Transition Chart from OHSAS 18001 to ISO 45001
Introduction
The new International Standard 45001 (OH&S MS) will replace the current OHSAS 18001 standard. The new forthcoming ISO 45001 standard promises to bring real benefits to those who will use it. This standard, inspired by OHSAS 18001, aims to help organizations ensure the health and safety of people who work for their organizations. ISO 45001 will be internationally recognized, coherent, aligned and fully integrated with other ISO standards, especially, with the quality management system and environment management system.
What's new and different in the ISO 45001 compared to OHSAS 18001?
- The purpose of the standard remains the same; many of the topics covered in OHSAS 18001 are provided in the current ISO/DIS 45001
- The new standard will follow the "High-Level Structure" (HLS) format of Annex SL, which introduces a common framework for all management systems. This means it will be aligned with the revised versions of ISO 14001 and ISO 9001
- In the new standard, there is a greater focus on the environment in which the organization operates, as well as a greater role assigned to top management
- Easier integration with other standards, since the structure (HLS) will be identical. Easier integration with ISO 14001, since many organizations, especially small ones, assign one person to follow both environmental and OH&S security aspects, because they are commonly considered related areas
- The ISO 45001:2016 standard provides additional focus on the process approach, and clarifies why it is essential to implement it in each business process of the organization
- ISO 45001 will maintain the same commitments to regulatory compliance as OHSAS 18001, while strengthening the basic concepts
- Leadership and culture: specific requirements for top management in terms of demonstrating leadership, commitment and encouraging a positive occupational health and safety culture within the organization
- Documentation flexibility
- Greater importance on the hierarchy of controls
- Proactive strategic approach
- ISO 45001 focuses on identifying and controlling risks, rather than hazards, as it is required in OHSAS 18001
- Some of the terminology will use similar approaches to other management systems while also maintaining a different, specialized approach to the OH&S management system
- Risk-based thinking is one of the major changes in ISO 45001 compared to OHSAS 18001. It requires organizations to consider the risks and opportunities associated with the issues that are identified in clause 4.1, more specifically with regard to the interested parties. This clause has brought a significant change to the standard, by replacing preventive actions and reducing the need for corrective actions
- Better focus on stakeholders is another change in ISO 45001:2016. The general requirement (clause 4.1) of OHSAS 18001 is also incorporated into ISO 45001, but the changes that are made are put into two new sub-clauses: “Understanding the organization and its context” and “Understanding the needs and expectations of interested parties”
Integration of Annex SL as a foundation in the new ISO 45001 standard – the new ISO high-level structure (HLS) means that in comparison with the 18001, the structure of the new ISO 45001 standard will be as follows:
- Scope
- Normative references
- Terms and definitions
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
ISO 45001 | OHSAS 18001 | Analysis |
4. Context of the organization | ||
4.1 Understanding the organization and its context | New Requirement |
Context of the organization is a new concept compared to OHSAS 18001. The attention
to the context in which an organization operates is one of the advances that characterize
the current work on the revision of another important standard on management systems. There is
a broader vision, which calls into action the entire organization and in particular the role of
the management. ISO 45001 places more emphasis on the organization's context.
ISO 45001 states that organizations need to look beyond the direct meaning of
health and safety and consider the company’s health and safety objectives in broad
terms. Organizations must certainly think when choosing their suppliers and contractors,
but also need to consider, for example, how their activities can have an impact on their
neighbors.
In this regard, it requires an organization to consider all positive or negative issues that
may affect directly or indirectly the achievement of expected results, or achieve clear progress
towards planned objectives as it has been intended.
Consider what surrounds the organization and evaluate how it may affect your
OH&S Management System. ISO 45001 indicates to us that, when considering the context
of an organization we must take into account:
The internal issues among which are: the organizational structure, responsibilities and distribution,
personal knowledge, middle management, technology, information flows, processes of decision making, and so on.
