CQI Chartered Quality Institute

ISO CD 45001 Briefing Note


Introduction

Report published in September 2014 by: International Register of Certificated Auditors (IRCA), part of The Chartered Quality Institute (CQI), 2nd Floor North, Chancery Exchange, 10 Furnival Street, London EC4A 1AB. T: +44 (0) 20 7245 6722 | www.thecqi.org | www.irca.org

Incorporated by Royal Charter and registered as a charity number 259678


Occupational health and safety management systems – BS OHSAS 18001 moving to ISO 45001

IRCA has prepared this briefing note to update IRCA auditors and other interested parties on the future of BS OHSAS 18001 and the work of ISO Project Committee 283, the committee responsible for developing the international standard ISO 45001 – Occupational health and safety management systems. Development of ISO 45001 has now reached the Committee Draft (CD) stage. This briefing note provides the background to development of ISO 45001 and outlines the likely main similarities and differences between OHSAS 18001 and ISO 45001.

Background

In today’s ever-changing world, organisations operate in increasingly complex environments, often involving multinational supply chains and outsourcing parts of their operation. Differences in cultural norms, legislation, business and social ethics and practices, technologies, etc add to those complexities.

Yet when things go wrong, it is the reputation of the ‘prime’ organisation that falls under the spotlight, as we saw with the Deepwater Horizon catastrophe and Boeing Dreamliner battery problems.

Effective management of business risk is high on the board-level agenda of most organisations. These days, it is not enough for a company merely to be profitable – it also needs to have robust systems of internal control, covering not just ‘narrow’ financial risks, but also risks relating to the environment, business reputation and health and safety.

The need for integrated risk-control systems

ISO management system standards (MSSs), for quality, environment, food safety standards etc, have been developed and published over a number of years. While some may say these standards are compatible with each other, the reality is that the proliferation of ISO MSSs and the manner in which they have been developed has resulted in many apparently common requirements that are subtly or substantially different.

This has caused confusion and inconsistent understanding and implementation. Consequently, it has been easy to compartmentalise these different risk-control systems. But that is simply not how organisations operate or top management thinks.

This compartmentalisation can be a significant barrier to getting the buy-in and hands-on participation of top management and often results in failure to embed these systems into routine operations. Instead, each is operated as an independent system in its own right with its own dedicated management structure. This has led to the need to combine or integrate these different aspects of business risk management more easily in an effective and efficient manner.


ISO management system standards development

In order to deliver consistent and compatible management system standards in the future, the ISO Technical Management Board has produced a common framework for all MSSs. This common framework is referred to as Annex SL. Essentially, Annex SL describes how management standards of the future will be structured using a common “high-level structure” (ie, clause sequence, common text and terminology provided in Annex SL). The first standard to adopt this structure was the Business Continuity Management standard (ISO 22301:2012).

BS OHSAS 18001

First published in 1999, OHSAS 18001 was developed to fill the gap where no international standard for occupational health and safety existed. The current version of the standard is OHSAS 18001:2007, which was adopted as a British Standard, hence BS OHSAS 18001:2007.

Despite not being an ISO standard, OHSAS 18001:2007 has gained global acceptance. In recent years there has been a rapid increase in the use of OHSAS 18001 and versions of OHSAS 18001 that have been adopted by countries, of which there are about 40. Recent surveys report approximately 90,000 accredited certifications in more than 127 countries and a pressing desire from business and interested parties for an international standard.

IRCA has seen growing interest and take-up of IRCA’s OH&S auditor certification scheme and auditor/lead auditor training courses – with the number of delegates attending auditor training for OHSAS 18001 increasing by 40% in four years and exceeding those for EMS.

ISO 45001


Development of ISO 45001

In 2013, ISO approved the creation of a new project committee to develop an International Standard for occupational health and safety (OH&S). The work is being overseen by ISO Project Committee (PC) 283. The ISO project committee has been tasked with transforming OHSAS 18001 into an ISO standard, ISO 45001.

