
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/332635933

14. ISO 45001

Chapter · May 2019


DOI: 10.1108/978-1-78769-801-720191014


All content following this page was uploaded by Marco Sartor on 16 April 2020.



14. ISO 45001
by Chiara Campailla, Andrea Martini, Federico Minini, Marco Sartor

Abstract
The new standard ISO 45001 is expected to give a significant boost to the growth of the number of companies that have
adopted and certified an occupational health and safety management system. The structure of the new standard reflects
the Annex SL, thus facilitating the Organizations in aligning and integrating their management systems. The
requirements of the standard lead Companies, across the Deming Cycle, to the continual improvement of OHS
performance starting from the essential process of leadership and commitment, through the implementation of the key
processes of planning (context analysis, risk assessment, operational planning and control), of the support processes
(communication and participation, competence and awareness of resources, documentation management) and, finally,
the processes of performance evaluation (monitoring, auditing, management review). The advantages are a full control
of compliance obligations, a significant reduction in the injury indexes, a reduction in the associated costs and an
improvement in corporate image.

Key words: ISO 45001, safety management system, certification

14.1 Introduction
The number of companies that have adopted and certified an occupational health and safety management system
according to BS OHSAS 18001 has gone from 7,000 units in 2012 (source: ACCREDIA Observatory “Occupational
Health and Safety” No. 1 / 2012) to 17,000 in 2018 (source: ACCREDIA Observatory “Occupational safety and
certification” No. 1/2018). The increase is due both to an ever-growing safety culture, which enables executives to fully
understand the real benefits of management systems, and to changing prospects in occupational health and safety, which
have prompted companies to adopt and certify a safety management system. ISO 45001, the new international standard
that is going to replace, in the next three years, the British standard OHSAS 18001, is expected to give a significant
boost to the growth of the number of certified Occupational Health and Safety Management Systems.
This chapter outlines the requirements of ISO 45001:2018, providing some practical examples of its application and
highlighting the most significant new features introduced during the elaboration of the standard.

14.2 The Annex SL
Before going into the detail of the requirements of the standard, it is appropriate to comment briefly on its structure,
since it is profoundly different from that of the previous reference standard for occupational health and safety
management systems.
The structure of the new standard ISO 45001 reflects the Annex SL, which is included in the first part of the ISO/IEC
Directive and describes the requirements for ISO Management System Standards, that is, how these standards shall be
structured and written so as to be aligned and consistent with each other.
The aim of the Annex SL is to provide the same structure (i.e. the high level structure) and terminology to all
management systems, in order to facilitate the organizations in aligning and integrating their management systems.
Annex SL also introduces into the Management Systems Standards the so called “risk based thinking” and the concept
of “context of the organization” and emphasises the issues of leadership and participation and consultation of all parties
that are interested in the management systems.
Risk-based thinking is a mind-set that aims to drive organizations to design and implement their management systems
by integrating them into the strategic processes of the organization itself.
The concept of risk, already present in the previous reference standard for occupational health and safety management
systems, now takes on a different meaning that will be discussed later.

14.3 The international standard ISO 45001:2018 - definitions and general aspects
ISO 45001:2018 “Occupational health and safety management systems – Requirements with guidance for use” specifies
the requirements that an occupational health and safety management system (hereafter abbreviated with the OHSMS
acronym) must have to allow an organization to effectively control its own risks and opportunities within this scope.
The standard, however, does not provide indications on the occupational health and safety (subsequently abbreviated
with the OHS acronym) performance level that must be achieved by the organization that wishes to apply it; nor does it
provide guidance on how to design and implement the system. For this reason, the standard applies to any kind of
organization, regardless of its size, geographic location, socio-cultural factors and binding legislation, compliance with
which is a condition for the application of the standard.
Unlike most national regulations on occupational health and safety, which make the adoption of occupational health and
safety measures mandatory, the application of ISO 45001 is discretionary; it is implemented following the decision of
management to run all aspects of occupational health and safety in a systematic and controlled way and can be adopted
by all organizations wishing to implement, maintain and improve an OHSMS and have a tool that ensures compliance
with their own safety policy and the binding legislation in the field.
The terminology used in this chapter is that defined in the reference standard for OHSMS.
The model on which the new standard is based is still the one Deming proposed for the continual improvement of process
quality: the PDCA (Plan-Do-Check-Act) cycle.

Fig. 14.1 - Deming Cycle referred to the key processes of ISO 45001.

