CQI

Chartered Quality Institute

 Introduction

Report published in September 2014 by:

International Register of Certificated Auditors (IRCA), part of The Chartered Quality Institute (CQI), 2nd Floor North,
Chancery Exchange, 10 Furnival Street, London EC4A 1AB
T: +44 (0) 20 7245 6722 I www.thecqi.org I www.irca.org
Incorporated by Royal Charter and registered as a charity number 259678

1 www.irca.org
IRCA has prepared this briefing note to update IRCA auditors and other
interested parties on the future of BS OHSAS 18001 and the work of Effective
management
ISO Project Committee 283, the committee responsible for developing of business
the international standard ISO 45001 – Occupational health and safety risk is high
on the board-
management systems. level agenda
Development of ISO 45001 has now reached the Committee Draft (CD) stage. This briefing note of most
provides the background to development of ISO 45001 and outlines the likely main similarities and
differences between OHSAS 18001 and ISO 45001.
organisations.

Background
In today’s ever-changing world, organisations operate in increasingly complex environments,
often involving multinational supply chains and outsourcing parts of their operation. Differences in
cultural norms, legislation, business and social ethics and practices, technologies, etc add to those
complexities.

Yet when things go wrong, it is the reputation of the ‘prime’ organisation that falls under the
spotlight, as we saw with the Deepwater Horizon catastrophe and Boeing Dreamliner battery
problems.

Effective management of business risk is high on the board-level agenda of most organisations.
These days, it is not enough for a company merely to be profitable – it also needs to have robust
systems of internal control, covering not just ‘narrow’ financial risks, but also risks relating to the
environment, business reputation and health and safety.

The need for integrated risk-control systems

ISO management system standards (MSSs), for quality, environment, food safety standards etc,
have been developed and published over a number of years. While some may say these standards
are compatible with each other, the reality is that the proliferation of ISO MSSs and the manner in
which they have been developed has resulted in many apparently common requirements that are
subtly or substantially different.

This has caused confusion and inconsistent understanding and implementation. Consequently, it
has been easy to compartmentalise these different risk-control systems. But that is simply not how
organisations operate or top management thinks.

This compartmentalisation can be a significant barrier to getting the buy-in and hands-on participation
of top management and often results in failure to embed these systems into routine operations.
Instead, each is operated as an independent system in its own right with its own dedicated
management structure. This had led to the need to combine or integrate these different aspects of
business risk management more easily in an effective and efficient manner.

Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 2
 ISO management system standards development
In order to deliver consistent and compatible management system standards in the future, the
Despite not ISO Technical Management Board has produced a common framework for all MSSs. This common
being an ISO framework is referred to as Annex SL. Essentially, Annex SL describes how management standards
of the future will be structured using a common “high-level structure” (ie, clause sequence, common
standard, text and terminology provided in Annex SL). The first standard to adopt this structure was the
OHSAS Business Continuity Management standard (ISO 22301:2012).

18001:2007
BS OHSAS 18001
has gained First published in 1999, OHSAS 18001 was developed to fill the gap where no international standard
global for occupational health and safety existed. The current version of the standard is OHSAS 18001:2007,
acceptance. which was adopted as a British Standard, hence BS OHSAS 18001:2007.

Despite not being an ISO standard, OHSAS 18001:2007 has gained global acceptance. In recent
years there has been a rapid increase in the use of OHSAS 18001 and versions of OHSAS 18001 that
have been adopted by countries, of which there are about 40. Recent surveys report approximately
90,000 accredited certifications in more than 127 countries and a pressing desire from business and
interested parties for an international standard.

IRCA has seen growing interest and take-up of IRCA’s OH&S auditor certification scheme and
auditor/lead auditor training courses – with the number of delegates attending auditor training for
OHSAS 18001 increasing by 40% in four years and exceeding those for EMS.

ISO 45001

3 www.irca.org
Development of ISO 45001
In 2013, ISO approved the creation of a new project committee to develop an International Standard
for occupational health and safety (OH&S). The work is being overseen by ISO Project Committee
(PC) 283. The ISO project committee has been tasked with transforming OHSAS 18001 into an ISO
standard, ISO 45001.

The secretariat of ISO/PC 283 has been assigned to BSI, the British Standards Institution. There
are currently 50 countries/organisations working on or involved in producing ISO 45001, including
the International Labour Organisation (ILO). Richard Green, Head of IRCA Technical Services, is
participating in the development of ISO 45001 as a member of HS/001, the UK committee which is
responsible for the preparation, publication review and revision of generic British Standards or other
products on occupational health and safety.

Development timeline
Development and approval of ISO MSSs follow an established process and sequence; Working
Draft (WD), Committee Draft (CD), Draft International Standard (DIS), Final Draft (FDIS) followed by
publication of the Standard. The significance of change diminishes as development progresses. Once
FDIS is released the nature of any further change is normally minor.