External issues including: the cultural environment, market competition, new and old suppliers, new technology, new legislation, and so on.
|
4.2 Understanding the needs and expectations of workers and other interested parties
|
New Requirement |
The organization should have a general understanding of the needs and expectations
expressed by the stakeholders that the company determines as relevant.
This is an important point which involves performing a reflection of work and understanding of
the needs and expectations of different stakeholders.
ISO 45001 tells us that we need to identify:
• needs
• expectations
Stakeholders of an OH&S Management System may include:
• Legal and regulatory authorities
• Parent organizations
• Suppliers, contractors and subcontractors
• Workers of the organization
• Owners, shareholders, customers, visitors, local community and neighbors of the company and the general public
• Medical services and other community services, media, business associations and NGOs
• Companies engaged in safety and health at work
The needs and expectations of stakeholders are not necessarily business requirements. It is important to distinguish between
the needs and requirements, such as:
• Mandatory requirements
• Requirements that must be assumed
• Other requirements that the company subscribes voluntarily
|
4.3 Determining the scope of the OH&S management system | Scope & Clause 4.1 |
A company has the freedom and flexibility to define the limits considering their work-related
activities. A company can choose to implement the ISO 45001 standard across the entire organization or
in the most specific parts, thus defining that top management has its own roles, responsibilities and
authorities to establish an OH&S MS. The scope has to be objective and representative of operations
that implement OH&S MS, so that it does not mislead stakeholders.
When defining the scope of the OH&S MS the company has to consider:
• Clause 4.1 identifying external and internal issues
• Requirements of Clause 4.2 (identify the needs and expectations of interested parties)
• Organization’s work related activities
Thus, the scope of OH&S MS cannot be defined without considering requirements of clauses 4.1, 4.2
and work related activities. The defined scope should be available as documented information.
|
4.4 OH&S management system and your processes | Clause 4.1 General Requirements |
This component of the standard remains basically the same as it was in OHSAS 18001.
|
5. Leadership and worker participation | ||
5.1 Leadership and commitment and your processes | Clauses 4.4.1, 4.4.3, 4.4.6 |
ISO 45001 emphasizes that the aspects of health and safety are now integrated into the overall
organization's management system, thus requiring stronger and greater involvement of its
management. Similar to ISO 9001:2015 and ISO 14001:2015, there is a greater role for top management
in the new ISO 45001 standard. Health and safety at work become central aspects of the management
system, and this requires a strong commitment by top management. It is a significant change for those
who so far have delegated these aspects to a specific department responsible for OH&S, rather than
fully integrating them into all activities of the organization. ISO 45001 requires that health and safety
are a part of the entire business management system and are no longer something extra, as
required by OHSAS 18001.
In addition, the organization shall identify and clearly describe, in a separate process, opportunities
for improvement for health and safety at work.
Such opportunities may arise from:
• organizational changes
• elimination of health risks in the workplace and safety in the workplace
• adaptation of working conditions to the needs of employees
|
5.2 OH&S policy | Clause 4.2 OH & S policy |
The OH&S policy is a set of principles that establishes the commitments of the management
of the organization, and it should support and continuously improve performance to achieve safety
and health in the workplace.
It establishes a framework for the organization to set goals and take the necessary decisions
to achieve the expected results within the management system.
Top management must establish, implement and maintain a policy of safety and health at work in
consultation with workers at all levels of the company.
The organization must indicate a commitment to comply with applicable legal requirements
and other requirements. It must also indicate a commitment to control risks related to safety and health
at work using the priorities of the controls.
Unlike OHSAS 18001, this clause requires greater participation of the workers when
developing the OH&S policy. Additionally, the communication across the organization should
be improved, i.e., communication between top management and workers.
The policy of the OHSMS must:
• Be available as documented information.
• Be communicated to employees of the organization.
• Be available to all interested parties.