The four iterative phases that compose the cycle (figure 14.1) can be described as follows when applied to health and
safety:
• Plan: this is the phase where, starting from the analysis of the context of the organization, the interested parties
and OH&S risks and opportunities, a plan of actions is defined to address the significant elements and to
improve the OH&S performance in relation to the objectives set by the organization in line with its safety
policy. An effective planning process must also include the definition of intervention priorities,
implementation responsibilities, human and economic resources to be assigned to each intervention, criteria to
measure the degree of achievement of the objectives and the definition of intermediate targets in case of long-
term plans. Criteria for the definition of intervention priorities are dictated by risk assessment, whereas for the
preferred intervention arrangements, it is recommended to apply the hierarchy of controls.
• Do: this is the stage of preparation and implementation of improvement plans; depending on the type of
intervention, it may involve one or more parts of the organization and cover one or more areas (training,
organizational or technical).
• Check: this is the performance monitoring and measurement phase; it concerns the assessment of the effectiveness of
actions; it also includes the comparison between the results achieved and the objectives set, through the
analysis of data collected during the management system implementation phase and the calculation of
performance indicators;
• Act: this is the phase where results are consolidated and become, where possible, an integral part of the
business management system as well as of the preparation of the new planning phase; this will start with the
assessment of the degree of achievement of the objectives, the analysis of the reasons for success and the
causes of any partial or total failure (partial or missed achievement of one or more goals).
Some of the above-mentioned steps, as discussed later, need to be documented as appropriate to the extent necessary to
have confidence that what was stated is true and implemented within the organization; this happens through the
drafting of documents such as a safety policy, procedures and operating instructions related to the significant risks
identified during the planning phase, the definition of parameters to be measured or to undergo periodic monitoring, the
provision of models suitable to record measures and monitoring results, the drafting of reports on analyses, organization
evaluations and decisions on health and safety issues.

14.4 Requirements and implementation of an occupational health and safety management system.
The requirements of an OHSMS are described in Chapters 4 to 10 of the standard. Following the steps of the Deming
cycle, the chapters describe the processes and support documentation that an organization must establish, implement
and maintain within its management system. The standard does not in any case provide specific indications on how to
comply with the requirements: useful information for its interpretation and understanding is given in Annex A
“Guidance on the use of this document” (i.e. “the standard”), which analyses the requirements of ISO 45001, supplying
guidance on their application. The Annex describes the principles underlying each statement of the standard and details its
purpose, the typical input data, the process to implement and the expected results.
Another useful reference document for the interpretation of the standard’s requirements is BS 45002-0:2018
“Occupational Health and safety management systems - Part 0: General guidelines for the application of ISO 45001”,
which provides examples and recommendations for the development of the OHSMS.
A brief analysis of the requirements of an OHSMS is provided below, together with the operating process useful to design and
implement it.
The first clause, which introduces one of the most relevant new features of the reference standard, requires the organization to
understand its context, determining the internal and external issues that can positively or negatively affect its capability
to achieve the intended outcomes of the OHSMS (clause 4.1).
The context is the general environment the Organization is working in, and it is determined by circumstances that can
be internal or external to the organization itself and can influence its possibility and capability of achieving the planned
results.
External issues that may be considered in the context analysis are those related to the socio-political and environmental
conditions of workplace locations, the legal framework, the relationships with the interested parties and external
contractors, the conditions determined by the reference market and the product group while internal issues are those
related to the Organization’s size, nature and activities, its governance and policies, values and culture, its assets in
terms of material resources and human capital. The comprehension of the context, as well as its planned and foreseeable
changes, is essential to establish an occupational health and safety management system adequate to the size and
complexity of the organization.
Establish - literally "set up, form, organize stably" - means to implement all the elements of the system before it can be
considered permanently established, while maintain means to keep the system in place through an active effort on the
part of the organization.
The process to establish the management system starts from the context analysis, which can be carried out with
methodologies such as “what-if” questions or PESTLE analysis, or derived from a business process mapping, and continues
with the identification of interested parties and the determination of their needs and expectations that are relevant to the
OHSMS.
This process, introduced by clause 4.2, requires the Organization to identify which internal and external parties, in
addition to workers, may affect or be affected by the OHSMS and to determine which of their needs and expectations
are relevant to the management system and should therefore be considered when establishing it.
The Organization is also required to determine which relevant needs and expectations become a compliance obligation,
that is, a requirement the organization must or decides to comply with.
Examples of interested parties are customers, regulating authorities, suppliers, contractors and other external providers,
shareholders, visitors, local communities and media.
Having understood the context and the needs and expectations of interested parties, the Organization is then required to
determine the scope of the OHS management system.
The scope of the OHSMS shall be determined (clause 4.3) considering the relevant issues of the context, the interested
parties' relevant needs and expectations and the Organization’s activities and services under the control or influence of
the organization itself that can impact on its OHS performance.
The capability of an Organization to control (i.e. manage with full decision-making power) or influence (i.e. play a
part in determining how to manage) the work-related activities and the workplace where they are performed within
the scope of the OHSMS strongly affects the Organization’s responsibility under the OHSMS itself.
In the identification of the workplace it is important to consider, besides the company headquarters, all the places where
activities are carried out under the control of the organization, including those external to the premises, where workers
transit or perform their tasks. Within this definition, and therefore within the scope of a management system, are
construction sites and all the activities carried out internally, or the activities performed permanently or occasionally at
customers' premises (e.g. maintenance, assembly, service).
Once the scope has been defined, the OHSMS can be established.
When establishing the OHSMS, it is required to integrate it with the other business processes (clause 5.1) in order to
ensure that safety requirements and objectives are taken into account at the higher levels of the Organization, since the
involvement of interested parties is a key to succeeding in safety management.
ISO 45001 particularly emphasises the importance of Top Management leadership and commitment, which shall be
demonstrated through a clearly marked series of actions.
The first step for the Top Management to demonstrate leadership and to provide stability to the management system is
to define and approve the organization's health and safety policy (clause 5.2). The OHS policy defines the general
orientation of the organization and, starting from its mission, vision and values, drives it to the definition of health and
safety objectives.
It should be appropriate to the Organization’s features, context, risk and opportunities and shall include the commitment
to comply with the binding standards on health and safety, to continual improvement and the prevention of injury and ill
health and to the consultation and participation of workers and their representatives.
The policy issued by the top management must be reported to both company staff and those who operate under its
control and must be made available to interested parties.

