W H I T E PA P E R

Better Organisational Habits:

System Readiness
for ISO 45001
Ideagen | WHITE PAPER

CONTENTS

Introduction ................................................................................................................................ 4
Key figures for Great Britain (2016) ................................................................................... 4
About Ideagen ............................................................................................................................ 5
About ISO 45001 and OHSAS 18001 ................................................................................. 6
The PDCA Logic of ISO 45001 ....................................................................................... 7
How to Conform to ISO 45001 with Ideagen Products ............................................. 8
Q-Pulse ......................................................................................................................................... 8
Q-Pulse Risk ................................................................................................................................. 8
Q-Pulse Reporting and Incident Management ........................................................... 9
Using Q-Pulse Document Control to create an OH&S Risk Register ..................... 10
Using Coruson ........................................................................................................................... 11
Using Ideagen Academy to Educate Staff about ISO 45001 .................................. 12
Conclusions and Recommendations ................................................................................ 12

2
Ideagen | WHITE PAPER

Often, when we’re tired and distracted, the only thing that can save us is our
good habits.

Total Safety Culture, p58. Dr. Tim Marsh; Ryder Marsh, 2014

An organization is responsible for the health and safety of its workers and
that of other persons under its control who are performing work on its behalf,
including promoting and protecting their physical and mental health. The
adoption of an occupational health and safety (OH&S) management system is
intended to enable an organization to improve its OH&S performance in the
enhancement of health and safety at work and to manage its OH&S risks.

ISO/DIS 45001 2016, ISO 2016

3
Ideagen | WHITE PAPER

INTRODUCTION
Although some countries have improved their industrial safety performance through legislative, regulatory and
cultural change over the past three decades, the issue of work-related injuries and diseases is globally substantial
and growing, damaging the lives of individuals and families, damaging companies and blighting economies.
To recognise and tackle this issue, ISO is in the final stages of developing a new standard named ISO 45001:
Occupational health and safety management systems – Requirements with guidance for use.

There is clearly a need for a global standard. Writing in his 2014 book, Total Safety Culture, Dr. Tim Marsh notes
that, “Here in the UK we have reached a level where, despite a population of around 60 million, deaths from
accidents at work are currently running at fewer than 200 per year. In 1974 when the Health and Safety at Work Act
was introduced it was 650 and back in 1910 it was around 12,000.” Legislative, regulatory and cultural change along
with a changing industrial profile has made places like the UK safer to live and work in, but of course 137 deaths is
137 too many. And globally, the ILO statistics indicate that in some places the level of OH&S risk maturity is closer
to 1910 than 2017.

www.hse.gov.uk/statistics/

Key figures for Great Britain (2016)

1.3 2,542 137

MILLION

working people suffering mesothelioma deaths due to workers killed at work

from a work-related illness past asbestos exposures (2015) (2016/17)

72,702 621,000 30.4 £14.1

BILLION BILLION

other injuries to employees injuries occurred at work working days lost due to estimated cost of injuries
reported under RIDDOR according to the Labour work-related illness and and ill health from current
Force Survey workplace injury working conditions (2014/15)

Globally: (according to ILO, World Day for Safety and Health at Work, 2017)

313 350,000 2 2.35 4%

MILLION MILLION MILLION

Work related accidents Work-related fatal Occupation and work- Work-related deaths Lost GDP due to
causing injury accidents related fatal diseases occupational accidents
and diseases
ISO 45001 will be the world’s first international OH&S standard and will help organisations everywhere to protect
their employees and the public, provide safer working environments, prevent deaths, injuries and diseases while
at the same time participating in supply chains, mitigating broader risks, safeguarding reputation and improving
efficiency and productivity. By implementing ISO 45001, companies will become more transparent, accountable
and resilient. Management will have better situational awareness and the operational intelligence that is necessary
for the organisation to thrive.