The secretariat of ISO/PC 283 has been assigned to BSI, the British Standards Institution. There are currently 50 countries/organisations working on or involved in producing ISO 45001, including the International Labour Organisation (ILO). Richard Green, Head of IRCA Technical Services, is participating in the development of ISO 45001 as a member of HS/001, the UK committee which is responsible for the preparation, publication, review and revision of generic British Standards or other products on occupational health and safety.

Development timeline

Development and approval of ISO MSSs follow an established process and sequence: Working Draft (WD), Committee Draft (CD), Draft International Standard (DIS), Final Draft (FDIS) followed by publication of the Standard. The significance of change diminishes as development progresses. Once FDIS is released the nature of any further change is normally minor.

• June 2013: Draft design spec. and WD0

• October 2013: Approved design spec. and WD1

• July 2014: CD for comment and ballot (3 months)

• June 2015: Proposed DIS publication

• July 2015: Proposed FDIS publication

• October 2016: Proposed ISO 45001:2016 publication

• Proposed transition period: 2-3 years from standard publication


What we know about ISO 45001

ISO 45001 will include guidelines on the use of the standard.

At its first meeting, the project committee re-examined the scope of application of the standard and proposed extending it to cover the working out of “guidelines for use” supplementing the “requirements” relating to Occupational Health and Safety Management Systems. The proposal was submitted to the ISO Technical Management Board (ISO/TMB) and approved. Therefore, unlike OHSAS 18001:2007, which contains only the requirements (the guidelines had to be purchased separately as OHSAS 18002), at this time it looks as though ISO 45001 will have both. This is reflected in the title:

• ISO/CD 45001 – Occupational health and safety management systems – Requirements with guidance for use.

ISO/CD 45001:2014 Annex A – Guidance on the use of this international standard, includes the caveat that “this guidance is strictly informative and is intended to prevent misinterpretation of the requirements contained in this International Standard”. This is an important statement, making it clear that Annex A is not part of the auditable criteria.

ISO 45001 will adopt the high-level structure of Annex SL

This is the same common structure, definitions and core text being used to revise ISO 14001 (EMS) and ISO 9001 (QMS).

This will mean the structure of the standard will be:

1. Scope

2. Normative references

3. Terms and definitions

4. Context of the organisation

5. Leadership

6. Planning

7. Support

8. Operation

9. Performance evaluation

10. Improvement

The first significant change therefore is that there are now ten sections instead of four in OHSAS 18001.

ISO/CD 45001 includes familiar concepts and requirements

The purpose of the standard remains much the same as before and ISO/CD 45001 retains many familiar concepts and requirements. The stated purpose is “to enable an organization to proactively improve its OH&S performance in preventing injury and ill-health”; whereas the purpose of OHSAS 18001 is given as “to enable an organisation to control its OH&S risks and improve its OH&S performance”. Some will argue this puts more emphasis on seeking continual improvement and not only by addressing OH&S risks, but also through other initiatives, for example health education and training. Others may argue that this simply clarifies previous intent.

Familiar concepts and requirements include application of the PDCA model, setting policy, setting objectives, carrying out internal audit, and management review. In many cases the current requirements have been carried over from OHSAS 18001, albeit with some minor changes of wording at times. For these topics, the existing processes within current OH&S management systems may well already address the new requirements since they have largely only been re-arranged to fit in with the Annex SL structure.


Continual improvement is a separate section in ISO/CD 45001, unlike OHSAS 18001 where continual improvement is shown in the OH&S management system model as coming from the interaction of policy, planning, monitoring and review etc. ISO/CD 45001 has a specific section on improvement. However, looking in detail at section 10, we find familiar concepts including incident, nonconformity and corrective action as well as a specific requirement for continual improvement and a requirement to establish, implement and maintain a continual improvement process.

Missing from ISO/CD 45001 is reference to preventive action. The term preventive action, and any specific reference to it, has been removed. This stems from the approach of Annex SL.

Preventive action has been replaced with:

• 4.1 (determination of external and internal issues)

• 6.1 (actions to address risks associated with threats and opportunities)

• 5.2c (commitment to satisfy applicable legal and other requirements to which the organisation subscribes)

• 8.6 Emergency preparedness and response (where potential emergency situations are identified and planned for and the emergency procedures are tested).