SAFETY POLICY (rev.1, 09.2018)
The company management, aware of the responsibility of the Organization towards the protection of workers' health and safety, has
implemented and maintains a safety management system compliant with ISO 45001:2018.
The health and safety policy at work established by the Management is the following:
The organization’s goal is to continuously improve its environmental and occupational safety and health performance.
To achieve this goal, the top management undertakes to:
• Fulfil applicable laws and regulations on health and safety at work;
• Implement the necessary measures to prevent accidents and occupational diseases
• Promote the consultation and participation of workers to enhance safety culture and awareness on safety issues
• Make resources available to support the implemented management system
• Set goals for the safety management that will be expressed in a periodically reviewed improvement plan and make
resources available to achieve them
• Maintain and improve workplace safety conditions in line with evolving technological know-how
• Continually improve their occupational safety and health performance through elimination and where this is not possible,
risk reduction.
• Ensure maximum collaboration of all staff for the implementation of the occupational health and safety management
system at work through continuous specific training;
• Spread the policy of health and safety at work and related certifications to interested parties.
The management is responsible for disseminating, understanding and implementing the policy of health and safety at work to all the functions
involved. On the occasion of the management review, the management itself verifies the suitability of the expressed policy, evaluating any
updates.

Fig.14.2 - Example of safety policy

The reference standard also emphasises the process of consultation and participation of workers as a key for the
effectiveness of the OHSMS (clause 5.4).
This process shall be extended also to non-managerial workers with relation to different issues, e.g. consultation in
establishing the safety policy (figure 14.2) or participation in the process of hazard identification.
Once foundations have been laid, i.e. system scope and management commitment, the planning phase begins. It covers
two wide areas: the risks and opportunities area and the support one.
Planning requirements related to the risk and opportunities area concern the identification and assessment of risks and
opportunities for occupational health and safety and for the OHSMS, the determination of compliance obligations and
the establishment of occupational health and safety objectives for the continuous improvement as well as the planning
of actions that are necessary to address these risks and opportunities, the legal and other requirements and the OHS
objectives.
Planning requirements related to support area concern the processes of resources management, competence, awareness
and communication.
Another of the most relevant new features introduced by the new ISO 45001 standard requires Organizations that are
implementing an OHSMS to approach the risk assessment process pursuant to the new definition of risk, which is now
understood as the consequence of the unpredictability of an event, where the consequence can be either a negative or a
positive deviation from an expected result.
Negative deviations from expected results are commonly called risks, while positive deviations are commonly referred
to as opportunities, because they can lead to an enhancement of OHS performance.
With relation to negative deviations, the prevention process, which comprises hazard identification, risk assessment and
definition of the necessary control measures, still remains the heart of the planning phase.
This process, whose methodology and criteria shall be maintained (i.e. kept updated) and retained (i.e. prevented from
unauthorized modification) as documented information, must take into account some key elements, which may be
grouped into the following categories:
- activities: ordinary and extraordinary activities undertaken in workplaces by internal and external staff
(including third parties and visitors) under the control of the organization and activities
- product and service safety risks analysed in a life cycle perspective (i.e. from design to disposal, as applicable
to each organization)
- human and social factor: human behaviour and skills, culture and leadership in the organization;
- hazards: both those originating outside the workplace which may adversely affect the health and safety of
personnel inside the workplace, whether or not they are controlled by the organization, and those generated
in the areas surrounding the workplace by activities correlated to those of the organization;
- infrastructures and organization: infrastructure, equipment, work organization, site and work areas design;
- past significant incidents and real or potential emergencies
- planned or foreseeable changes in the above mentioned groups and in the knowledge of hazards.
All the above elements must also be analysed in light of binding obligations and operational contexts, which may
involve specific risks abroad, such as those related to extreme climatic conditions, endemic diseases, work in faraway
places, dangerous animals, unstable socio-political conditions, possible abductions and civil or military turmoil.
The process shall favour prevention rather than protection, in a proactive rather than reactive safety perspective. For this
purpose, a scale of risk mitigation interventions is also provided: elimination is in first place, followed by substitution,
technological measures, signage and organizational measures, and ultimately protection equipment. Risk assessment
outcomes and the definition of controls must be documented and kept up-to-date.
The standard leaves the employer free to choose the most suitable assessment criterion based on the nature and risks of
the Organization.
A widely accepted criterion estimates the risk for safety (R) as a function of the event probability (P) and damage
magnitude (G), as shown in Table 14.1 (source: ISPESL).