JUNE OCTOBER JULY JUNE JULY OCTOBER PROPOSED

2013 2013 2014 2015 2015 2016 TRANSITION
PERIOD

DRAFT APPROVED CD FOR PROPOSED PROPOSED PROPOSED 2-3 YEARS

DESIGN SPEC. DESIGN SPEC COMMENT DIS FDIS ISO FROM
AND WDO AND WD1 AND BALLOT PUBLICATION PUBLICATION 45001:2016 STANDARD
(3 MONTHS) PUBLICATION PUBLICATION

Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 4
5 www.irca.org
What we know about ISO 45001
ISO 45001 will include guidelines on the use of the standard. At its first meeting, the project
committee re-examined the scope of application of the standard and proposed extending it to cover
the working out of “guidelines for use” supplementing the “requirements” relating to Occupational The purpose
Health and Safety Management Systems. The proposal was submitted to the ISO Technical of the
Management Board (ISO/TBM) and approved. Therefore, unlike OHSAS 18001:2007 that only has
the requirements, and one had to purchase OHSAS 18002 for the guidelines, at this time it looks as standard
though ISO 45001 will have both. This is reflected in the title: remains much
• ISO/CD 45001 – Occupational health and safety management systems – Requirements with the same as
guidance for use.
before...
ISO/CD 45001:2014 Annex A – Guidance on the use of this international standard, includes the
caveat that “this guidance is strictly informative and is intended to prevent misinterpretation of the
requirements contained in this International Standard”. An important statement making it clear that
Annex A is not part of the auditable criteria.

ISO 45001 will adopt the high-level structure of Annex SL

This is the same common structure, definitions and core text being used to revise ISO 14001 (EMS)
and ISO 9001 (QMS).

This will mean the structure of the standard will be:

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
The first significant change therefore is that there are now ten sections instead of four in OHSAS 18001.

ISO/CD 45001 includes familiar concepts and requirements

The purpose of the standard remains much the same as before and ISO/CD 45001 retains many
familiar concepts and requirements. The stated purpose is “to enable an organization to proactively
improve its OH&S performance in preventing injury and ill-health”; whereas the purpose of OHSAS
18001 is given as “to enable an organisation to control its OH&S risks and improve its OH&S
performance”. Some will argue this puts more emphasis on seeking continual improvement and not
only by addressing OH&S risks, but also through other initiatives, for example health education and
training. Others may argue that this simply clarifies previous intent.

Familiar concepts and requirements include application of the PDCA model, setting policy, setting
objectives, carrying out internal audit, and management review. In many cases the current
requirements have been carried over from OHSAS 18001, albeit with some minor changes of
wording at times. For these topics, the existing processes within current OH&S management
systems may well already address the new requirements since they have largely only been
re-arranged to fit in with the Annex SL structure.

Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 6
 Continual improvement is a separate section in ISO/CD 45001, unlike OHSAS 18001 where continual
improvement is shown in the OH&S management system model as coming from the interaction of
policy, planning, monitoring and review etc. ISO/CD 45001 has a specific section on improvement.
However looking in detail at section 10 we find familiar concepts including incident, nonconformity
and corrective action as well as a specific requirement for continual improvement and a requirement
to establish, implement and maintain a continual improvement process.

Missing from ISO/CD 45001 is reference to preventive action. The term preventive action, and any
specific reference to it, has been removed. This stems from the approach of Annex SL.

Preventive action has been replaced with:

• 4.1 (determination of external and internal issues)
• 6.1 (actions to address risks associated with threats and opportunities)
• 5.2c (commitment to satisfy applicable legal and other requirements to which the organisation
subscribes)
• 8.6 Emergency preparedness and response (where potential emergency situations are
identified and planned for and the emergency procedures are tested).
In reality, as currently, the whole of the standard is about eliminating or minimising OH&S risks by
taking appropriate preventive measures.

The hierarchy of control is a concept the OH&S practitioner and auditor will be familiar with. The
requirement in OHSAS 18001 to consider reducing risks according to a hierarchy of controls is
strengthened in ISO/CD 45001, which requires a policy commitment to the control of OH&S risks
through a hierarchy of control and mandates use of the hierarchy in section 8.1 Operational planning
and control. This is typical of a number of changes where what may have seemed optional in OHSAS
18001 is mandatory in ISO/CD 45001.

ISO/CD 45001 includes some enhanced requirements

ISO/CD 45001 places more emphasis on risk management and ongoing assessment of risks and
opportunities to prevent, or reduce, undesired effects.

There is a strengthening of the requirement to demonstrate and understand compliance status at all
times (with legal and other requirements).