• Be periodically reviewed to ensure that it is kept updated.
|
5.3 Organizational roles, responsibilities, accountabilities and authorities
|
Clause 4.4.1 Resources, roles, responsibility, accountability & authority
|
The essentials of this clause remain the same as in OHSAS 18001. The management has to
ensure that the responsibilities, accountability and authorities for relevant roles within the OH&S
Management System have been communicated and designated, and kept as documented
information. Workers at every level of the company have to take responsibility for those
aspects of the management system over which they have control.
|
5.4 Participation and consultation |
Clauses 4.4.2, 4.4.3, 4.5.1, 4.5.2, 4.5.3
|
The company must establish, implement and maintain different processes for
participation in the development, planning, implementation,
evaluation and action for improvement of the OH&S
Management System. Employees at all levels and functions applicable, must be involved.
Unlike OHSAS 18001, this clause requires the participation of non-management workers.
The organization should give additional importance to the presence of non-managerial
workers in the consultation that relates to the determination of the needs and expectations
of stakeholders, and also when establishing the policy, allocating roles and determining how to apply the legal requirements.
|
6. Planning | ||
6.1 Actions to address risks and
opportunities
|
Clauses 4.3.1, 4.3.2, 4.3.3 |
This clause has been revised and combines some of the clauses of OHSAS 18001 resulting in a
broader concept that includes opportunities and measures of effectiveness.
|
6.1.1 General | ||
6.1.2 Hazard identification and assessment of OH&S risks
|
This clause and its sub clauses offer all the requirements for identifying hazards and assessing
OH&S risks, and in general, this process is the same as required in the OHSAS 18001 standard.
In order for an OHSMS to work effectively a company has to identify all the risks presented by
its processes and then assess the risk in the hazards.
|
|
6.1.2.1 Hazard Identification |
ISO 45001 requires a company to design the identification process in a proactive manner based
on the possible risks that may arise from the operations of the company. This identification of
risks and hazards must take into account the following:
• Routine and non-routine activities
• Emergency situations
• People who are involved
• Other issues that include the design of the workplace
• Changes in the company
• Changes in information about the dangers
• The incidents of the past
• Social factors of the company
|
|
6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system
|
The risk assessment still requires that the risks of hazards are identified and lead to the prevention
of occupational hazards and its operations. These criteria must be defined by the company, as it will
be different from one company to another.
|
|
6.2 OH&S objectives and planning to achieve them
|
Clause 4.3.3 |
This component of the standard remains basically the same as it was in OHSAS 18001.
|
7. Support | ||
7.1 Resources | Clause 4.4 |
The organization should determine and provide the resources that are needed to
successfully implement an OH&S Management system.
|
7.2 Competence | Clause 4.4.2 |
The essentials of this clause remain the same as in OHSAS 18001, however procedures are
no longer required. Documented Information should be accessible to support competence
evaluation and development. Actions will be assessed to check their efficiency.
|
7.3 Awareness | Clause 4.4.2 |
Employees should be aware of risks & hazards related to them and how their tasks affect the
overall performance of OH&S MS. Employees should also be aware of policy requirements and
outcomes of relevant incident investigations.
|
7.4 Information and communication | Clauses 4.4.3 and 4.4.3.2 |
The organization has to establish information and relevant internal and external communications of
OH&S Management System. It must clearly define what to report, when to report it, how to report it
and to whom to report it, in order to make and keep all information up-to-date. Additionally it should
determine the objective of the communication and evaluate its effectiveness.
|
7.5 Documented Information | Clauses 4.4.4, 4.4.5, 4.5.4 |
One of the key changes is the approach that is given to documented information,
which is the new operational terminology applied to all documents and records of
the ISO 45001 standard. This terminology is based on Annex SL similar to other ISO standards
that have been recently reviewed; it appears that the documented information requirements
are less demanding than in OHSAS 18001. But it should be noted that ISO 45001 has
different requirements that the organization will need to comply to.
The procedures and technical requirements of documents and controls are replaced with documented information.
But if the organization sees them as necessary they can be retained. However, documented
information still requires control similar to OHSAS requirements.