Table 14.1 - Example of a risk assessment criterion

Probability P

| P | Level | Definition |
|---|---|---|
| 4 | Highly probable | There are known episodes where the hazard has caused damage, or there is direct correlation between hazard and damage. The occurrence of injury or damage would not be a surprise for the company. |
| 3 | Likely | Some episodes are known where the hazard has caused damage or the hazard can turn into damage, even though not by default. The occurrence of injury or damage would hardly be a surprise for the company. |
| 2 | Not very likely | Only rare episodes are known or the hazard can occur only under specific circumstances. The occurrence of injury or damage would be a surprise for the company. |
| 1 | Unlikely | There are no known episodes, or the damage can occur only following a combination of improbable and independent events. The occurrence of damage will cause astonishment in the organization. |

Severity G

| G | Level | Definition |
|---|---|---|
| 4 | Extremely serious | Accident with very serious and irreversible injuries, total disability or life-threatening consequences. Chronic exposure with lethal or totally disabling effects. |
| 3 | Serious | Injury or temporary disability with significant and irreversible injuries or partial disability. Chronic exposure with irreversible or partially disabling effects. |
| 2 | Average | Temporary accident or disability with significant mid-term reversible ailments or injuries. Chronic exposure with reversible effects. |
| 1 | Light | Temporary injury or disability with rapidly reversible effects. Chronic exposure with rapidly reversible effects. |

R = P x G

| G \ P | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| 4 | 4 | 8 | 12 | 16 |
| 3 | 3 | 6 | 9 | 12 |
| 2 | 2 | 4 | 6 | 8 |
| 1 | 1 | 2 | 3 | 4 |

| R | RISK | ACTION | OPERATIONAL CONTROLS |
|---|---|---|---|
| 12 ≤ R ≤ 16 | Extremely high | Take immediate measures of risk prevention and protection or, where not possible, temporarily suspend the activity. Identify short-term improvement measures to reduce the risk level. | Operational control is not applicable since measures of risk level reduction need to be implemented first |
| 6 ≤ R ≤ 8 | High | Implement immediate measures for risk prevention and protection. Identify short-term improvement measures aimed at reducing the level of risk. | Operational control is not applicable since measures of risk level reduction need to be implemented first |
| 3 ≤ R ≤ 4 | Intermediate | In case of risk with D = 1 or D = 2, consider long-term improvement measures to reduce the risk level. In case of risk with D = 3 or D = 4 take immediate measures of risk protection and consider long term improvement measures to reduce the risk level. | Procedures or instructions drafting for operational control. |
| 1 ≤ R ≤ 2 | Low | No precautionary and protective measures are strictly necessary (those in place can be regarded as sufficient) | Monitoring to ensure that the level of risk is at least maintained. |

