can establish objectivity and impartiality of the internal audit process by creating a process that separates auditors’ roles as internal auditors from their normal assigned duties. Alternatively, it can utilize the services of external companies to conduct its internal audit program. After the audit is complete the auditors must ensure that the results of the audits are reported to relevant managers. In addition, relevant audit results must be reported to workers; where they exist, to workers’ representatives, and to other relevant interested parties. The organization must take action to address nonconformities in a timely and efficient manner and continually improve its OH&S performance. The audit report should be clear, precise, and comprehensive. The organization must retain documented information as evidence of the implementation of the audit program and the audit results.

It also points out how previous audit results and outputs from risk assessment can provide inputs for the internal audit itself. Given that you have a date for your internal audit – whether this is being carried out by an internal or external auditor – what should you bear in mind to prepare? Firstly, you must consider how you prepare for your internal audit. Does your organization have an adequately trained auditor? Internal audits must be conducted by competent staff with a degree of impartiality to the area being audited. A risk-based approach can be applied to areas being audited with an increased focus on higher-risk activities. Internal audits must be planned with an expectation of each process being audited at regular intervals. In addition to planned audits, unplanned audits may be conducted in reaction to problematic areas, near-miss reports, or incident data with a focus on accident prevention. It is beneficial to communicate audit results to applicable interested parties including workers and set realistic completion timescales for identified ‘opportunities for improvement’ or ‘nonconformities’. Top Management must be aware of deficiencies within the system to ensure the necessary resources can be allocated to mitigate the findings. Audit results will be reviewed as part of the management review process. ISO 45001, like most other ISO standards, contains a clause that outlines how organizations should perform internal audits. Internal audits should meet the planned measures of the OHSMS System and the audit outputs should be made available. You should establish and plan your internal audit schedule, based on the results of previous audits and risk assessments. Although it is sensible and standard, as are other clauses in ISO 45001, the internal audit should be approached with more care than, for instance, the comparable clauses in ISO 9001 (Quality Management) or ISO 14001 (Environmental Management). 
This is because an ineffective OHSMS audit could endanger the welfare of your employees. The organization should plan its internal audits at regular intervals. It should, however, be noted that accidents, incidents, risk assessments, or stakeholder input can all be used to initiate internal audits beyond the regular schedule. This would be the case if the organization feels it would be beneficial to the overall health and safety performance. Let’s look at when, by whom, and how the ISO 45001 system internal audit should be performed.

When: Internal audit should be done at planned intervals, or whenever it is deemed required, or beneficial to your ISO 45001 system.
Who: The standard requires that the internal auditor must be impartial and objective. Auditor selection is critical. The auditor must be experienced and, if possible, formally trained. The auditor must also be aware of the company’s OHSMS Policy, objectives, and performance. As the internal audit process is so critical, many organizations use external advice from an expert for internal audit purposes.
How: All relevant information in terms of “input” to the process should be available to the internal auditor. The auditor will also need OHSAS performance outputs, risk assessment information and results, desired OHSMS objectives, and stakeholder input.
Why: A logical question to ask at this stage would be “Why?” Apart from being a requirement of the ISO 45001 standard, internal audits should be seen as key drivers in the continual improvement cycle. It is also critically important as a preventive measure for health and safety in the workplace. Anyone interacting with the auditor should therefore always provide truthful and accurate information during the audit. An accurate assessment creates an opportunity for suggestions for improvement based on past and current data.

The ISO 45001 standard requires that management should have access to the results of any internal audits. This enables the top management team to make decisions on actions that need to be taken based on the results from the internal audit. In terms of continual improvement, it is however also helpful if the auditor makes suggestions based on the audit itself, as they have had direct experience and interactions with the procedures and processes during the audit. This will give the management team a more balanced view of the audit’s effectiveness and the validity of the results. This will create a bigger chance of continual improvement and output that could potentially prevent incidents and accidents. It is obviously necessary that the process is documented, including findings, outcomes, and actions, as the internal audit takes its place in the improvement cycle. Make sure that internal audits are always thorough, honest, and accurate. Use the “plan, do, check, act” methodology to ensure that the proposed actions are implemented, effective, and maintained. Once you have done this, you can be sure that the results of the internal audit are truly effective. The principles of ISO 19011 which addresses system auditing can also help you with regard to structuring your audit. So, what other elements do we need to consider when undertaking the internal audit? Let us consider:

  • Remember, the internal audit will show your ability to meet the requirements of the standard itself (or some of it, depending on the scope of the audit). Ensure you and your organization have met all requirements of the standards, including management review, risk assessment, and emergency response. Bear in mind that any non-conformities will be reported and you should consider using your corrective action process to rectify any identified non-conformities. Concentrate on hazard and risk identification. Though closely related, hazard and risk are not the same thing. ISO 45001 defines a hazard as a “source or situation with a potential to cause injury and ill health”. In other words, what features of your processes have the ability to harm individuals? This could be a hazardous chemical you need to use in a process or a machine that has a pinch point that needs to be guarded to protect the people who need to use it. It could also be an office position that requires certain actions that over time could lead to repetitive strain injuries. An OH&S risk is defined as the “combination of the likelihood of occurrence of a work-related hazardous event or exposure and the severity of the injury and ill health that can be caused by the event or exposures”. So, the hazard is the feature of the process that can harm an individual, and the risk is the likelihood that it will happen along with how severe the consequences will be. This should be a key element of most internal audit examinations, and the identification of both, as well as mitigation of risk, are key to maintaining an effective OH&SMS.
  • Ensure your corrective action process is effective. In the article The steps to take once corrective action is initiated in your OH&SMS, we looked at the step-by-step process for corrective action, with respect to ensuring that root causes of problems were correctly identified and eradicated. While prevention is preferable to cure in any OH&SMS, an effective system must have an effective corrective action process. It is likely that this will be examined closely in most internal audits.
  • Ensure your team is ready. Ensuring your team has satisfied these clauses can be vital to your internal audit. Keep in mind that no OH&SMS can flourish without employee knowledge, commitment and buy-in. Ensure that your team is involved in the preparation for, and execution of, the internal audit. This can help your OH&SMS flourish and your internal audit succeed.
  • Rehearse for your external audit. Remember that your internal audit is an opportunity to prepare and rehearse for your external certification audit. There are several ways you can do this; using the information in the article What questions should you expect from the ISO 45001 auditor? should help you prepare your OH&SMS and your own team for both the internal and likely forthcoming external audit.
  • Ensuring your OH&SMS benefits. As stated, the internal audit is not only a dry run for your external certification audit in terms of the conformance of your OH&SMS. It is also a huge opportunity for improvement. Use the information in How to create an internal audit checklist for your Health & Safety management system to ensure you cover all the elements required in the standard itself. Record your results, and clearly outline any corrective action or improvements made. This will serve as evidence and ensure you have a record of action and improvement for your next audit, whether internal or external. Treat your internal audit as a measure of conformity, an opportunity to improve and a rehearsal for your external audit. Doing this will ensure that real value can be derived from this mandatory part of ISO 45001.

What evidence will the auditor require?

As stated above, the auditor’s main function is to ensure that your documentation, processes, and actions comply with the ISO 45001 standard, and that evidence can be produced to prove this. So, if we think from that point of view there are some questions he/she is almost certain to ask:

  • Are all the clauses in the standard met? From the moment the auditor enters your organization’s premises, this will be what he/she is tasked to find out. It is normal that the auditor will break the clauses and requirements down an element at a time, but the final requirement will be to ensure that compliance versus the standard is there. For example, can you ensure that all of your mandatory documentation is covered?  Ensure that you have a copy of the standard, know it well, and have carefully worked through it to be sure your organization complies.
  • Have you held a management review? This is the critical starting point for your OH&SMS in terms of ensuring that there is top management input and that objectives are established correctly, as well as having the ability to ensure that the cycle of review and improvement exists when your OH&SMS is running.
  • Have you recorded incidents, accidents, and near misses? And, if so, do you have evidence to show that you have undertaken the correct processes after an accident, and have a process whereby action is taken to prevent near misses from being repeated and becoming accidents in the future?
  • Are your processes consistent? You will need to prove that your processes – whether documented or not – are consistent internally in the way they are used and that they meet the terms of the standard. This also leads to the question regarding whether the effectiveness of processes has been reviewed, which will encourage continual improvement – the element that underpins the standard itself.
  • Have you completed the critical functions of the OH&SMS? Have you assessed risks and hazards correctly? Have you performed corrective action in the cases where something has gone wrong? Have you completed internal audits with satisfactory outcomes and actions to guarantee improvement to your OH&SMS? Have you documented these accurately as evidence? These elements are all central to running a successful OH&SMS, and you can be sure the auditor will focus on these to a large extent; therefore, it is wise to prepare. Also, be sure to remember that while these elements are critical, they only make up part of the clauses you will be audited against!
  • Can you demonstrate competence, awareness, and evidence of training? Especially in matters of health and safety, it is critical that your team can demonstrate that they are aware of processes, communications that may have taken place, and are generally aware enough to operate safely within your organization. Ensure that your employees realize that it is very likely that the auditor will come and speak to them, and instruct them on how to react. There is no need to be nervous, but being articulate, truthful, and honest will help greatly.
  • Can you demonstrate improvement? As stated previously, this is necessary to demonstrate your organization’s compliance with ISO 45001. It is therefore certain that the auditor will ask a member of the team about how this is obtained and evidenced. Be prepared for this.
  • How you can make the audit smoother for your organization and people. It is wise to remember that the auditor is trying to help you pass, not trying to make you fail. Anticipating the questions he will ask will undoubtedly help you to prepare your employees and ensure that they are less nervous, as well as helping you to ensure that you have all your respective boxes ticked in terms of meeting the clauses of the standard. Remember that the auditor is trying to help you make sure your organization remains a safe place to work, not trying to trip you up. Lastly, should the auditor have any observations or recommendations during the audit, be sure that you take them on board and use them to help you improve your OH&SMS.

9.3 Management review

Top management must review the organization’s OH&S management system, at planned intervals, to ensure its continuing suitability, adequacy, and effectiveness. The management review must consider the status of actions from previous management reviews. It must consider the changes in external and internal issues that are relevant to the OH&S management system, including the needs and expectations of interested parties, legal requirements and other requirements, and risks and opportunities. It must consider the extent to which the OH&S policy and the OH&S objectives have been met. It must also consider the information on the OH&S performance such as trends in:

  1. incidents, nonconformities, corrective actions, and continual improvement;
  2. monitoring and measurement results;
  3. results of the evaluation of compliance with legal requirements and other requirements;
  4. audit results;
  5. consultation and participation of workers;
  6. risks and opportunities;

The input to Management Review must also consider the adequacy of resources for maintaining an effective OH&S management system, relevant communications with interested parties, and opportunities for continual improvement. The outputs of the management review must include decisions related to the continuing suitability, adequacy, and effectiveness of the OH&S management system in achieving its intended outcomes and continual improvement opportunities. It must include the need for any changes to the OH&S management system, the resources, and any action needed. It must also consider the opportunities to improve integration of the OH&S management system with other business processes and any implications for the strategic direction of the organization. Top management must communicate the relevant outputs of management reviews to workers, and to workers’ representatives where they exist. The organization shall retain documented information as evidence of the results of management reviews.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

The terms used in relation to management review should be understood as:

  1. “suitability” refers to how the OH&S management system fits the organization, its operation, its culture, and business systems.
  2. “adequacy” refers to whether the OH&S management system is implemented appropriately.
  3. “effectiveness” refers to whether the OH&S management system is achieving the intended outcome.

The management review topics listed in 9.3 need not be addressed all at once; the organization should determine when and how the management review topics are addressed.

This clause requires reviews of the suitability, adequacy, and effectiveness of the OHSMS to be undertaken by top management at planned intervals. It should be noted that, contrary to popular belief, the management review does not have to be done all at once; it can be a series of high-level or board meetings with topics tackled individually, although it should be on a strategic and top management level. Complaints from interested parties should be reviewed by top management, with resultant improvement opportunities identified. It should be remembered that the management review generally is the one function that must be carried out accurately and diligently to ensure that the function of the OH&S Management System and all resulting elements can follow suit. It goes without saying that all details and data from the management review must be documented and recorded to ensure that the OH&S Management System can follow the specific requirements and general strategic direction for the organization detailed there. Management reviews are the opportunity for senior management to critically evaluate the performance of the OH&S management system to ascertain if it continues to be:

Suitable: does the management system fit the organization, its operation, its culture and business systems;
Adequate: is the management system implemented appropriately;
Effective: has the management system achieved its intended outcomes.

The management review should consider the following:

  • The status of actions from previous management reviews;
  • Changes in internal and external issues that can impact on the OH&S management system such as risks and opportunities, the needs and expectations of relevant interested parties and legal and other requirements;
  • The adequacy of resources for maintaining an effective OH&S management system;
  • Relevant communications with internal and external interested parties;
  • Opportunities for continual improvement.

The reviews should also include information on the organization’s OH&S performance including trends in:

  • The achievement of OH&S objectives;
  • Incidents, nonconformities, and corrective actions;
  • Monitoring and measurement;
  • The evaluation of compliance with legal and other requirements;
  • Internal and external audits;
  • Consultation and participation of workers;
  • Risks and opportunities.

The management reviews should be carried out on a regular basis (e.g. quarterly, semi-annually, or annually). Partial management reviews of the performance of the OHSMS can be held at more frequent intervals, if appropriate. Different reviews can address different elements of the overall management review. The management review process should not just evaluate historical trends but should aspire to improve the OH&S performance of the organization through the initiation of improvement actions. Conclusions that should be drawn at the end of the management review process relate to:

  • The continuing suitability, adequacy, and effectiveness of the OH&S management system in achieving its intended outcomes;
  • Opportunities for continual improvement;
  • Any need for changes to the OH&S management system;
  • Additional resources needed;
  • Any actions needed;
  • Opportunities to improve the integration of the OH&S management system with other business processes such as environment, quality, business continuity, etc.
  • Any implications for the strategic direction of the organization.
  • Top management must communicate relevant outputs from the management reviews to workers, and where they exist, workers’ representatives.

The organization must retain documented information as evidence of the results of the management reviews. Management Review is an essential element of the Occupational Health and Safety Management System. The aim of the review is for Top Management to assess the performance of the management system to ensure it has been effective and suitable for the needs of the business, ultimately preventing injury or harm to workers. The management review is also a planned activity to review objectives including compliance and to set new objectives. Usually, management review meetings are conducted annually; however, many organizations conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, often the meeting agenda is reduced with the full agenda occurring annually. The following table provides an overview of prescribed management review agenda requirements:

| 9.3 Standard reference | Summary of the requirement for Management Review agenda/clause reference point |
| --- | --- |
| a) | Provide a summary of the status of actions from the output of the previous management review. This will include completed or incomplete tasks and justifications for their status. This information can be pre-prepared for the meeting. |
| b1) | Explain any changes to internal and external issues relevant to the context of the organization to ensure the needs and expectations of interested parties including workers are fulfilled. |
| b2) | In addition to b1, note any changes or pending changes to legal and other requirements and actions to address compliance obligations. |
| b3) | If there are any differences or changes to organizational risk and opportunities, they should be noted and explained and discussed in the section below. |
| c) | Review whether compliance with OH&S policy and objectives have been achieved. It is good practice to place objectives within a table, align key performance indicators to achieve them and comments if they have or have not been achieved. This will also indicate the compliance status of continual improvement. |
| d1) | Discuss any incidents or non-conformities which have occurred since the last review period including trends. Are there any trends and what actions have been taken to prevent re-occurrence? |
| d2) | Determine if monitoring and measuring have been effective in meeting expectations within the organization. If evidence suggests it has not been effective Top Management can influence improvement. |
| d3) | Discuss the status of compliance with legal and other requirements. This may include evidence to support compliance including the methods of determination and sources of information. Discuss any pending legal and other requirements. |
| d4) | Discuss the results of internal audits and actions that have been taken to resolve any non-conformities. Discuss areas of improvement and areas which are performing well. |
| d5) | Overview of consultation of workers. This may be feedback from safety committee meetings and actions to address risk and opportunities. Other processes to ensure workers are safe including contractor arrangements. |
| d6) | Discuss risk and opportunities including the performance of hazard identification and opportunities to mitigate harm to workers. The organization may wish to review significant findings of risk assessments. |
| e) | With consideration of the information discussed in previous sections are there enough resources to maintain and continuously improve the management system? This could be human or financial. Top Management is key to influence improvement in this area. |
| f) | Discuss communications with interested parties, this may include regulatory authorities or external providers who are providing materials which have an impact on safety. |
| g) | General discussion with the provision of information on how the OH&S management system is performing and how can it continually improve in the future. |

On completion of the management review meeting, the organization must decide with senior leadership and support, what is needed to continuously improve OH&S and satisfy the standard. The following points outline the Management Review Meeting output requirements:

  • Provide a wide-ranging conclusion on the continuing suitability, adequacy, and effectiveness of the OH&S management system in achieving its intended outcomes
  • Identify continuous improvement opportunities
  • Identify any required changes to the OH&S management system
  • Identify required resources
  • Identify any actions needed
  • Identify any integration improvements with other business processes. This may be further harmonization with ISO 9001 or ISO 14001 management systems
  • Any implications to the strategic direction of the business. This is a broad scope requirement to capture any topic to improve the OH&S management system

The organization is required to record the meeting minutes as documented information. This information must be communicated to the relevant interested parties and, where applicable, worker representatives. It is good practice to transfer management review objectives into a separate document with identified key performance indicators, expected completion timescales, and delegated responsibilities. These objectives may be communicated via the organization’s email or placed on notice boards.

ISO 45001:2018 Clause: 7 Support

Section 7 of ISO 45001 discusses the resources and support needed to be successful with the OH&S management system. “Support” means that the organization has achieved a level of competence among its workers and systems to successfully drive the outcomes of the OH&S plan. It also discusses the need to establish awareness of the OH&S policy, communicate information about the OH&S management system, outline with whom the information should be shared, manage documentation including tracking of updates, and control information and ensure its accessibility and accuracy. Essentially, the support system provides an overview of how the organization must support the OH&S management system. Successfully managing an Occupational Health and Safety Management System relies heavily on having the necessary resources for each task. This includes having competent staff with the appropriate training, support services, and effective information and communication means. The organization will determine what documented information is necessary for the success of the system. Documented information is a new term in the standard, which means the information can be in any format, media, or from any source. Moreover, internal and external information must be communicated throughout the organization and must be gathered, disseminated, and understood by those receiving it. The decisions that need to be made are:

  • On/about what to inform?
  • When to inform?
  • Who to inform?
  • How to inform?
  • How to receive and maintain documented information and how to respond to relevant incoming communications?

Accordingly, the terms ‘document’ and ‘record’ became obsolete in the new standard, which uses the term ‘documented information’ instead, for the purpose of maximizing the confidence to share information through any media.

7.1 Resources

The organization must determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the OH&S management system.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

Examples of resources include human, natural, infrastructure, technology, and financial. Examples of infrastructure include the organization’s buildings, plant, equipment, utilities, information technology, and communications systems, and emergency containment systems.

The organization must initially determine and provide the resources necessary to establish, implement, maintain and continually improve its OH&S management system. The identification, procurement, and provision of resources are the prerogative of senior management, and their absence or diminution can be a limitation on the effectiveness of the OH&SMS. Examples of resources include:

  • Human;
  • Natural;
  • Infrastructure;
  • Technology.

Examples of infrastructure include:

  • Buildings;
  • Plant;
  • Equipment;
  • Utilities;
  • Information technology;
  • Communications systems;
  • Emergency containment systems.

Resources should be provided in a timely and efficient manner. Resource allocations should consider the organization’s current and future needs. Resources will be required to fulfill the requirements identified during the planning stages of the system to maintain continuous improvement. These include human, natural, infrastructure (buildings, plant, equipment, utilities, emergency containment systems), technological, and financial resources. It is essential that the allocation of resources has full support from Top Management, under the requirements of Clause 5, to drive the maintenance of a safe and healthy work environment. As part of identifying resources, the organization needs to look at the information produced in Section 6 to acknowledge the risks, opportunities, and resulting objectives. It then needs to allocate sufficient resources to mitigate or manage them. Simply put, the standard advises the organization that the resources required to achieve the stated objectives and show continual improvement must be made available.

7.2 Competence

The organization must determine the necessary competence of workers that affects or can affect its OH&S performance. It must ensure that workers are competent, including the ability to identify hazards, on the basis of appropriate education, training, or experience and, where applicable, take actions to acquire and maintain the necessary competence, and evaluate the effectiveness of the actions taken. It must retain appropriate documented information as evidence of competence. Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons, or the hiring or contracting of competent persons.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

The competence of workers should include the knowledge and skills needed to appropriately identify the hazards and deal with the OH&S risks associated with their work and workplace. In determining the competence for each role, the organization should take into account things such as:
a) the education, training, qualification, and experience necessary to undertake the role and the re-training necessary to maintain competence;
b) the work environment;
c) the preventive and control measures resulting from the risk assessment process(es);
d) the requirements applicable to the OH&S management system;
e) legal requirements and other requirements;
f) the OH&S policy;
g) the potential consequences of compliance and noncompliance, including the impact on the worker’s health and safety;
h) the value of the participation of workers in the OH&S management system based on their knowledge and skill;
i) the duties and responsibilities associated with the roles;
j) individual capabilities, including experience, language skills, literacy, and diversity;
k) the relevant updating of the competence made necessary by context or work changes.
Workers can assist the organization in determining the competence needed for roles.
Workers should have the necessary competence to remove themselves from situations of imminent and serious danger. For this purpose, it is important that workers are provided with sufficient training on hazards and risks associated with their work. As appropriate, workers should receive the training required to enable them to carry out their representative functions for occupational health and safety effectively. In many countries, it is a legal requirement to provide training at no cost to workers.

The organization must determine the competency requirements for those workers that affect, or could affect its OH&S performance. This requirement also pertains to workers operating under the control of the organization such as contractors, agency workers, etc. Once these competency requirements have been determined the organization must then ensure that those workers possess the necessary competence, including the ability to identify hazards, on the basis of appropriate education, training, or experience. It is imperative that all workers have the knowledge and skills required to identify the hazards and manage the OH&S risks associated with their work and workplace. If workers are deemed not to be competent, the organization is required to take action (e.g. refresher/remedial training, recruitment of additional personnel, or hiring/contracting of external expertise) in order to acquire the necessary competence.  The actions taken to raise competence to the required level need to be evaluated for effectiveness by means of the following mechanisms:

  • Interlocution of the workers on their understanding of their competence to perform the relevant tasks following the prescribed training;
  • Assessment of competence of the workers by observing them undertake the relevant tasks following the prescribed training;
  • Peer review or supervision following the required training.

The organization must determine competence requirements for individual tasks and should consider the following factors in its deliberations:

  • The education, training and experience required to undertake the role and the re-training necessary to maintain competence;
  • The work environment;
  • The preventive and control measures arising from the risk assessment process;
  • The requirements applicable to the OH&S management system;
  • The potential consequences of compliance and non-compliance, including the impact on the worker’s health and safety;
  • The duties and responsibilities associated with the roles;
  • The complexity and requirements of operating procedures and work instructions;
  • The results from incident investigations;
  • Legal and other requirements;
  • The necessary updating of the competence made necessary by context or work changes;
  • Individual capabilities, including experience, language skills, literacy, and diversity.

The organization should pay particular attention to the competency requirements attached to personnel performing the following tasks:

  • Identifying hazards and conducting risk assessments;
  • Conducting audits;
  • Performing occupational exposure or noise assessments;
  • Carrying out incident investigations;
  • Performing tasks that are associated with significant hazards and high risks.

When competence is acquired through training, the organization’s training process should include:

  • Identification of training needs;
  • Preparation of a training plan or programme to address identified training needs;
  • Delivery of the training;
  • Evaluation of the effectiveness of the training;
  • Documentation, monitoring, and review of the training received.

Workers should be encouraged to assist the organization in ascertaining the competence needed for their respective roles. The organization is required to retain appropriate documented information as evidence of its employees’ competence such as training records.

Employee competence must meet the terms of the ISO 45001:2018 standard by ensuring that the people given responsibility for OH&S Management System tasks are capable and confident. Related to this, it stands to reason that the experience, training, and/or education of the individual must be of the required standard, and that any necessary training is identified and delivered – with measurable actions taken externally or internally to ensure that this level of competence exists. Predictably, this process and its outputs need to be recorded as documented information for the OH&S Management System. An organization working effectively and efficiently must have competent workers. In terms of OH&S, it is essential that workers have access to information and have been suitably trained to prevent accidents or ill health to themselves and others. Competence can include consideration for:

  • Capability to fulfil the task based on defined job roles and a clear understanding of the required OH&S aspects
  • Defined methods of recruitment with consideration for temporary or agency workers
  • Awareness of hazards associated with the environment and processes
  • Legal requirements
  • Individual capabilities including experience, language skills, literacy and diversity

The diversity of activities within the organization will determine the level of training required to fulfill competence. Training gaps are usually identified with the development of new processes, for example, the introduction of new machinery or in achieving compliance with regulatory requirements. No matter how big or small the organization is, training records are essential as reference and evidence of the fulfillment of competence. Consider an overview training matrix identifying fulfilled training gaps including refresher training dates. In addition, consider individual training records with signatory evidence from the worker to acknowledge completion and understanding of training including hazard awareness. The organization must also consider the competence of external providers including the procurement of contractors conducting tasks on site. The organization’s procurement process may provide the structure for management of external providers, including evidence of capability and competence; on site, this may be supported with site induction training. Either internally or externally, the organization’s Top Management must be confident that mechanisms are in place to provide workers with suitable and sufficient competency-based OH&S training. The organization must train all workers to be competent in hazard identification. It is core to being able to participate in applying the hierarchy of control and to understand when to exercise their right to cease unsafe work.