4
Ideagen | WHITE PAPER

About Ideagen
Ideagen is a leader in the development and provision of risk and safety management software solutions for
aviation, aerospace and defence and advanced manufacturing companies. We work closely with compliance,
quality, safety and risk industry professionals around the world and we know many of our customers are keen to
adopt ISO 45001.

Our view is that ISO 45001 will make a material difference to the health and safety performance of any
organisation that adopts it and internalises its intrinsic methodology. But not only that, our understanding of ISO
45001 coupled with our experience of similar standards including ISO 9001 and ISO 14001 makes it evident to us
that those organisations that embrace it will also benefit indirectly in terms of:

▪▪ Operational excellence;
▪▪ A culture of reporting, learning and sharing;
▪▪ A stronger brand and reputation;
▪▪ A substantial reduction in problems, undesirable events and failures of every type;
▪▪ Increased business resilience (deriving in part from an improved safety culture that drives risk awareness).

In this paper we indicate some of the ways in which Ideagen’s quality, safety and risk software products can help you:

▪▪ Achieve and demonstrate compliance with any standard, including ISO 45001, using Statements of
Applicability;
▪▪ To use the document control system in Q-Pulse or Coruson to implement risk-based policies and procedures
and then control these using the reporting system;
▪▪ Apply highly visual risk assessments to events using the Q-Pulse or Coruson Incident Management and
Investigation System (IMS);
▪▪ Fully implement a risk-based approach to OH&S management using the risk modelling and management
capabilities of Q-Pulse Risk or Coruson.
▪▪ Integrate your audit activities and incident management information with risk models.

5
Ideagen | WHITE PAPER

About ISO 45001 and OHSAS 18001

The introduction of ISO 45001 responds to the global need for a coherent approach to OH&S management based
on an international standard. As ISO 45001 is launched in 2018, OHSAS 18001 certification will be withdrawn
and certified organisations will have to make a new application to obtain a certification to ISO 45001 (or to other
accepted standards) once their existing certification expires.

ISO 45001 reflects ISO’s new High Level Structure (HLS) which covers ten standard clauses:

Clause 1 - Scope

Clause 2 - Normative references

Clause 3 - Terms and definitions

Clause 4 - Context of the organization

Clause 5 - Leadership

Clause 6 - Planning

Clause 7 - Support

Clause 8 - Operation

Clause 9 - Performance evaluation

Clause 10 - Improvement

As a result, it is designed to integrate with other management systems and the standardised approach makes it
easier for organisations to adopt and implement and for senior management to get on board. Above all, perhaps,
it will be easier to manage compliance with a system that already has its basic structure reflected in existing
business processes. That is, if you have already implemented ISO 9001:2015 or 14001:2015, then it will be relatively
straightforward to implement 45001.

Some differences from OHSAS 18001 worth noting

More flexibility around the documentation and structuring of the management system, for example in the
requirement for information rather than procedures. Similarly, since the overall purpose of the standard is
preventive there is no requirement to state specific preventive activities.

The focus on organisational context (clause 4), including internal and external issues and stakeholder needs.
This finds its highest expression in the requirement for leadership involvement and grass-roots participation
throughout the organisation.

The emphasis of risk-basis, like ISO 9001:2015, puts greater emphasis on risk modelling and hazard and
opportunity identification at the planning stage (6.1), control management (8.1), change management (8.2)
and the risky business of outsourcing and supplier management (8.3-5).

6
Ideagen | WHITE PAPER

The PDCA Logic of ISO 45001

Like ISO 9001:2015, ISO 45001 supports the Plan-Do-Check-Act (PDCA) model of continuous improvement in its
structure. Plan-Do-Check-Act is a virtuous cycle associated with the basics of quality management. The HLS of ISO
45001, like that of 9001 and 14001, is aimed at delivering long-term, sustained improvement rather than quick
fixes. The overall goal of ISO 45001 is continuous improvement of the OH&S Management System.

The diagram below shows how the improvement cycle works within the OH&S management system with the
standard HLS clauses noted in brackets.