In addition to the risks generated by the hazards associated with work activities, the risk that the management system
does not achieve the expected results must also be assessed.
These expected results are above all the control of legal compliance, the continual improvement of OHS performance
and the achievement of OHSMS objectives set by the Organization.
Events or circumstances that enable the Organization to enhance its OHS performance or to
improve the OHSMS are referred to as opportunities.
These opportunities shall be assessed and managed as appropriate in relation to the nature, size and complexity of the
Organization.
Opportunities that may be seized to enhance OHS performance can be found, for example, in the process of design of
products, services and working areas and may be supported by resorting to technologies such as automation or remote
monitoring.
The other processes of the planning phase are the management of legal and other requirements to which the company
wishes to or must adhere, the planning of actions and the definition of safety management objectives and
programmes (figure 14.3).
The process of managing legal and other requirements aims to ensure the identification of applicable requirements
and the organization of the necessary actions to achieve and maintain full compliance, in line with the company policy
statements. The requirements to be considered range from binding ones, authorizations, permissions and licenses
related to the organization's activities up to agreements with internal or external stakeholders and the adoption of non-
mandatory guidelines and good practices. When managing this process, organizations whose workers are temporarily or
permanently resident in countries other than that of the organization headquarters, will also have to take into account
binding laws in these other countries. Although the underlying principles of health and safety legislations are the same,
each country may have its own specificities. The most significant differences in binding requirements are found not so
much in Europe, where laws of member states are harmonized by Community Directives, as in non-European countries,
where requirements are usually much less strict; only in rare cases the opposite is true, i.e. where prescriptions are
extremely tight in terms of prevention (e.g. in the United States and Canada).
It is therefore crucial for organizations operating abroad to analyse the legislation in the destination country in advance
to comply with the specific requirements before activities begin (time for authorizations and permits, time to arrange
workplaces in accordance with the standards and local laws). Among the other requirements (non-legislative, but which
must be considered as per ISO) are customer requirements. For example, in Saudi Arabia/UAE, customers have high safety
standards and by corporate policy ask for more stringent requirements than binding laws in their countries. Thus further
analysis is needed on this point. Should this phase not be adequately investigated, the consequences could be criminal,
economic (production block) or financial penalties (from customer to contractor).
The output of legal requirements management process must be maintained and retained as documented information.
The process of defining and documenting safety objectives is an integral part of OHSMS planning and is one of the key
tools for continual improvement; the objectives must be defined in line with the commitments stated in the safety
policy, taking into account both legal and other requirements applicable to the organization and other elements
emerging from the planning phase, such as the identified risks and opportunities and the real or potential identified
emergencies.
In defining improvement objectives, it is necessary to bear in mind that adjustment measures to be implemented
following a non-compliance do not qualify as improvement measures; such are for example those allowing the
organization to obtain and maintain a lower target exposure value by a defined percentage limit, given a binding
exposure limit already complied with.
The objectives should be "SMART" as far as possible, in technical literature meaning Specific, Measurable (or
assessable, according to ISO 45001), Attainable, Relevant, Time-bound, to allow a true quantification of goals and
continual improvement achievements.

Objective plan (Rev.01, 09.2018)

| RISK | OBJECTIVE | ACTIONS | RESPONSIBLE | RESOURCES | DUE DATE | STATUS | CLOSE DATE | NOTES |
|---|---|---|---|---|---|---|---|---|
| investment by forklifts | risk reduction from 6 to 3; probability reduction from 2 to 1 | Integration of vertical signs. Installation of rear-view mirrors | MNT | €1000 | 12.2018 | 40% | | Signposts completed. Mirrors ordered |
| Mechanical risk of valve projection in case of incorrect manoeuvring during functional testing | risk reduction from 4 to 2; probability reduction from 2 to 1 | Safety signage application related to the safe area for the operator during the test | MNT | €50 | 08.2019 | 10% | | |

Fig.14.3 - Example of objectives programme

The second phase is about doing; it includes the processes of:
- definition of the functional resources for the implementation of the OHSMS;
- training and awareness;
- communication (in the new reference standard the process of consultation and participation of workers is now
a part of the chapter on leadership);
- management and control of documented information;
- definition of operational control measures aimed at the elimination of hazards and reduction of OHS risks;
- emergency preparedness and response.
One of the factors affecting the effectiveness of an OHSMS is commitment to implementation, maintenance and
improvement by members of the Organization, starting from the highest management levels; it is up to them to define
the organizational structure by assigning roles, responsibilities and resources in relation to occupational health and
safety management. To ensure an optimum level of compliance with the requirements of the standard, roles need to be
clearly defined and responsibilities correctly allocated, to provide each member of staff with the training and technical
and economic resources necessary for the given assignments (figure 14.4).

Fig.14.4 - Example of organizational chart

Key processes include training, operational control and emergency preparedness and response; they should be part of
the ordinary company safety management since these are normally processes/themes subject to binding legal
requirements.
Particularly interesting is the training requirement of the standard (figure 14.5); usually it is the employer's duty (set by
the law) to train its own workers, whereas the standard requires the organization to operate so that all people carrying out,
under its control, activities with an impact on health and safety acquire the necessary skills through training and
practice. This process is strategic for compliance with one of the compulsory commitments of the safety policy, i.e. the
reduction of accidents and occupational diseases. Through training and coaching it is possible to make workers aware
not only of risks and preventive procedures, but also of the importance of their role and responsibility in achieving
corporate health and safety objectives.