7.3 Awareness

Workers should be aware of the OH&S policy and OH&S objectives. Workers should be aware of how they can contribute to the effectiveness of the OH&S management system, including the benefits of improved OH&S performance. The worker must be aware of the implications and potential consequences of not conforming to the OH&S management system requirements. They must be aware of the incidents and the outcomes of investigations that are relevant to them. They must be aware of the hazards, OH&S risks, and actions determined that are relevant to them. They must be aware of their ability to remove themselves from work situations that they consider presenting an imminent and serious danger to their life or health, as well as the arrangements for protecting them from undue consequences for doing so.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

In addition to workers (especially temporary workers), contractors, visitors and any other parties should be aware of the OH&S risks to which they are exposed.

Awareness is closely related to competence in the standard. Employees must be made aware of the Occupational Health & Safety policy and its contents, any current and future impacts that may affect their tasks, what their personal performance means to the OH&S Management System and its objectives, including the positives or improved performance, and what the implications of poor performance may be to the OH&S Management System. Additionally, the standard demands that workers be aware that they can remove themselves from work situations that they consider to be a danger to their life or health. Awareness of the requirements of the OH&S system is critical to both internal and external workers. There must be a clear understanding of the organization’s H&S Policy including the requirement for individuals to protect themselves and others from exposure to hazards. Awareness training starts before work commencement for both internal and external workers and may include:

  • OH&S Policy and requirements
  • Hazards associated with the environment and processes
  • Means to report incidents and receive information following the investigation
  • Means to report near misses or safety-critical defects
  • Structure of supervision
  • Provision of information including Safe Systems of Work or Work Instructions
  • A clear understanding that there are no recriminations for reporting hazards or precautionary removal of individuals from exposure to harm which is life-threatening. This must be actively encouraged as part of a positive safety culture. It is recommended there is evidence of awareness training.

The right to cease unsafe work without reprisals or victimization etc. is set out in ISO 45001, requiring the organization to make their workers aware of their ability to cease work where they consider a serious and imminent hazard to their health or life exists. Clause 7.3 also requires the organization to make workers aware of the arrangements in the health and safety management system that protect workers from consequences that are undue in exercising this basic right at work. If the application of the hazard identification and elimination processes leaves workers still considering themselves in imminent and serious danger, then ceasing unsafe work is the only option. Likewise, if a new hazard suddenly arises, that presents an imminent and serious danger, then ceasing unsafe work is the only option. This does not mean walking off the job entirely, in fact, an essential part of ceasing unsafe work is reporting the hazard to management and quickly negotiating a resolution to the reasonable concern. This can include an interim measure, pending a permanent resolution. This clause also requires that workers are made aware of the organization’s:

  • Outcomes of relevant incidents and their investigations,
  • Outcomes of the application of the risk management processes in clause 6 & 8, for hazards, health and safety risks and determining control measures.

7.4 Communication

7.4.1 General

The organization must establish, implement and maintain the process(es) needed for the internal and external communications relevant to the OH&S management system. The organization needs to communicate internally among the various levels and functions of the organization, among contractors and visitors to the workplace, and among other interested parties. The organization must determine what it will communicate, when to communicate, and with whom to communicate, including other interested parties. While communicating, the organization must take into account diversity aspects such as gender, language, culture, literacy, and disability. The organization must ensure that the views of external interested parties are considered in establishing its communication processes. When establishing its communication processes, the organization must take into account its legal requirements and other requirements. The organization must ensure that OH&S information to be communicated is consistent with information generated within the OH&S management system, and is reliable. The organization should respond to relevant communications on its OH&S management system. The organization must retain documented information as evidence of its communications, as appropriate.

7.4.2 Internal communication

The organization must internally communicate as appropriate information relevant to the OH&S management system among the various levels and functions of the organization, including changes to the OH&S management system. It must ensure its communication process enables workers to contribute to continual improvement.

7.4.3 External communication

The organization must externally communicate information relevant to the OH&S management system, as established by the organization’s communication processes, and taking into account its legal requirements and other requirements.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

The communication process(es) established by the organization should provide for the gathering, updating, and dissemination of information. It should ensure that relevant information is provided, received, and is understandable to all relevant workers and interested parties.

The organization must establish, implement and maintain a process or processes for internal and external communications relevant to the OH&S management system, which provides for the gathering, updating, and dissemination of information and which encompasses the following:

  • What topics to communicate on;
  • When to communicate;
  • With whom to communicate (e.g. internally within the organization and/or externally with contractors, visitors, and other interested parties);
  • How to communicate.

Communications should be appropriate, comprehensible, and intelligible for the audience at which it is aimed and take into account diversity aspects such as gender, language, culture, literacy, and disability. The organization should also take into account legal and other requirements and ensure that the information to be communicated is consistent with information generated within the OH&S management system and is reliable. Information transmitted by internal or external communications, of interest to relevant interested parties, must be available when required.

It is critically important to effectively communicate information about OH&S risks and the OH&S management system, including changes to the OH&SMS, at various levels and between various functions of the organization. This should include information relating to:

  • Management’s commitment to the OH&S management system;
  • The identification of hazards and risks;
  • OH&S objectives and programmes to achieve them;
  • Incident investigation;
  • Progress in eliminating hazards and associated OH&S risks;
  • Operational changes that might impact the OH&S management system;
  • Progress with consultation and participation of workers.

The organization should have a process in place for receiving, documenting, and responding to relevant communications from external interested parties, where appropriate. Paramount to this is the development and maintenance of a process for communicating with contractors and other visitors to the workplace. The extent of this communication should be related to the OH&S risks faced by these parties and will be further considered in clause 8.1.4.2 of the standard. Service level agreements (SLAs), contracts, and pre-project OH&S planning meetings are often used to communicate OH&S issues to external providers such as contractors, but the organization should also use methods such as on-site induction to raise OH&S awareness amongst contractors’ workers. In addition to communicating about specific OH&S requirements relating to on-site and off-site activities, the following should also be taken into account when communicating with external providers, particularly contractors:

  • Information about a contractor’s OH&S management system;
  • Legal and other requirements that impact on the method or extent of communication;
  • Previous OH&S performance and history of notifiable incidents;
  • The use of multiple contractors at the workplace;
  • Emergency response;
  • The need for alignment of the contractor’s OH&S practices with those of the organization and other contractors at the workplace;
  • The need for additional consultation and/or contractual provisions relating to high-risk tasks;
  • Reporting of OH&S performance, incidents, nonconformities, and corrective actions;
  • Arrangements for regular communications.

For visitors such as delivery companies, clients, members of the general public, and service providers, specific OH&S information needs to be communicated as follows:

  • OH&S requirements relevant to their visit;
  • Evacuation procedures and responses to alarms;
  • Traffic controls;
  • Access controls and escort function;
  • Details relating to the wearing of personal protective equipment (PPE).

External communication processes often include the identification of a designated contact person from within the organization. This allows for appropriate information to be communicated in a timely and consistent manner. This can be especially important in emergency situations where regular updates are required to be delivered in a clear and unambiguous manner.

Processes for internal and external communication need to be established and recorded as documented information within the OH&S Management System. The key elements that need to be decided, actioned, and recorded are what needs to be communicated, how it should be done, who needs to receive the communication, and at what intervals it should be done. It should be noted here that any communication outputs should be consistent with related information and content generated by the OH&S Management System for the sake of consistency. The standard advises the organization that information should be communicated at various levels and with various frequencies as deemed suitable and that the organization must ensure that the nature and frequency of communication allow continual improvement to result from the communication process itself. Once again, the organization is advised by the standard to ensure that communication relevant to the OH&S Management System takes place as per the established process, with the goal of ensuring that compliance obligations and objectives are met.

Defined channels of communication are key to the success of the OH&S management system. It is recommended that there is a clear policy on communication endorsed by Top Management identifying the process of communication. The organization will need to determine:

| Question | Answers |
|---|---|
| What will be communicated? | OH&S Policy, site rules including personal responsibilities, hazards, risk assessments, Work Instructions, minutes from committee meetings, investigation results, organizational structure, performance |
| When does communication occur? | Recruitment (permanent or temporary), induction (internal and external), morning briefing, safety committee meetings, pending legal requirements |
| Who will information be communicated to? | Workers including agency, contractors, external providers, product end-users, and other interested parties |
| How will information be communicated? | Notice boards, toolbox talks, email, website, newsletters, supervision |

7.5 Documented information

7.5.1 General

The organization must have documented information (documents and records) as required by ISO 45001:2018 and also those determined by the organization as being necessary for the effectiveness of the OH&S management system. The extent of documented information for an OH&S management system can differ from one organization to another due to the size of the organization and its type of activities, processes, products, and services. It can also be due to the need to demonstrate fulfillment of legal requirements and other requirements, the complexity of processes and their interactions, and the competence of workers.

7.5.2 Creating and updating

When creating and updating documented information, the organization must ensure appropriate identification and description (e.g. a title, date, author, or reference number) and format (e.g. language, software version, graphics) and media (e.g. paper, electronic). It must also ensure appropriate review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the OH&S management system must be controlled to ensure that it is available and suitable for use, where and when it is needed. It must be adequately protected from loss of confidentiality, improper use, or loss of integrity. For the control of documented information, the organization shall address the following activities:

  • distribution, access, retrieval, and use;
  • storage and preservation, including preservation of legibility;
  • control of changes (e.g. version control);
  • retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the OH&S management system should be identified, as appropriate, and controlled. Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. Access to relevant documented information includes access by workers, and, where they exist, workers’ representatives.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

It is important to keep the complexity of the documented information at the minimum level possible to ensure effectiveness, efficiency, and simplicity at the same time. This should include documented information regarding planning to address legal requirements and other requirements and on evaluations of the effectiveness of these actions. The actions described in 7.5.3 are particularly aimed at preventing the unintended use of obsolete documented information. Examples of confidential information include personal and medical information.

“Documented information” refers to the documents and records that are necessary for the OH&S Management System. The requirements are designed to allow each organization to have the ability to shape documented information to their own requirements in general, with the exception of the mandatory components mentioned specifically in the standard and, therefore, this guide. The ISO 45001:2018 standard advises us that the OH&S Management System should include all documented information that it declares mandatory, and anything viewed as critical to the OH&S Management System and its operation. It should also be noted that the amount of documented information that an organization requires would differ according to the size, operating sector, and complexity of compliance obligations faced by the business. The standard advises that documentation created by the OH&S Management System needs to include appropriate identification, description, and format so that it can be easily understood what the documented information is for. There is also a need to review and approve the documented information for suitability and accuracy before release. The standard advises that documentation created by the OH&S Management System should be available and fit for purpose where and when needed, reasonably protected against damage or loss of integrity and identity, and that the processes of distribution, retention, access, retrieval, preservation and storage, control, and disposition are adequately provided for. It should be noted that documented information from external sources should be similarly controlled and handled, and that viewing and editing access levels should be carefully considered and controlled.

It is important for top management to ensure that the OHSMS processes are carried out as planned and the desired results are achieved. Capturing key pieces of information in documented form can assist in this effort. Documenting how the system works helps personnel responsible for its implementation understand what they need to do and how to do it. Where a number of people are performing a process, documenting the steps can ensure consistency in the results. Documenting decisions made, OHSMS activities performed and the resulting outcomes provides evidence to demonstrate conformity to requirements and the effective implementation of the OH&S management system. Mandatory documents include the documented information required by ISO 45001 and additional information identified by the organization as necessary for the effective operation of its OH&S management system. The extent of documented information for an OH&S management system can differ from one organization to another due to:

  • The size of the organization and the type of activities, processes, products or services it is engaged in.
  • The need to demonstrate fulfilment of legal and other requirements.
  • The complexity of the organization’s processes and how they interact.
  • The competence of workers.

ISO 45001 has moved from prescriptive requirements for specific ‘documents’ and ‘records’ towards the more inclusive term ‘documented information’. This allows the organization to customize its occupational health and safety documentation to better reflect its particular circumstances. There are now basically two types of documented information: “living” documents that describe how things are done within the OHSMS, and “static” records that reflect results of some activity at a particular point in time. Whether in electronic or paper format, the correct and current versions of living documents, be they procedures, work instructions, process maps, plans, or programs, need to be available to those who use them. This requires the organization to have a process to create these documents and control their revision. Records of results need to be created, reviewed, and retained for a period of time. The organization should attempt to keep the complexity of the documented information at the minimum level necessary to ensure contemporaneous effectiveness, efficiency, and simplicity. It should be noted that an Occupational Health and Safety Manual is no longer required by ISO 45001, but most organizations are likely to persevere with it as an integral part of their OH&S management system.

When creating and updating documented information, the organization must ensure appropriate:

  • Identification and description (e.g. a title, date, author or reference number);
  • Format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
  • Review and approval for suitability, adequacy, and effectiveness.

The organization is required to control documented information in order to ensure that it is available where needed and that it is suitable for use. It must also be adequately protected against improper use, loss of integrity, and loss of confidentiality. With reference to documented information, the organization must make decisions on its:

  • Distribution, access, retrieval, and use;
  • Storage and preservation;
  • Control of any changes;
  • Retention and disposal.

The organization is also required to identify any documented information of external origin that is considered essential for the planning and operation of its OH&S management system and ensure that it is controlled. All of the controls described are primarily aimed at preventing unintended use of obsolete documented information. As with all management systems, the extent of documented information will vary depending on the size, scope, and complexity of processes within the organization. A practical approach to the development and control of documented information will assist in business protection as well as providing sources of information for workers relating to hazard identification. Consider a risk-based approach to the level of documented information required including consideration for literacy and language. Documented information is not restricted to hard copy and will appear in a variety of media including electronic format, emails, and web-based. Below is a selection of the variety of documented information:

| Internal / External Sources | Type | Use |
|---|---|---|
| External | Regulatory | Government website instructions and leaflets, codes of practice |
| External | Information | External Provider material safety data sheets, certificates of conformity |
| External | Information | External Provider machinery installation instructions and technical specifications |
| External | Information | Risk assessments and method statements |
| External | Certificate | Fire system, fixed wiring service records, liability insurance documents |
| External | Training | Certificates of competence (Fork Lift Truck, OH&S awareness) |
| Internal | Training | Induction presentations, toolbox talks |
| Internal | Training | Individual training records |
| Internal | Work | Safe Systems of Work, Work Instructions |
| Internal | Inspections | Evidence of maintenance and routine inspections |

It’s essential to have a robust but simple system of control for documented information. This will ensure workers are always aware of the latest requirements relating to OH&S. In support of the latest revision of documented information, there must be the means to communicate the latest policies, practices, and work instructions. As previously indicated documented information will come from internal and external sources.
Below are suggested means of controlling both internal and external documented information:

Internal

  • Develop a document reference system within the header or footer e.g. Maintenance Procedure No. 1 – MP01, Maintenance Form 01 – MF01, etc
  • Identify the revision status, revision date and author within the document footer
  • Use the same document control methodology for electronic documents and data
  • Develop a spreadsheet identifying the reasons why previous revisions have been updated
  • Determine the method of issue for documented information, with consideration for recovery of pre-modified documented information and communication
  • Archive in electronic format previous revisions of documents based on risk ensuring there is a means of backing up and recovering data
  • Determine and identify in the spreadsheet the intended document retention timescale. This may be based on legal requirements such as insurance documentation

External

  • Determine what should be communicated and retained based on risk.
  • Consider scanning to reduce reliance on paper
  • Maintain the integrity of archived documentation

Remember to create a system that is simple for all to use, understand, and access. Consider supporting the chosen method with an instructional procedure and applicable training.

List of documents required by ISO 45001:2018

The ISO 45001 standard provides us with some insight into what documents are required. Compared to OHSAS 18001, there are not too many changes, but the documentation requirements are easier to manage, following the logic of the new versions of other ISO standards. Of course, the standard does not explicitly mention documents and records, but uses the term “documented information.” The following represents a list of documents that you need to maintain in order to comply with ISO 45001:

| Clause | Required Documented Information |
|---|---|
| 4.3 | The scope of OH&S available as documented information |
| 5.2 | The OH&S policy available as documented information |
| 5.3 | The responsibilities, accountabilities, and authorities for relevant roles are maintained as documented information |
| 6.1.1 | Maintain documented information of the OH&S risks and OH&S opportunities and the processes needed to address risks and opportunities |
| 6.1.2.2 | The methodologies and criteria for assessing OH&S risks are defined, maintained and retained as documented information |
| 6.1.3 | Information on applicable legal and other requirements is maintained, retained, and updated as documented information |
| 6.2.2 | The OH&S objectives and plans to achieve them are maintained and retained as documented information |
| 7.2 | Documented information is retained as evidence of competence of workers |
| 7.4 | Relevant OH&S communications are received and maintained as documented information |
| 8.1.1 | Documented information to provide confidence that processes have been carried out as planned and determining where the absence of documented information could lead to deviations from the OH&S policy and the OH&S objectives is kept |
| 8.6 | Information on the process and on the plans for responding to potential emergency situations is maintained and retained as documented information |
| 9.1.1 | Evidence of the monitoring, measurement, analysis and evaluation results is retained as documented information |
| 9.1.2 | Results of the compliance evaluation are retained as documented information |
| 9.2.2 | Evidence of the implementation of the audit program and the audit results are retained as documented information |
| 9.3 | Evidence of the results of management reviews is retained as documented information |
| 10.1 | Evidence of the nature of incidents or nonconformities and actions taken with results and effectiveness of correction is retained as documented information and communicated to relevant workers and other relevant interested parties |
| 10.2.2 | Evidence of the results of continual improvement efforts is retained as documented information |

Other supporting documents
Apart from the abovementioned list of documents, there are additional supporting documents that can be used to facilitate the operation of a management system. Thus, the following documents are commonly used:

  • Procedure for determining the context of the organization and interested parties (clauses 4.1 and 4.2)
  • Procedure for identification and evaluation of OH&S management system risks and opportunities (clauses 6.1.1 and 6.1.2)
  • Procedure for competence, training, and awareness (clauses 7.2 and 7.3)
  • Procedure for communication (clause 7.4)
  • Procedure for document and record control (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for management review (clause 9.3)

The standard also emphasizes that it is important to demonstrate the effectiveness of the OH&S Management System, rather than to simply draft endless theoretical procedures.

ISO 45001:2018 Clause 6: Planning

Clause 6 describes the actions necessary to address risk and opportunity. Activity planning must take place within the context of the organization. The planning process must ensure that the OH&S management system is designed to achieve its intended outcomes and continually improve. Worker participation is cited as being a critical component in the planning phase. Additional considerations include operational risk, legal requirements, and other opportunities to improve the OH&S management system. This section outlines the need for hazard identification by the organization for both routine and non-routine activities, emergency situations, people and behavior, work area design, work environment under the control of the organization, and situations not under organizational control. Additional points of assessment include changes to process and operations, past incidents and their causes, and social/economic factors. The major sub-sections in Clause 6 include:

  1. Hazard Identification
  2. Assessment of OH&S Risks
  3. Identification of OH&S Opportunities
  4. Determination of Legal Requirements
  5. Planning to Take Action
  6. The setting of OH&S Objectives
  7. Planning to Achieve Objectives

The planning phase is a comprehensive part of the ISO 45001 standard, requiring a detailed understanding of operations. By following this section, the organization can create a very deliberate and effective set-up to sustain the OH&S management system and ensure it continually improves. This is one of the most critical clauses since it is related to the establishment of strategic objectives and guiding principles for the Occupational Health and Safety Management System as a whole. The OH&S objectives, which can be integrated with other business functions, are the expression of the intent of the organization to treat the risks identified. When determining the risks and opportunities that need to be addressed, the organization shall take into account:

  • OH&S hazards and their associated risks, and opportunities for improvement;
  • Applicable legal requirements and other requirements;
  • Risks and opportunities related to the operation of the OH&S Management System that can affect the achievement of the intended outcomes.

6 Planning

6.1 Actions to address risks and opportunities

6.1.1 General

When planning for the OH&S management system, the organization must consider the relevant internal and external issues (4.1), the needs and expectations of workers and other interested parties (4.2), and the scope of its OH&S management system (4.3) and determine the risks and opportunities. The organization must give assurance that the OH&S management system can achieve its intended outcomes, prevent, or reduce, undesired effects and achieve continual improvement. When determining the risks and opportunities to the OH&S management system and its intended outcomes that need to be addressed, the organization shall take into account its hazards; OH&S risks, and other risks; OH&S opportunities and other opportunities; legal requirements, and other requirements. The organization, in its planning process, must determine and assess the risks and opportunities that are relevant to the intended outcomes of the OH&S management system associated with changes in the organization, its processes, or the OH&S management system. In the case of planned changes, permanent or temporary, this assessment must be undertaken before the change is implemented. The organization must record its risks and opportunities; the processes and actions needed to determine and address its risks and opportunities to the extent necessary to have confidence that they are carried out as planned.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

Planning is not a single event but an ongoing process, anticipating changing circumstances and continually determining risks and opportunities, both for the workers and for the OH&S management system.
Undesired effects can include work-related injury and ill health, noncompliance with legal requirements and other requirements, or damage to reputation.
Planning considers the relationships and interactions between the activities and requirements for the management system as a whole.
OH&S opportunities address the identification of hazards, how they are communicated, and the analysis and mitigation of known hazards. Other opportunities address system improvement strategies.

Examples of OH&S opportunities to improve OH&S performance:

a) inspection and auditing functions;
b) job hazard analysis (job safety analysis) and task-related assessments;
c) improving OH&S performance by alleviating monotonous work or work at a potentially hazardous pre-determined work rate;
d) permit to work and other recognition and control methods;
e) incident or nonconformity investigations and corrective actions;
f) ergonomic and other injury prevention-related assessments.

Examples of other opportunities to improve OH&S performance:

  • integrating occupational health and safety requirements at the earliest stage in the life cycle of facilities, equipment or process planning for facilities relocation, process re-design or replacement of machinery and plant.
  • integrating occupational health and safety requirements at the earliest stage of planning for facilities relocation, process re-design or replacement of machinery and plant.
  • using new technologies to improve OH&S performance.
  • improving the occupational health and safety culture, such as by extending competence related to occupational health and safety beyond requirements or encouraging workers to report incidents in a timely manner.
  • improving the visibility of top management’s support for the OH&S management system.
  • enhancing the incident investigation process(es).
  • improving the process(es) for worker consultation and participation.
  • benchmarking, including consideration of both the organization’s own past performance and that of other organizations.
  • collaborating in forums that focus on topics dealing with occupational health and safety.

The current standard states that the organization should establish, implement, and maintain the processes needed to address the requirements of the whole of the planning section itself. When planning the OH&S Management System, considerations need to be made regarding the context of the organization (section 4.1) and the needs and expectations of interested parties (section 4.2), as well as the scope of the OH&S Management System.
Risk and opportunity must be considered with respect to these elements, as well as legal and regulatory issues, and the organization’s Occupational Health & Safety hazards themselves. This outcome needs to ensure that the OH&S Management System can meet its intended outcomes and objectives, that any external factors that may affect performance are avoided, and that continual improvement can be achieved.
In terms of emergency situations, the organization is required to determine any situations that may occur and result in occupational health & safety risks. Again, it is vital that documented information is retained concerning the risks and opportunities considered and addressed in the planning phase in order to satisfy the terms of the clause. Planning is an integral part of all elements of an OH&S management system. Effective planning is concerned with prevention by identifying, eliminating, and controlling hazards and risks. This is particularly important when dealing with health risks, which might only become apparent after a long gestation period. Planning should be a collaborative effort involving personnel throughout the organization. This co-operation is eminently suitable for demonstrating and gaining commitment to continual improvement and promoting a positive health and safety culture throughout the organization. Planning for the OH&S management system is an ongoing process and is undertaken in order:

  • To determine the risks that can affect the OH&S performance of the organization;
  • To manage these risks;
  • To identify opportunities to improve OH&S performance and the OH&S management system.

When planning for the OH&S management system, the organization should take into account the following:

  • The organization and its context;
  • The needs and expectations of workers and other interested parties;
  • The scope of the OH&S management system.

