Requirements for the ISO 45001 Occupational Health and Safety standard were developed from the world’s health and safety bodies and a group of industry health and safety experts. The risk-based approach is designed to anticipate hazards – not just react to incidents. Driven by leadership and with participation required by all employees, the topic of occupational health and safety – in the eyes of ISO – is the responsibility of everyone involved in the organization. The requirements of the standard are designed to help them consistently maintain a safe and healthy work experience, and to continuously look for areas where further improvement can be made. From physical strain and risk management to mental and emotional well-being, each facet that could potentially affect employee health and wellness will be scrutinized and optimized for excellence.

ISO standards follow the same ten-clause format, and clauses 1 through 3 are designed to introduce and inform the organization about the specifics of the standard. Moving into clause 4, companies will find the first OH&S-specific requirements and begin the real work of developing their new management system.

Clause 4: The Context of the Organization

Following the standard ISO format, organizations will first be required to determine the context of their organization as it applies to OH&S. In examining the external and internal forces impacting the effectiveness, efficiency, and well-being of their team, companies are able to determine the positioning of their organization and clearly define the expectations of their OH&S management system as well as their health and safety goals. Regulatory authorities, customers, suppliers, investors and partners, and, if applicable, unions can all have influence on the context of the organization.

In addition to the context, companies must define the scope of their OH&S management system, outlining the needs and procedures that will be included within the system and setting boundaries for what will and will not be controlled.

These two statements combine to set benchmarks for system effectiveness measurement.

Clause 5 – Leadership and Worker Participation

Leadership participation is crucial in all ISO standards, but ISO 45001 takes leadership responsibility to a whole new level. Executive leadership is required to take overall responsibility for the implementation of the OH&S system, and they are held accountable for the health and safety of all workers.

Through clause 5, leadership is responsible for setting roles and responsibilities within their team and creating and maintaining documentation for all levels of involvement. They’re encouraged to create cross-functional teams to work through protocol establishment and should actively engage with all workers to gain insight from various viewpoints and levels of experience. They may assign authorities to a team member or group of team members to ensure the long-term success and compliance of their OH&S management system, but all reporting and system oversight must remain the responsibility of the executive leadership team.

OH&S Policy
In addition to roles and responsibilities, leadership must also draft and publish an Occupational Health & Safety policy, setting the principles and guidelines by which the company will conduct business and reach its goals. Through development, focus must be kept on the policy’s direct governance of the OH&S system and the organization as a whole. Once finalized, the policy must be officially documented and communicated throughout the organization, and then be made available for review by interested parties.

The policy must include written commitments by the leadership to fulfill legal and regulatory requirements, eliminate hazards, reduce risk, promote continuous improvement, and encourage team involvement and input.

Clause 6 – Planning

After completing the work to establish the bones of the system (through context, scope, OH&S policy development, and responsibilities assignment), companies can begin to plan for the actual development and implementation of their ISO 45001 compliant OH&S management system. This is the first step of the familiar PDCA cycle (Plan, Do, Check, Act) that those familiar with ISO will recognize.

With the now-defined framework in place, companies can begin to develop processes that will help them reach the goals of their system and create a continuously-improving, safety-focused culture. There are two specific factors for consideration throughout the planning process.

Hazard Identification, Assessment of Risk and Opportunities
The first step in the planning process is to evaluate hazards faced by workers and fully assess the risk and opportunity of each hazard. These hazards are not limited to just day-to-day operations – they include issues related to visitors, suppliers, contractors, and even customers.

By methodically moving through each section of the business, leaders are able to consider how each variable could pose threats to interested parties. From layout and access to the work area, machinery and equipment, and routine activities to product and process design and potential for emergency situations, project leaders must consider how each risk could potentially affect the health and safety of their workers. Furthermore, they must evaluate the risks their team faces when they are off-site for business (i.e. supplier warehouses, customer facilities, business events, etc.). Careful consideration should be given to legal and regulatory requirements and how the planned risk management tactics satisfy those obligations.

The process follows a specific, ISO-required format:

  1. Identify the hazard
  2. Assess the risk of the hazard (the severity and the opportunity for occurrence)
  3. Identify opportunities to reduce or eliminate the risk.

Organizations are required to utilize the practice of hazard identification and risk assessment to create a continued process of hazard evaluation, which will play into the OH&S system’s goal of improved workplace health and safety.

Achievement of OH&S Objectives
After hazards have been identified and risks evaluated, ISO 45001 requires companies to establish objectives and goals to not only address the found risks, but to also maintain continuous improvement of the OH&S management system. These objectives must directly align with the established OH&S policy and also be measurable, monitored, and communicated regularly throughout the organization.

Plans for achieving objectives should be thorough, digging into the what, when, who, and how for each goal. Determination must be made for required resources, responsibilities, timeframes, measurement tools, transparency, and impact, and all objectives and their related data are required to be documented and carefully maintained.