There are specific sub-sections and requirements for contractors and procurement, clarifying and
expanding requirements of OHSAS 18001. Also a specific requirement on outsourcing of operations
– “The organization shall ensure that outsourced processes affecting its OH&S management
system are controlled”.

There are enhanced requirements for the use of performance indicators to monitor performance (9.1
Monitoring, measurement, analysis and evaluation) and track OH&S performance including status
and trends in monitoring and measurement results (9.3 Management review – c).

7 www.irca.org
ISO/CD 45001 includes some irregularities with ISO/DIS 9001:2014
Remembering that we are looking at the CD version and very likely some significant changes at
detail level will be made, some differences exist between ISO/CD 45001 and ISO/DIS 9001:2014 for The hierarchy
no apparent reason.
of control is
For example, ISO/CD 45001 has introduced sub-clause titles which ISO/DIS 9001:2014 does not have
(ie, 9.2.1 Internal audit objectives). And ISO/CD 45001 has a requirement that management review
a concept
“includes consideration of the extent to which OH&S policy and OH&S objectives have been met” the OH&S
which is not in ISO/DIS 9001:2014. While seemingly of little consequence, it is this type of difference
that causes confusion, to implementers and auditors, and Annex SL was introduced to prevent.
practitioner
Ideally, these will be resolved as development progresses. and auditor
will be
ISO/CD 45001 includes new concepts familiar with.
Context of the organisation, leadership and documented information are generally thought to be the
more significant new concepts.

New clause: Context of the organisation (4.1)

The intent of 4.1 is to provide a high-level, conceptual understanding of the important issues that can
affect, either positively or negatively, the way the organisation manages its responsibilities in relation
to the OH&S management system for persons working under its control. The issues of interest are
those that affect the organisation’s ability to achieve the intended outcome, including the objectives
it sets for its OH&S management system, which include meeting its OH&S policy commitments.

Examples of the issues are:

a) External issues such as the cultural, social, political, legal, financial, technological,
economic and natural surroundings and market competition, whether international,
national, regional or local.

b) Internal characteristics or conditions of the organisation such as governance,

structure, roles and accountabilities and the organisation’s culture.

The guidance given in ISO/CD 45001 adds the comment that:

“The results of the context review should be used to assist the organization in understanding and
determining the scope of its OH&S management system, determining its risks and opportunities,
developing or enhancing its OH&S policy, setting its OH&S objectives and determining the
effectiveness of its approach to maintaining compliance with applicable legal requirements and other
requirements to which the organization subscribes”.

Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 8
 New clause: Interested parties (4.2)
The organisation has to determine the interested parties that are relevant to the OH&S management
system, and then the relevant requirements of those interested parties. However, there is no
expectation that the organisation shall comply with all those relevant requirements. ISO/CD 45001
adds the statement:

“and which of these become applicable legal and other requirements to which the organisation
subscribes”.

Referring to the guidance given in Annex A, we have the explanation:

“That Interested party needs and expectations are not necessarily compliant requirements of the
organization. It is important to distinguish between what these needs and expectations will lead to:
• mandatory requirements, laws, regulations
• voluntary commitments to interested parties to which the organization voluntarily subscribes
Needs and expectations from interested parties only become obligatory requirements for an
organization if that organization chooses to adopt them”.

9 www.irca.org
Scope of the OH&S management system (4.3)
ISO/CD 45001 states that “The scope shall include all the activities, products or services within the An area
organization’s control or influence that can impact on the organization’s OH&S performance”.
likely to
An area likely to cause some discussion will be that of outsourced operations. In the definitions ISO/
CD 45001 states that “An external organization is outside the scope of the management system,
cause some
although the outsourced function or process is within the scope”. The question will be – to what discussion
extent is the organisation responsible for the OH&S of outsourced operations carried out by another
organisation or contractor? The guidance given in Annex A advises that:
will be that
“Supply and procurement policies should address hazards and potential OH&S risks to persons in
of outsourced
the organization and, as far as possible, impacts on persons, outsourced or subcontracted, carrying operations.
out activities or producing products or services for the organization”.

New clause: Leadership (5)

Section 5 dedicates itself to “Leadership”
This section is divided into three sub-clauses:
5.1 Leadership and commitment.
5.2 Policy.
5.3 Organizational roles, responsibilities, accountabilities and authorities.
Although some of section 5 will seem familiar to users of OHSAS 18001 there are significant new
and enhanced requirements.

This clause calls for the organisation’s top management to demonstrate their involvement and
engagement with the OH&S management system through direct participation in, for example:
• Taking OH&S performance into account in strategic planning
• Communicating the importance of effective OH&S management and of conforming to the OH&S
management system requirements
• Directing and supporting persons to contribute to the effectiveness of the OH&S management
system for all functions
• Promoting and leading organisational culture with regard to the OH&S management system
• Top management shall identify one or more of its members to be accountable for the OH&S policy
and OH&S management system.