Mandatory documents and records can now be consolidated as documented information; according to the new standard it
is advised that this information is used in the certification audit of the standard itself to ensure that it meets the requirements of the
ISO 45001 standard.
|
8. Operation | ||
8.1.1 Operational planning and control
|
Clause 4.4.6 |
Planning component is an addition to this clause. The new standard requires planning,
instead of just control as it was required in OHSAS 18001. The planning criteria should be based
on the requirements defined in Section 6.
|
8.1.2 Hierarchy of Controls | New requirement |
The hierarchy of controls introduces the need to have controls that reduce the risks in terms of safety and
health at work to the lowest level possible. The hierarchy of controls is based on risk management principles.
|
8.2 Management of Change | New requirement |
This clause introduces the requirements for planned changes that impact OH&S
performance. The company has to implement and use a proper, applicable methodology for the risk
and opportunity assessment that may arise as an outcome of change. This process depends
on the nature of the foreseen change.
The organization has to ensure that unexpected hazards and an increase in risk profile do not
happen as a result of a change recently implemented in the company. The organization has
to ensure that all employees who are affected by a change implemented in the company
are appropriately informed and capable of coping with the transformation.
|
8.3 Outsourcing | New requirement |
ISO 45001 requires that outsourcing processes shall be controlled and monitored and
also reduce the possible impact of outsourced activities. ISO 45001 requires that any outsourced
process should be under the OHSMS control. The organization should define the controls that will
apply to the outsourcing company and the result of the outsourcing activities. The organization should
evaluate the outsourcing provider and check what controls they implement within their company and check their effectiveness.
The organization also must consider the risk involved when outsourcing its activities.
|
8.4 Procurement | New requirement |
This clause refers directly to the procurement of goods and services. ISO 45001 requires organizations
to implement controls in order to ensure that when the company purchases goods such as raw
materials, hazardous substances, or any equipment, they conform to the requirements of its OHSMS.
These controls also apply to any product or services that the organization purchases. Proper controls should be defined and
implemented before the company purchases any goods or services. These controls should be able to identify and evaluate potential
health and safety risks related with the goods or services prior to their introduction at the workplace.
|
8.5 Contractors | New requirement |
This section delves into the establishment of the coordination of activities. A distinction is made between coordination with contractors on
the basis of whether or not they have implemented an OHSMS; if the contractor has not implemented an OH&S MS, the organization has
to specify how the coordination of the contractor will be made with activities and processes of the management system.
A very important part of the coordination will require verification that the contractors are able to perform their tasks before allowing
them to proceed with their work, examples:
• Performance records of safety and health
• Specify all criteria used to qualify, gain experience and control the competence of employees.
• Training requirements and other requirements of employees are carried out.
• All resources, equipment and work preparation should be taken into account to confirm that they are adequate and ready for work to start.
An organization has to establish and maintain procedures to ensure that the contractors comply with the company’s OHSMS. These procedures must include proper health and safety criteria when selecting a contractor.
|
8.6 Emergency preparedness and response
|
Clause 4.4.7 |
This clause remains similar to its predecessor in OHSAS 18001, however the requirements have been strengthened and expanded and also include the
communication component. Potential emergency situations should be identified. The company should evaluate OH&S risks related
to emergency situations. The company should have a plan to respond to emergency situations.
The emergency response plan should be periodically tested and exercised to check its competence.
|
9. Performance evaluation | ||
9.1 Monitoring, measurement, analysis
|
Clauses 4.5, 4.5.1 |
The requirements of this clause have been revised and extended. Different from OHSAS 18001 this clause now also includes
communication and criteria. Documented information replaces the procedural requirements that were part of this clause in OHSAS 18001.
|
9.1.2 Evaluation of compliance with legal requirements and other requirements
|
Clause 4.5.2 |
Again, documented information replaces the procedural requirements that were part of this clause in OHSAS 18001. This
clause has also been revised and extended to include evaluation method and frequency.