INSTRUCTED
DS OF PAR
NEE TIE
S

PERFORMANCE
EVALUATION

DO CHECK

RED
IMP CED INJURY & ILLN CE
EXTERNALL ISSUES
INTERNAL ISSUES

U
ROVED
PARTICIPATION
SUPPORT &

PERFORMA
& IMPROVEMENT
OPERATIONS
LEADERSHIP

N
ESS
PLAN ACT

PLANNING

CO N
NTE
XT OF ISATIO
THE ORGAN

Fig. 1 PDCA in ISO 45001

Planning is central to the OH&S management system and starts with understanding the organisational context
and the needs of interested parties (4.1 & 4.2), which are then used to scope the business processes (4.3 & 4.4).

Successful implementation relies on leadership commitment to focus the entire organisation on developing a
strong safety culture (5.1, 5.2 & 5.3).

The next level of planning brings risk basis into the standard. This is a key difference from OHSAS 18001 and
reflects the emphasis on hazard and opportunity risk in ISO 9001:2015. (6.1, 6.2 & 6.3). The final planning level
focuses on the support structure for execution (7.1-5).

Doing, i.e. execution of the plan extends to all of the activities and processes required to implement the OH&S
management system, including safety operations (8.1), business change programme (8.2), outsourcing and
procurement (8.3-5) and emergency response processes (8.5).

ISO 45001 contains several elements aimed at checking and managing the performance and effectiveness of the
OH&S management system (9.1-3) including monitoring, measurement, internal audit and evaluation.

Act refers to the need to address problems identified in the check stage (10.1-2).

7
Ideagen | WHITE PAPER

HOW TO CONFORM TO ISO 45001 WITH IDEAGEN PRODUCTS

Q-Pulse ®

Q-Pulse Risk
Both Q-Pulse Risk and Coruson (see below) provide the tools for you to create and view a Statement of Applicability
in relation to any standards that you need to comply with. In a risk-based OH&S Management System, risks related
to policies, procedures, assets, suppliers or other such entities within the system can be identified and their
associated threats, controls and consequences can be recorded and the risks managed throughout their complete
lifecycle.

In the case of ISO 45001, for example, specific controls can be linked to the Standard’s clauses and a detailed,
specific Statement of Applicability (SOA) can be generated. This allows you to demonstrate the extent of your
organisation’s conformance to the Standard at any given moment. For instance, in advance of an internal or
external audit you can provide the auditor with a copy of your Statement of Applicability in order that they can
quickly determine the extent of your compliance and also plan their audit to address the areas of highest current
and emerging risk.

Implementing a Risk-Based OH&S Management System

Our advice for Q-Pulse users who want to align immediately with ISO 45001 and with maximum performance
benefits is to upgrade their Q-Pulse solution to include Q-Pulse Risk. This reflects our experience with the risk-basis
in ISO 9001:2015 and in the aviation sector where our airline customers, in order to comply with the regulations
imposed by their local civil aviation authorities, use Q-Pulse and Q-Pulse Risk together in order to implement a risk-
based approach to safety management.

The graphical visualisation features of Q-Pulse Risk help drive communication about risk and increase overall
adoption of the OH&S Management System:

▪▪ Widespread understanding of risk across the organisation – from the most junior to the most senior;
▪▪ Real time visibility of the organisation’s risk profile;
▪▪ Effective leadership oversight of all risks and the effectiveness of the controls in place;
▪▪ Instant understanding of the impact and extent of change to any controls;
▪▪ The sharing of lessons learned and best practice across the entire organisation.

Q-Pulse Risk uses the bowtie model to graphically illustrate a risk, including the undesirable events to be avoided,
the preventive and recovery controls that mitigate the business risk. When integrated with the Q-Pulse, the result is
a solution that supports dynamic risk management where controls are maintained in real time.