Clause 7 – Support

The implementation of an effective OH&S management system requires generous support from the entire organization. Stressing the importance of the system’s impact and providing adequate resources for workers as they work on system-related tasks will help to build awareness and buy-in for the concepts of health and safety in the workplace.

Through resources, competence, awareness, communication, and documentation, organizations will develop the support needed to pursue ISO 45001 compliance and certification.

Resources
Companies are required to provide adequate personnel, tools and equipment, and organizational structure to support their management system. Signage, documented processes, specific tools or machine guards, or even extra workers for a specific task can all help to ensure the effectiveness of the system, and the safety of all involved in the process.

Competence
Worker competence must be monitored as they perform the necessary functions of their job within the OH&S system protocols. Their capabilities must be documented and reviewed periodically, and education, training, and experiential learning opportunities offered to assist in their professional development. If competencies are unable to be met, the organization must have a plan for reassignment and replacement to ensure optimal health and safety.

Awareness
Organizations are required to make all team members aware of company OH&S policies and objectives. Workers are responsible for understanding how their work and actions play a role in the success of the system, and will need to demonstrate awareness of their knowledge of the system and system-related variables (such as failure to comply repercussions, incident reaction, management, and prevention, and new hazard identification). They must also demonstrate an understanding of their right to remove themselves from any situation in which they feel unsafe and should feel comfortable doing so without fear of repercussion.

Communication
Organizations are required to create processes for both the internal and external communication of information related to their OH&S management system. These processes must clearly define what will be communicated, when and how it will be distributed, and who will receive each communication.

Health and safety issues require more transparency than standard company information, but not all information will be communicated with the entire organization. Through the development of the communication plan, organizations must consider the diversity of their workforce and their legal obligations without jeopardizing sensitive company information and worker confidentiality.

Documentation
Finally, the standard requires that companies follow a structured and controlled documentation and record-keeping process for all information related to their OH&S management system. They must establish a standard documentation format, and all changes and updates must be made in a way which is traceable. Relevant documentation must be made available for use when and where it is required but also safeguarded to protect sensitive information and prevent improper use.

Clause 8 – Operation

Thus far, it has been established that proper process evaluation, new procedure development, and thorough documentation and record keeping is required for ISO 45001 compliance. Clause 8 is when the action of implementation occurs (the Do phase of the PDCA cycle), and companies should carefully focus on the effectiveness of each of their plans as they work through each section.

Operational Planning and Control
Organizations are required to establish processes and implement controls to ensure that those processes are consistently working toward their OH&S goals. Proper training is required to be delivered and documented for each new process, and careful planning for all major changes should be closely monitored and recorded.

Hazard Elimination and Risk Reduction
Hazards that have been identified will be addressed, and can be handled in various ways. If they have been documented in a previous clause, ISO 45001 requires companies to address the risk and eliminate the hazard. They may choose to replace the offending process, material or equipment, control the risk with process adjustments or special training, implement new guards or safety protocols to avoid the risk, or retain the risk and provide adequate Personal Protective Equipment (PPE) for all members of their team who may encounter the hazard.

The goal of the organization should always be to eliminate hazards. However, this is not entirely possible, so companies must make use of all necessary alternative methods in order to minimize the risk effect to workers or other interested parties.

Change Management
Specific to the ISO 45001 standard, organizations are required to address changes and carefully manage and monitor the way in which those changes may impact the effectiveness of their system and the health and safety of their team. From new processes, products or services to updated legal and regulatory requirements, new knowledge of hazards and risks to updated technology and new equipment, companies are required to review the effect the change will have – both the intended changes and the potential unintended changes – and create a plan to minimize any associated risks.

Procurement
As new equipment or materials are brought into the facility, outside contractors gain access to work spaces, and processes or functions are outsourced, companies are required to consider the risk and impact of those factors on their environment and team. Controls must be put in place to fulfill both legal requirements and to ensure that all outcomes align with the goals of the OH&S management system.

Emergency Preparedness and Response
While the goal is to mitigate and eliminate risk, there will be times when organizations will be required to respond to emergency situations. From natural disasters and active shooter situations to accidents resulting from lapses in team member judgment or carelessness, companies must train and prepare to handle situations in a way that restores the safety of their team as quickly as possible.

Emergency preparedness can be conducted through many channels, and all plans must be documented and recorded as part of the OH&S system. They can include training, performance and process evaluation, emergency response communications, and periodic simulations to test and demonstrate emergency response capabilities.

Clause 9 – Performance Evaluation

Measuring the effectiveness of a newly-developed OH&S management system is paramount to its success. The “Check” in the PDCA cycle, ISO 45001 sets requirements for performance evaluation that must be closely monitored in order to provide the proof needed for compliance and certification.