Planning should be proportionate to the level of risk identified. While the organization should consider all potential risks to its OH&S performance it should focus on those hazards which are most likely to occur and/or have the greatest impact. The company should concentrate on those opportunities that can realistically be acted upon, with priority given to those that are most likely to improve performance. Examples of opportunities to improve OH&S performance include the following:

  • Identification of hazards, how they are communicated, analyzed and controlled;
  • Enhancing the inspection and auditing functions;
  • Introduction of job safety analysis and task-related assessments;
  • Modification of working processes including the alleviation of monotonous and repetitive work;
  • Implementation of permit-to-work processes;
  • Incident or nonconformity investigations and corrective actions;
  • Implementation of ergonomic and other injury prevention-related assessments;
  • Integration of occupational health and safety considerations at the earliest stage in the design life cycle of plant and equipment;
  • Integration of occupational health and safety considerations at the earliest stage in planning for facilities relocation, and/or process redesign;
  • Introduction of new technology;
  • Improvement of the occupational health and safety culture of the organization;
  • Enhancing the visibility of top management’s support for the OH&S management system;
  • Enhancing the incident investigation process;
  • Improving worker consultation and participation;
  • Benchmarking of the organization’s OH&S performance against that of other organizations;
  • Collaborating in forums that review issues relating to occupational health and safety.

The organization must maintain documented information on:

  • Risks and opportunities;
  • The process and actions needed to determine and address its risks and opportunities to the extent necessary to have confidence that they are carried out as planned.

6.1.2 Hazard identification and assessment of risks and opportunities

6.1.2.1 Hazard identification

The organization should establish, implement and maintain processes for hazard identification that are ongoing and proactive. The organization must take into account how work is organized, social factors (including workload, work hours, victimization, harassment, and bullying), leadership, and the culture in the organization. It must take into account routine and non-routine activities and situations, including hazards arising from infrastructure, equipment, materials, substances, and the physical conditions of the workplace; product and service design, research, development, testing, production, assembly, construction, service delivery, maintenance, and disposal; human factors; and how the work is performed. The organization must consider past relevant incidents, internal or external to the organization, including emergencies, and their causes. It must also consider potential emergency situations. It must also include those people:

  1. with access to the workplace and their activities, including workers, contractors, visitors, and other persons;
  2. in the vicinity of the workplace who can be affected by the activities of the organization;
  3. workers at a location not under the direct control of the organization;

Other issues to consider include the design of work areas, processes, installations, machinery/equipment, operating procedures, and work organization, including their adaptation to the needs and capabilities of the workers involved; situations occurring in the vicinity of the workplace caused by work-related activities under the control of the organization; and situations not controlled by the organization and occurring in the vicinity of the workplace that can cause injury and ill health to persons in the workplace. Hazard identification must include actual or proposed changes in organization, operations, processes, activities, and the OH&S management system. It must also include changes in knowledge of, and information about, hazards.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

The ongoing proactive identification of hazards begins at the conceptual design stage of any new workplace, facility, product, or organization. It should continue as the design is detailed and then comes into operation, as well as being ongoing during its full life cycle to reflect current, changing, and future activities.
While this document does not address product safety (i.e. safety to end-users of products), hazards to workers occurring during manufacture, construction, assembly, or testing of products should be considered.
Hazard identification helps the organization recognize and understand the hazards in the workplace and to workers, in order to assess, prioritize and eliminate hazards or reduce OH&S risks.
Hazards can be physical, chemical, biological, psychosocial, mechanical, electrical, or based on movement and energy.
The list of hazards given in 6.1.2.1 is not exhaustive.
NOTE The numbering of the following list items a) to f) does not correspond exactly to the numbering of the list items given in 6.1.2.1.
The organization’s hazard identification process(es) should consider:
a) routine and non-routine activities and situations:

  1. routine activities and situations create hazards through day-to-day operations and normal work activities;
  2. non-routine activities and situations are occasional or unplanned;
  3. short-term or long-term activities can create different hazards;

b) human factors:

  1. relate to human capabilities, limitations and other characteristics;
  2. information should be applied to tools, machines, systems, activities, and environment for safe, comfortable human use;
  3. should address three aspects: the activity, the worker and the organization, and how these interact with an impact on occupational health and safety;

c) new or changed hazards:

  1. can arise when work processes are deteriorated, modified, adapted or evolved as a result of familiarity or changing circumstances;
  2. understanding how work is actually performed (e.g. observing and discussing hazards with workers) can identify if OH&S risks are increased or reduced;

d) potential emergency situations:

  1. unplanned or unscheduled situations that require an immediate response (e.g. a machine catching fire in the workplace, or a natural disaster in the vicinity of the workplace or at another location where workers are performing work-related activities);
  2. include situations such as civil unrest at a location at which workers are performing work-related activities which requires their urgent evacuation;

e) people:

  1. those in the vicinity of the workplace who could be affected by the activities of the organization (e.g. passers-by, contractors or immediate neighbors);
  2. workers at a location not under the direct control of the organization, such as mobile workers or workers who travel to perform work-related activities at another location (e.g. postal workers, bus drivers, service personnel traveling to and working at a customer’s site);
  3. home-based workers, or those who work alone;

f) changes in knowledge of, and information about, hazards:

  1. sources of knowledge, information and new understanding about hazards can include published literature, research and development, feedback from workers, and review of the organization’s own operational experience;
  2. these sources can provide new information about the hazards and OH&S risks.

ISO 45001:2018 asks organizations to consider, in a proactive manner, all occupational health & safety hazards within the organization’s control. Changes or planned future changes to services also have to be taken into account, as do any abnormal situations that may arise that are reasonable for the organization to predict – for example, if you are about to launch a new product that needs radically new production processes or materials. Again, the organization needs to maintain documented information on this clause and its elements, and communication to the appropriate levels with effective frequency needs to be planned and undertaken. In terms of documented information, if you ensure that all actual and associated risks, the criteria you use to define them, and your significant occupational health & safety risks are documented, then you will satisfy the terms of this clause. The overall purpose of the risk assessment process is to evaluate the hazards that arise or might arise in the course of the organization’s activities, and ensure that the risks to people arising from these hazards are assessed, prioritized, and controlled to eliminate hazards or reduce risks to acceptable levels.

Hazards have the potential to cause injury or ill-health. They need to be identified before the risks associated with these hazards can be assessed and, if no controls exist or existing controls are inadequate, effective controls should be implemented according to the hierarchy of controls. Hazard identification should aim to determine proactively all sources, situations, or acts (or a combination of these), arising from an organization’s activities, with a potential for harm in terms of injury or ill health. Examples include:

  • Sources (e.g. moving machinery, radiation or energy sources);
  • Situations (e.g. working in confined spaces, working at height);
  • Acts (e.g. manual handling, wearing PPE).

Hazard identification should consider the different types of hazards in the workplace, including:

  • Physical (e.g. slips, trips, and falls, entanglement, noise, vibration, harmful energy sources);
  • Chemical (e.g. inhalation, contact with or ingestion of chemicals);
  • Biological (e.g. contact with allergens or pathogens such as bacteria or viruses);
  • Psychosocial (e.g. threat of physical violence, bullying or intimidation);

The organization’s hazard identification process should take account of the following:

  • Routine and non-routine activities such as plant cleaning and maintenance, extreme weather conditions, refurbishment, and plant start-ups/shut-downs;
  • Activities of all persons having access to the workplace including contractors, visitors, and home-based workers;
  • Human behavior, capabilities, and other human factors;
  • Identified hazards originating outside the workplace capable of adversely affecting the health and safety of a person under the control of the organization within the workplace;
  • Hazards created in the vicinity of the workplace by work-related activities under the control of the organization;
  • Infrastructure, equipment, and materials at the workplace, whether provided by the organization or others;
  • Changes or proposed changes in the organization or its activities;
  • Modifications to the OH&S management system, including temporary changes, and their impact on operations, processes, and activities;
  • Any applicable legal obligations relating to risk assessment and the implementation of necessary controls;
  • The design of work areas, processes, installations, machinery/equipment, operating procedures, and work organization, including their adaptation to human capabilities;
  • Potential emergency situations;
  • Changes in knowledge of, and information about, hazards;
  • New or changed hazards.

Examples of items for inclusion in a hazard identification checklist:

1 Physical hazard

  • Slippery or uneven ground
  • Working at height
  • Objects falling from height
  • Inadequate space to work
  • Poor ergonomics (e.g. workplace design that does not take account of human factors)
  • Manual handling
  • Repetitive work
  • Trapping, entanglement, burns and other hazards arising from the equipment
  • Transport hazards, either on the road or on-premises/sites, while travelling or as a pedestrian (linked to the speed and external features of vehicles and the road environment)
  • Fire and explosion (linked to the amount and nature of flammable material)
  • Harmful energy sources such as electricity, radiation, noise or vibration (linked to the amount of energy involved)
  • Stored energy, which can be released quickly and cause physical harm to the body (linked to the amount of energy)
  • Frequently repeated tasks, which can lead to upper limb disorders (linked to the duration of the tasks)
  • Unsuitable thermal environment, which can lead to hypothermia or heat stress
  • Violence to staff, leading to physical harm (linked to the nature of the perpetrators)
  • Ionizing radiation (from x- or gamma-ray machines or radioactive substances)
  • Non-ionizing radiation (e.g. light, magnetic, radio-waves)

2 Chemical hazards
Substances hazardous to health or safety due to:

  • Inhalation of vapours, gases, or particles
  • Contact with or being absorbed through, the body
  • Ingestion
  • The storage, incompatibility, or degradation of materials

3 Biological hazards

Biological agents, allergens, or pathogens (such as bacteria or viruses), that might be:

  • Inhaled
  • Transmitted via contact, including by bodily fluids (e.g. needlestick injuries), insect bites, etc.
  • Ingested (e.g. via contaminated food products)

4 Psychosocial hazards

Situations that can lead to negative psychosocial (including psychological) conditions, such as stress (including post-traumatic stress), anxiety, fatigue, depression, e.g.:

  • Excessive workload
  • Lack of communication or management control
  • Workplace physical environment
  • Physical violence
  • Bullying or intimidation

Psychosocial hazards can arise from issues external to the workplace and can impact the OH&S of individuals or their colleagues.

Typical operation controls could include:

  • Clarifying health and safety responsibilities and ensuring that the activities of everyone are well coordinated
  • Ensuring everyone with responsibilities understands clearly what they have to do to discharge their responsibilities and ensure they have the time and resources to discharge them effectively
  • Setting standards to judge the performance of those with responsibilities and ensure they meet them. It is important to reward good performance as well as to take action to improve poor performance
  • Ensuring adequate and appropriate supervision, particularly for those who are learning and who are new to a job
  • Take account:
    • Use of a hierarchy:
      • Elimination (modify a design, etc.)
      • Substitution (use a less hazardous material or reduce system energy, etc.)
      • Engineering controls (ventilation systems, interlocks, etc.)
      • Administrative controls, signage, warnings (safety signs, alarms, inspections, work permits, etc.)
      • Personal Protective Equipment (PPE) (safety glasses, harnesses, respirators, gloves, etc.)
    • Combination of controls
    • Adapt work to an individual
    • Using measures that protect everyone, in preference to PPE
    • Typical basic types of human behaviour (lapses etc.)
    • Planned maintenance
    • Lack of familiarity
  • Examples of areas in which OH&S risks typically arise, and examples of their associated control measures, include (general control measures):
    • Regular maintenance and repair of facilities, machinery and equipment to prevent unsafe conditions from developing
    • Housekeeping and maintenance of clear walkways
    • Traffic management (e.g. the management of the separation of vehicle and pedestrian movements)
    • Provision and maintenance of workstations
    • Maintenance of the thermal environment (temperature, air quality)
    • Maintenance of the ventilation systems and electrical safety systems
    • Maintenance of emergency plans
    • Policy related to travel, bullying, sexual harassment, drug, and alcohol abuse, etc.
    • Training and awareness programmes relating to the use of particular controls (e.g. permit-to-work systems)
    • Access controls
  • Occupational health:
    • Health surveillance
    • Pre-employment medical screening
    • Post-employment medicals
    • Worker support
    • Absence monitoring
    • Health promotion

EXAMPLE OF HAZARDS/RISKS ANALYSIS REGISTER

| Process / Activity | Hazard | Likely Hazardous Incidence / Situation | Risk Involved | Current Risk Control System | Risk Level (High, Medium, Low) | Is Risk Tolerable | If No, Proposed Risk Control System |
|---|---|---|---|---|---|---|---|
| Lifting by overhead crane manually | Electricity | Exposure to fire | Fire hazards | Fire extinguishers, electricity tripping systems | High | No | Fire alarm system |
| | Electricity | Exposure to live current | Electric shock | Coated electric cables provided, covering for connections | High | No | First aid training, electric tripping system |
| | Break failure of the crane | Falling of materials on the body | Injury to body | No control | High | No | Effective preventive maintenance, helmet, training to the operator on capacity and maintenance, crane alarm system |
| | Breaking of hook | Falling of materials on the body | Injury to body | No control | High | No | Effective preventive maintenance, helmet, training to the operator on capacity and maintenance, crane alarm system |
| | Falling of jobs due to overfilling of the tote box | Falling of materials on the body | Injury to body | No control | High | No | Effective preventive maintenance, helmet, training to the operator on capacity and maintenance, crane alarm system |
| | Failure of the structure of the beam | Falling of structure on the body | Injury to body / death | Testing of cranes by a third-party inspector | High | No | Effective preventive maintenance, helmet, crane alarm system |
| | Breaking of lifting chain / slipping of the chain due to improper clamping | Falling of materials on the body | Injury to body | No control | High | No | Replacement of chain by continuous chain, effective preventive maintenance, training to operator, crane alarm system |

Internal OH&S risk and hazard assessment guidelines

The term risk assessment appears in many different sets of Regulations: Control of Substances Hazardous to Health, Management of Health & Safety at Work, Manual Handling, Display Screen Equipment, Fire Safety, Noise, Vibration, etc. The process referred to in all of these pieces of legislation is identical. The aim of any risk assessment is to prevent accidents and injury. It requires all employers to examine their processes, equipment, workplaces, and work practices to highlight where the potential for accidents exists. Once the hazards (anything which has the potential to cause harm) are identified, the risk assessment requires the employer to evaluate the risk. This involves looking at the hazard and considering how likely it is that it will cause injury as well as the possible severity of the injuries which could be caused. This is by no means an exact science, but by completing an assessment risks can be identified as high, medium, and low, which will allow priorities to be set for improvements.

  • Identify the hazards – in relation to processes or the workplace.
  • Identify who is at risk – consider employees and others.
  • Identify any existing controls – have people been trained?
  • Evaluate the risk – consider possible likelihood and severity.
  • Take action to reduce the risk of accidents – consider long and short term action.
  • Record all findings.
  • Review – if there are any changes.
  • Monitor – have improvements been implemented? If yes, have they worked?

The process is always the same. However, the actual specific items examined will differ depending on the type of risk assessment being completed. Managing Health & Safety requires a general risk assessment of all work operations. From these, more specialist risk assessments will flow.

The organization must strive to carry out suitable and sufficient assessments of the OH&S risks to the health and safety of our employees. The significant findings of the assessments have to be recorded along with details of any groups of employees identified as being especially at risk. The contents of the assessments will be reviewed:

  • If there is a reason to suspect that they are no longer valid.
  • If there has been a significant change in the matters to which they relate
  • Every three years if no review has occurred in the interim

The organization is required to provide information to employees on the results of the risk assessments. The information has to be comprehensible and relevant to:

  • The risks to their health and safety identified by the assessments.
  • The preventative and protective measures being taken by management to reduce or eliminate these risks.
  • The identity of the competent persons nominated to implement H&S procedures and any other procedures to be followed in the event of serious and imminent danger.

1. Identifying Hazards

When seeking out and identifying hazards, adequate information is necessary and reference should be made to relevant sources such as:

  • Legislation and approved codes of practice
  • Health and Safety regulators (DOSH) Guidance
  • Product information – manufacturer guidance
  • Personal knowledge of managers, colleagues, and safety representatives
  • Accident records
  • Expert advice

In the simplest cases, hazards can be spotted by observation and questioning. They may be identified by individual activities, people, or work areas depending on the nature of the areas being assessed. Some tasks may be undertaken by several people in the same department, so an assessment covering the task or activities would be more appropriate than one covering each individual. Individual aspects of the people will need to be taken into account, i.e. one person may be 5 feet tall and the other 6 feet 2 inches, so further risks may be applicable to one employee rather than the other.

2. Identify Those At Risk

In most cases, the person at risk will be the person actually involved in the work. It is, however, important to remember third parties including members of the public who could be affected by the hazard.

3. Are There Any Existing Controls?

Are there any existing controls which are already helping to reduce the risk of injury?

e.g. Have employees been trained? Is PPE worn? Are warning signs displayed?

Remember to include only those existing controls which are working effectively. If you know that face masks are available, but they are not worn or are not suitable, then this is not an existing control measure.

4. Evaluating the Risk

Evaluating the risk involves judging the likelihood and the severity of the harm that may arise as a result of the hazard. Some risks will be insignificant either because the likelihood is very low, or because the severity of the injury is very low, or both.

Risk = Hazard Severity × Likelihood of Occurrence

A scoring system will be used to help in this process and is an essential part of a risk assessment.

5. Decide On Measures

The measures required to minimize or remove risk need to be considered by applying a hierarchy of risk control measures. This is the important part of every risk assessment, as it is here that we are required to take action to reduce the risk of injury.

  1. Eliminate the Risk i.e. Is it possible to stop using the chemical or piece of equipment?
  2. Personal Protective Equipment (PPE) — Effective if not costly
  3. Discipline
  4. Substitute i.e. Can we use a less hazardous substance?
  5. Engineering Controls at Source i.e. Guards and safety devices
  6. Re-design workplace of task
  7. Safe Systems Of Work i.e. Staff Operating Procedures which are communicated
  8. Training & Supervision — if employees are trained supervision will be needed to ensure the training is followed
  9. Warning Signs – these do not eliminate the risk but do raise awareness
  10. Maintenance of equipment – to prevent accidents from using defective equipment
  11. Good Housekeeping – having clear routes, safe storage

This is by no means an exhaustive list as certain specific controls will be needed to suit certain work areas.

6. Record the Assessment

In many countries, it is a legal requirement for organizations with over five employees to record their assessments. Blank forms can be found in the QESH management system document set.

7. Review / 8. Monitor

The risk assessments will need to be monitored regularly. This will be completed by the Managing Director on at least an annual basis.

Risk Evaluation – Scoring system to be used

[Scoring table: Severity (Worst Outcome) scored against Likelihood]

6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system

The organization shall establish, implement and maintain a process to assess OH&S risks from the identified hazards while taking into account the effectiveness of existing controls. The organization must determine and assess the other risks related to the establishment, implementation, operation, and maintenance of the OH&S management system. The organization’s methodologies and criteria for the assessment of OH&S risks shall be defined with respect to their scope, nature, and timing to ensure they are proactive rather than reactive and are used in a systematic way. Documented information shall be maintained and retained on the methodologies and criteria.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

An organization can use different methods to assess OH&S risks as part of its overall strategy for addressing different hazards or activities. The method and complexity of assessment do not depend on the size of the organization but on the hazards associated with the activities of the organization.
Other risks to the OH&S management system should also be assessed using appropriate methods.
Processes for the assessment of risk to the OH&S management system should consider day-to-day operations and decisions (e.g. peaks in workflow, restructuring) as well as external issues (e.g. economic change). Methodologies can include ongoing consultation of workers affected by day-to-day activities (e.g. changes in workload), monitoring and communication of new legal requirements and other requirements (e.g. regulatory reform, revisions to collective agreements regarding occupational health and safety), and ensuring resources meet existing and changing needs (e.g. training on, or procurement of, new improved equipment or supplies).

The organization must establish, implement and maintain a process to:

  • Assess OH&S risks from the identified hazards, whilst taking into account the effectiveness of existing controls;
  • Determine and assess the other risks related to the establishment, implementation, and maintenance of the OH&S management system.

An organization needs to apply the process of hazard identification and risk assessment to determine the controls that are necessary to reduce the risks of injury and/or ill health. The purpose of risk assessment is to address the hazards that might arise in the course of the organization’s activities and ensure that the risks to people arising from these hazards are assessed, prioritized and controlled.

This is achieved by:

  • Developing a methodology for hazard identification and risk assessment;
  • Identifying hazards;
  • Estimating the associated risk levels, taking into account the adequacy of existing controls, based on an assessment of the likelihood of the occurrence of a hazardous event or exposure and the severity of the injury or ill health that can be caused by the event or exposure;
  • Determining whether these risks are acceptable vis-à-vis the organization’s legal obligations and its OH&S objectives;
  • Determining the appropriate risk controls, where these are found to be necessary;
  • Documenting the results of the risk assessment;
  • Reviewing the hazard identification and risk assessment process on an ongoing basis.

The outputs from the risk assessment process should be used in the implementation and development of other parts of the OH&S management system such as competence, operational planning and control, and monitoring, measurement, analysis, and performance evaluation.

There is no single methodology for hazard identification and risk assessment that is suitable for all organizations. Hazard identification and risk assessment methodologies vary greatly across industries, ranging from simple assessments to complex numerical methods with extensive documentation.  Individual hazards might require that different methods be used, e.g. an assessment of long-term exposure to hazardous substances might need a different method from that taken for equipment safety or for assessing an office workstation. Each organization should choose the method that is appropriate to its scope, nature, and size. The chosen approach should result in a comprehensive methodology for the ongoing evaluation of the organization’s risks. Where the organization’s risk assessment uses descriptive categories for assessing severity or likelihood of harm, these should be clearly defined, e.g. clear definitions of terms such as “likely” and “unlikely” are needed to ensure that different individuals interpret them consistently.

The organization should consider risks to sensitive populations (e.g. pregnant employees) and vulnerable groups (e.g. young workers) as well as any particular susceptibilities of the individuals involved in performing particular tasks (e.g. the ability of an individual to read instructions). The risk assessment should involve consultation with, and participation by, workers and take into account legal and other requirements. Risk assessment should be conducted by personnel with competence in risk assessment methodologies and techniques and appropriate knowledge of the organization’s work activities. The organization should also consider risks that are not directly related to the health and safety of people, but which affect the OH&S management system itself and can have an impact on its intended outcomes.

Risks to the OH&S management system include:

  • Failure to understand the context of the organization;
  • Failure to address the needs and expectations of relevant interested parties;
  • Inadequate consultation and participation of workers;
  • Inadequate planning or allocation of resources;
  • An ineffectual audit programme;
  • An incomplete management review;
  • Poor succession planning for key roles;
  • Poor engagement by top management.

6.1.2.3 Assessment of OH&S opportunities and other opportunities to the OH&S management system

The organization shall establish, implement and maintain processes to assess OH&S opportunities to enhance OH&S performance while taking into account planned changes to the organization, its policies, processes or its activities, including opportunities to adapt work, work organization and work environment to workers, and opportunities to eliminate hazards and reduce OH&S risks. It shall also assess other opportunities for improving the OH&S management system. OH&S risks and OH&S opportunities can result in other risks and other opportunities for the organization.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

The process for assessment should consider the OH&S opportunities and other opportunities determined, their benefits and potential to improve OH&S performance.

The organization must establish, implement and maintain a process to assess:

  • OH&S opportunities to enhance OH&S performance, while considering planned changes to the organization, its policies, processes or activities;
  • Other opportunities for improving the OH&S management system.

Opportunities to improve OH&S performance can include:

  • Consideration of hazards and risks when planning and designing facilities, processes, plant and equipment, and materials;
  • Modification of working processes including the alleviation of monotonous and repetitive work;
  • Introduction of new technology to ameliorate high-risk activities;
  • Collaborating in forums that focus on issues relating to occupational health and safety;
  • Introduction of job safety analysis and task-related assessments;
  • Implementation of permit-to-work processes;
  • Implementation of ergonomic and other injury prevention-related assessments;
  • Improvement of the occupational health and safety culture of the organization.

Opportunities to improve the OH&S management system include:

  • Enhancing the visibility of top management’s support for the OH&S management system;
  • Improving worker consultation and participation in OH&S decision making;
  • Enhancing the incident investigation process;
  • Improving two-way communication on OH&S issues and promoting OH&S in the workplace;
  • Expediting corrective actions to address OH&S nonconformities;
  • Implementing OH&S objectives with the same passion as other business objectives;
  • Improving competency in identifying hazards, dealing with OH&S risks and implementing appropriate controls;
  • Adopting a risk assessment approach to conducting OH&S audits;
  • Viewing workers at all levels as a key resource of the organization;
  • Ensuring that the management review promotes a strategic and critical evaluation of the OH&S management system.