Rather than defining and managing risks inside documents in the Q-Pulse Documents Module, Q-Pulse Risk uses
risk registers where risks can be recorded, described and visualised in terms of the hazards or assets they relate
to and where undesirable events are represented as threats, consequences and controls. Leaders have ultimate
responsibility for effective risk management in any organisation: the new draft standard emphasises this. A risk-
based operating model delivers high performance people, processes and organisations and puts business critical
decision support information in front of management in near or real time.

8
Ideagen | WHITE PAPER

Q-Pulse Reporting and Incident Management

Upgrade Q-Pulse to include the Reporting capability that includes:

Flexible form builder for all kinds Flexible workflow modelling and Incident management and
of operational reporting response automation investigation features

To support a culture of leadership and learning, it is vital to foster open reporting procedures for all stakeholders:
free from punitive measures and prescriptive manual processes. The Q-Pulse Advanced Reporting capability acts
as a central focal point that ensures the effective capture of information, minimises the risk of data inaccuracy and
avoids duplication of reports and information. This approach generates a single version of the truth.

Q-Pulse Advanced Reporting has several features that increase the volume and quality (accuracy) of reporting,
notably:

▪▪ The option to report with confidentiality (volume);

▪▪ Mobile reporting – can be accessed via mobile apps to support remote and flexible workers (reach, volume,
accurate and timely);
▪▪ The ability to define fields and forms that accurately reflect the information you need to capture in a
particular type of report (accuracy).
▪▪ Mandatory fields (accuracy and relevance);
▪▪ Attach supporting evidence (includes image annotation).

In addition to a basic process management approach (described below), Advanced Reporting embeds risk
assessment and management into the operational reporting process. In responding to an incident, the reporting
module includes risk assessment and analysis tools that enable:

▪▪ Risk assessment throughout the investigation process;

▪▪ Automatic visibility of new events and investigations;
▪▪ Attachment of new evidence to support the investigation process;
▪▪ Manage findings and outcomes.
▪▪ Analysis for continuous improvement and risk mitigation purposes.

The visualisation of risk in Q-Pulse Advanced Reporting shows a quantification of:

▪▪ Initial level of risk (post-incident);

▪▪ Interim level of risk (during mitigation);
▪▪ Final level of risk (after mitigation is effective).

Next-steps guidance is also shown for consistent decision support across teams. Each risk can be assigned:

▪▪ A name, description and revision number

▪▪ A likelihood and severity dimension
▪▪ Up to 10 extra severity perspectives (e.g. environment, reputation, financial)

This can be completely customised to the business needs.

9
Ideagen | WHITE PAPER

Using Q-Pulse Document Control to create an OH&S Risk Register

This would be a basic entry-level approach to get your organisation thinking about safety risks. If you already use
the Q-Pulse document management module to control your policies and procedures, a straightforward option that
you can introduce immediately is to review your ISO 45001 procedures in line with the new draft standard. ISO
45001 requires that you adopt a risk based approach to safety. This requires the modelling of incidents as risks
that consist of the undesirable event plus the preventive barriers and mitigating controls. Each risk

can exist as a document within the repository. It can be created collaboratively, edited, approved, published,
distributed, reviewed and withdrawn. When new information becomes available that can strengthen a preventive
barrier, it simply becomes a matter of updating the control description in the relevant procedure document.
For example, you are the safety manager in an industrial plant. An undesirable event that you want to avoid is
someone falling from a height. You can model this undesirable event as a risk:

A fall is the failure you want to prevent. Preventive controls (barriers) are put in place that include:

▪▪ Safety briefings
▪▪ Planned maintenance
▪▪ Supervision
▪▪ Platform Safe-To-Work instructions
▪▪ Competent staff

Mitigating (recovery) controls are put in place that include:

▪▪ Use of fall arrest harness

▪▪ First aid training
▪▪ First aid equipment

A new member of staff is recruited and starts work without receiving a safety briefing. They subsequently use
a ladder on a slippery floor and are injured in a fall. What can then happen is that a safety manager (or any
employee) involved can raise a change request against the risk definition document: a preventive control needs to
be added (or strengthened) to the effect that a safety briefing must be delivered to a new staff member before s/
he is allowed onto that part of the plant. The respective document is then updated, reviewed, approved, published
and distributed. The organisation learns and quality and safety is improved.

