Professional Documents
Culture Documents
ISO 45001 Briefing Note 2 By ISO ORG
ISO 45001 Briefing Note 2 By ISO ORG
1 www.irca.org
IRCA has prepared this briefing note to update IRCA auditors and other
interested parties on the future of BS OHSAS 18001 and the work of Effective
management
ISO Project Committee 283, the committee responsible for developing of business
the international standard ISO 45001 – Occupational health and safety risk is high
on the board-
management systems. level agenda
Development of ISO 45001 has now reached the Committee Draft (CD) stage. This briefing note of most
provides the background to development of ISO 45001 and outlines the likely main similarities and
differences between OHSAS 18001 and ISO 45001.
organisations.
Background
In today’s ever-changing world, organisations operate in increasingly complex environments,
often involving multinational supply chains and outsourcing parts of their operation. Differences in
cultural norms, legislation, business and social ethics and practices, technologies, etc add to those
complexities.
Yet when things go wrong, it is the reputation of the ‘prime’ organisation that falls under the
spotlight, as we saw with the Deepwater Horizon catastrophe and Boeing Dreamliner battery
problems.
Effective management of business risk is high on the board-level agenda of most organisations.
These days, it is not enough for a company merely to be profitable – it also needs to have robust
systems of internal control, covering not just ‘narrow’ financial risks, but also risks relating to the
environment, business reputation and health and safety.
This has caused confusion and inconsistent understanding and implementation. Consequently, it
has been easy to compartmentalise these different risk-control systems. But that is simply not how
organisations operate or top management thinks.
This compartmentalisation can be a significant barrier to getting the buy-in and hands-on participation
of top management and often results in failure to embed these systems into routine operations.
Instead, each is operated as an independent system in its own right with its own dedicated
management structure. This had led to the need to combine or integrate these different aspects of
business risk management more easily in an effective and efficient manner.
Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 2
ISO management system standards development
In order to deliver consistent and compatible management system standards in the future, the
Despite not ISO Technical Management Board has produced a common framework for all MSSs. This common
being an ISO framework is referred to as Annex SL. Essentially, Annex SL describes how management standards
of the future will be structured using a common “high-level structure” (ie, clause sequence, common
standard, text and terminology provided in Annex SL). The first standard to adopt this structure was the
OHSAS Business Continuity Management standard (ISO 22301:2012).
18001:2007
BS OHSAS 18001
has gained First published in 1999, OHSAS 18001 was developed to fill the gap where no international standard
global for occupational health and safety existed. The current version of the standard is OHSAS 18001:2007,
acceptance. which was adopted as a British Standard, hence BS OHSAS 18001:2007.
Despite not being an ISO standard, OHSAS 18001:2007 has gained global acceptance. In recent
years there has been a rapid increase in the use of OHSAS 18001 and versions of OHSAS 18001 that
have been adopted by countries, of which there are about 40. Recent surveys report approximately
90,000 accredited certifications in more than 127 countries and a pressing desire from business and
interested parties for an international standard.
IRCA has seen growing interest and take-up of IRCA’s OH&S auditor certification scheme and
auditor/lead auditor training courses – with the number of delegates attending auditor training for
OHSAS 18001 increasing by 40% in four years and exceeding those for EMS.
ISO 45001
3 www.irca.org
Development of ISO 45001
In 2013, ISO approved the creation of a new project committee to develop an International Standard
for occupational health and safety (OH&S). The work is being overseen by ISO Project Committee
(PC) 283. The ISO project committee has been tasked with transforming OHSAS 18001 into an ISO
standard, ISO 45001.
The secretariat of ISO/PC 283 has been assigned to BSI, the British Standards Institution. There
are currently 50 countries/organisations working on or involved in producing ISO 45001, including
the International Labour Organisation (ILO). Richard Green, Head of IRCA Technical Services, is
participating in the development of ISO 45001 as a member of HS/001, the UK committee which is
responsible for the preparation, publication review and revision of generic British Standards or other
products on occupational health and safety.
Development timeline
Development and approval of ISO MSSs follow an established process and sequence; Working
Draft (WD), Committee Draft (CD), Draft International Standard (DIS), Final Draft (FDIS) followed by
publication of the Standard. The significance of change diminishes as development progresses. Once
FDIS is released the nature of any further change is normally minor.
Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 4
5 www.irca.org
What we know about ISO 45001
ISO 45001 will include guidelines on the use of the standard. At its first meeting, the project
committee re-examined the scope of application of the standard and proposed extending it to cover
the working out of “guidelines for use” supplementing the “requirements” relating to Occupational The purpose
Health and Safety Management Systems. The proposal was submitted to the ISO Technical of the
Management Board (ISO/TBM) and approved. Therefore, unlike OHSAS 18001:2007 that only has
the requirements, and one had to purchase OHSAS 18002 for the guidelines, at this time it looks as standard
though ISO 45001 will have both. This is reflected in the title: remains much
• ISO/CD 45001 – Occupational health and safety management systems – Requirements with the same as
guidance for use.
before...
ISO/CD 45001:2014 Annex A – Guidance on the use of this international standard, includes the
caveat that “this guidance is strictly informative and is intended to prevent misinterpretation of the
requirements contained in this International Standard”. An important statement making it clear that
Annex A is not part of the auditable criteria.
Familiar concepts and requirements include application of the PDCA model, setting policy, setting
objectives, carrying out internal audit, and management review. In many cases the current
requirements have been carried over from OHSAS 18001, albeit with some minor changes of
wording at times. For these topics, the existing processes within current OH&S management
systems may well already address the new requirements since they have largely only been
re-arranged to fit in with the Annex SL structure.
Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 6
Continual improvement is a separate section in ISO/CD 45001, unlike OHSAS 18001 where continual
improvement is shown in the OH&S management system model as coming from the interaction of
policy, planning, monitoring and review etc. ISO/CD 45001 has a specific section on improvement.
However looking in detail at section 10 we find familiar concepts including incident, nonconformity
and corrective action as well as a specific requirement for continual improvement and a requirement
to establish, implement and maintain a continual improvement process.
Missing from ISO/CD 45001 is reference to preventive action. The term preventive action, and any
specific reference to it, has been removed. This stems from the approach of Annex SL.
The hierarchy of control is a concept the OH&S practitioner and auditor will be familiar with. The
requirement in OHSAS 18001 to consider reducing risks according to a hierarchy of controls is
strengthened in ISO/CD 45001, which requires a policy commitment to the control of OH&S risks
through a hierarchy of control and mandates use of the hierarchy in section 8.1 Operational planning
and control. This is typical of a number of changes where what may have seemed optional in OHSAS
18001 is mandatory in ISO/CD 45001.
There is a strengthening of the requirement to demonstrate and understand compliance status at all
times (with legal and other requirements).
There are specific sub-sections and requirements for contractors and procurement, clarifying and
expanding requirements of OHSAS 18001. Also a specific requirement on outsourcing of operations
– “The organization shall ensure that outsourced processes affecting its OH&S management
system are controlled”.
There are enhanced requirements for the use of performance indicators to monitor performance (9.1
Monitoring, measurement, analysis and evaluation) and track OH&S performance including status
and trends in monitoring and measurement results (9.3 Management review – c).
7 www.irca.org
ISO/CD 45001 includes some irregularities with ISO/DIS 9001:2014
Remembering that we are looking at the CD version and very likely some significant changes at
detail level will be made, some differences exist between ISO/CD 45001 and ISO/DIS 9001:2014 for The hierarchy
no apparent reason.
of control is
For example, ISO/CD 45001 has introduced sub-clause titles which ISO/DIS 9001:2014 does not have
(ie, 9.2.1 Internal audit objectives). And ISO/CD 45001 has a requirement that management review
a concept
“includes consideration of the extent to which OH&S policy and OH&S objectives have been met” the OH&S
which is not in ISO/DIS 9001:2014. While seemingly of little consequence, it is this type of difference
that causes confusion, to implementers and auditors, and Annex SL was introduced to prevent.
practitioner
Ideally, these will be resolved as development progresses. and auditor
will be
ISO/CD 45001 includes new concepts familiar with.
Context of the organisation, leadership and documented information are generally thought to be the
more significant new concepts.
Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 8
New clause: Interested parties (4.2)
The organisation has to determine the interested parties that are relevant to the OH&S management
system, and then the relevant requirements of those interested parties. However, there is no
expectation that the organisation shall comply with all those relevant requirements. ISO/CD 45001
adds the statement:
“and which of these become applicable legal and other requirements to which the organisation
subscribes”.
9 www.irca.org
Scope of the OH&S management system (4.3)
ISO/CD 45001 states that “The scope shall include all the activities, products or services within the An area
organization’s control or influence that can impact on the organization’s OH&S performance”.
likely to
An area likely to cause some discussion will be that of outsourced operations. In the definitions ISO/
CD 45001 states that “An external organization is outside the scope of the management system,
cause some
although the outsourced function or process is within the scope”. The question will be – to what discussion
extent is the organisation responsible for the OH&S of outsourced operations carried out by another
organisation or contractor? The guidance given in Annex A advises that:
will be that
“Supply and procurement policies should address hazards and potential OH&S risks to persons in
of outsourced
the organization and, as far as possible, impacts on persons, outsourced or subcontracted, carrying operations.
out activities or producing products or services for the organization”.