Risk / Opportunity of Internal Issues (Examples)

Sr. No 1

  • Issues (Internal): Social customs around PPE; responsibility of OH&S; the willingness to be involved in consultation and participation
  • Expected Result: Use of PPE. Top management shall take overall responsibility and accountability for the protection of workers, processes for consultation/participation, establish OH&S committees
  • Uncertainty: Social custom is for workers to provide their own PPE and be solely responsible for their OH&S. Also, the willingness to be involved in consultation and participation in a work setting is traditionally very poor
  • Risks (-ve) Effect: Workers ignore the organization’s OH&S processes, and OH&S performance does not improve
  • Opportunity (+ve) Effect: Opportunity to be known in the sector as a caring and forward-thinking employer, attracting good quality human resources and inward investment from clients (including overseas clients) concerned with reputational impacts and good social responsibility/governance

Sr. No 2

  • Issues (Internal): Is the organizational structure capable of ensuring adequate control for OH&S, especially when outsourcing and with the use of contractors
  • Expected Result: Outsourced processes are controlled. Contractor controls for communicating hazards, evaluation, and OH&S risks.
  • Uncertainty: The structure is very flat, with most of the workers being of low education, or the work is outsourced. Uncertainty around adequate supervision and OH&S control
  • Risks (-ve) Effect: Poor OH&S performance affecting workers and others OH&S, reputational damage, fines, loss of customers
  • Opportunity (+ve) Effect: (Not every issue will have an opportunity associated with it. Please do not mix up risk treatment with an opportunity)

Risk / Opportunity of External Issues (Examples)

Sr 1

  • Issues (External): Cultural – risk-taking (contractors/outsourcing)
  • Expected Result: Top Management promoting a culture that supports the OH&S MS. Promoting a culture supporting an OH&S. Awareness of benefits of improved OH&S performance and their contribution. Aware of the implications of not conforming. Implementing control of the processes in accordance with the criteria. Commitments in the policy to provide a safe and healthy workplace
  • Uncertainty: Might be considered as part of the culture, and seen as normal practice in. Expansion into other regions will require research into the culture affecting OH&S
  • Risks (-ve) Effect: OH&S MS is not effective and does not achieve its intended outcomes. Workers continue to adopt peer pressure norms to get the work done. Workers are injured, suffer ill health, or fatal consequences. Investment cost of the OH&S MS is lost. Contracts helped by having an OH&S MS may be lost due to non-adherence. Other MSs could be affected, e.g. quality
  • Opportunity (+ve) Effect: (Not every issue will have an opportunity associated with it. Please do not mix up risk treatment with an opportunity)

Risk / Opportunity of Requirement for Workers Requirements (Examples)

Sr 1

  • (Relevant) Requirements (workers): Opportunities for dialogue, improvement, and when changes occur
  • Expected Result: Processes for consultation/participation, establish OH&S committees. The policy commitment to consultation/participation processes for consultation and participation. Ensure the participation of workers
  • Uncertainty: Manager & workers traditionally do not consult or participate in OH&S matters. Time to consult/participate and logistical arrangements. Culture with respect to OH&S importance
  • Risks (-ve) Effect: OH&S culture does not improve. OH&S performance is affected. Hazards/risks are not identified. OH&S loss to workers
  • Opportunity (+ve) Effect: (Not every issue will have an opportunity associated with it. Please do not mix up risk treatment with an opportunity)

Risk / Opportunity of Requirement for Other interested Parties Requirements (Examples)

Sr 1

  • (Relevant) Requirements (Other interested Parties): Contractors/suppliers/outsourcing - Clear statement of OHS requirements in tenders/contracts
  • Expected Result: Controls for procuring goods/services conform to OH&S MS requirements
  • Uncertainty: OH&S requirements are not clearly defined in our contracts and demoted to a contract Annex
  • Risks (-ve) Effect: Poor OH&S performance, and OH&S loss to workers
  • Opportunity (+ve) Effect: Improving the OH&S culture by extending competence related to OH&S beyond requirements (OH&S Opportunity to improve OH&S)

6.1.3 Determination of legal requirements and other requirements

The organization shall establish, implement and maintain processes to determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks and OH&S management system. The organization must determine how these legal requirements and other requirements apply to the organization and what needs to be communicated. It must take these legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system. The organization shall maintain and retain documented information on its legal requirements and other requirements and shall ensure that it is updated to reflect any changes. Legal requirements and other requirements can result in risks and opportunities for the organization.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

a) Legal requirements can include:

  1. legislation (national, regional or international), including statutes and regulations;
  2. decrees and directives;
  3. orders issued by regulators;
  4. permits, licenses or other forms of authorization;
  5. judgments of courts or administrative tribunals;
  6. treaties, conventions, protocols;
  7. collective bargaining agreements.

b) Other requirements can include:

  1. the organization’s requirements;
  2. contractual conditions;
  3. employment agreements;
  4. agreements with interested parties;
  5. agreements with health authorities;
  6. non-regulatory standards, consensus standards, and guidelines;
  7. voluntary principles, codes of practice, technical specifications, charters;
  8. public commitments of the organization or its parent organization.

The organization should have a process to determine and have access to health and safety legal requirements and other requirements applicable to its OHSMS and to determine how these requirements apply to the OHSMS. The organization needs to be confident that during the risk assessment process it is adhering to the latest applicable legal and other requirements. The legal and other requirements process of assessment will vary depending on the complexity of the business. Sources of information may be gathered in many ways including:

  • Subscription to publisher legal update newsletters.
  • Membership of trade associations
  • Research via reputable government websites
  • Use of competent consultants
  • Competent employee membership of occupational health and safety institutes.
  • Employee attendance of occupational health and safety training courses

Following the initial assessment of compliance obligations, the organization may consider placing the relevant information in a document. A spreadsheet may be useful for this purpose. A live document may include the following information and be referenced within individual risk assessments:

  • Name and reference number of regulation/requirement.
  • Revision status
  • The date the regulation was last reviewed
  • The competent person responsible for reviewing the requirement
  • Area of the organization the requirement impacts including a short description of the activity and associated documented information
  • A hyperlink or description of the source of information
  • Name and customer / external provider contact details if relevant to ‘other requirement’
  • Next review date

The process should cover:

  • What are the organization’s legal and other requirements and how are they determined, accessed and kept up-to-date;
  • How these legal and other requirements apply to the organization’s activities, processes, plant & equipment, workforce, hazard profile & associated OH&S risks, the overall OH&SMS, and its OH&S performance;
  • How these legal and other requirements are taken into account when establishing, implementing, maintaining and continually improving the organization’s OH&S management system.

Legal requirements could include:

  • Acts and statutory instruments such as the Safety, Health, and Welfare at Work Act 2005 and the Safety, Health and Welfare at Work (Chemical Agents) Regulations 2001;
  • Licenses, permits and other forms of authorization such as the EPA Office of Radiological Protection license or Seveso establishment notification;
  • Improvement or prohibition notices issued by HSA/HSE;
  • EU Directives or Regulations.

Other requirements could include:

  • Parent company protocols or policies;
  • Collective bargaining agreements;
  • Voluntary adherence to sector or trade body guidance documents;
  • Contractual conditions;
  • Employment agreements;
  • Voluntary principles, codes of practice, technical specifications, charters;
  • Public commitments of the organization or its parent company.

The organization must ensure that relevant workers know how to access information on legal and other requirements that are applicable to them. The organization is required to maintain and retain documented information on this process. This will ensure that the information is updated to reflect any changes to the organization’s health and safety profile. The organization must decide what legal and other requirements are related to its occupational health & safety hazards and how to best access them, decide how they apply to the organization, and take them into consideration when establishing, operating, and delivering continual improvement through the OH&S Management System. Documented evidence also needs to be recorded for these obligations.

6.1.4 Planning action

The organization shall plan actions to address these risks and opportunities; legal requirements and other requirements. It must prepare for and respond to emergency situations. It must also plan actions to integrate and implement the actions into its OH&S management system processes or other business processes. The organization must evaluate the effectiveness of these actions. The organization shall take into account the hierarchy of controls and outputs from the OH&S management system when planning to take action. When planning its actions, the organization shall consider best practices, technological options, and financial, operational, and business requirements.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

The actions planned should primarily be managed through the OH&S management system and should involve integration with other business processes, such as those established for the management of the environment, quality, business continuity, risk, financial or human resources. The implementation of the actions taken is expected to achieve the intended outcomes of the OH&S management system.
When the assessment of OH&S risks and other risks has identified the need for controls, the planning activity determines how these are implemented in operation (see Clause 8); for example, determining whether to incorporate these controls into work instructions or into actions to improve competence. Other controls can take the form of measuring or monitoring (see Clause 9).
Actions to address risks and opportunities should also be considered under the management of change (see 8.1.3) to ensure there are no resulting unintended consequences.

The organization should ensure that specific plans are in place to:

  • Address risks and opportunities that have been assessed as requiring further action;
  • Address legal and other requirements;
  • Prepare for and respond to emergency situations.

In this clause, the standard states that the organization shall plan to take actions to address its occupational health & safety hazards, risks, and opportunities, and compliance obligations, all of which we have discussed above. These also need to be implemented into the organization’s OH&S Management System and associated business processes. The task of evaluating the effectiveness of these actions also must be considered, with technological, financial, and operational considerations all taken into account. The actions planned should primarily be managed through the OH&S management system and where appropriate should involve integration with other business processes and/or management systems such as quality, environment, business continuity, risk management, and financial or human resource management. When planning to take action, the organization should take into account the hierarchy of controls common to risk management, which is detailed in section 8.1.2 of the standard, and outputs from the OH&S management system. The actions planned can include establishing objectives (reference section 6.2 of the standard) or incorporating the action into other OHSMS processes such as documented procedures or improved competence. Actions to address risks and opportunities should also be considered under clause 8.1.3, management of change, to ensure that there are no unintended consequences arising from the actions taken. Finally, the organization needs to evaluate the effectiveness of these actions.

Category: Address risks and opportunities

  • Identified need: OH&S MS – The willingness to be involved in consultation and participation in a work setting is traditionally very poor. Workers might ignore the organization’s OH&S processes, and OH&S performance does not improve.
  • Actions required: Top management is to demonstrate their commitment to the OH&S MS and those involved with it. Monthly OH&S committees are to be set up with top management involvement. All workers will be invited to select their representatives at the committees. Meeting minutes will be published with actions to improve OH&S performance. All suggested improvements will be considered before a decision is made. All OH&S MS decisions that need to be made will involve consultation with the workers before the decision is made. All decisions in the OH&S MS will be transparent. Time, training, and resources will be made available for consultation and participation.
  • How to:
    • Integrate – Business processes will be updated to include the actions stated.
    • Implement into OH&S MS or other processes – Production Director is tasked to implement these actions within 3 months (from last management review).
    • Evaluate effectiveness – This will be through the first OH&S Committee scheduled in two months’ time.
    • Other Consideration – Operational and business requirements and constraints.

6.2 OH&S objectives and planning to achieve them

6.2.1 OH&S objectives

The organization shall establish OH&S objectives at relevant functions and levels in order to maintain and continually improve the OH&S management system and OH&S performance. The OH&S objectives must be consistent with the OH&S policy. The objectives must be measurable (if practicable) or capable of performance evaluation. They must take into account:

  1. applicable requirements;
  2. the results of the assessment of risks and opportunities;
  3. the results of consultation with workers, and, where they exist, workers’ representatives.

The objectives must be monitored, communicated and be updated as appropriate.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

Objectives are established to maintain and improve OH&S performance. The objectives should be linked to risks and opportunities and performance criteria that the organization has identified as being necessary for the achievement of the intended outcomes of the OH&S management system.
OH&S objectives can be integrated with other business objectives and should be set at relevant functions and levels. Objectives can be strategic, tactical, or operational:
a) strategic objectives can be set to improve the overall performance of the OH&S management system (e.g. to eliminate noise exposure);
b) tactical objectives can be set at facility, project, or process level (e.g. to reduce noise at source);

c) operational objectives can be set at the activity level (e.g. the enclosure of individual machines to reduce noise).

The measurement of OH&S objectives can be qualitative or quantitative. Qualitative measures can be approximations, such as those obtained from surveys, interviews, and observations. The organization is not required to establish OH&S objectives for every risk and opportunity it determines.

The organization should establish objectives in order to maintain and improve the OH&S management system and to achieve continual improvement in its OH&S performance.

When determining its OH&S objectives the organization must take into account:

  • The results of the assessments of risk and opportunities;
  • Applicable legal and other requirements;
  • The results of consultation with workers and where applicable, their representatives.

OH&S objectives can be integrated with other business objectives such as quality or environment and should be set at relevant functions and levels as defined and decided upon by the organization.

The OH&S objectives should address both broad corporate OH&S issues and OH&S issues that are specific to individual functions and levels within the organization. It is a requirement of the standard to set achievable OH&S objectives with the means to periodically measure progress, demonstrating continuous improvement. Often objectives are set and reviewed at management review or locally at departmental or committee meetings. Once set, there must be a means to communicate objectives throughout the organization to support and generate a positive OH&S culture. If many requirements have been identified the organization may consider developing a documented Occupational Health and Safety Strategic Plan. The plan should be agreed on by senior leadership and include risk rating tasks, in order of priority, and the alignment with senior leadership responsible for overseeing the task.

The standard advises that occupational health & safety objectives should be established at appropriate levels and intervals, having considered the identified occupational health & safety hazards, risks and opportunities, and compliance obligations. The characteristics of the set objectives are important: they need to be consistent with the organization’s occupational health & safety policy, measurable where possible, able to be monitored, communicated effectively, and such that they can be updated when circumstances require. Once more, it is mandatory that documented information is kept outlining this process and its outputs. Because the term “maintain and improve its OH&S management system” is used in this clause, the organization can set some objectives in order to maintain a certain level of performance and can set other objectives for the purpose of achieving an improvement in its OH&S performance. This means that in the case of the former, once a level of performance has been achieved and no further opportunity for improvement can be identified, the organization can set an objective that maintains that set level of performance until such time as new opportunities are identified. The OH&S objectives should be consistent with the OH&S policy and, if practicable, be measurable or capable of performance evaluation. Ideally, the objectives should be specific, measurable, achievable, realistic, and time-oriented (SMART).

Typical examples of OH&S objectives include the following:

  • Objectives to increase or reduce a numerical value such as reducing manual handling incidents by 10% or increasing VDU risk assessments by 20%.
  • Objectives to introduce controls or eliminate hazards such as the introduction of LEV in a particular process or elimination of a particular hazardous substance from a process;
  • Objectives to introduce less hazardous materials in specific products;
  • Objectives to increase levels of worker satisfaction in relation to OH&S such as a reduction of workplace stress or an increase in worker participation in and consultation on OH&S issues;
  • Objectives to increase awareness or competence in performing work tasks safely;
  • Objectives to meet legal requirements prior to their enactment.

The objectives should be monitored, communicated, and be updated as appropriate. The organization is not required to establish OH&S objectives for every risk and opportunity it determines.

6.2.2 Planning to achieve OH&S objectives

When planning how to achieve its OH&S objectives, the organization must determine:

  1. what will be done?
  2. what resources will be required?
  3. who will be responsible?
  4. when it will be completed?
  5. how the results will be evaluated, including indicators for monitoring?
  6. how the actions to achieve OH&S objectives will be integrated into the organization’s business processes?

The organization must maintain and retain documented information on the OH&S objectives and plans to achieve them.

Annex A (Guidance on the use of ISO 45001:2018) of the standard further explains:

The organization can plan to achieve objectives individually or collectively. Plans can be developed for multiple objectives where necessary. The organization should examine the resources required (e.g. financial, human, equipment, infrastructure) to achieve its objectives. When practicable, each objective should be associated with an indicator that can be strategic, tactical or operational.

The standard advises on the elements that need to be determined to ensure that objectives can be achieved. This can be thought of in terms of what needs to be done, when it needs to be done, what resources are required to achieve it, who is responsible for the objectives being achieved, how results are to be measured and progress ensured, and how these objectives can be implemented within existing business systems. In order to achieve the objectives, a programme or programmes should be established. A programme is an action plan for achieving one or all of the OH&S objectives. The programme, at a minimum, should address the following:

  • What is to be done;
  • What resources (e.g. financial, human, equipment & infrastructure) will be required;
  • Who will be responsible;
  • When it will be completed;
  • How the results will be evaluated, including indicators for monitoring.

The programme should be reviewed at planned intervals, and adjusted as necessary, to ensure that the objectives are achieved. This review can be part of the management review process. The organization must maintain and retain documented information on the OH&S objectives and plans to achieve them.

A strategic OH&S plan is a live document and should be reviewed periodically to monitor progress towards achieving objectives and continuous improvement. The document may include:

  • Strategic prioritized topic
  • Action, this could be conducting assessments according to compliance obligations such as a noise assessment
  • The method in which the action can be achieved
  • Resources required to achieve the action. For example human, equipment, financial and external provider expertise
  • The key performance indicator to demonstrate achievement of the action
  • General responsibility
  • Top Management responsibility
  • Timescale
  • Risk rating (order of priority)

Examples for Objectives

OH&S Policy/Risk Area: Prevention of injury and ill health

| OH&S objectives | Target | Time-frame |
|---|---|---|
| Number of non-reportable accidents per year | ≤10 | 1 Year |
| Number of reportable accidents per year | ≤2 | 1 Year |
| Incident Frequency Rate | ≤20 | 1 Year |

Legal and other requirements:

  • Health and Safety at Work Act
  • Management of Health and Safety at Work Regulations
  • Reporting of Injuries, Diseases and Dangerous Occurrences Regulations
  • Control of Substances Hazardous to Health (Amendment) Regulations
  • Electricity at Work Regulations
  • Health and Safety (Safety Signs and Signals) Regulations
  • Manual Handling Operations Regulations

Programs and other responsibilities:

  • Incidents to be monitored quarterly. Action: Production Supervisor (PS)
  • Any increases in incident rates to be investigated and action taken. Action: ALL Managers
  • Reduction in incident levels to be targeted through training & monitoring programmes. Action: ALL Managers

Example of Derivation of Objectives from Risk and Opportunity

| Sr | (Relevant) Requirements (Other interested Parties) | Expected Result | Uncertainty | Risks (-ve) Effect | Opportunity (+ve) Effect |
|---|---|---|---|---|---|
| 1 | Contractors/suppliers/outsourcing - Clear statement of OHS requirements in tenders/contracts | Controls for procuring goods/services conform to OH&S MS requirements | OH&S requirements are not clearly defined in our contracts and demoted to a contract Annex | Poor OH&S performance, and OH&S loss to workers | Improving the OH&S culture by extending competence related to OH&S beyond requirements (OH&S Opportunity to improve OH&S) |

OH&S objective OHS/Contractor (Sept 15th 20xx): To include a clear statement of OHS requirements in tenders/contracts. To be included by the end of Dec XX.

(What will be done)

  • Workers’ Representative, Purchasing Supervisor, H&S Manager: To draft a statement of OH&S requirements to be included in tenders/contracts. (Before the end of September 20xx)
  • Production Manager: To review/revise in consultation with the above. (Before Oct 15th 20xx)
  • Company Secretary: To forward agreed requirements to company legal advisor for inclusion into the contract, or amendment as legally required/advised. (Before Oct end 20xx)
  • Purchasing Managers: To include new tenders/contracts. (Before Nov end 20xx)
  • Purchasing Manager: To start negotiating changes to existing contracts to include the above OH&S requirements. (On-going, but expected completion of all existing contracts by April 20xx)
  • Production Manager: To communicate new requirements for all company workers who may be involved with contractors. (Before Nov)
  • Purchasing Manager: To monitor the response from the contractor’s top management on the new requirements in tenders/contracts. (From Nov 20xx onwards)

(What resources will be required)

  • Workers Representative
  • Purchasing Manager
  • Purchasing Supervisor
  • H&S Manager
  • Company Secretary
  • Company legal Advisor
  • Time and cost for legal advice (KWD 500)

(Who will be responsible) Purchasing Manager and Production Manager.

(When it will be completed) Over the next four months (April 20xx+1).

(How it will be measured through indicators (if practicable) and monitored, including frequency). Through the dates and responsibilities identified above, and reported through the monthly OH&S committee meetings.

(How the results will be evaluated) Through the Purchasing Manager requesting if OH&S requirements are now clear in contracts (sample contractors’ management), and thereafter the Purchasing Supervisor monitoring of conformance against contract OH&S requirements (number of contract OH&S breaches/month).

(How the actions to achieve OH&S objectives will be integrated into the organization’s business processes) Actions will be integrated into each responsible person’s personal appraisal for the year and reviewed as part of their personal development and achievement.

…………………………………End of Examples …………………………………………

ISO 45001:2018 Clause 5: Leadership and worker participation

CLAUSE 5 – Leadership and worker participation

Top management and their workers are required to have involvement in the input and operation of the OHSMS management system and must ensure that the requirements are integrated into the organization’s OHSMS processes and that the policy and objectives are compatible with the strategic direction of the organization. The top management must take overall responsibility and accountability for the prevention of work-related injury and ill-health as well as the provision of safe and healthy workplaces and activities. This clause places requirements on top management to assign relevant responsibilities and support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. Critical to the success of the OH&S management system is leadership and commitment from ‘Top Management’. The expectation of leaders within an organization is to become champions of the system and provide the necessary resources to protect workers from harm. This clause is the cornerstone for the success of the OH&S MS. In OHSAS 18001, top management was responsible for OH&S and was required to ‘appoint’ a member of top management with specific responsibility for OH&S. Top management in ISO 45001 is responsible and accountable for the prevention of work-related injury and ill-health as well as the provision of safe and healthy workplaces (not simply providing support for a management system). This requires top management to be personally involved in order to develop, lead and promote a culture that supports OH&S. It should also be noted that leadership and culture are identified as a potential hazard later in the standard. It is also top management that has to ensure that a process for consultation and participation with workers is established. This may include establishing a health and safety committee. It is also the top management’s responsibility to establish, implement and maintain the health and safety policy.
The required contents for the policy include elements such as a commitment to consultation and participation of workers. Importantly, consultation with workers on the health and safety policy is included later in this clause. Consultation and participation of workers are significantly enhanced from OHSAS 18001, which was limited to participation in hazard identification and consultation on changes. In ISO 45001, consultation involves seeking views before making a decision with clear two-way communication, whilst participation is involvement in decision-making. This must include non-managerial workers. The organization is now required to provide the mechanisms, time, training, and resources for consultation and participation of workers. This includes removing any obstacles or barriers such as language, literacy, or fear of reprisals.

Clause 5.1: Leadership and commitment

Top management should demonstrate leadership and commitment with respect to the OH&S management system. Top management must be taking overall responsibility and accountability for the prevention of work-related injury and ill-health as well as the provision of safe and healthy workplaces and activities. Top management must be ensuring that the OH&S policy and related OH&S objectives are established and are compatible with the strategic direction of the organization. The top management must be ensuring the integration of the OH&S management system requirements into the organization’s business processes. The top management must be ensuring that the resources needed to establish, implement, maintain and improve the OH&S management system are available. The top management must be communicating the importance of effective OH&S management and of conforming to the OH&S management system requirements. The top management must be ensuring that the OH&S management system achieves its intended outcome. The top management must be directing and supporting persons to contribute to the effectiveness of the OH&S management system. The top management should be ensuring and promoting continual improvement. The top management should be supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. The top management should be developing, leading, and promoting a culture in the organization that supports the intended outcomes of the OH&S management system. The top management should be protecting workers from reprisals when reporting incidents, hazards, risks, and opportunities. The top management should be ensuring the organization establishes and implements processes for consultation and participation of workers. The top management should be supporting the establishment and functioning of health and safety committees.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

Leadership and commitment, including awareness, responsiveness, active support, and feedback, from the organization’s top management, are critical for the success of the OH&S management system and achievement of its intended outcomes; therefore, top management has specific responsibilities for which they need to be personally involved or which they need to direct. A culture that supports an organization’s OH&S management system is largely determined by top management and is the product of individual and group values, attitudes, managerial practices, perceptions, competencies, and patterns of activities that determine the commitment to, and the style and proficiency of, its OH&S management system. It is characterized by, but not limited to, active participation of workers, cooperation and communications founded on mutual trust, shared perceptions of the importance of the OH&S management system by active involvement in the detection of OH&S opportunities, and confidence in the effectiveness of preventive and protective measures. An important way top management demonstrates leadership is by encouraging workers to report incidents, hazards, risks, and opportunities and by protecting workers against reprisals, such as the threat of dismissal or disciplinary action, when they do so.

The requirements within this clause are generally self-explanatory. You will need to provide information on how top management ensures the OHSMS is compatible with the strategic direction as well as taking responsibility for promoting a safety culture to ensure that the management system achieves its intended outcome. In clause 5.1, ISO 45001 uses the term ‘top management’ to refer to a group or an individual at the highest level, controlling and directing the organization. This sets out a list of things that top management must do to demonstrate commitment and leadership with respect to their health and safety management system. Three of these directly refer to the rights of workers:

  • Supporting the establishment and ongoing operation of health and safety committees. This clause specifically refers to the need to put emphasis on the participation of non-management workers in setting up these committees.
  • Ensuring that clause 5.4 is implemented.
  • Ensuring the protection of workers from any reprisals when they report hazards and risks.

The following are examples of how leadership can be demonstrated within the OH&S management system:

  • Take overall responsibility and accountability for the prevention of work-related injury / ill health, as well as the provision of a safe and healthy work environment
  • Facilitating positive culture and continual improvement
  • Ensure the OH&S system is integrated within the business processes
  • Promote communication internally and externally and at all levels (cascading from the top)
  • Protect workers from reprisal when reporting incidents, hazards, risk, and opportunities
  • Provision and support for safety committees

For an external audit, the expectation is for senior leadership to be at the heart of the OH&S management system with a clear demonstration of understanding the system.