Training programme (Rev.01, 09.2018)

| TYPE | METHODOLOGY (TRAINING / COACHING / OTHER) | TRAINER | ASSESSMENT METHOD | DURATION (hr) | PLANNING: DATE | PLANNING: PERSONNEL | STATUS |
|---|---|---|---|---|---|---|---|
| Update of employees for the operation of forklifts according to regulation n.2 | X | Forklift specialist | Oral exam | 4 | Feb 2020 | Forklift operators | To do |
| Update of the first aid officers group A | X | Competent doctor | test | 6 | Oct 2021 | First aid officers | Confirmed registration |

Fig.14.5 - Example of training programme

The process of defining operational control measures is usually activated immediately after the process of hazard
identification and risk assessment, to which it is closely linked.
Once hazards have been identified, the measures to eliminate, reduce and control them are established; these measures
shall follow the hierarchy of controls (clause 8.1.2) and may include actions related to maintenance (maintenance plans
for machines, work equipment and infrastructures), administration (staff rotation, access control, requirement
assessment for third parties with access to the company), procedures (definition of procedures and work instructions for
hazardous activities and jobs, use of work permits, figure 14.6) and management (design of environments and
workstations, management of hazardous substances).
Fig.14.6 - Example of work permit

In the definition of operational controls, procurement and outsourced processes must also be considered.
ISO 45001 states that an organization retains responsibility for activities that are outsourced rather than carried out
internally.
In this case the organization should define the degree of control over the outsourced processes and functions and ensure
that appropriate operational control measures are in place.
The procurement process shall be managed in order to effectively control the hazards introduced in the workplace by
products, substances or external activities.
Another key aspect of occupational health and safety management relates to emergency preparedness and response. The
standard requires the organization to establish, implement and maintain one or more processes to identify possible
emergency situations and respond to such situations (figure 14.7). Procedures should be periodically tested through
emergency simulations and revised following both exercises and real emergency situations.

Fig. 14.7 - Flow chart for fire emergency management

Many factors must be considered when identifying possible emergency situations, and they must be investigated both
inside and outside the organization.
Factors within the organization range from hazards associated with the use of machinery and dangerous substances and the
use of processes that in case of failure may result in the release of gases or other dangerous substances, to fire load or
the presence of explosive atmospheres.
External factors include the geographical location of workplaces (extreme climatic conditions, endemic diseases,
particular geo-climatic conditions that may lead to natural disasters), the political situation (jobs in "hot" areas with high
risk of public disorders, terrorist or violent events in the workplace).
This phase is particularly important in the case of companies that have to manage locations or workplaces abroad in
addition to national headquarters, such as construction or service sites; these companies will have to design, for
example, specific procedures to manage evacuation from workplaces and to arrange, both locally and remotely, the
repatriation of their staff abroad. Both operational and health emergency management procedures will also be required,
such as the management of work suspension in adverse climatic or meteorological conditions or the management of
health emergencies.
The third phase, related to control, comprises the processes of:
- performance evaluation, monitoring and measurement;
- conformity assessment;
- internal auditing;
- management review.
In relation to these processes, the standard requires the organization to implement and maintain them in order to:
- regularly monitor the effectiveness of the management system elements, with particular attention to the
monitoring of the effectiveness of operational control measures and the measurement of health and safety
performance indicators;
- periodically assess compliance with binding laws and other applicable provisions;
- plan, carry out and document periodical internal audits to verify the OHSMS compliance with the reference
standard, its effectiveness in policy compliance and the achievement of objectives.
In carrying out performance monitoring and measurement activities, the organization should choose proactive rather
than reactive measurements, since the former are more in line with the basic philosophy of the reference standard.
Proactive monitoring includes, for example, preventive and periodic assessment of compliance to legal or other
requirements, the use of health screening data, the use of behavioural occupational safety observations, and the analysis
of potential and near-miss nonconformities for the implementation of preventive actions; reactive measurements are
instead those based on the assessment of injury indices, disease monitoring and the analysis of corrective actions
implemented following nonconformities.

Columns: clause, requirements, C, O, NC, notes

6.1.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES - general requirements
The Organization has determined risks and opportunities that need to be addressed, taking into account:
- hazards
- risks for health and safety
- risks for the OHSMS
- opportunities for health and safety
- opportunities for the OHSMS
- compliance obligations and other legal and non-legal requirements

6.1.2 Hazard identification and assessment of risks and opportunities
The Organization retains documented information on the criteria and methodology for risk assessment

Fig. 14.8 - Extract from an internal audit checklist

Internal audit programme (Rev.1, 09.2018)
Columns: N., audit purpose, clause, reference documents, audit recipient, auditor, and monthly schedule (7-12 of 2018, 1-6 of 2019).
1. Assess OHS legal compliance; clause: 6.1.3 - 9.1.2; reference documents: audit check list; audit recipient: HSE Mgr; auditor: CE O
2. Assess the compliance of OHSMS to the reference standard; clause: all; reference documents: audit check list; audit recipient: HSE Mgr; auditor: CE O
3. Assess the level of implementation and application of the OHSMS; clause: 8.1; reference documents: audit check list; audit recipient: HSE Mgr. + Foreman; auditor: CE O
4. Assess the level of implementation and application of the OHSMS: maintenance process; clause: 8.1; reference documents: audit check list; audit recipient: Maintenance manager; auditor: CE O