This clause calls for the organisation’s top management to demonstrate their involvement and
engagement with the OH&S management system through direct participation in, for example:
• Taking OH&S performance into account in strategic planning
• Communicating the importance of effective OH&S management and of conforming to the OH&S
management system requirements
• Directing and supporting persons to contribute to the effectiveness of the OH&S management
system for all functions
• Promoting and leading organisational culture with regard to the OH&S management system
• Top management shall identify one or more of its members to be accountable for the OH&S policy
and OH&S management system.
Note that these are activities top management are required to carry out, they cannot delegate them
to others. Thus, the top management assume an active role in the OH&S management system. The
leaders must also ensure the integration of the OH&S management system requirements into the
organisation’s business processes.
Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 10
Conclusion
ISO/CD 45001 signals the significant similarities between OHSAS 18001 and the high-level changes
Both internal and enhancements we expect to see in the new ISO standard. The DIS is likely to continue to refine
the standard. Contentious issues such as definitions (eg, definition of risk, worker, and workplace)
and external and proposals to replace ‘hazard identification’ with risk identification will need to be resolved in
auditors ways that are acceptable to all nations involved in this process.
need to have We expect the OH&S specific text being added to the Annex SL core text will continue to be refined
a real-time, as development progresses. The extent and significance of ongoing changes will depend upon the
degree of acceptance of the CD version when put to a ballot. That said, much of what is in ISO/CD
practical 45001 is familiar to those already using OHSAS 18001 and while specific requirements may change,
approach to the overall concepts and intent of the new ISO standard are unlikely to change much from what we
see in the CD version.
their audits.
By the time ISO 45001 is published in 2016, the new concepts coming from Annex SL will, for
many organisations and auditors, be tried and tested because they appear also in the updated QMS
and EMS standards due to be released in 2015. Organisations operating QMS, EMS and OH&S
management systems will have a unique opportunity to align and integrate these three management
systems, if they choose to do so.
Organisations, OH&S professionals and auditors should be aware that at Committee Draft
International Standard (CD) stage, technical changes may still occur, therefore it is recommended
that, while preparation can be carried out, significant changes should not be implemented until the
Final Draft International Standard (FDIS) is issued and the technical content is finalised.
11 www.irca.org
THE BUSINESS VIEW
DNV GL Business Assurance
We see the new standard as a dynamic standard which can be easily coupled to all other available ISO standards that
follow the high-level structure (HLS), which is sure to have a true business impact on the organisation.
We expect to see more consistency in the content of training, but more flexibility and tailored approach in the delivery.
The consistency in the content is required as it is an ISO standard based on the HLS and the standard requirements will
be the same around the world. However, every time you try to implement these requirements, you need to be aware
of the business context (both internal and external) of your organisation, and this demands a lot of updated knowledge,
flexibility and customisation in our training.
Not only because of the changes in the standard but especially when compared to the current practices in training,
these changes call for a clear facelift for our training modules in terms of the market and business awareness. As
such, the trainers should have a sound knowledge on the specific business context and its impacts including the
identification, prioritisation and management of relevant interested parties, risks, opportunities and so on, connected to
the specific industry, country or local community. This means that the users of the standard should be able to explore
the consequences related to ever-changing demands in various business and industry sectors coupled to the technical or
technological and societal changes etc. In other words, they need to be able to ‘look outside of the box’.
Auditors and the people working with the standards not only need to be trained for the Occupational Health & Safety
related risks, PDCA cycle and the process approach, but also on the other factors such as market awareness, risks and
opportunity management, financial and human resources management, for example,that would have a direct or an
indirect impact on the processes within the organisation.
Both internal and external auditors need to have a real-time, practical approach to their audits. The times when they
used standard checklists are gone. They need to focus on the impact of the business plans as a result of good or bad
management of Occupational Health and Safety Systems in the organisation and vice versa. This will raise the awareness
and commitment from the top management in adhering to the standard, and this is also the expectation of the HLS. The
awareness and commitment from the top management in adhering to the standard, and especially to HLS elements, will
need to be improved significantly as well compared to the past. As such, there will be a training need for all stakeholders
involved, including the top management.
Last but not least, as the busy organisations need flexibility, we strongly believe that eLearning and blended learning will
have higher demand in the near future.
Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001 12
Published in September 2014 by:
The International Register of Certificated Auditors (IRCA)
Part of: The Chartered Quality Institute