Clause 5.2: OH&S policy

Top management must establish, implement and maintain an OH&S policy. The policy must include a commitment to provide safe and healthy working conditions for the prevention of work-related injury and ill health and is appropriate to the purpose, size, and context of the organization and to the specific nature of its OH&S risks and OH&S opportunities. The policy should provide a framework for setting the OH&S objectives. The policy should include a commitment to fulfill legal requirements and other requirements. It should include a commitment to eliminate hazards and reduce OH&S risks. The policy should include a commitment to continual improvement of the OH&S management system. It should include a commitment to consultation and participation of workers, and, where they exist, workers’ representatives. The OH&S policy should be available as documented information. It should be communicated within the organization. It must be available to interested parties, as appropriate. It must be relevant and appropriate.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

The OH&S policy is a set of principles stated as commitments in which top management outlines the long-term direction of the organization to support and continually improve its OH&S performance. The OH&S policy provides an overall sense of direction, as well as a framework for the organization to set its objectives and take actions to achieve the intended outcomes of the OH&S management system. These commitments are then reflected in the processes an organization establishes to ensure a robust, credible, and reliable OH&S management system (including addressing the specific requirements in this document). The term “minimize” is used in relation to OH&S risks to set out the organization’s aspirations for its OH&S management system. The term “reduce” is used to describe the process to achieve this. In developing its OH&S policy, an organization should consider its consistency and coordination with other policies.

Top management needs to establish, implement and maintain an OHSMS policy that includes a commitment to provide safe and healthy working conditions for the prevention of work-related injury and ill health and is appropriate to the purpose, size, and context of the organization and to the specific nature of its OHSMS risks and opportunities. The policy must be communicated, set out the framework for establishing measurable occupational health and safety objectives and targets, including a commitment to consultation and participation of workers or representatives and a commitment to eliminate hazards and fulfill legal requirements.

An OH&S Policy is a ‘Statement of Intent’ or ‘Mission Statement’ which sets out the framework to manage the Occupational Health and Safety Management System. The OH&S policy is approved by senior leadership and will drive the controls that are in place and the actions that are carried out to improve it. The standard specifically requires that the OH&S policy should include commitments to:

  • Provide a framework for setting objectives
  • Provide safe and healthy working conditions for the prevention of work-related injury and/or ill-health
  • Eliminate hazards and reduce OH&S risks
  • Continual improvement of the OH&S system
  • Consultation and participation of workers and, where they exist, worker representatives
  • Fulfilment of legal and other requirements

Once the OH&S policy has been approved it must be communicated to stakeholders including workers. The policy must be available to interested parties, which will include customers and external providers on request. In addition, periodically the OH&S policy must be reviewed by senior leadership to ensure it remains applicable to the context of your organization.

Sample Occupational Health and Safety Policy

This policy will apply to __(Name of Business)_____ at all locations.

__(Name of Business)______________ is committed to providing a healthy and safe work environment for its workers and preventing occupational illness and injury. To express that commitment, we issue the following policy on occupational health and safety.
As the employer, (Name of Business) is responsible for the health and safety of its workers. __(Name of Business)______________ will make every effort to provide a healthy and safe work environment. We are dedicated to the objective of eliminating the possibility of injury and illness.
As _(CEO/Owner/etc.)______________ I give you my personal promise to take all reasonable precautions to prevent harm to workers.
Supervisors will be trained and held responsible for ensuring that the workers, under their supervision, follow this policy. They are accountable for ensuring that workers use safe work practices and receive training to protect their health and safety.
Supervisors also have general responsibility for ensuring the safety of equipment and facility.
__(Name of Business)__________________ through all levels of management, will cooperate with the Joint Occupational Safety and Health (JOSH) Committee or the Health & Safety Representative and workers to create a healthy and safe work environment. Cooperation should also be extended to others such as contractors, owners, officers, and so on.
The workers of (Name of Business) will be required to support this organization’s health and safety initiative and to cooperate with the JOSH Committee or Health & Safety Representative and with others exercising authority under the applicable laws. It is the duty of each worker to report to the supervisor or manager, as soon as possible, any hazardous conditions, injury, accident, or illness related to the workplace. Also, workers must protect their health and safety by complying with applicable Acts and Regulations and following policies, procedures, rules, and instructions as prescribed by __(Name of Business)______________.
_(Name of Business)______________ will, where possible, eliminate hazards and, thus, the need for personal protective equipment. If that is not possible, and where there is a requirement, workers will be required to use safety equipment, clothing, devices, and materials for personal protection.
__(Name of Business)________ recognizes the worker’s duty to identify hazards, and supports and encourages workers to play an active role in identifying hazards and to offer suggestions or ideas to improve the health and safety program.
Signed:
Title:
This policy has been developed in cooperation with the Committee, Health & Safety Representative, or workers.

—————————End of example—————————————

Clause 5.3: Organizational roles, responsibilities, and authorities

Top management must ensure that the responsibilities and authorities for relevant roles within the OH&S management system are assigned and communicated at all levels within the organization and maintained as documented information. Workers at each level of the organization must assume responsibility for those aspects of the OH&S management system over which they have control. While responsibility and authority can be assigned, ultimately top management is still accountable for the functioning of the OH&S management system. Top management must assign the responsibility and authority for ensuring that the OH&S management system conforms to the requirements of this document. There must be reporting on the performance of the OH&S management system to top management.

As per Annex A (Guidance on the use of ISO 45001:2018 standard) of ISO 45001:2018 standard it further explains:

Those involved in the organization’s OH&S management system should have a clear understanding of their role, responsibilities, and authorities for achieving the intended outcomes of the OH&S management system. While top management has overall responsibility and authority for the OH&S management system, every person in the workplace needs to take into account not only their own health and safety but also the health and safety of others. Top management being accountable means being answerable for decisions and activities to the organization’s governing bodies, legal authorities, and, more broadly, its interested parties. It means having ultimate responsibility and relates to the person who is held to account if something is not done, is not done properly, does not work, or fails to achieve its objective. Workers should be enabled to report hazardous situations so that action can be taken. They should be able to report concerns to responsible authorities as required without the threat of dismissal, disciplinary action, or other such reprisals. The specific roles and responsibilities identified in 5.3 may be assigned to an individual, shared by several individuals, or assigned to a member of top management.

Top management needs to ensure that the responsibilities and authorities for relevant roles are assigned, communicated, and understood throughout the organization. The scope and boundaries of the OH&S Management System must now be thoroughly examined and defined considering the aforementioned interested parties and their needs, plus resulting compliance obligations. Also requiring consideration are the OH&S Management System functions and physical boundaries, and all products, services, and activities, including the organization’s ability to exert control on external factors, with the results of the whole definition included in the OH&S Management System and kept critically as “documented information.” It requires the organization to define clear roles, responsibilities, and authorities throughout the organization.
It is recognized that overall responsibility for the OH&S management system falls to ‘Top Management’ however individuals must take account of their own health and safety and that of others. Consider documenting roles, responsibilities, and authorities within high-level and localized organizational charts. Individual policies and work instructions may also include responsibility and authority however competence must be considered. Top management is ultimately responsible for the OH&S management system, even if the day-to-day decisions related to occupational health and safety are delegated to others. What is delegated and to whom should be clearly and unambiguously communicated so that everybody understands who is responsible for what. Top management should assign responsibility and authority for:

  • Ensuring that the OH&S management system conforms to the requirements of ISO 45001;
  • Reporting on the performance of the OH&S management system to top management.

Since resources can be limited, opportunities should be sought out to integrate OH&S responsibilities within existing functions of the organization, such as manufacturing, facilities management, purchasing, and human resources. If other management systems are already in place, such as quality, environment, energy or food safety, synergies may exist where there are similar roles and responsibilities. This will enhance ownership of OH&S management across the organization and potentially create efficiencies. ISO 45001 requires that the responsibilities and authority of all persons who perform duties that are part of the OH&S management system be documented. These can be described and included in:

  • OH&S management system procedures;
  • Operational procedures and process maps;
  • Project and/or task descriptions;
  • Job descriptions;
  • Induction training packages.

Such documentation can, among others, be required for the following personnel:

  • Management at all levels in the organization, including top management;
  • Safety committees/safety teams;
  • Process operators and the general workforce;
  • Those managing contractors;
  • Those responsible for OH&S training;
  • Those responsible for equipment operation and maintenance;
  • Those responsible for facilities management;
  • Employees with OH&S qualifications, or other OH&S specialists, within the organization.

Care should be taken with the clarification of responsibilities at the interfaces between different functions (e.g. between departments, between different levels of management, between workers, between the organization and contractors and between the organization and its neighbors).

Some examples of Roles, responsibility, authority, and accountability 

1) Managing Director:

  • Overall responsibility for the performance of the Organization
  • Overall responsibility & accountability for the OHS System, directly or through a nominated executive
  • Chair the Management Review Meeting
  • Define the OHS Policy
  • Review and approve the OHS System manual and its amendments
  • Ensures adequate resources are available for effective implementation
  • Appoint Management Representative
  • Approval of Purchase Orders for capital items
  • Overall accountable for continual improvement of the OHS Management system

2) Cross-Functional Team:

  • Preparation of objectives and targets in consultation with Top Management
  • Conducting departmental reviews
  • Coordinate in providing resources for departmental elements of OHS.
  • Providing direction to the department on the design, implementation, and maintenance of OHS
  • Resolving corrective action issues
  • The MR is accountable for the effective implementation of OHS MS
  • Identify training needs for personnel directly reporting.

3) Legal Team:

  • Identify applicable legislation and other requirements.
  • Evaluate Legal compliance
  • Communicate the legal non-compliances
  • Hold review meetings on a legal requirement.
  • Update with latest legislations / amendments.
  • DGM-HR is accountable for compliance with OHS legal & other requirements.

4) Audit Team:

  • Conduct internal audits as per the audit schedule
  • Generate audit reports
  • Verify the audit closure
  • MR is accountable for conducting audit & NC closure

5) Emergency Response Team:

  • Review emergency response & preparedness manual
  • Train the people for emergency response
  • Conduct the role during the mock drill
  • To see that the entry of unauthorized persons to areas is restricted.
  • To check whether Fire Extinguishers are provided at appropriate places and are tested periodically.
  • To check that persons working are using proper PPE.
  • To train the personnel on safety & to identify key areas where safety is necessary
  • To identify safe assembly area
  • Impart safety awareness to all employees through in-house training as per the needs identified.
  • To check whether safety instructions have been prepared and displayed at relevant places through Operation control Instruction for use of Safety Personal Protective Equipment.
  • To see to the effectiveness of the emergency preparedness
  • An emergency response team has been constituted with personnel from all departments to review / initiate actions for potential emergency situations identified through the significant study.
  • To co-ordinate with the respective Function heads in identifying different types of emergency situations and to prepare an “onsite emergency plan” which briefly describes the action to be taken internally by the employees during an identified emergency situation.
  • To prepare an evacuation plan & to describe the plan for evacuation from the emergency area and to identify the gathering point.
  • To prepare mitigation actions after the emergency.
  • To organize Mock drills or Mock exercise, to test the Onsite emergency plan for the different identified emergency situations.
  • To make sure the Mock Drill records are maintained by the Safety Officer. To decide the possible changes needed in the emergency plans.
  • The safety officer is accountable for compliance with Emergency preparedness and response

6) First Aid Team:

  • The team should regularly monitor medicine availability in the box.
  • The First Aid personnel shall take care of the injured persons in case of an emergency condition.
  • The First Aid persons should take care that the injured persons are shifted to the hospital in time.
  • Admin Officer is accountable for maintaining adequate first-aid medicines, providing first aid to injured personnel.

7) Safety Committee:

  • Safety Committee shall meet as often as necessary but at least once in three months. The minutes of the meeting shall be recorded
  • Safety Committee shall have the right to be adequately and suitably informed
  • Functions and duties of the safety committee shall include:
    • Dealing with all matters concerning health, safety, and environment, and arriving at practical solutions to problems encountered.
    • Creating safety awareness among all the workers.
    • Undertaking educational, training and promotional activities.
    • Discussing reports on safety, environmental and occupational health surveys, safety audits, risk assessments, emergency and disaster management plans and implementation of the recommendations made in the reports.
    • Carrying out health and safety surveys and identifying the cause of accidents.
    • Looking into any complaint made on the likelihood of imminent danger to the safety and health of the workers and suggesting corrective measures, and
    • Reviewing the implementation of the recommendations made by it.
  • Incident investigation results & review of the effectiveness of the action taken.
  • Safety Officer is accountable for conducting safety committee meeting.

The activity-wise responsibilities are as shown below

| S. No | Activity | Responsibility |
|---|---|---|
| 1 | Appointing a Management Representative | Managing Director |
| 2 | Selection of CFT Members | MR |
| 3 | Review and approval of Policy | Prepared by MR, Reviewed & approved MD |
| 4 | Conducting Initial Review & Significant Impact / Risk Assessment | CFT |
| 5 | Setting up objectives and targets | MR & CFT |
| 6 | Establishing Management Program | MR & CFT |
| 7 | Approval of Management Program | Managing Director |
| 8 | Identification of Legal and Other Requirements | Legal Team |
| 9 | Providing resources for Implementation | Managing Director |
| 10 | Identifying training needs | CFT |
| 11 | Organising Training | HR Department |
| 12 | Internal Communication | As per defined Procedure |
| 13 | External Communication | |
| 14 | Document Control | MR |
| 15 | Operational Control Measurement & Monitoring | CFT |
| 16 | Emergency preparedness and response | Safety Officer & ERT Members |
| 17 | Review of Procedures after emergency | ERT |
| 18 | Calibration of Instruments | QA Deputy Manager |
| 19 | Handling and Investigating NC’s | MR & CFT |
| 20 | Initiating Corrective and Preventive action | MR & Resp Dept HOD’s |
| 21 | Maintaining Records | CFT |
| 22 | Conducting Audit | Trained Internal Auditors |
| 23 | Conducting Management Review | Managing Director |

—————————End of example—————————————

Clause 5.4: Consultation and participation of workers

The organization must establish, implement and maintain processes for consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, in the development, planning, implementation, performance evaluation, and actions for improvement of the OH&S management system. The organization must provide mechanisms, time, training, and resources necessary for consultation and participation. Worker representation can be a mechanism for consultation and participation. The organization must provide timely access to clear, understandable, and relevant information about the OH&S management system. It must determine and remove obstacles or barriers to participation and minimize those that cannot be removed. Obstacles and barriers can include failure to respond to worker inputs or suggestions, language or literacy barriers, reprisals or threats of reprisals, and policies or practices that discourage or penalize worker participation. The organization must emphasize the consultation of non-managerial workers while determining the needs and expectations of interested parties and establishing the OH&S policy. The organization must emphasize the consultation of non-managerial workers while assigning organizational roles, responsibilities, and authorities as applicable. The organization must emphasize the consultation of non-managerial workers while determining how to fulfill legal requirements and other requirements. The organization must emphasize the consultation of non-managerial workers while establishing OH&S objectives and planning to achieve them. The organization must emphasize the consultation of non-managerial workers while determining applicable controls for outsourcing, procurement, and contractors. The organization must emphasize the consultation of non-managerial workers while determining what needs to be monitored, measured, and evaluated. 
The organization must emphasize the consultation of non-managerial workers while planning, establishing, implementing, and maintaining an audit program. The organization must emphasize the consultation of non-managerial workers while ensuring continual improvement. The organization must emphasize the participation of non-managerial workers while determining the mechanisms for their consultation and participation. The organization must emphasize the participation of non-managerial workers while identifying hazards and assessing risks and opportunities. The organization must emphasize the participation of non-managerial workers while determining actions to eliminate hazards and reduce OH&S risks. The organization must emphasize the participation of non-managerial workers while determining competence requirements, training needs, training, and evaluating training. The organization must emphasize the participation of non-managerial workers while determining what needs to be communicated and how this will be done. The organization must emphasize the participation of non-managerial workers while determining control measures and their effective implementation and use. The organization must emphasize the participation of non-managerial workers while investigating incidents and nonconformities and determining corrective actions. Emphasizing the consultation and participation of non-managerial workers is intended to apply to persons carrying out the work activities but is not intended to exclude, for example, managers who are impacted by work activities or other factors in the organization. It is recognized that the provision of training at no cost to workers and the provision of training during working hours, where possible, can remove significant barriers to worker participation.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

The consultation and participation of workers, and, where they exist, workers’ representatives, can be key factors of success for an OH&S management system and should be encouraged through the processes established by the organization. Consultation implies a two-way communication involving dialogue and exchanges. Consultation involves the timely provision of the information necessary for workers, and, where they exist, workers’ representatives, to give informed feedback to be considered by the organization before making a decision. Participation enables workers to contribute to decision-making processes on OH&S performance measures and proposed changes. Feedback on the OH&S management system is dependent upon worker participation. The organization should ensure workers at all levels are encouraged to report hazardous situations so that preventive measures can be put in place and corrective action is taken. The receipt of suggestions will be more effective if workers do not fear the threat of dismissal, disciplinary action, or other such reprisals when making them.

The organization must establish, implement and maintain processes for consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, to continually improve the OHSMS. These clauses require engagement with work health and safety committees and existing workers’ representatives. The essence of any health and safety management system is for an organization to proactively and systematically engage with its workers, at all levels, to collaboratively prevent incidents, injury, and disease. There is considerable evidence that the effective participation of workers and the representation of their interests in OHS are crucial elements in improving health and safety performance at the workplace. This representation occurs through the use of health and safety representatives (HSRs). Clause 5.4 requires an organization to set up a health and safety management system process or processes to ensure the consultation and participation of all workers, including the representatives of workers. ISO 45001 also states that organizations are to support the establishment of health and safety committees, so that workers have an ongoing role in improving the organization’s health and safety management system and its outcomes, by:
• Developing
• Planning
• Implementing and
• Evaluating the organization’s health and safety management system and its outcomes.
This is done so as to proactively and systematically improve the organization’s health and safety management system and its outcomes in reducing injury, illnesses, disease, and fatalities. ISO 45001 also requires that the organization provides the necessary resources, training, and time through its mechanisms for consultation and participation when it decides to develop, plan, implement, evaluate the performance of, or improve its health and safety management system. Clause 5.4 also calls for the organization to give emphasis to the participation of workers who are not managers in the following:

  • Setting up processes for their consultation and participation
  • Hazard identification, risk assessment and opportunities for improving health and safety outcomes
  • Working on how to eliminate hazards and if not possible, then reducing remaining health and safety risks
  • Deciding health and safety risk controls and how to implement these effectively
  • Establishing: training needs, competence levels and the evaluation of training
  • Deciding the health and safety communication measures and the manner in which they are done
  • The investigation of health and safety incidents, including near misses and other types of exposures to hazards and their risks, including nonconformities with the health and safety management system, and decisions over actions to correct these.

Clause 5.4 specifically refers to giving emphasis to consulting workers who are not managers in the following:

  • Drawing up the work health and safety policy.
  • Working out who has what health and safety roles.
  • The determination of the organization’s fulfillment of their legal and other requirements.
  • Designing the health and safety objectives for the organization including plans for their achievement.
  • Working out risk management processes in the use of outsourcing, contractors, and procurement.
  • Decisions over implementing, monitoring, measuring and evaluating elements of the organization’s health and safety management system.
  • Decisions over applying the audit process, including the audit plan and its establishment, implementation and maintenance.

ISO 45001:2018 Clause 4: Context of the Organization


This clause underpins the 2018 Standards and establishes the context of the Occupational Health and Safety Management System (OHSMS). This clause is found in all ISO management system standards, and it requires the organization to determine all internal and external issues that may be relevant to the achievement of the objectives of the OH&S Management System itself. This includes all elements which are, and may be capable of, affecting these objectives and outcomes in the future. It gives you the opportunity to identify all internal and external issues that are relevant to, and may affect, the strategic direction of the organization and the OHSMS. You will also need to identify the needs and expectations of workers and other interested parties that are relevant to your management system. These groups can include workers, shareholders, subcontractors, regulatory groups, etc. Finally, you’ll need to establish, implement, maintain and continually improve the management system.

This clause ‘sets the scene’ for the organization and the scope and boundaries for the occupational health and safety management system. Importantly, ISO 45001 should be aligned to the strategic direction of the organization, embedding OH&S management into the core business functions, rather than as a stand-alone discipline. Within this clause the organization has to determine the internal and external factors that may affect its ability to achieve the intended outcomes of its OH&S MS. Externally this may be issues such as socio-economic and political instability; internally, it may be issues such as restructuring, acquisitions or new products. The organization is also required to determine the needs and expectations of ‘interested parties’ with regard to the OH&S MS. This means that the system cannot operate in isolation: those who have an interest in the outcomes of the OH&S MS (workers, shareholders, legal authorities, contractors, etc.) have to be considered.
Most organizations will have worked through these two aspects as part of their overall risk and opportunity management (and/or if they have other ISO standards) but it is important for ISO 45001 that these issues are expressly considered against the intended outcomes of the OH&S MS. How could political insecurity or an organizational restructure put workers’ health and safety at risk? Or provide an opportunity to improve the workplace? The final scope for the OH&S MS must be documented. This helps to evidence the integrity of the MS. It would be unacceptable to exclude a particular part of the business or site due to poor health and safety performance. Remember the aim for the OH&S MS: to prevent injury and ill-health and provide a safe and healthy workplace. Excluding a particular part of the business would undermine the overall credibility of the organization.

Clause 4.1: Understanding the Organization and Its Context

The organization should determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its OH&S management system.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

An understanding of the context of an organization is used to establish, implement, maintain and continually improve its OH&S management system. Internal and external issues can be positive or negative and include conditions, characteristics, or changing circumstances that can affect the OH&S management system, for example:
a) external issues, such as:
1) the cultural, social, political, legal, financial, technological, economic, and natural surroundings and market competition, whether international, national, regional, or local;
2) introduction of new competitors, contractors, subcontractors, suppliers, partners and providers, new technologies, new laws, and the emergence of new occupations;
3) new knowledge on products and their effect on health and safety;
4) key drivers and trends relevant to the industry or sector having an impact on the organization;
5) relationships with, as well as perceptions and values of, its external interested parties;
6) changes in relation to any of the above;
b) internal issues, such as:
1) governance, organizational structure, roles, and accountabilities;
2) policies, objectives, and the strategies that are in place to achieve them;
3) the capabilities, understood in terms of resources, knowledge, and competence (e.g. capital, time, human resources, processes, systems, and technologies);
4) information systems, information flows and decision-making processes (both formal and informal);
5) introduction of new products, materials, services, tools, software, premises, and equipment;
6) relationships with, as well as perceptions and values of, workers;
7) the culture in the organization;
8) standards, guidelines, and models adopted by the organization;
9) the form and extent of contractual relationships, including, for example, outsourced activities;
10) working time arrangements;
11) working conditions;
12) changes in relation to any of the above.

It requires an organization to assess both internal and external influences in formulating and implementing a health and safety management system. In addition to the traditional customer, economic and competitive factors, it notes that these influences can include how laws, technical developments, and even political/cultural/social changes might impact the mission of the organization, whether their origin is local, regional, national or international. It specifically wants the ISO 45001 directed health and safety effort to address the requirements of Clauses 4.2, 4.3, and 4.4.

The organization must understand the internal and external issues that can impact in a positive or negative manner its health and safety performance including, inter alia, organizational culture and structure, and the external environment including cultural, social, political, legal, financial, technological, economic, market competition and natural factors of significance to its performance. The company will be required to identify all relevant internal and external issues including conditions, characteristics, or changing circumstances that can affect its occupational health and safety management system and then address those that require further attention. External issues include the following:

  1. The cultural, social, political, legal, financial, technological and economic conditions in which the company operates, whether at the international, national, regional or local level.
  2. The legislative framework in which the organization operates including statutory, regulatory and other forms of legal requirements, and competition and market conditions.
  3. Relationship with contractors, suppliers, partners and other external interested parties.
  4. Key drivers and trends of relevance to the industry or sector in which the organization operates.

Internal issues include:

  1. The size and complexity of the organization and the nature of the activities carried out therein.
  2. The strategic direction of the organization, its policies, and objectives.
  3. Organizational governance and structure, roles and accountabilities.
  4. The capability and capacity of the organization in terms of resources, knowledge, and competence (e.g. capital, employee competencies, processes, systems, and technologies).
  5. Information systems: information flows and decision-making processes (both formal and informal) and the time frame within which they are accomplished.
  6. The process for introducing new products, materials, services, tools, software, premises, and equipment.
  7. Organizational style and the health and safety culture of the organization.
  8. The form and extent of contractual relationships, including, for example, outsourced activities.
  9. Working time arrangements.
  10. Working conditions.

An understanding of the organization and its context can be achieved at a strategic level by using techniques such as Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis, and Political, Economic, Social, Technological, Legal, and Environmental (PESTLE) analysis. Alternatively, depending on the size and complexity of its operations, the organization can use a simpler approach, such as brainstorming and asking, “what if” questions. A formal process or documented information is not required in order to satisfy the requirements of this sub-clause – the onus is on each organization to adopt the approach best suited to its circumstances. However, the process adopted by the organization to develop an understanding of its context should guide its efforts to plan, implement, maintain and continually improve its occupational health and safety management system. It is recommended that the organization documents and periodically updates the process and its results as needed. The results can be used to assist the organization in:

  1. Setting the scope of its OH&S management system.
  2. Determining the risks and opportunities that need to be addressed.
  3. Developing or enhancing its OH&S policy.
  4. Establishing its OH&S objectives.
  5. Fulfilling its compliance obligations.