|
9.2.1 Internal audit objectives | Clause 4.5.5 |
Again, documented information replaces the procedural requirements that were part of this clause in OHSAS 18001. Internal audit objectives remain the same as in OHSAS 18001.
|
9.2.2 Internal audit process | Clause 4.5.5 |
This clause has also been revised and extended to include: established communication with workers and their representatives,
assist in continual improvement of the overall OH&S MS. The requirements of this clause also include proper action when retaining documented information and addressing nonconformities.
|
9.3 Management Review | Clause 4.6 |
The requirements of this clause are based on the previous standard. However, the new standard sets a greater importance in communication
and improvement based on the effectiveness of the system and risk opportunities. The management should review the OH&S performance by
monitoring trends for example in: incident occurrence, participation of workers and the results of discussions, OH&S risks and opportunities and so on.
The management should also review relevant communication with stakeholders and determine the actions that need to be taken when the objectives have not been achieved. The company has to retain documented information as evidence of the results of management reviews.
|
10. Improvement | ||
10.1 Incident, nonconformity and corrective action
|
Clauses 4.5.3, 4.5.3.1, 4.5.3.2 |
This clause has brought a significant change to the standard, by replacing preventive action and reducing the need for corrective actions. The
reason for the disappearance of the concept of preventive action, is that the structure of Annex SL introduces the concept that the company needs to examine its
business risks while developing its OH&S Management System, and use it as a tool to prevent the risk occurrence. That is, if a company is using an OH&S Management System under ISO 45001 to control risks, it is considered that the entire management system itself is a prevention tool. Requirements of this clause include:
• Incidents should be reported on time,
• Documented information related to this clause should be communicated to relevant workers,
• Direct actions should be taken to control and correct incidents or nonconformities. These actions should be conducted in a timely manner in order to deal with the consequences as soon as possible. After a corrective action has been performed, the organization may investigate and consider if any additional action is required to prevent the occurrence of a similar nonconformity or incident.
• Risk reduction and risk assessment principles should be applied.
• OH&S risk assessment performed in clause 6.1 should be reviewed
• Organizations are required to identify what caused the nonconformity or incident. The organization has to determine what actions can be taken to approach the cause or the problem, evaluate any risk assessments or launch a new assessment – following the requirements for implementing a corrective action. The organization has also to consider if there are any potential similar problems remaining possibly in other parts of their operations.
After that, the organization is required to implement any corrective action seen as necessary, evaluate its effectiveness and, if necessary, implement changes to the management system. Root cause analysis is a significant factor for continual improvement.
|
10.2 Continual improvement |
Opportunities for improvement of safety and health at the workplace coming from the hazard identification, risk assessment and other activities of the company should be identified. This clause
addresses the need to act on all opportunities to increase or improve the management system. This clause also requires the retention of documented information related to actions, evaluation of effectiveness and communications.
|
|
10.2.1 Continual improvement objectives
|
This clause is basically a summary of the previous standard. The objectives of continual improvement:
• Top Management should develop, manage and promote a positive OH&S culture within the organization.
• Prevent incidents.
• Improve the overall OH&S performance
|
|
10.2.2 Continual improvement process
|
Continual improvement process should result from the management system. This can be realized from a range of components within the system. ISO 45001 requires the organizations to demonstrate the usage of the results from their evaluation and analysis processes that are used to identify areas of deficit and opportunities for improvement. This clause also requires:
• Communication of results
• Maintain documented information
Relevant methodologies, techniques and tools should be implemented by the organization to support this process.
|
- An organization must include the scope of the OH&S Management System, in which the methods and processes used to address the opportunities and risks, controls operations and planning are included, all necessary requirements to establish leadership and communication, as well as preparing the organization to face emergency situations.
- It should be documented that there are processes that must be incorporated into the documented information for your company, for example, perform a management review, internal audit or corrective action processes.
- An organization can develop a matrix with the results of the outputs of the processes recorded and use the results for evaluation, analysis, improvement, and objectives. This may be your day to day working quality assessment, while the manual contains more details on all individual process documents.