This approach to risk documentation and management, using the Document Control module you already have in
your Q-Pulse installation, is one way that you can start to think about and align with the new ISO

45001 standard. You can experiment with it and roll it out across any part of the business: the risks can range from
slips and trips in the foyer to losing a major account to a competitor. The process is the same regardless of the
scale and context of the risk: define the failure, define the preventive controls, define the mitigations, document
these definitions and procedures and use the Q-Pulse Document Control, CAPA and Audit modules to manage all
of this.

There are logistical limitations with this approach, however:

▪▪ Lack of automation
▪▪ No graphical visibility of risk profiles
▪▪ Limited visibility of exposure to emerging risks
▪▪ No risk/control impact or relationships for change assessment

For example, supervisors and workers may use non-conformance reporting to report unsafe practices in working
at height and in a given month there may be many such reports but no actual incidents. In the case of a document-
based risk management system, this trend of emerging risk would not be visible. To make this emerging risk profile
visible requires a more powerful risk management capability such as that available in Q-Pulse Advanced Reporting,
Q-Pulse Risk or Coruson.

10
Ideagen | WHITE PAPER

Using Coruson
Ideagen Coruson is an enterprise risk-based safety management software product that comprises policy
management, incident management, safety reporting, audit and risk management. Built on Amazon Web Services,
Coruson has scalable cloud architecture and can be extended without limits to user numbers and geographical
location. It is always accessible through a modern browser and easy to roll out to new users.

Coruson delivers all of the functionality discussed above in relation to Q-Pulse and Q-Pulse Risk in a complete,
seamlessly integrated, cloud software application:

Policy and Procedure Audit Management Corrective/Preventive Action Incident Management and
repository with full Change (CA/PA) Management Reporting
Control

Investigation and Action Hazard Identification Risk Assurance and Dashboards, Analysis and
Tracking Management Management Business Intelligence

The tools are there when you need them and when you are ready, we will help you to get the maximum
transformational benefit regardless of what maturity stage your organisation is at.

As with Q-Pulse, Coruson is ready to respond to ISO 45001 via intelligent document management, intuitive
accurate reporting, risk modelling and management that ties into all the other functions, third party management
and real time analysis and insights for organisational leaders. Above all in this context of the risk-based model
intrinsic to ISO 45001, Coruson has been designed and built on the same basis. Coruson enables you to identify,
understand and manage risk throughout your organisation. Like Q-Pulse

Risk, Coruson uses the Bowtie Methodology to help you build graphical visualisations that help you to quantify,
prioritise and mitigate threats to the safety and wellbeing of personnel. Seamless integration with Coruson’s
performance management tools results in automatic alerts and workflow-driven escalations when thresholds and
risk controls are compromised. It is possible to track trends and keep on top of emerging risks to the business such
as correlated near misses or frequency of unsafe working practices.

Statement of Applicability using Coruson

Similar to Q-Pulse Risk (see above), Coruson also features a Statement of Applicability function enabling you to
document and easily monitor your risk-based compliance across all the clauses of the new ISO 45001 standard (or
any standard).

11
Ideagen | WHITE PAPER

Using Ideagen Academy to Educate Staff about ISO 45001

Ideagen Academy is our online Learning Management System (LMS) entirely dedicated to our customers’ training
needs relating to safety, risk and quality management. You can use the Academy to train your staff on how to use
products such as Q-Pulse to implement a OH&S management system that conforms to ISO 45001.

Once the standard is published, you can be sure that it will be captured and reflected in the training courses
and content available. You can also add your own content to support internal training needs and employee skill
development. Competence management can be aligned to business risk as well as operational needs.