Clause 4.2: Understanding the Needs and Expectations of Workers and other Interested Parties

The organization must determine the other interested parties, in addition to workers, that are relevant to the OH&S management system. The organization must also determine the relevant needs and expectations (i.e. requirements) of workers and other interested parties. The organization must also identify the needs and expectations which could become legal requirements and other requirements.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

Interested parties in addition to workers can include:
a) legal and regulatory authorities (local, regional, state/provincial, national or international);
b) parent organizations;
c) suppliers, contractors, and subcontractors;
d) workers’ representatives;
e) workers’ organizations (trade unions) and employers’ organizations;
f) owners, shareholders, clients, visitors, local community and neighbors of the organization and the general public;
g) customers, medical and other community services, media, academia, business associations, and non-governmental organizations (NGOs);
h) occupational health and safety organizations, occupational safety, and health-care professionals.
Some needs and expectations are mandatory; for example because they have been incorporated into laws and regulations. The organization may also decide to voluntarily agree to, or adopt, other needs and expectations (e.g. subscribing to a voluntary initiative). Once the organization adopts them they are addressed when planning and establishing the OH&S management system.

This requirement addresses the desires and demands of all those who may have an interest in the organization and could impact its mission and who, in turn, should then influence its OHSMS. It asks those seeking ISO 45001 certification to have an ongoing system for determining these influences.

Clause 4.1 requires the organization to understand the internal and external issues that can impact in a positive or negative manner its health and safety performance including, inter alia, organizational culture and structure, and the external environment including cultural, social, political, legal, financial, technological, economic, market competition and natural factors of significance to its performance. Consideration of the above will aid the identification of interested parties and their needs and expectations. ISO 45001 defines an interested party or stakeholder as “a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity”. ISO 45001 requires the organization to determine:

  • The other interested parties, in addition to workers, that are relevant to the OH&S management system.
  • The relevant needs and expectations or requirements of workers and other interested parties.
  • Which of these needs and expectations are or could become legal and/or other requirements.

Interested parties in addition to workers can include:

  • Legal and regulatory authorities such as the Health and Safety Authority (HSA)/Health and Safety Executive (HSE).
  • Kuwait Agency for Safety and Health at Work.
  • Owners, shareholders, the parent company.
  • Suppliers, contractors and subcontractors.
  • Workers’ representatives such as safety representatives/safety councils/health and safety committee.
  • Trade unions and employers’ organizations.
  • Clients.
  • Visitors.
  • Local community and neighbours of the organization.
  • The general public.
  • Medical and emergency services.
  • The media.
  • Non-governmental organizations (NGOs).
  • Occupational health and safety organizations such as IOSH.
  • Occupational safety and health-care professionals.

Some needs and expectations are mandatory because they have been incorporated into laws and regulations. For example, the Safety, Health, and Welfare at Work (Chemical Agents) Regulations 2001 and the Control of Substances Hazardous to Health Regulations 2002 (COSHH) require the organization, if applicable, to ensure that the exposure of employees and other persons to hazardous substances is either prevented or adequately controlled. The organization must assess the risks posed by hazardous substances to decide what precautions are needed to prevent or adequately control exposure. It must also ensure that the control measures are used and maintained. If necessary, the exposure of employees to hazardous substances should be monitored and appropriate medical surveillance should be carried out. Plans and procedures should be prepared to deal with accidents and incidents that involve hazardous substances. Employees should be properly informed, trained, and supervised.

The organization may also decide to voluntarily agree to, or adopt, other needs and expectations such as subscribing to a voluntary initiative. Once the organization adopts these needs and expectations they are addressed when planning and establishing the OH&S management system. Employees indubitably constitute the organization’s most significant interested party, whose needs and expectations must be identified and addressed. The organization should seek out their views on health and safety concerns regarding work activities, products or services. It should follow up on inquiries, requests, complaints or suggestions made by employees to learn more about their expectations. The health and safety committee is an excellent forum for the gathering and evaluation of workers’ concerns. The organization should take the time to understand the relevant interested parties’ needs and expectations and determine the ones that are relevant to the OH&S management system and should be addressed.

Clause 4.3: Determining the Scope of the OH&S Management System

The organization must determine the boundaries and applicability of the OH&S management system to establish its scope. When determining this scope the organization must consider the external and internal issues and take into account the legal and other requirements identified from the needs and expectations of workers and other interested parties. The organization must take into account the planned or performed work-related activities. The OH&S management system must also include the activities, products, and services within the organization’s control or influence that can impact the organization’s OH&S performance. The scope must be documented.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

An organization has the freedom and flexibility to define the boundaries and applicability of the OH&S management system. The boundaries and applicability may include the whole organization, or (a) specific part(s) of the organization, as long as the top management of that part of the organization has its own functions, responsibilities, and authorities for establishing an OH&S management system.
The credibility of the organization’s OH&S management system will depend upon the choice of the boundaries. The scope should not be used to exclude activities, products, and services that have or can impact the organization’s OH&S performance, or to evade its legal requirements and other requirements. The scope is a factual and representative statement of the organization’s operations included within its OH&S management system boundaries that should not mislead interested parties.

Because of this wider range of interested parties, the standard requires the scope of the OH&S management system to potentially be widened to include how the needs of the relevant groups noted above can be addressed as the organization delivers its products and services.
The scope of the OH&S management system must be defined, stating which parts of the workplaces associated with the plant/factory and the office/administration are included in the system.
Once the scope is defined, an organization must include in the OH&S management system the activities, products, and services that it controls or influences and that can impact its OH&S performance. Clause 4.1 requires the organization to understand the internal and external issues that can impact in a positive or negative manner its health and safety performance including, inter alia, organizational culture and structure, and the external environment including cultural, social, political, legal, financial, technological, economic, market competition and natural factors of significance to its performance. Clause 4.2 requires the organization to identify relevant interested parties and their needs and expectations.

Once the organization has determined and assessed its internal and external issues and identified the needs and expectations of relevant interested parties, including its workforce, it should then define the boundaries and applicability of the OH&S management system. The scope of the OH&S MS can include the whole organization, or specific and identified functions or sections of the organization. Therefore, if the organization makes a statement that it conforms to ISO 45001, then it must make the scope of the management system available so that interested parties clearly understand what parts of the organization are covered. The scope of the management system should include everything under the organization’s control or influence that could impact its OH&S performance. The credibility of the organization’s OH&S management system will largely depend on the extent of the defined boundaries. Under no circumstances should the scope be used to exclude activities, products or services that have or could have the potential to impact the organization’s OH&S performance, or to evade its legal and other requirements. An inappropriately narrow or exclusive scope could undermine the credibility of the organization’s OH&S management system with its interested parties and reduce its ability to achieve the intended outcomes of the occupational health and safety management system. The scope is a factual statement of the organization’s operations or business processes to be included within its OH&S management system boundaries. Once the scope is defined, the concept of ‘organization’ is limited to what the scope covers, e.g. if the scope of the OH&S management system is limited to a particular function or section of the organization, the remainder of the organization is then considered to be an external provider or other interested parties. The organization should maintain the scope of the OH&S management system as documented information and make it available to interested parties.
There are several methods for so doing, e.g. using a written description, inclusion on a site map, an organizational diagram, a webpage, or posting a public statement of its conformity. When documenting its scope, the organization should consider using an approach that identifies the activities or processes involved, the products or services that ensue, and the location(s), where they occur.

An example of how a scope could be derived

Company Overview

LLL is a manufacturer and installer of electronic controllers and power supplies for passenger and goods lifts within buildings. This extends to industrial settings, including petrochemical and mines. The business is based in Kuwait. Kuwait is well placed geographically to act as the gateway to the Persian Gulf, the European continents, and Africa. Situated on the northern edge of Eastern Arabia at the tip of the Persian Gulf, it shares borders with Iraq and Saudi Arabia. There are good aviation links to America and Europe.

Our company growth strategy is linked heavily with the construction, petrochemicals, and mining markets within differing jurisdictions. Our fiscal growth plan requires the business to grow with a projected turnover from 7m KWD to 7.5 KWD within two years and an increase in profit from 8% to 11%. Other strategies may result in a move to base the organization within more preferential tax regimes to assist in the growth and profit objectives. The growth plan will require engagement as tier-one suppliers, into established and specialist lift manufacturers, in addition to developing a reputation as installers of lift power supplies and controllers into hazardous environments. It is therefore crucial that not only must our products be suitable for those environments, but also our installation teams must perform well within high safety performance cultures and be capable of immediate compliance with the safety requirements of our customers. Offices for installation and commissioning teams will be established in the main conurbations. Technical sales support for specifiers and lift manufacturers will be country-based.

The company enables its customers to meet their compliance requirements of ISO 45001, local and government legislation, and regulations. The OH&S Management System (OH&S MS) serves to formalize the policies, processes, and operating standards that will apply to the company’s employees, partners, and contractors. Successful growth would permit the penetration into wide markets with an objective to standardize controllers. After-sales service is therefore critical to our reputation and growth. Combining this with our expertise in the local, regional and national markets gives us increasing leverage in sales through our undoubted ability to produce bespoke solutions at short notice and compliant with hazardous environments.

The global perspective of the business demands that we not only comply with but exceed the requirements of national laws. LLL is to earn a reputation as an ethical employer. Whilst an excellent work ethic is to be expected from our employees, overwork will not be tolerated. The management of work-related upper limb disorders (WRULD) and matters such as absenteeism, through stress management, are vital to our success. Our Human Resources Department will be active and instrumental in achieving this goal. Our reputation for safety leadership is such that we must be seen to occupy the center stage amidst our competitors and be perceived as such by our valued customers.

External and Internal Issues

The company determines the external and internal issues that are relevant to its purpose and strategic direction and that affect its ability to achieve the intended results of the OH&S MS. Consideration is given to the:

  • Positive and negative factors or conditions.
  • External context and issues, such as legal, regulatory, technological, competitive, cultural, social, political and economic environments.
  • Internal context and issues, such as values, culture, organization structure, knowledge and performance of the business.
  • Determination and requirements of the needs and expectations of interested parties relevant to the OH&S MS.
  • Authority and the ability to exercise control and influence.
  • Activities, products, and services relevant to the business.
  • Documented information is retained as evidence to support that the context of the organization has been taken into account in the OH&S MS.

External issues

1. Purpose of the Company

The vision of the company is to become the predominant partner for lift controllers and power supplies in high hazard industries and to develop equipment and techniques that are considered the safest in the world. This is to be enhanced with reliable staff to install and where necessary maintain their installations. External issues relevant to health and safety are identified below. Risks and opportunities associated with these are contained in the organization’s risk assessments.

2. Site Context

The company operates manufacturing, a research center, and an installation team. (Issue: Legal Compliance)
The legal environment in Kuwait contains, amongst other things, statutory requirements contained in the Occupational Health and Safety Act. Health and safety statutory regulations are enforced within Kuwait and civil liability may attach to incidents within the workplace. The structure of safety is not dissimilar to that within the UK and therefore, given the very extensive provisions for health and safety within the UK, it is considered that UK legislation and practice will be adopted unless this fails to satisfy Kuwait requirements, in which case the more demanding requirements will be met. The Department of Occupational Safety and Health regularly inspects operators and responds to complaints. (Fines and legal costs)

3. Market Pressures

In recent years, the company has had an increase in requests from customers for its safety record and control methodology. This has especially been the case where there has been a need to install on-site and to supply to the petrochemical and raw material processing industries. Also of note are high-profile architectural skyscrapers with attendant security controls.

Reliability of components is regarded as being equally important to customers as health and safety during construction and maintenance. LLL has not been able to respond adequately to requests for information and has failed prequalification in a number of instances. (Stakeholder complaints, evaluation of compliance with customer requirements).

Guidance documents on health and safety responsibilities have been published by relevant local industry trade associations and the Department of Occupational Safety and Health (DOSH), and the company is beginning to make use of those. (Concern: Stakeholder complaints, legal compliance)

In response to international market pressures and to ensure that the company’s stakeholder needs were being met, the management of the company authorized the implementation of a health and safety management system that meets the requirements of ISO 45001:2018. The company decided not to acquire third-party certification of the system. (Loss of stakeholder confidence)

4. History

The company was formed 40 years ago and has always operated at the Ahmedi. Early production focused on servicing local and regional customers. More recently, with increasing demand for high-quality products and site-based installation and service, demand has grown into more complex installations. Company expansion followed and the company now holds a number of key accounts with property owners, construction companies, and one petrochemical organization, though inquiries are increasing from the petrochemical and mining sectors. (Legal compliance, not meeting stakeholder interests)

Internal Issues

The company already had an integrated management system that incorporates quality and environmental management. The company started developing its formal health and safety management system last year. The Head of SHEQ was initially charged with the responsibility of implementing the system by the Board. Later, responsibility for the management system was given to a new post (Health and Safety Manager). The Head of SHEQ has overall responsibility for maintaining any documents as part of the integrated environment, health and safety, and quality system. Consequently, the Head of SHEQ wrote most of the health and safety documents including risk assessments, processes, and procedures. Time pressures effectively excluded any practical contribution from other managers. (Lack of consultation & participation, culture & loss of staff and associated competence)

LLL employs 255 personnel, of which: 20 are in R&D and testing; 140 personnel work over three shifts within the manufacturing center; 50 Installation team; 20 Delivery and distribution; and 25 Sales. Kuwait has a legal structure of Acts, Regulations, and Guidance for the management of health and safety. The requirements of LLL and their partners are to comply with local legislation and additional good practice. There is also a requirement to implement and monitor corporate objectives. These corporate objectives are provided on 1 January each year to the Managing Director of its Holding company.

The manufacturing process

LLL designs, develops, assembles, transports, installs, commissions, and maintains lift controllers and associated items for passenger and goods lifts. It also arranges transportation of the finished product to the Asian market. Approximately 20% of the site is taken up by the Prospect Heights Factory, of which the ground floor is entirely occupied by the assembly and materials storage areas including finished product. There is very little space to spare, and stores on site are kept to a minimum, relying on ‘just in time (lean)’ delivery of materials. First floor offices contain production administration, Sales & Purchasing, Executive functions, and staff canteen facilities. A separate R&D testing laboratory for developing controllers and switchgear is also present.

Occasionally work is carried out over the weekends, mainly for maintenance or to accommodate extra work for urgent, complex, or large orders. Key components are bought into the company; frames are cut to size; electronic printed circuit boards (PCBs) are designed; PCB boards are made by an outsourced supplier, and then populated; inserted into cabinets; moved to the test areas; tested; packaged and sent to site for either installation by subcontractor or installation by LLL installation team. In addition, research and development of electronic controllers take place within established test areas, as does bespoke design and population of printed circuit boards. The organization hopes to corner the market with its unique design for controllers and therefore the R&D function is critical to their business success. The key steps in the manufacturing process are:

  1. Designers or technical sales gather key performance data for the desired product. This is passed to the production planners who determine the through-put into the production department and associated delivery dates.
  2. The printed circuit boards are requested from specialist suppliers; the boards are checked for defects and provided to production to populate with electronic components. This process can take some time to achieve.
  3. The populated boards are passed through the wave solder machine. There are a number of issues in connection with this machine. There is fume from the solder and, on occasion, the machines have to be cleaned. There are fire risks and burn risks, all of which are managed successfully through good practice and PPE.
  4. Completed circuit boards are sent to QA for checking and QC.
  5. The full-size plan for the design for the frame and panel is printed out with a plotter and used as a full-size template. The production team lay this out on benches and begin to cut components to size and construct the frame. We have many problems with backs, and long periods spent doing this seem to create H&S issues.
  6. Steel channel is cut to size with cutting wheels.
  7. A hole is drilled to receive the electrical components.
  8. The electrical components are secured onto the frame ready for wiring. The wiring process is very fiddly and some employees only wish to do this for short periods.
  9. All electrical components are degreased before final location into the frame. This is often completed by hand using turpentine. Again some employees complain of dermatitis although we believe that the cause lies outside of the work environment.
  10. The assembled frame is mechanically or manually handled into the cabinet. This involves some manual handling.
  11. The cabinet is wheeled on a trolley into the test area where it is tested and electrically H&S checked.
  12. It then moves to the packaging and dispatch area for palletizing and loading onto lorries as required.
  13. All components are kept inside the manufacturing area as adverse atmospheric conditions may detrimentally affect individual components.

Cassettes for populating the printed circuit boards with the smaller components. The larger components are inserted manually.

Wave solder machine for lead-free soldering. The apron is worn when cleaning the machine. There have been problems with the ventilation but this has not affected production.

Assembly area for producing controller boxes. This requires the use of abrasive wheels. There can be sparks that occur from the cutting and noise is only a problem in short bursts.

Tool bench and jig table for assembly of panels.

Assembly of the electronic relays and switches. Stooping over the benches for hours is required.

Cable reels on a freestanding jig with other tools and equipment to construct electronic panels.

Open panel ready to receive the electrical components.

Assembled frame put into the cabinet. View of the internal electronic controls (relays and switches).
Transporting panels within the factory on trolleys.
Panels for testing within the test centre located with R&D.
Forklift trucks located at goods in for loading and unloading components and panels.

Interested Party | Needs, Expectations, and Issues

Owners/Shareholders
  • Have a growing business that provides the profit.
  • Be well governed and well managed.
  • Want staff to enjoy their work, be challenged, perform their job competently and meet the company and customer requirements.
Customers
  • Value for money.
  • A simple solution that makes managing compliance easier.
  • Implementation of the product in-line with customer expectations.
  • Receive responsive support.
  • Delivery of free content to educate around compliance.
Suppliers/Contractors
  • Ongoing and secure work.
  • To be paid on time.
  • A clear understanding of requirements.
  • Constructive feedback.
  • Want to provide services/products to a reliable, reputable and financially viable business
Partners
  • Make them more financially secure through additional revenue from Mango sales.
  • Enable them to change their business model from hour-based to value-based income.
  • Want a solution that they can sell, promote and support that will assist their clients to manage compliance.
  • Provide great support and knowledge to help them support their customers.
Employees within business
  • Job security.
  • A salary for work performed.
  • Flexible work hours.
  • A clear understanding of their role and responsibilities.
  • Able to raise issues of concern and provide constructive feedback.
  • Good, friendly work environment.
  • To feel valued and appreciated.
  • Opportunities for personal development.
Regulators
  • To meet the required laws and regulations.
  • To submit all tax obligations accurately and on time.
  • To maintain high standards of corporate governance.
Community
  • Good corporate citizen.
  • Diversity of employees.

Vision, Mission, and Values

Vision: “Gets everyone involved and participating in QHSE”
Mission: Makes compliance enjoyable.
Values: Our customers are successful in compliance

Strengths and Weaknesses
  • Provider of a great quality product.
  • Provider of great support for the product.
  • Responsive development to market requirements.
  • Responsive to identified software issues.
  • The depth of knowledge of the buyer’s persona.
  • Regular delivery of free content.
  • Low client turnover relative to the industry.
  • Quick deployment of product post-sales.
  • Deep knowledge of customer’s pain
  • Adaptable, responsive and able to make decisions.
  • Flexible to meet a wide range of customer service issues.
  • Open to suggestions for improving the product
  • Owners have recognized the need to have external expertise to grow the business.
  • Looking at ways of improving the business.
  • Identification of good partners to meet our standards/ requirements.
  • Managing and review partner performance
  • Too operational and not strategic enough for partners
  • Reliance on key employees within the business.
  • Time-poor in a few key areas.
  • Don’t have strong relationships with industry players.
  • Measurable marketing outcomes based on known starting points
Opportunities and Threats
  • Changes to standards in our core markets: ISO 45001, H&S Act, Food Safety.
  • New technologies
  • Partnering with other solutions: Software and Hardware
  • New focussed markets.
  • Certification to ISO 45001 will open up other market opportunities through the marketing of the process.
  • More marketing via additional platforms
  • To educate the industry in compliance.
  • Competition
  • Technology

Key Business Strategies

Strategies | Description
Develop business processes to accommodate the expected growth.
  • Develop and implement business processes that are suitable for business.
  • Achieve certification to ISO 45001.
  • Transfer of knowledge to partners and employees for all key processes.
  • Use technology to manage as many processes as appropriate
Improve the efficiency and effectiveness of the core processes
  • Identify the core processes (i.e. development and release, sales, marketing, implementation, support)
  • Identify new ways (e.g. lean techniques) of doing the core processes.
  • Update and embed the core processes to ensure knowledge is retained
Personnel to be capable of delivering the growth for the business
  • Key leadership personnel to be capable of leading and managing their staff.
  • Competency gaps to be identified by leadership personnel
  • Personnel to be assessed as competent for their role
  • Personnel to receive training for the role
  • Personnel to receive appropriate experience to do the role
Grow market share in all markets
  • Identify and train new partners
  • Continuously review partner performance
  • Identify changes to legislation, standards, and regulation
  • Identify key market verticals in each jurisdiction
  • Increase the number of qualified leads by creating more content and delivery across multiple channels
  • Improve the sales conversion rate from qualified leads to sale

Scope

Our health and safety management system addresses all employees and customers affected by the manufacture and installation of our lift controllers and power supplies to our customers. The OH & S MS describes how the company requirements are to be addressed throughout its operations and addresses the requirements of ISO 45001:2018.

—————————End of example—————————————

Clause 4.4: OH&S Management System

The organization must establish, implement, maintain and continually improve an OH&S management system, including the processes needed and their interactions, in accordance with the requirements of this document.

Annex A (Guidance on the use of ISO 45001:2018 standard) of the ISO 45001:2018 standard further explains:

The organization retains the authority, accountability, and autonomy to decide how it will fulfill the requirements of this document, including the level of detail and extent to which it:
a) establishes one or more processes to have confidence that it (they) is (are) controlled, carried out as planned and achieve the intended outcomes of the OH&S management system;
b) integrates requirements of the OH&S management system into its various business processes (e.g. design and development, procurement, human resources, and sales and marketing).
If this document is implemented for a specific part(s) of an organization, the policies and processes developed by other parts of the organization can be used to meet the requirements of this document, provided that they are applicable to the specific part(s) that will be subject to them and that they conform to the requirements of this document. Examples include corporate OH&S policies, education, training and competency programmes, and procurement controls.

An organization must establish, implement, maintain and continually improve an OH&S management system, including the processes needed and their interactions, in accordance with the requirements of ISO 45001.
For the OH&S Management System, the organization can decide how it will fulfill the requirements of ISO 45001, including the level of detail and extent to which it will:

  • Integrate requirements of the OH&S management system into its various business operations, such as design & development, procurement, human resources, sales, and marketing.
  • Incorporate the issues associated with its context (4.1), its interested party requirements (4.2), and the scope (4.3) of its OH&S management system.
  • Make use of policies and processes developed by other parts of the organization, such as corporate OH&S policies, document management system, competency programs, and procurement controls.
  • Document the process properly, including updates, and make it available to all involved.

Clause 4.4 requires the organization to establish, implement, maintain and continually improve its OH&S management system, including the processes needed and their interactions. The OH&S management system should reflect the context of the organization, be proportionate to its size and complexity, and be properly resourced. An OH&S management system should be viewed as an organizing framework that should be continually monitored and periodically reviewed to provide effective direction for an organization’s responses to changing internal and external issues.

The OH&S management system should be aligned and integrated with other business processes to ensure that OH&S performance is not compromised in order that other business objectives can be achieved, e.g. sacrificing health and safety for the sake of achieving productivity objectives. It is imperative that OH&S requirements are aligned and integrated with the organization’s management practices and business processes. For example, if an organization conducts an annual strategic review of its market position, customer needs and expectations, and business performance, then it is more effective to incorporate an understanding of the internal and external issues that can impact on its health and safety performance, interested party needs and expectations, and OH&S performance into that process. By doing so, occupational health and safety issues can be evaluated in light of the organization’s strategy, and OH&S initiatives can be aligned with other business imperatives.

The organization should consider the application of a PDCA approach towards its OH&S management system as follows:

  • Plan – decide what the organization wants to achieve (considering internal and external issues, the needs of interested parties, and risks and opportunities), and put in place the necessary processes and resources.
  • Do – put the plans into action.
  • Check – monitor and measure processes and performance against requirements and what you want to achieve.
  • Act – take actions to deal with nonconformities and to improve OH&S performance.


Figure: OH&S process map

ISO 45001:2018 OH&S management system

Occupational Health and Safety Management System

The ISO 45001 standard provides a framework for managing the prevention of work-related injuries, ill health, and death. The intention of this international standard is to improve and provide a safe and healthy workplace for workers and other persons who may be interacting with the organization. This includes the development and implementation of an OH&S policy and objectives which take into account applicable legal requirements and other requirements to which the organization subscribes. Organizations worldwide recognize the need to provide a safe and healthy working environment, reduce the likelihood of accidents and demonstrate they are actively managing risks. ISO 45001, the international standard for occupational health and safety, will provide an internationally accepted framework that will help protect employees as well as protecting the longevity and health of an organization. The standard is flexible and can be adapted to manage occupational health and safety in a wide range of organizations, including large organizations and enterprises, small and medium-sized enterprises, and public and not-for-profit organizations. Although organizations tend to use generic health and safety guidelines or national and consortia standards, none of these demonstrate global conformity. There was a worldwide need to harmonize health and safety management systems using an international standard and sharing best practices. This can be seen at local, national, regional, and global levels, applying to both developing and developed countries. With an international standard to refer to, together with the right infrastructure and training, organizations will be able to address these risks better in the future.