Fig. 14.9 - Example of internal audit programme


The process of management review is, in the new standard ISO 45001, a part of the performance evaluation chapter; its
accuracy is crucial since it allows top management to periodically review the whole system to evaluate its suitability,
adequacy and effectiveness. Similarly to the policy, the entire system must be appropriate to the size and nature of the
organization, considering its context, complexity and risk, focused on its policy and objectives and effective in
achieving the expected results.
The information useful to top management to carry out these assessments may come from audit reports (figure 14.8) of
any level and results of assessments of compliance with standards and laws, inspection reports by health and safety audit
bodies (figure 14.9), summary data on the organization's health and safety performance - such as accident statistics, health
surveillance outcomes and performance indicator trends - and results of the near-miss and nonconformities analysis,
including emergencies that occurred during the reference period, which usually corresponds to the calendar year or
financial year.
Other elements to take into account during management review are the degree of achievement of health and safety
objectives, the degree of resolution of actions resulting from previous management reviews, communication from
interested parties, the results of consultation and participation of workers, changes in any relevant internal and external
condition, including new health and safety legislation, interested parties’ issues and risks and opportunities.
Outcome elements of the management review process, consistently with the commitment of top management to
continual improvement, comprise decisions and actions affecting health and safety performance, policy and objectives,
resources and other elements of the OHSMS.
The last phase of the Deming cycle, Act, is described in chapter 10 related to the improvement of OHSMS and its
performance.
This phase includes the management of incidents and non-conformities and all the requirements related to continual
improvement.
Incidents and non-conformities shall be investigated and evaluated with the involvement and participation of workers or
their representatives, and appropriate corrective actions must be planned and taken in order to control the incident or
non-conformity and to remove its cause.
Corrective actions shall be appropriate to the nature of the event and planned according to the hierarchy of controls, as
per clause 8.1.2.
The last clause of the standard leads to the apex of the Deming Cycle: continual improvement.
This is the highest objective that an Organization implementing an OHSMS shall pursue, in order to improve OHS
performance and the effectiveness of the OHSMS.

14.5 Certification of the Occupational Health and Safety Management System


The certification of the safety management system is issued by a certification body following a series of checks carried
out at the premises of the organization to be certified.
The certification body is a legally constituted organization with the purpose of carrying out certification activity.
For uniformity of behaviour, certification bodies operate in accordance with ISO/IEC 17021-1:2015, an international
standard defining requirements for organizations carrying out audits and management systems certification.
An independent body in turn accredits certification bodies after verifying they actually operate under ISO/IEC 17021-1
and monitors their behaviour over time.
The meaning of accreditation is, as the word itself indicates, to make the issued certificate truthful and validate it by
making it internationally effective.
The certification process (figure 14.10) is divided into the following phases:
• preliminary audit
• initial audit
• certification audit
• surveillance audit
Fig.14.10 - OHSMS certification process

The preliminary audit is optional and is designed to assess the compliance status of the company occupational health
and safety management system to the standard requirements and to the relevant health and safety laws, to highlight gaps
that could lead to delay or failure in achieving certification.
In the initial audit, also called Stage 1, the management system documentation and the risk identification and
assessment process on machines, equipment and substances involved in the production process are assessed. The
effectiveness of the occupational management system application is also assessed through the analysis of the
documentation.
In the certification audit, also called Stage 2, the effectiveness of the occupational management system application is
assessed through conversations with managers and field audits.
Following each assessment, an audit report is drawn up highlighting any nonconformity, recommendation, and
improvement opportunity.
Nonconformities can be classified as major or minor. Major nonconformities hinder the certification process; it is thus
necessary to resolve them before the next certification body visit. Minor nonconformities need to be resolved before the
following assessment, after submitting the proposal for nonconformity resolution (handling, cause analysis and
corrective action) within a few days of the assessment.
Once both stages of the assessment (Stage 1 and Stage 2) have been successfully passed, a technical commission
belonging to the certification body will examine the assessment audit reports and will decide about the certificate
issuing.
Once the certificate is obtained, the organization is subject to an annual surveillance audit and a renewal audit within
three years of the certificate issuance or the last renewal.
During the three-year certificate validity period, the certification body carries out spot check visits to all locations of the
organization, including any site and foreign branch.
Organizations whose management system is certified according to BS OHSAS 18001:2007 have a three-year
period from March 12th, 2018 to migrate to ISO 45001; after this migration period the certificates issued under BS
OHSAS 18001 will no longer be effective.