Note that these are activities top management are required to carry out, they cannot delegate them
to others. Thus, the top management assume an active role in the OH&S management system. The
leaders must also ensure the integration of the OH&S management system requirements into the
organisation’s business processes.

Revised requirements – Documented information (7.5)

OHSAS 18001 requirements for documentation and records are largely transferred to section 7.5,
with revisions.

Sub clause7.5 is further divided into three parts:

7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented Information
The significant change is use of the term “documented information” not “documents and records”
as is the case in OHSAS 18001. Documented information includes processed information held for
example on smartphones, tablets etc.

Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 10
 Conclusion
ISO/CD 45001 signals the significant similarities between OHSAS 18001 and the high-level changes
Both internal and enhancements we expect to see in the new ISO standard. The DIS is likely to continue to refine
the standard. Contentious issues such as definitions (eg, definition of risk, worker, and workplace)
and external and proposals to replace ‘hazard identification’ with risk identification will need to be resolved in
auditors ways that are acceptable to all nations involved in this process.

need to have We expect the OH&S specific text being added to the Annex SL core text will continue to be refined
a real-time, as development progresses. The extent and significance of ongoing changes will depend upon the
degree of acceptance of the CD version when put to a ballot. That said, much of what is in ISO/CD
practical 45001 is familiar to those already using OHSAS 18001 and while specific requirements may change,
approach to the overall concepts and intent of the new ISO standard are unlikely to change much from what we
see in the CD version.
their audits.
By the time ISO 45001 is published in 2016, the new concepts coming from Annex SL will, for
many organisations and auditors, be tried and tested because they appear also in the updated QMS
and EMS standards due to be released in 2015. Organisations operating QMS, EMS and OH&S
management systems will have a unique opportunity to align and integrate these three management
systems, if they choose to do so.

Organisations, OH&S professionals and auditors should be aware that at Committee Draft
International Standard (CD) stage, technical changes may still occur, therefore it is recommended
that, while preparation can be carried out, significant changes should not be implemented until the
Final Draft International Standard (FDIS) is issued and the technical content is finalised.

CQI/IRCA will continue to issue updates as development progresses.

11 www.irca.org
THE BUSINESS VIEW
DNV GL Business Assurance
We see the new standard as a dynamic standard which can be easily coupled to all other available ISO standards that
follow the high-level structure (HLS), which is sure to have a true business impact on the organisation.

We expect to see more consistency in the content of training, but more flexibility and tailored approach in the delivery.
The consistency in the content is required as it is an ISO standard based on the HLS and the standard requirements will
be the same around the world. However, every time you try to implement these requirements, you need to be aware
of the business context (both internal and external) of your organisation, and this demands a lot of updated knowledge,
flexibility and customisation in our training.

Not only because of the changes in the standard but especially when compared to the current practices in training,
these changes call for a clear facelift for our training modules in terms of the market and business awareness. As
such, the trainers should have a sound knowledge on the specific business context and its impacts including the
identification, prioritisation and management of relevant interested parties, risks, opportunities and so on, connected to
the specific industry, country or local community. This means that the users of the standard should be able to explore
the consequences related to ever-changing demands in various business and industry sectors coupled to the technical or
technological and societal changes etc. In other words, they need to be able to ‘look outside of the box’.

Auditors and the people working with the standards not only need to be trained for the Occupational Health & Safety
related risks, PDCA cycle and the process approach, but also on the other factors such as market awareness, risks and
opportunity management, financial and human resources management, for example,that would have a direct or an
indirect impact on the processes within the organisation.

Both internal and external auditors need to have a real-time, practical approach to their audits. The times when they
used standard checklists are gone. They need to focus on the impact of the business plans as a result of good or bad
management of Occupational Health and Safety Systems in the organisation and vice versa. This will raise the awareness
and commitment from the top management in adhering to the standard, and this is also the expectation of the HLS. The
awareness and commitment from the top management in adhering to the standard, and especially to HLS elements, will
need to be improved significantly as well compared to the past. As such, there will be a training need for all stakeholders
involved, including the top management.

Last but not least, as the busy organisations need flexibility, we strongly believe that eLearning and blended learning will
have higher demand in the near future.

Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 12
 Published in September 2014 by:
The International Register of Certificated Auditors (IRCA)
Part of: The Chartered Quality Institute

The Chartered Quality Institute (CQI)

2nd Floor North, Chancery Exchange
10 Furnival Street
London EC4A 1AB
United Kingdom
T: +44 (0) 20 7245 6722 I F: +44 (0) 20 7245 6788
www.thecqi.org I www.irca.org

Incorporated by Royal Charter and registered as a charity number 259678 www.twitter.com/irca_inform

© 2014 the CQI. All Rights Reserved www.twitter.com/cqi
16 www.irca.org