This standard does not state specific criteria for OH&S performance, nor does it provide a specific method for the design of the OH&S Management System. This International Standard is applicable to any organization that wishes to:

  • establish, implement and maintain an OH&S Management System to improve occupational health and safety, eliminate or minimize OH&S risks (including system deficiencies), take advantage of OH&S opportunities, and address OH&S Management System nonconformities associated with its activities;
  • continually improve its OH&S performance and achieve its OH&S objectives;
  • assure itself of the conformity to the OH&S policy;
  • demonstrate conformity with the requirements of this International Standard.

According to ISO 45001, the Occupational Health and Safety Management System is part of the organization’s overall management system used to achieve the OH&S policy. The intended outcomes of the OH&S Management System are to provide a safe and healthy workplace for all employees/workers. Consequently, effective OH&S management promotes business efficiency, reduces costs, and makes good business sense.
According to ISO 45001, a worker is defined as a person performing work or work-related activities under the control of the organization. For instance, individuals perform work or work-related activities under various arrangements: paid or unpaid, on a regular or temporary, intermittent or seasonal, casual or part-time basis. ISO 45001 is the first Occupational Health and Safety Management System standard to be fully compliant with the new guidelines of the Annex SL and to have a common content structure and terms and definitions to other management system standards. This means that ISO 45001 is fully aligned with all other management systems (related) standards that have also adopted the Annex SL framework.
This international standard does not address issues such as product safety, property damage, or occupational health and safety impacts; it addresses the risk that the working environment and/or conditions pose to workers, visitors, vendors, and other relevant interested parties. ISO 45001 can be used entirely or partially to systematically improve the OH&S management system. However, claims of conformity to this standard are not acceptable unless all of the standard’s requirements, without exclusion, are incorporated into an organization’s OH&S Management System.

Introductions

The world that we live in has experienced rapid changes in technology, competition, economy, education, and so on. It is constantly evolving and advancing, and so are human expectations and demands. In order to compete in a continuously changing world, organizations need to establish a variety of approaches to keep up with industry trends. Consequently, organizations have to adapt in order to succeed in these fast-paced and complex environments. These changes often involve multinational supply chains and those operations that organizations have outsourced. The differences between nations, organizations, and societies also form part of these complexities. Therefore, effective management is crucial and of a high priority at the board level.
For an organization, it is not sufficient to only be profitable, it is also important for them to have reliable systems of internal controls covering those risks related to occupational health and safety, the environment, and the reputation of the business. Each organization is responsible for the health and safety of its employees and others who may be affected by its activities. Organizations need to operate ethically, as well as, comply with the respective laws in these matters.

Statistics published by the ILO (International Labour Organization) indicate that: “more than 2.78 million deaths occur annually due to occupational accidents or work-related diseases, in addition to 374 million non-fatal injuries and illnesses, many of which result in extended absences from work.” Seemingly, this enormous number of affected workers is of very high concern to organizations and society as a whole. These statistics are clear evidence that organizations around the world need to implement health and safety management systems. Likewise, the health and safety of workers are increasingly becoming a priority for most nations and societies.
Furthermore, according to certain estimations – over 40 million new jobs will be created annually by 2030, following the world’s population growth. Therefore, reducing the number of incidents that may result in high numbers of deaths (even by a small percentage) would be considered a great achievement. However, as a consequence, there will be a high demand for “best practice” standards to assist organizations with improvements in health and safety. These trends led to the need for the development of a recognized standard in all geographical areas, states, cultures, and jurisdictions, as a reference point for health and safety management; promoting better communication on common issues.
The ISO’s aspiration is that “the ISO name and the recognition will give further credibility to the new Standard and lead to even wider adoption of health and safety management systems in the workplace.” Correspondingly, following a standard for occupational health and safety will help organizations reduce accidents and occupational diseases, avoid costly prosecutions, reduce insurance costs, enhance the public image & business reputation, and establish a positive culture for the organization where all stakeholders see that their needs are taken into account. ISO 45001 is the new international standard for Occupational Health and Safety Management Systems published by the International Organization for Standardization (ISO). It is a voluntary standard that organizations can adopt to establish, implement, maintain and improve their Occupational Health and Safety Management Systems (OH&S MS).

ISO 45001 is an international standard for occupational health and safety (OH&S) that derives from OHSAS 18001. It provides a framework for managing the prevention of work-related injuries, ill health, and/or death, thereby providing a safe and healthy workplace. OHSAS 18001 required organizations, regardless of their size, type, and/or activities, to prevent injuries and deaths. ISO 45001 sets the background for continual improvement in health and safety management based on the following principles:

  • Provide safe and healthy working conditions to prevent work-related injury and ill health;
  • Satisfy applicable legal requirements and other requirements;
  • Control OH&S risks by using a hierarchy of controls;
  • Continually improve the OH&S management system to enhance the organization’s performance;
  • Ensure the participation of workers and other interested parties in the OH&S MS.

The new ISO 45001 standard brings real benefits to those who will use it. The standard is designed to be applicable to any organization, and its requirements are intended to be incorporated in any management system, regardless of the organization’s size or sector; whether it is a small business, large organization or even a non-profit organization, a charity, an academic institution or a governmental department. Having in place a systematic approach to manage health and safety will bring benefits to both the people and the organization. Ultimately, good health and safety is good business. The standard is also intended for organizations with small or low-risk operations, as well as, for organizations with high-risk operations. This standard states that successful health and safety management depends on the following:

  • Leadership and commitment of top or senior management;
  • Promotion of a health and safety culture within the organization;
  • Participation of workers and/or other representatives in the OH&S Management System;
  • Identification of hazards and control of risks;
  • Allocation of the necessary resources;
  • Integration of the health and safety management system into appropriate processes;
  • Alignment of the health and safety policies with the strategic objectives of the organization;
  • Continuous evaluation and monitoring of the health and safety management system in regards to performance improvement.

Goals of ISO 45001 Standard

As with the other safety management consensus standards, the goals of ISO 45001 are to provide guidance for the development of a framework where injuries, property damage, and other loss causing incidents can be mitigated. The stated goals of ISO 45001 are:

  • Develop an OH&S policy
  • Have leadership demonstrate their commitment to safety
  • Establish systematic processes for safety management
  • Conduct hazard identification efforts
  • Create operational safety controls
  • Increase awareness and knowledge for employees about safety
  • Evaluate OH&S performance and develop plans to improve continuously
  • Establish the necessary competencies
  • Create and foster an OH&S culture within the organization
  • Ensure employees participate fully and meaningfully in the safety process
  • Meet all legal and regulatory requirements

ISO 45001 – The benefits

Similar to other management system standards, ISO 45001 emphasizes effectiveness, efficiency, and continual improvement. Organizations will have a wide range of benefits from using this standard, including:

  • Globalization: ISO 45001 puts your organization in an elite category of businesses, as it is an internationally recognized standard.
  • Improvement in business performance: The implementation of an Occupational Health and Safety Management System based on ISO 45001 reduces workplace illnesses and injuries, and, in turn, increases productivity.
  • Best practice creation: It provides consistency and establishes “best practices” for occupational health and safety throughout the organization.
  • Hazard & risk identification: Conducting risk assessments in a systematic manner improves the quality of the assessment.
  • Lower insurance premiums: Having a recognized system in place provides a basis for attracting lower insurance premiums.
  • Improvements in efficiency: The implementation of an OH&S Management System contributes to the reduction of accident rates, absenteeism levels, and downtime, all of which improve the efficiency levels of internal operations.
  • Establishment of a safe working environment: Promotes the safety of all persons being affected by the organization’s activities.
  • Monitoring & measurement: Promotes management oversight through the provision of key performance indicators (KPIs) in the measurement of the Occupational Health and Safety Management System performance levels.
  • Focus: A culture that focuses on the “prevention of problems” rather than on the “detection of problems” is much more effective and rewarding to employees.
  • Continual improvement: Encourages continual improvement, e.g. the adoption of the “zero accident” concept.

Methodology

At the outset, ISO 45001 explains the founding principle of PLAN, DO, CHECK, ACT (PDCA). This principle is the methodology that guides the various performance aspects of the standard. PDCA is the idea of continual improvement that was made popular by Edwards Deming, often considered the father of modern quality control theory, and fosters the standard of detailed actions that provide a platform for continual improvement across the organization. This is a critical concept as it establishes the model for continual, as opposed to continuous, improvement. This concept of continual improvement is repeated throughout the standard. “Continual improvement” is an umbrella concept that incorporates elements of continuous improvement. The distinction between continual and continuous improvement is a fine but important one. Continual improvement is defined as “recurring activity to enhance performance”. Continual does not mean continuous, so the activity does not need to take place in all areas simultaneously. Continuous improvement is defined as “on-going and endless without interruption.” By their very nature, business activities often have numerous starts and stops. Business activities are best managed by regular and routine evaluations. Thus the concept of continual improvement is better suited to an organizational environment than the concept of continuous improvement.

Clause 1: Scope

ISO 45001 provides a set of requirements for an OH&S system that will assist an organization to foster an environment that is safe and healthy. The standard is applicable to any organization regardless of size, operations, objectives, and outcomes. It includes the development of an OH&S policy that meets best practices and legal requirements. The scope of ISO 45001 includes:

  1. Creation of an OH&S policy that reinforces the objectives of the organization while taking into account its internal and external contexts.
  2. Establishment, implementation, and maintenance of an OH&S management system.
  3. Continual improvement of OH&S performance.
  4. Assured conformity to the OH&S policy.
  5. Demonstration of compliance with this ISO Standard.

ISO 45001 does not provide specific criteria for OH&S performance. It does allow for the integration of other similar aspects of health and safety such as wellness, non-occupational health, and wellbeing. The scope does not include ideas of product safety, public safety, environmental protection, and quality. ISO 45001 can be used in part or in total to improve OH&S management systems; however, claims of conformity with ISO 45001 are only acceptable if the standard has been completely adopted without any exclusions.

Clause 3: Terms and Definitions

ISO 45001 contains a large “Terms and Definitions” glossary spanning seven pages, which offers key descriptions and terminologies that organizations should consider adopting into their safety lexicon, especially those that are considering or are in the ISO 45001 compliance process. Standardization of this language will allow for a common understanding of actions, concepts, and outcomes throughout all business units, locations, facilities, and departments of the organization.

Clause 4: Context of the Organization

Clause 4 of ISO 45001 provides a definition of the context of the organization and explains how this context must be used to understand organizational objectives. The context of the organization is the key consideration to be taken when developing and implementing the OH&S mission statement, OH&S policy statement, and objectives. Context is defined as the purpose that the organization is attempting to achieve and the external and internal issues that will impact the ability to achieve the intended outcome. The key elements to the context of the organization include:

  • Interested parties, in addition to workers (ISO 45001 defines managers, supervisors, and senior leaders as “workers”)
  • Needs and expectations of workers and other interested parties
  • Legal requirements
  • Differences in needs between managerial and non-managerial workers

When developing the OH&S management system, the organization will take into account the internal and external issues, the requirements of workers, and the work that is being performed. The context of the organization must be documented and the documentation must be available.

The organization is free to define the scope of the OH&S Management System but must determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its OH&S Management System, such as:

  • The needs and expectations of workers and other interested parties;
  • Determining its scope in terms of organizational units, functions, and physical boundaries;
  • The effect of its activities, products, and services;
  • Applicable legal, regulatory and other requirements to which the organization will comply.

The standard defines “interested parties” as a “person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.”

4.1 Understanding the organization and its context

This clause is found in all ISO management system standards, and it requires the organization to determine all internal and external issues that may be relevant to the achievement of the objectives of the OH&S Management System itself. This includes all elements which are, and may be capable of, affecting these objectives and outcomes in the future. The organization must understand:

  • the issues both positive and negative that need consideration in establishing OH&S
  • the opportunity to identify external and internal factors and interested parties that affect intended outcomes of OH&S
  • the external context – cultural, social, political, key trends in the industry
  • the internal context – governance, policies, objectives, culture, trends

4.2 Understanding the needs and expectations of interested parties

The standard now requires the organization to assess who the interested parties are in terms of its OH&S Management System, what their needs and expectations may be, and consequently, if any of these should become compliance obligations. The organization must understand the needs and expectations of

  • External interested parties determined by the organization as relevant to OH&S.
  • Managerial and non-managerial workers.
  • Other interested parties, including legal and regulatory authorities, workers, customers, and clients.
  • Applicable legal requirements.

4.3 Determining the scope of the OH&S Management System

The scope and boundaries of the OH&S Management System must now be thoroughly examined and defined considering the aforementioned interested parties and their needs, plus resulting compliance obligations. Also requiring consideration are the OH&S Management System functions and physical boundaries, and all products, services, and activities, including the organization’s ability to exert control on external factors, with the results of the whole definition included in the OH&S Management System and kept critically as “documented information.” While determining the scope the organization must

  • Clarify the boundaries of OH&S
  • Consider external and internal factors
  • Consider the requirements of interested parties
  • Consider the work-related activities performed
  • Ensure the scope addresses hazards and potential risk

4.4 OH&S Management System

The standard indicates that an OH&S Management System should be established to achieve the desired outcomes by using interacting processes to deliver continual improvement. The ultimate objective is to improve the organization’s occupational health & safety performance. The Organization must:

  • Establish, implement, maintain and continually improve OH&S
  • Determine the processes needed and their interactions – integrate requirements into various business operations, e.g. design & development and procurement

Clause 5: Leadership and Worker Participation

“Leadership” and “top management” are used interchangeably throughout ISO 45001. The responsibilities of leadership and top management include:

  • Take overall responsibility and accountability for worker protection.
  • Ensure the OH&S policy relates to the context and is compatible with the strategic direction of the organization.
  • Integrate the OH&S management system into larger business processes.
  • Provide resources for the OH&S management system.
  • Ensure workers’ participation in the OH&S system.
  • Communicate the OH&S system and ensure the organization conforms to it.
  • Promote the OH&S system to address nonconformities and ensure continual improvement.
  • Create a culture that drives organizational support for the OH&S System

Since top management is responsible for the OH&S system, the elements required to be included in the OH&S management system are detailed within the leadership and worker participation section. The elements include the written commitments for safety; the framework for the OH&S system; obligations to meet legal requirements; continual improvement for OH&S performance; establishment of a risk control strategy; and, most importantly, worker involvement. The policy must be documented, communicated with workers, reviewed periodically, and available to other parties. Other key considerations for leadership and worker participation include training, communication, worker participation support, employee engagement, and the establishment of audit programs.

Top management shall demonstrate leadership and commitment with respect to their overall responsibility and accountability for the protection of workers and with respect to the integration of the OH&S Management System processes and requirements into the organization’s business processes. The engagement of top management is essential in order to support the organization through the provision of resources and to promote continual improvement. Furthermore, top management must demonstrate leadership through supporting other management roles in enhancing the OH&S management system, and to ensure continual improvement is achieved by dealing with nonconformities, risks and hazards, and the identification of opportunities for improvement. An important responsibility of the top management is to establish, implement and maintain the OH&S policy, and to ensure that it is communicated within the organization and shared with relevant interested parties.

Consultation and participation of workers

Appropriate involvement of staff in:

  • Hazard identification;
  • Risk assessment and determination of controls;
  • Incident investigation;
  • Development and review of the OH&S policies and objectives;
  • Consultation and representation on OH&S matters;
  • Consultation with contractors, when there are changes that affect their OH&S.

5.1 Leadership and Commitment

This clause reminds the user that the organization and top management retain responsibility for the performance of all internal and external performance factors at all times. It, therefore, makes perfect sense that the Occupational Health & Safety Policy and objectives are aligned with each other and with the strategic policies and overall direction of the business, including integration with other business systems, where applicable. Provision must be made for resources to ensure that the OH&S Management System can be operated efficiently, and top management must ensure that the people with responsibility within the OH&S Management System have the correct support, training, and guidance to complete their tasks effectively. Communication is also critical from a leadership perspective, and communication methods and frequencies must be defined and established for both internal and external interested parties. In summary, it is the responsibility of the leadership of the organization to show an enhanced level of leadership, involvement, and co-operation in the operation of the OH&S Management System. The organization must:

  • Focus more on demonstrating leadership and commitment
  • Take overall responsibility and accountability for the protection of workers
  • Ensure the active participation of workers and worker representation, using consultation
  • Consider the need to establish H&S committees
  • Identify and remove barriers to participation
  • Continually improve OH&S
  • Develop, lead and promote a culture supporting OH&S

5.2 Occupational Health & Safety Policy

The top management has the responsibility to establish the previously mentioned Occupational Health & Safety Policy, which is appropriate for the organization in terms of the size, scope, activities, and ambitions of the organization, and provides a formal framework for setting objectives. Obviously, the policy should include a commitment to eliminate hazards and reduce risks, to prevent workplace injury, and to consult with workers. Meeting compliance and regulatory factors is clearly another key element, and a method of capturing and recording this must be established. Finally, and vitally, the Occupational Health & Safety Policy must provide a commitment to the continual improvement of the OH&S Management System and its results. Critically, the Occupational Health & Safety Policy must be maintained as documented information, be communicated within the organization, and be available to all interested parties, as appropriate. The Organization must have:

  • An OH&S policy with a set of principles and an overall sense of direction.
  • An OH&S policy on consultation with workers at all levels, which is communicated.
  • A commitment to providing safe and healthy working conditions.
  • A commitment to the prevention of injury and ill-health.
  • A policy appropriate to the size and context of the organization.
  • A policy appropriate to the specific nature of its OH&S risks and OH&S opportunities.
  • A mechanism for communication of the policy.

5.3 Organizational Roles, responsibilities and authorities

The standard states that it is the responsibility of top management to ensure that roles, responsibilities, and authorities are delegated and communicated effectively. The responsibility shall also be assigned to ensure that the OH&S Management System meets the terms of the 45001:2018 standard itself and that the performance of the OH&S Management System can be reported accurately to top management. The Organization must ensure that

  • Workers at each level assume responsibility for those aspects over which they have control.
  • The relevant roles have been assigned within OH&S.
  • Organizational roles, responsibilities, and authorities are communicated at all levels within the organization.
  • Organizational roles, responsibilities, and authorities are maintained as documented information.

5.4 Consultation and participation of workers

When it comes to the health & safety of workers, these same workers must be consulted about the OH&S Management System and participate in implementing the processes necessary to secure a safe workplace. To this end, the organization needs to determine the processes necessary to consult with workers at all levels of the organization in all aspects of development, planning, implementation, performance evaluation, and improvement actions of the OH&S Management System. The Organization must:

  • Establish, implement, and maintain processes for consultation and participation in developing, planning, evaluation and actions for improvement in OH&S.
  • Provide mechanisms, time, training and resources necessary for participation.
  • Provide timely access to clear, understandable and relevant information on OH&S.
  • Identify and remove obstacles or barriers to participation and minimize those that cannot be removed.
  • Have an additional emphasis on the participation of non-managerial workers in OH&S.
  • Have an additional emphasis on the inclusion of non-managerial workers in consultation.
  • Provide training at no extra cost to workers and provision of training during working hours.

Clause 6: Planning

Clause 6 describes the actions necessary to address risk and opportunity. Activity planning must take place within the context of the organization. The planning process must ensure that the OH&S management system is designed to achieve its intended outcomes and continually improve. Worker participation is cited as being a critical component in the planning phase. Additional considerations include operational risk, legal requirements, and other opportunities to improve the OH&S management system. This section outlines the need for hazard identification by the organization for both routine and non-routine activities, emergency situations, people and behavior, work area design, work environment under the control of the organization, and situations not under organizational control. Additional points of assessment include changes to process and operations, past incidents and their causes, and social/economic factors. The major sub-sections in Clause 6 include:

  1. Hazard Identification
  2. Assessment of OH&S Risks
  3. Identification of OH&S Opportunities
  4. Determination of Legal Requirements
  5. Planning to Take Action
  6. The setting of OH&S Objectives
  7. Planning to Achieve Objectives

The planning phase is a comprehensive part of the ISO 45001 standard, requiring a detailed understanding of operations. By following this section, the organization can create a very deliberate and effective set-up to sustain the OH&S management system and ensure it continually improves. This is one of the most critical clauses since it is related to the establishment of strategic objectives and guiding principles for the Occupational Health and Safety Management System as a whole. The OH&S objectives, which can be integrated with other business functions, are the expression of the intent of the organization to treat the risks identified. When determining the risks and opportunities that need to be addressed, the organization shall take into account:

  • OH&S hazards and their associated risks, and opportunities for improvement;
  • Applicable legal requirements and other requirements;
  • Risks and opportunities related to the operation of the OH&S Management System that can affect the achievement of the intended outcomes.

6.1 Actions to address risks and opportunities

6.1.1 General

This standard states that the organization should establish, implement, and maintain the processes needed to address the requirements of the whole of the planning section itself. When planning the OH&S Management System, considerations need to be made regarding the context of the organization (section 4.1) and the needs and expectations of interested parties (section 4.2), as well as the scope of the OH&S Management System. Risk and opportunity must be considered with respect to these elements, as well as legal and regulatory issues, and the organization’s Occupational Health & Safety hazards themselves. This outcome needs to ensure that the OH&S Management System can meet its intended outcomes and objectives, that any external factors that may affect performance are avoided, and that continual improvement can be achieved.

In terms of emergency situations, the organization is required to determine any situations that may occur and have a resulting occupational health & safety risk. Again, it is vital that documented information is retained concerning the risks and opportunities considered and addressed in the planning phase in order to satisfy the terms of the clause. While planning for actions to address risks and opportunities, the organization must

  • Take into consideration the Organizational Context (4.1), the needs and expectations of Interested Parties (4.2) and the Organizational Scope (4.3).
  • Prevent or reduce undesired effects.
  • Achieve its intended outcome.
  • Assess risks and opportunities arising out of changes in the organization (whether planned or unplanned).
  • Maintain documented information – risks, opportunities, and processes needed to have confidence in risk management.

6.1.2 Hazard identification and assessment of risks and opportunities

ISO 45001:2018 asks organizations to consider, in a proactive manner, all occupational health & safety hazards within the organization’s control. Changes or planned future changes to services also have to be taken into account, as do any abnormal situations that may arise that are reasonable for the organization to predict – for example, if you are about to launch a new product that needs radically new production processes or materials. Again, the organization needs to maintain documented information on this clause and its elements, and communication to the appropriate levels with effective frequency needs to be planned and undertaken. In terms of documented information, if you ensure that all actual and associated risks, the criteria you use to define them, and your significant occupational health & safety risks are documented, then you will satisfy the terms of this clause. It has the following sub-clauses:

  • 6.1.2.1 Hazard identification
  • 6.1.2.2 Assessment of OH&S risk and other risks to the OH&S management system
  • 6.1.2.3 Assessment of OH&S opportunities and other opportunities

6.1.2.1 Hazard identification

While identifying the hazards proactively the organization must consider the following:

  • Past incidents, emerging trends
  • Routine & non-routine activities and situations
  • Emergency Situations
  • Human factors
  • Other issues – design, situations in the vicinity of the workplace, situations not controlled by organizations
  • Changes or proposed changes
  • Change in knowledge
  • How work is organized, social factors, workload, work hours, leadership and culture

6.1.2.2 Assessment of OH&S risk and other risks to the OH&S management system

The organization must assess OH&S risks based on the hazards identified. While assessing the OH&S risks, the organization must take into account the issues from the context of the organization (4.1) and the needs and expectations of interested parties (4.2). It must define the methodology and criteria for assessing OH&S risks. The methodologies and criteria must be maintained and retained as documented information.

6.1.2.3 Assessment of OH&S opportunities and other opportunities

The Organization must identify OH&S Opportunities to enhance OH&S performance. While identifying OH&S opportunities the Organization must take into account:

  • Planned changes
  • Opportunities to eliminate or reduce risk
  • Opportunities to adapt work, work organization and work environment to workers
  • Opportunities for improving the OH&S management system

6.1.3 Determination of legal and other requirements

This is a relatively straightforward, but vital part of the ISO 45001:2018 standard. The organization must decide what legal and other requirements are related to its occupational health & safety hazards and how to best access them, decide how they apply to the organization, and consider them when establishing, operating, and delivering continual improvement through the OH&S Management System. Documented evidence needs to be recorded for these obligations, also. The Organization must

  • Determine and have access to up-to-date legal requirements
  • Determine how these requirements apply and how they will be communicated
  • Take these requirements into account when establishing and implementing the OH&S Management System
  • Maintain and retain documented information

6.1.4 Planning Actions

In this clause, the standard states that the organization shall plan to take actions to address its occupational health & safety hazards, risks, and opportunities, and compliance obligations, all of which we have discussed above. These also need to be implemented into the organization’s OH&S Management System and associated business processes. The task of evaluating the effectiveness of these actions also must be considered, with technological, financial, and operational considerations all taken into account. In this clause, the organization is expected to:

  • Address risk and opportunities (6.1.2.2 & 6.1.2.3)
  • Address applicable legal requirements (6.1.3)
  • Prepare for and respond to emergency situations (8.2)
  • Integrate actions into other business processes – Business Continuity, Financial or HR
  • Eliminate hazards and reduce OH&S risk (8.1.2)
  • Consider best practice for the action

6.2 Occupational Health & Safety Objectives and Planning to Achieve Them

6.2.1 Occupational health & safety objectives

The standard advises that occupational health & safety objectives should be established at appropriate levels and intervals, having considered the identified occupational health & safety hazards, risks and opportunities, and compliance obligations. The characteristics of the set objectives are important, too: they need to be consistent with the organization’s Occupational Health & Safety Policy, measurable where possible, able to be monitored, communicated effectively, and be such that they can be updated when circumstances require. Once more, it is mandatory that documented information is kept outlining this process and its outputs. To maintain and improve the OH&S management system and OH&S performance, while establishing OH&S objectives the Organization must

  • Take into account the results of the assessment of OH&S risk and opportunities and other risks and opportunities.
  • Take into account the outputs of consultation with workers and workers’ representatives.
  • Ensure objectives are measurable or capable of evaluation.
  • Ensure objectives are clearly communicated.