14.6 Benefits of adopting an OHSMS and additional benefits of certification
What are the benefits of adopting an effective OHSMS and what are the added benefits of a certified management
system compared to a non-certified one?
Firstly, the adoption of an effective OHSMS allows the organization to fully control its compliance with binding laws:
by analyzing §6.1.3 and §9.1.2 requirements, it appears that compliance with binding laws on occupational health and
safety is in fact a prerequisite for maintaining a safety management system. Certification provides a further warranty on
maintaining and fulfilling law conformity, since it is subject to periodic third party assessment during certification and
surveillance audits.
A correlation analysis between the requirements of the standard and the legal requirements of most countries adopting a
civil law system may also point out that some of the requirements of the standard are not found in the legislative
framework; it is thus clear that a company aiming to implement and maintain a management system chooses to go
beyond compliance with binding law requirements. These steps come into being particularly in:
• analysing the context, the expectations and needs of interested parties and risks and opportunities towards
OHSMS;
• defining a Safety Policy that formalises the commitment of top management to maintain full legislation
compliance, to control hazards and associated risks, to reduce injuries and continually improve occupational
health and safety performances;
• defining and implementing a systematic set of documented information on occupational health and safety
issues; this should ensure that all documentation supporting occupational risk elimination or reduction (risk
assessment documents and operating instructions) is managed in a controlled manner, i.e. ensuring its
readiness and dissemination to everyone involved;
• programming and carrying out periodic audits, technically defined internal audits, to assess the application of
what is defined in the implemented management system.
The outcome of "doing more" is certainly an improvement in corporate image, both inward and outward (Orzes et al.,
2018; Orzes et al., 2017; Sartor et al., 2016; Sartor et al., 2019 in press).
Secondly, the adoption of an OHSMS allows a significant reduction in the severity and injury frequency indexes and
thus a reduction in the associated direct and indirect costs, the number of penalties for the company management and
sanctions arising from the application of laws.
A study published by the Italian Institute for the insurance of accidents at work (INAIL) at the end of 2012 (Table 14.2)
highlighted the percent variation of severity and frequency injury indices between Italian certified and non-certified
companies belonging to each tariff group. The average injury indices variation for the three-year period 2012-2014 is
16% in terms of occurrence frequency and 40% in terms of severity: this means that in certified companies 16% fewer
accidents occur and, when an accident occurs in a certified company, it is in 40% of cases less serious than the same
accident occurring in a non-certified company.

Sector                              Frequency index If (%)    Accident severity index Ig (%)
Services                            -9                        -23
Fishing, Food, Agriculture          -11                       -46
Chemistry, Plastic, Paper, Leather  -32                       -48
Construction industry               -10                       -26
Energy, Water, Gas                  -21                       -69
Wood                                -7                        -62
Metallurgy, Machines                -26                       -70
Mining engineering                  -46                       -45
Textiles industries                 -10                       -30
Transportation, stock               -17                       -67
Overall data                        -16                       -40

Table 14.2 Severity and frequency injury indices of Italian certified and non-certified companies

Another benefit of adopting an OHSMS concerns the approach to health and safety issues: the system makes it possible to
address all aspects related to occupational health and safety management under normal, abnormal and emergency
situations, in a systematic and documented way.
The management system is also a useful tool in investment or technology change decisions, as it makes it possible on the
one hand to plan investments based on goals set with precise criteria, and on the other to manage change neatly and
systematically without leaving anything to chance.
The system finally results in greater control over safety management even at foreign locations.

BIBLIOGRAPHY
Orzes, G., Moretto, A. M., Ebrahimpour, M., Sartor, M., Moro, M., & Rossi, M. (2018). United nations global compact:
Literature review and theory-based research agenda. Journal of Cleaner Production, 177, 633-654.
Orzes, G., Jia, F., Sartor, M., & Nassimbeni, G. (2017). Performance implications of SA8000 certification. International
Journal of Operations and Production Management, 37(11), 1625-1653.
Sartor, M., Orzes, G., Di Mauro, C., Ebrahimpour, M., & Nassimbeni, G. (2016). The SA8000 social certification
standard: Literature review and theory-based research agenda. International Journal of Production Economics, 175, 164-181.
Sartor, M., Orzes, G., Touboulic, A., Culot, G., & Nassimbeni, G. (in press). ISO 14001 standard: Literature review and
theory-based research agenda. Quality Management Journal.
ISO 45001:2018 Occupational Health and Safety Management Systems – Requirements with guidance for use, ISO
BS 45002:2018 Occupational health and safety – Part 0: General guidelines for the application of ISO 45001, BSI