Monitoring, Measurement, Analysis, and Performance Evaluation
Without methods in place for measurement, it will be impossible to monitor, analyze, and control the effectives of the processes. Companies must create methods within each controlled process to evaluate outcomes to ensure they are meeting OH&S objectives. These measurements may relate to legal and regulatory compliance, hazard identification and management, operational processes and job-related tasks, and general OH&S goals.

Internal Audit
Once measurement strategies have been determined, organizations can utilize the results to conduct internal audits. Another requirement of the standard, internal audits can be used to evaluate the effectiveness of the full system or simply spot check certain aspects. The internal audit process must be documented, with all findings being logged for reference and further evaluation (if necessary). Internal audits are to be scheduled at routine intervals, continually keeping system functions and OH&S goals in check and ensuring that all ISO and other requirements are being met.

Management Review
The management review process is the final requirement of process evaluation. Similar to other ISO standards, 45001 requires leadership to meet routinely and analyze the OH&S system to find evidence of compliance and address any potential issues. These reviews should be handled with priority, and management should continuously consider incident occurrence and trends, resource adequacy, legal and regulatory changes, actions from previous reviews, and opportunities for continual improvement.

Clause 10 – Improvement

The final clause of the ISO 45001 standard centers around the “Act” phase of the PDCA cycle. Through hazard identification and goal setting, companies find innumerable avenues for improvement, aiding in their ability to meet their OH&S objectives. True work-place improvement and cultural changes happens not just when and OH&S management system is implemented, but through continuous examination and proactivity for future progress.

Incident, Non-Conformity, and Corrective Action
ISO 45001 requires companies to develop process for investigation and report of all found nonconformities and OH&S incidents in order to develop plans for corrective action. Careful documentation of all activities and issue correction aids in further improvement plan development and helps to ensure effectiveness.

It’s important to understand the difference between incidences and nonconformities in order to move forward with improvement.

Incidents are near misses, injuries, or damage to buildings or equipment, that could pose a risk to the worker’s health and safety. Incidents are caused by action.

Nonconformities are specific to processes and procedures, and result when a team member violates a safety requirement. Failure to comply with PPE rules, ignorance or refusal of safety protocols, and participation in knowingly unsafe practices are all examples of nonconformities.

Organizations are required to diligently monitor team member behavior and work practices so that they are able to identify incidents and nonconformities as soon as possible. Additionally, they should develop a system designed for all team members to report observances of nonconformities and unsafe acts, encouraging workers to always speak up for safety.

When incidents and nonconformities are found, a full investigation must be carried out, and records of causes, actions, and consequences must be kept. The investigation team should include a worker or a worker’s representative. Through root cause analysis, leaders will need to define the specific hazard that resulted in the incident or nonconformity, and then create a corrective action plan to address that hazard specifically. The corrective action should be tracked for effectiveness after implementation, and all team members connected to the specific process should actively participate in the improvement. Formal evaluation of the improved process should be scheduled by an internal audit team within a set timeframe of the initial implementation to verify the effectiveness of the solution and adjust as necessary.

Documentation and Communication
Any time that incidents or nonconformities are recorded, companies should take the time to report them to their team, and, if necessary, communicate them externally to shareholders, customers, or regulatory bodies. Investigations of these issues must be carefully and meticulously documented to serve as evidence that corrective action was taken as immediately as possible and to show commitment to the priority of worker health and safety.

Continual Improvement
Finding nonconformities and experiencing safety incidents is inevitable for every organization. And while the purpose of an ISO-certified OH&S management system is to organize and improve operations to optimize workplace health and safety, the real goal is to create a system for continuous improvement. There is no limit to the ways in which illness and injury risk can be reduced in a workplace, and the use of the OH&S system, PDCA cycle, and overarching ISO principles can be extended and expanded as businesses grow.

Utilizing process evaluation, internal audits, management reviews, and even incidents and findings of nonconformities, companies are constantly given the opportunity to use their system to continue to evolve into a safer workplace. Organizations will benefit from an open mindset and will find ways for improvement in many avenues. From evaluating new methods and technology and finding safer tools and material, to constant examination of best practices, openness to suggestions or improvement, and increased knowledge, to improvements to worker competence and job capability, they will find unlimited ways to continuously pursue improvement through their OH&S management system.

Pursuing ISO 45001 compliance and certification requires a full examination of an organizations safety systems, protocols, processes, and employees. Without commitment from the entire team, the challenge of meeting all of the requirements of the standard will prove more complex and challenging than they need to be. True dedication and priority to employee well-being ensures that they implementation of an ISO-certified OH&S management system will be set up for long term success, and that success will be reflected in business growth and opportunity.

For information on consulting services for ISO 45001, visit Core Business Solution’s ISO 45001 Standard page.