6.2.2 Planning to achieve occupational health & safety objectives

The standard advises on the elements that need to be determined to ensure that objectives can be achieved. This can be thought of in terms of what needs to be done, when it needs to be done, what resources are required to achieve it, who is responsible for the objectives being achieved, how results are to be measured and progress ensured, and consideration on how these objectives can be implemented within existing business systems. While planning to achieve OH&S objectives, the organization must consider the following:

  • What will be done?
  • What resources will be required?
  • Who will be responsible?
  • When will it be completed?
  • How will it be measured (through indicators, if practicable) and monitored, and how frequently?
  • How will actions be integrated into overall business processes?
  • How will documented information be maintained and retained?

Clause 7: Support

Clause 7 of ISO 45001 discusses the resources and support needed to be successful with the OH&S management system. “Support” means that the organization has achieved a level of competence among its workers and systems to successfully drive the outcomes of the OH&S plan. It also discusses the need to establish awareness of the OH&S policy, communicate information about the OH&S management system, outline with whom the information should be shared, manage documentation including tracking of updates, and control information and ensure its accessibility and accuracy. Essentially, the support system provides an overview of how the organization must support the OH&S management system. Successfully managing an Occupational Health and Safety Management System relies heavily on having the necessary resources for each task. This includes having competent staff with the appropriate training, support services, and effective information and communication means. The organization will determine what documented information is necessary for the success of the system. Documented information is a new term in the standard, which means the information can be in any format, media, or from any source. Moreover, internal and external information must be communicated throughout the organization and must be gathered, disseminated, and understood by those receiving it. The decisions that need to be made are:

  • On/about what to inform?
  • When to inform?
  • Who to inform?
  • How to inform?
  • How to receive and maintain documented information and how to respond to relevant incoming communications?

Accordingly, the terms ‘document’ and ‘record’ became obsolete in the new standard, which uses the term ‘documented information’ instead, for the purpose of maximizing the confidence to share information through any media.

7.1 Resources

Simply put, the standard advises the organization that the resources required to achieve the stated objectives and show continual improvement must be made available. The Organization must determine and provide the resources needed for OH&S. Resources can include HR, natural resources, infrastructure, and technology. Human resources include diversity, skills, and knowledge.

7.2 Competence

Employee competence must meet the terms of the ISO 45001:2018 standard by ensuring that the people given responsibility for OH&S Management System tasks are capable and confident. Related to this, it stands to reason that the experience, training, and/or education of the individual must be of the required standard and that any necessary training is identified and delivered – with measurable actions taken externally or internally to ensure that this level of competence exists. Predictably, this process and its outputs need to be recorded as documented information for the OH&S Management System. The organization must ensure:

  • Workers whose work impacts OH&S performance are competent.
  • Competence is based on appropriate education, training, and experience.
  • Criteria for each role are established.
  • Workers are evaluated periodically to ensure continued competence for their roles.
  • Appropriate documented information as evidence of competence is retained.

7.3 Awareness

Awareness is closely related to competence in the standard. Employees must be made aware of the Occupational Health & Safety Policy and its contents, any current and future impacts that may affect their tasks, what their personal performance means to the OH&S Management System and its objectives, including the positives or improved performance, and what the implications of poor performance may be to the OH&S Management System. Additionally, the standard demands that workers be aware that they can remove themselves from work situations that they consider to be a danger to their life or health. Workers must be:

  • Made aware of the OH&S policy
  • Made aware of the implications of not conforming with OH&S requirements
  • Made aware of information and outcomes of investigations of relevant incidents
  • Made aware of the OH&S hazards and risks relevant to them

7.4 Communication

7.4.1 General

Processes for internal and external communication need to be established and recorded as documented information within the OH&S Management System. The key elements that need to be decided, actioned, and recorded are what needs to be communicated, how it should be done, who needs to receive the communication, and at what intervals it should be done. It should be noted here that any communication outputs should be consistent with related information and content generated by the OH&S Management System.

7.4.2 Internal communication

The standard advises the organization that information should be communicated at various levels and with various frequencies as deemed suitable and that the organization must ensure that the nature and frequency of communication allow continual improvement to result from the communication process itself.

7.4.3 External communication

Once again, the organization is advised by the standard to ensure that communication relevant to the OH&S Management System takes place as per the established process, with the goal of ensuring that compliance obligations and objectives are met.

7.5 Documented information

7.5.1 General

“Documented information,” which you will have seen mentioned several times during this guide, refers to the documents and records that are necessary for the OH&S Management System. The requirements are designed to allow each organization to have the ability to shape documented information to their own requirements in general, with the exception of the mandatory components mentioned specifically in the standard and, therefore, this guide. The ISO 45001:2018 standard advises us that the OH&S Management System should include all documented information that it declares mandatory, and anything viewed as critical to the OH&S Management System and its operation. It should also be noted that the amount of documented information that an organization requires would differ according to the size, operating sector, and complexity of compliance obligations faced by the business.

7.5.2 Creating and updating

The standard advises that documentation created by the OH&S Management System needs to include appropriate identification, description, and format so that it can be easily understood what the documented information is for. There is also a need to review and approve the documented information for suitability and accuracy before release.

7.5.3 Control of Documented Information

The standard advises that documentation created by the OH&S Management System should be available and fit for purpose where and when needed, reasonably protected against damage or loss of integrity and identity and that the processes of distribution, retention, access, retrieval, preservation and storage, control and disposition are adequately provided for. It should be noted that documented information from external sources should be similarly controlled and handled and that viewing and editing access levels should be carefully considered and controlled.

The clauses that contain a reference to documented information are:

4.3, 5.2, 5.3, 6.1.1, 6.1.2.2, 6.1.3, 6.2.2, 7.2, 7.4, 7.5.1, 7.5.3, 8.1.1, 8.2, 9.1.1, 9.1.2, 9.2.2, 9.3, 10.1 & 10.2

List of documents required by ISO 45001:2018

The ISO 45001 standard provides us with some insight into what documents are required. Compared to OHSAS 18001, there are not too many changes, but the documentation requirements are easier to manage, following the logic of the new versions of other ISO standards. Of course, the standard does not explicitly mention documents and records, but uses the term “documented information.” The following represents a list of documents that you need to maintain in order to comply with ISO 45001:

  • The scope of the OH&S MS (clause 4.3)
  • OH&S management system (clause 4.4)
  • Leadership and commitment (clause 5.1)
  • OH&S policy (clause 5.2)
  • Organizational roles, responsibilities, and authorities (clause 5.3)
  • Actions to address risks and opportunities (clause 6.1)
  • Assessment of OH&S risks and other risks to the OH&S management system (clause 6.1.2.2)
  • Determination of legal requirements and other requirements (clause 6.1.3)
  • Planning to achieve OH&S objectives (clause 6.2.2)
  • Competence (clause 7.2)
  • Communication (clause 7.4)
  • Operational planning and control (clause 8.1)
  • Contractors (clause 8.1.4.2)
  • Emergency preparedness and response (clause 8.2)
  • Monitoring, measurement, analysis and performance evaluation (clause 9.1)
  • Evaluation of compliance (clause 9.1.2)
  • Internal audit (clause 9.2)
  • Management review (clause 9.3)
  • Incident, nonconformity and corrective action (clause 10.2)
  • Continual improvement (clause 10.2)

Other supporting documents

Apart from the abovementioned list of documents, there are additional supporting documents that can be used to facilitate the operation of a management system. Thus, the following documents are commonly used:

  • Procedure for determining the context of the organization and interested parties (clauses 4.1 and 4.2)
  • Procedure for identification and evaluation of OH&S management system risks and opportunities (clauses 6.1.1 and 6.1.2)
  • Procedure for competence, training, and awareness (clauses 7.2 and 7.3)
  • Procedure for communication (clause 7.4)
  • Procedure for document and record control (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for management review (clause 9.3)

The standard also emphasizes that it is important to demonstrate the effectiveness of the OH&S Management System, rather than to simply draft endless theoretical procedures.

Clause 8: Operation

Clause 8 forms the heart of the ISO 45001 standard and addresses the program content necessary to have a successful OH&S management system that meets the intent of the standard. The specific topics discussed in this section include:

  1. General provisions: such as the means for creating and managing documentation.
  2. Hierarchy of controls: to utilize the most effective means of risk reduction within the organization.
  3. Management of change: to ensure that when planned changes occur they are managed to control risk.
  4. Outsourcing: to make certain risk controls are adequate for all outsourced processes.
  5. Procurement: to validate all incoming materials and services conform to the system requirements.
  6. Contractors: to communicate and control internal risks to third parties and evaluate risks they may introduce into the workplace.
  7. Emergency preparedness and response: to identify potential emerging risks and develop specific and customized plans with key stakeholders to minimize these risks.

This clause requires:

  • Operational planning and control on multi-employer workplaces; whereby the organization shall implement a process for coordinating the relevant parts of the OH&S management system with other organizations. This clause includes the requirement to reduce risks by implementing a “Hierarchy of Control” approach as used by the European Union Legislation. In that regard, this is a system of prioritization which ranks hazard elimination as the preferred control down through a series of controls which are less effective.
  • Eliminating hazards and reducing OH&S risks requires the organization to establish, implement and maintain a process(es) for the elimination of hazards and reduction of OH&S risks. In order to ensure that this is done properly, the organization shall use appropriate controls.
  • Management of Change requires the organization to establish a process for the implementation and control of planned changes so that the introduction of new products, processes, services or work practices does not bring with it any new hazards.
  • Procurement requires the organization to establish, implement and maintain a process for the control of procurement services so as to ensure that they conform to the requirements of the standard. In addition, the standard requires the organization to coordinate the procurement processes with its contractors and to identify the risks that arise from the contractors’ activities. Furthermore, the organization should ensure that outsourced processes which have an impact on its health and safety management system are appropriately controlled.
  • Emergency preparedness and response requires the organization to identify emergency situations and maintain a process to prevent or minimize OH&S risks from potential emergencies.

8.1 Operational control and planning

While the standard acknowledges that operational control will greatly depend on the size, nature, compliance obligations, and occupational health & safety hazards of an organization, scope is given to the individual organization to plan and ensure the desired results are achieved. The methods suggested by the standard are that processes should be designed in such a way that consistency is guaranteed and error eliminated, technology is used to improve control, and it is ensured that personnel are trained and competent. Processes should be performed in an agreed and prescribed manner; those processes should be measurable, and the documented information should match the requirements to ensure operational control. An essential part of operational control lies in eliminating hazards and reducing OH&S risks. This can be carried out through a hierarchy of controls, from the elimination of the hazard to the use of personal protective equipment. Change in the OH&S Management System also needs to be managed in order to maintain the integrity of the OH&S performance. Procurement, including contractors and outsourcing of functions and processes, must also be considered and controlled. Appropriate measures must be taken to define and control the competency of outsourced service suppliers, including their effect on the OH&S Management System processes. As ever, opportunities for improvement must always be considered and identified. The standard also recognizes that the degree of control the organization has over an outsourced product or service can vary from absolute, if taking place onsite, to very little, if the activity takes place remotely. However, it is suggested that there are factors that, nonetheless, should be considered. As expected, compliance obligations should be considered and controlled, all direct and associated occupational health & safety risks should be evaluated and controlled, as should risks and opportunities associated with the provision of the service itself.

8.1.1. General

During operational planning and control, the organization must:

  • Establish criteria for processes
  • Implement control defined in the criteria
  • Keep documented information, as the absence of documented information could lead to deviations
  • Adapt work to workers, including induction of new workers

8.1.2 Eliminating hazards and reducing OH&S risks

The organization must establish a process and determine controls for achieving the reduction in OH&S risks using the following hierarchy of controls:

  • Eliminate
  • Substitute
  • Engineering controls
  • Administrative controls
  • Provide and ensure the safe use of PPE

Provision of PPE should be at no extra cost to workers.

8.1.3 Management of Change

The Organization must establish a process for the implementation and control of planned changes. Changes may include:

  • Work processes
  • Legislation
  • Knowledge and information about hazards and related OH&S risk
  • Developments in knowledge and technology

Changes must be controlled to mitigate against adverse impacts on OH&S.

8.1.4 Procurement

8.1.4.1 General

The organization must establish a process to control the procurement of products and services to ensure conformity with its OH&S Management System.

8.1.4.2 Contractors

  • The organization must establish a process to coordinate with contractors for hazard identification and to assess and control OH&S risks from contractor activities
  • The requirements of the OH&S management system must be met by contractors and their workers
  • The organization must establish the OH&S criteria for selection of contractors

8.1.4.3 Outsourcing

The organization must ensure outsourced functions and processes are controlled. The outsourced arrangements must be consistent with legal requirements. It should be integral to the organization’s ability to operate. There must be controls to achieve the intended outcome of the OH&S management system.

8.2 Emergency preparedness and response

Emergency preparedness and response is a key element in the mitigation of occupational health & safety risk. The standard informs us that it is the responsibility of the organization to be prepared, and a number of elements should be considered and planned for. Actions to mitigate incidents must be developed, as well as internal and external communication methods and appropriate methods for emergency response. Consideration of varying types of occupational health & safety incidents needs to be made, as do root cause analysis and corrective action procedures to respond to incidents after they occur. Regular emergency response testing and relevant training need to be considered and undertaken, and assembly routes and evacuation procedures defined and communicated. Lists of key personnel and emergency agencies (think clean-up agencies, local emergency services, and local occupational health & safety offices or agencies) should be established and made available, and it is often good practice to form partnerships with similar neighboring organizations with whom you can share mutual services and provide help in the event of an occupational health & safety incident. To establish an emergency preparedness and response process, the organization must:

  • Identify potential emergency situations
  • Assess OH&S risks associated with these
  • Establish preventative controls
  • Plan response to emergency situations including the provision of first aid
  • Conduct periodic testing and exercise of emergency response capabilities
  • Evaluate and revise plans
  • Communicate information relevant to their duties
  • Conduct training
  • Identify needs and capabilities of interested parties
  • Maintain and retain documented information

Clause 9: Performance Evaluation

Performance Evaluation provides an in-depth discussion regarding the criteria for evaluating the overall performance of the OH&S management system. The primary themes of this section focus on the means of process evaluation and documentation of evaluations. The importance of documentation (and how records and data are retained), as well as document dissemination, are performance themes both in ISO 45001 in general and in this section in particular. The organization must establish a system that involves the monitoring, measurement, analysis, and evaluation of its OH&S performance. It should decide what to measure and how, for instance, accidents or worker competence. Moreover, internal audits must be established along with regular management reviews, in order to see the progress made towards the achievement of OH&S objectives and the fulfilment of ISO 45001 requirements.

This section tends to be more specific than some of the others and includes a detailed discussion of documentation requirements, internal audit protocols, and the relevancy and applicability of measurements within the organization. The key attributes of this section include:

  1. Ensuring applicable legal requirements and documentation are followed.
  2. Measuring operational risks and hazards.
  3. Evaluating the effectiveness of operational controls.
  4. Establishing the timeline for conducting the measures.
  5. Planning for analysis, evaluation, and communication of the results.
  6. Calibrating and verifying the accuracy of all equipment.
  7. Retaining documentation of all measures.
  8. Auditing the OH&S Management System, the OH&S Policy, OH&S Objectives and the 45001 requirements.
  9. Establishing the frequency of audits and accounting for significant changes to the organization, performance improvements, risks, and opportunities.
  10. Ensuring the competence of auditors.
  11. Communicating findings to management, workers, and worker representatives.
  12. Taking action to address identified nonconformities.
  13. Retaining audit results as evidence of the completion of the audit.
  14. Reviewing audit findings and corrective actions by top management.
  15. Ascertaining that corrective actions, worker engagement, and opportunities for continual improvement are in place.

The most important objectives of the Performance Evaluation section are ensuring the adequacy of the current OH&S management system and measuring that OH&S objectives are met. These are, essentially, the only measures of success.

9.1 Monitoring, measuring, analysis, and evaluation

9.1.1 General

The organization not only has to measure occupational health & safety progress, but it should also consider its significant hazards, compliance obligations, and operational controls when tackling this clause. The methods established should have considerations to ensure that the monitoring and measuring periods are aligned with the needs of the OH&S Management System for data and results; that the results are accurate, consistent, and can be reproduced; and that the results can be used to identify trends. It should also be noted that the results should be reported to the personnel with the authority and responsibility to initiate action on the basis of the outputs themselves.

9.1.2 Evaluation of Compliance

The standard recognizes that evaluation requirements will vary from organization to organization based on factors such as size, compliance obligations, sector worked in, past history and performance, and so on, but suggests that regular evaluation is always required. If the result of a compliance evaluation reveals that a legal requirement is unfulfilled, the organization needs to assess what action is appropriate, possibly up to contacting a regulatory body and agreeing on a course of action for repair. This agreement will now see this obligation become a legal requirement. Where non-compliance is identified by the OH&S Management System and corrected, it does not automatically become a non-conformity.

9.2 Internal Audit

9.2.1 General

Internal audits and auditors should be independent and have no conflict of interest over the audit subject, the standard reminds us, and it should be noted that non-conformities should be subject to corrective action. When considering the results of previous audits, the results of previous internal and external audits and any previous non-conformities and resulting actions to repair them should be taken into account.

9.2.2 Internal audit program

The 45001:2018 standard refers us to ISO 19011 for the internal audit program, but when you are establishing your program there are several rules you can subscribe to in order to ensure that your program is effective. Base your internal audit frequency on what is reasonable for your organization in terms of size, the sector you operate in, compliance obligations, and risk to the health and safety of workers. Decide what is reasonable for you, whether that is bi-annually, quarterly, or whatever you deem suitable. Keep in mind that this schedule can be changed, preferably through management review and leadership guidance, in the event of changes that necessitate extra internal audit activity.

9.3 Management Review

It should be noted that, contrary to popular belief, the management review does not have to be done all at once; it can be a series of high-level or board meetings with topics tackled individually, although it should be on a strategic and top management level. Complaints from interested parties should be reviewed by top management, with resultant improvement opportunities identified. It should be remembered that the management review generally is the one function that must be carried out accurately and diligently to ensure that the function of the OH&S Management System and all resulting elements can follow suit. It goes without saying that all details and data from the management review must be documented and recorded to ensure that the OH&S Management System can follow the specific requirements and general strategic direction for the organization detailed there.

Clause 10: Improvement

Clause 10, the final major section, delineates the concept of continual improvement within the context of specific activities. Any organization wishing to adopt the principles of ISO 45001 must have a plan for addressing nonconformities in a timely manner. Organizations should take direct action to control conditions and deal with consequences. Nonconformities can be identified from investigations, audits, or other events. The corrective actions should be evaluated and the results should be documented. To achieve continual improvement, the organization shall have an OH&S management system that:

  1. Prevents the occurrence of incidents and nonconformities.
  2. Promotes a positive OH&S culture.
  3. Enhances OH&S performance

The organization should react accordingly to nonconformities and incidents, and take action to control and correct them, cope with their consequences, and eliminate their source so as to prevent recurrences.

10.1 General

Outputs from management reviews, internal audits, and compliance and performance evaluations should all be used to form the basis for improvement actions. Improvement examples could include corrective action, reorganization, innovation, and continuous improvement programs.

10.2 Nonconformity and corrective action

Prevention of incidents and elimination of hazards is a key facet of the OH&S Management System, and this is specifically addressed in the definition of organizational context (4.1) and assessing risks and opportunities (6.1). Taking action to correct and control problems when they occur, and then to investigate and take corrective action for the root causes of these problems when it is necessary, are critical to prevent recurrence of process nonconformity. The organization must:

  • React to incidents in a timely manner
  • Take direct action to control and correct
  • Evaluate the root cause
  • Determine action
  • Review the assessment of OH&S risks prior to taking action
  • Communicate documented information to relevant workers

Reporting of incidents without delay can assist in the removal of hazards.

10.3 Continual improvement

Through all of the actions to improve the overall OH&S Management System, the organization can achieve enhanced OH&S performance and promote a culture that supports worker participation in making the OH&S Management System better. The organization must:

  • Enhance OH&S performance
  • Promote a positive OH&S culture
  • Promote the participation of workers in implementing actions
  • Communicate results
  • Retain documented information

ISO 45001:2018 Consultant

ISO 45001 is an International Standard that specifies requirements for an occupational health and safety (OH&S) management system, with guidance for its use, to enable an organization to proactively improve its OH&S performance in preventing injury and ill-health. ISO 45001 is intended to apply to any organization regardless of its size, type, and nature. ISO 45001 enables an organization, through its OH&S management system, to integrate other aspects of health and safety, such as worker wellness/well-being; however, it should be noted that an organization can be required by applicable legal requirements to also address such issues.

It provides a framework for organizations to instigate proper and effective management of health & safety in the workplace. By having a clearly defined management system in place to identify and control health and safety risks, organizations can minimize risks to their workforce and visitors or external contractors on their premises. The standard will enable organizations to put in place processes for continually reviewing and improving occupational health and safety.

Key areas that will be assessed by OH&S MS certification

  • Management systems in place
  • Planning and risk assessment
  • Staff training and awareness
  • Communication of safety management systems
  • Response to emergencies
  • Monitoring and continual improvement

It helps in achieving a structured health and safety management system throughout the organization and will demonstrate your commitment to the welfare of your staff and external parties. It will provide a framework to implement the ISO 45001 requirements and a process for continual improvement. ISO 45001 is suitable for all types of organization wanting to become more efficient in managing and reducing accidents in the workplace.

By setting up systems that are assessed by a third-party certification body, organizations will prove to their staff, suppliers, and customers that they take health and safety seriously. ISO 45001 accreditation provides a framework to help organizations meet their legal obligations to Health and Safety in the workplace.

Benefits of ISO 45001:2018

In a competitive marketplace, your customers are looking for more than just keen pricing from their suppliers. Companies need to demonstrate that their businesses are managed efficiently and responsibly and that they can provide a reliable service without excessive downtime caused by work-related accidents and incidents. Certifying your ISO 45001:2018 occupational health and safety (OH&S) management system enables your organization to prove that it conforms to the specifications and provides the following benefits:

  • Customer satisfaction – through the delivery of products that consistently meet customer requirements whilst safeguarding their health and property
  • Reduced operating costs – by decreasing downtime through incidents and ill health and reducing costs associated with legal fees and compensation
  • Improved stakeholder relationships – by safeguarding the health and property of staff, customers and suppliers
  • Legal compliance – by understanding how statutory and regulatory requirements impact the organization and its customers
  • Improved risk management – through clear identification of potential incidents and implementation of controls and measures
  • Proven business credentials – through independent verification against recognized standards
  • Ability to win more business – particularly where procurement specifications require certification as a condition to supply

How to achieve ISO 45001:2018 certification – implementation / certification steps

I can offer a well-defined and proven implementation methodology for ISO 45001:2018 certification.

  • Gap Analysis
  • Awareness Training
  • Hazard analysis and risk analysis
  • Documentation Design and finalization
  • Implementation
  • Internal Auditor Training and conduct of the internal audit
  • Management Review Meeting
  • Review of Implementation
  • Pre-assessment audit
  • Stage 1 – certification audit
  • Stage 2 – certification audit
  • Award of OHSAS 9001 certification
  • Continual improvement of the system through value-added consulting and training services

Integrate ISO 45001 with other management system standards

ISO 45001 is designed to be compatible with other management systems standards and specifications, such as ISO 9001, ISO 22000, ISO 17025, ISO 27001, ISO 14001 and other ISO management standards. They can be integrated seamlessly through an Integrated Management system approach. They share many principles so choosing an integrated management system can offer excellent value for money and an easier approach to implement, manage and improve multiple standards simultaneously.

What can I offer in the field of ISO 45001 standards and certification?

I can provide unmatched expertise and technical competence to ensure that your ISO 45001:2018 occupational health and safety (OH&S) management system certification project adds value to your organization.

I provide consulting, training, internal audits, pre-assessment audits and facilitation during ISO 45001 certification audits.

I can offer the global knowledge moulded locally to bring in the best results for the clients and partner their journey of standardization, compliance, growth, success and continual improvements.

Contact now, to get your organization ISO 45001:2018 certified most effectively and efficiently while realizing the true benefits of the certification using our specialized OH&S MS implementation methodology that is less time-consuming, fast, easy to understand and implement, result-oriented, time-bound and cost-effective. Get ISO 45001 certified now …