CONCLUSIONS AND RECOMMENDATIONS

The purpose of an OH&S management system is to provide a framework for

managing the prevention of death, work-related injury and ill health. The
intended outcome is to prevent death, work-related injury and ill health to
workers, to improve and provide a safe and healthy workplace for its workers
and other persons under its control. An organization’s activities can pose a
risk of death, work-related injury and ill health, consequently it is critically
important for the organization to eliminate or minimize OH&S risks by taking
effective preventive measures. When these measures are applied by the
organization through its OH&S management system (supported by the use
of appropriate controls, methods and tools, at all levels in the organization)
they improve its OH&S performance. It can be more effective and efficient to
take early action to address potential opportunities for improvement of OH&S
performance.
ISO/DIS 45001 2016, ISO 2016

The benefits of compliance with ISO 45001 include improved safety and wellbeing of staff and the public, reduced
costs associated with improved safety, better relationships with customers and suppliers and more efficient
business processes. The risk-based approach to compliance inherent in ISO 45001 adds significantly to this via the
anticipative, proactive attitude it engenders.

▪▪ Modernise and strengthen your OH&S Management System

▪▪ Strengthen safety culture and risk awareness
▪▪ Anticipate problems and prevent them before they emerge
▪▪ Strengthen control and oversight of operational processes
▪▪ Make a step change improvement in operational performance and efficiency
▪▪ Strengthen processes for reputation and brand protection

Ideagen’s safety, compliance, quality and risk management products Q-Pulse and Coruson offer a complete
solution to achieving ISO 45001 conformance. The approach and degree of process automation you choose can be
partial, stepped or complete. Whatever your choice, the Ideagen Customer Experience and Professional Services
teams are available to help you every step of the way.

12
Ideagen | WHITE PAPER

WHAT SHOULD YOU DO NEXT?

We recommend that organisations using OHSAS 18001 take the following steps:

Review the ISO 45001 standard and identify the gaps in your OH&S management system that need to be
addressed for compliance with the new standard.

Create an action plan for implementation that includes senior stakeholders and representatives and champions
throughout the business.

Verify the effectiveness of your upgraded OH&S management system and consult with your certification body
regarding the 18001-45001 migration tasks, including any training and competence requirements.

It is likely that significant changes will be needed in your OH&S management system and this is where a software
solution like Q-Pulse or Coruson can be not just an enabler for the migration but also a long-term bulwark for
positive change and business process improvement. Some initial key tasks will include:

▪▪ Gap analysis clause by clause (statement of applicability can help)

▪▪ Alignment of documentation, policies and procedures (document management)
▪▪ Training and competence upgrade
▪▪ Workflows and response automation
▪▪ Incident management and investigation procedures
▪▪ Implementation of risk-basis
▪▪ Improved management reporting

The biggest benefit of business process modernisation is felt in the long term as a result of the positive cultural
change that derives from:

▪▪ Increased reporting and the development of good operational safety habits

▪▪ Familiarity with the semantics of risk
▪▪ Awareness of safety risk models and controls
▪▪ Organisational transparency from all perspectives
▪▪ Increased operational intelligence
▪▪ Growing pride in continuous improvement

Culture in many ways is what staff in your organisation do when you are not
watching them. It is values based and ethically driven. You can create ever
stronger processes and controls, but if your staff do not understand or buy in,
these will only be paper thin and will probably not stand up to scrutiny in a
future crisis.
Alex Hindson, former Chairman of IRM, writing in “The Risk Management Handbook,” KoganPage, 2016

13
 Please contact Ideagen for advice about using
our software to help you to improve your OH&S
performance in a proactive manner, preventing

Anticipate prob- injury and ill health.

lems before they

emerge

e : info@ideagen.com | w : ideagen.com
Copyright © 2017 Ideagen Plc. All rights reserved worldwide.