In reality, as currently, the whole of the standard is about eliminating or minimising OH&S risks by taking appropriate preventive measures.

The hierarchy of control is a concept the OH&S practitioner and auditor will be familiar with. The requirement in OHSAS 18001 to consider reducing risks according to a hierarchy of controls is strengthened in ISO/CD 45001, which requires a policy commitment to the control of OH&S risks through a hierarchy of control and mandates use of the hierarchy in section 8.1 Operational planning and control. This is typical of a number of changes where what may have seemed optional in OHSAS 18001 is mandatory in ISO/CD 45001.

ISO/CD 45001 includes some enhanced requirements

ISO/CD 45001 places more emphasis on risk management and ongoing assessment of risks and opportunities to prevent, or reduce, undesired effects.

There is a strengthening of the requirement to demonstrate and understand compliance status at all times (with legal and other requirements).

There are specific sub-sections and requirements for contractors and procurement, clarifying and expanding requirements of OHSAS 18001. There is also a specific requirement on outsourcing of operations: “The organization shall ensure that outsourced processes affecting its OH&S management system are controlled”.

There are enhanced requirements for the use of performance indicators to monitor performance (9.1 Monitoring, measurement, analysis and evaluation) and track OH&S performance including status and trends in monitoring and measurement results (9.3 Management review – c).


ISO/CD 45001 includes some irregularities with ISO/DIS 9001:2014

Remembering that we are looking at the CD version, and that some significant changes at detail level will very likely be made, some differences exist between ISO/CD 45001 and ISO/DIS 9001:2014 for no apparent reason.

For example, ISO/CD 45001 has introduced sub-clause titles which ISO/DIS 9001:2014 does not have (ie, 9.2.1 Internal audit objectives). And ISO/CD 45001 has a requirement that management review “includes consideration of the extent to which OH&S policy and OH&S objectives have been met” which is not in ISO/DIS 9001:2014. While seemingly of little consequence, it is this type of difference that causes confusion for implementers and auditors, and that Annex SL was introduced to prevent. Ideally, these will be resolved as development progresses.

ISO/CD 45001 includes new concepts

Context of the organisation, leadership and documented information are generally thought to be the more significant new concepts.

New clause: Context of the organisation (4.1)

The intent of 4.1 is to provide a high-level, conceptual understanding of the important issues that can affect, either positively or negatively, the way the organisation manages its responsibilities in relation to the OH&S management system for persons working under its control. The issues of interest are those that affect the organisation’s ability to achieve the intended outcome, including the objectives it sets for its OH&S management system, which include meeting its OH&S policy commitments.

Examples of the issues are:

a) External issues such as the cultural, social, political, legal, financial, technological, economic and natural surroundings and market competition, whether international, national, regional or local.

b) Internal characteristics or conditions of the organisation such as governance, structure, roles and accountabilities and the organisation’s culture.

The guidance given in ISO/CD 45001 adds the comment that:

“The results of the context review should be used to assist the organization in understanding and determining the scope of its OH&S management system, determining its risks and opportunities, developing or enhancing its OH&S policy, setting its OH&S objectives and determining the effectiveness of its approach to maintaining compliance with applicable legal requirements and other requirements to which the organization subscribes”.


New clause: Interested parties (4.2)

The organisation has to determine the interested parties that are relevant to the OH&S management system, and then the relevant requirements of those interested parties. However, there is no expectation that the organisation shall comply with all those relevant requirements. ISO/CD 45001 adds the statement:

“and which of these become applicable legal and other requirements to which the organisation subscribes”.

Referring to the guidance given in Annex A, we have the explanation:

“That Interested party needs and expectations are not necessarily compliant requirements of the organization. It is important to distinguish between what these needs and expectations will lead to:

• mandatory requirements, laws, regulations

• voluntary commitments to interested parties to which the organization voluntarily subscribes

Needs and expectations from interested parties only become obligatory requirements for an organization if that organization chooses to adopt them”.


Scope of the OH&S management system (4.3)

ISO/CD 45001 states that “The scope shall include all the activities, products or services within the organization’s control or influence that can impact on the organization’s OH&S performance”.

An area likely to cause some discussion will be that of outsourced operations. In the definitions ISO/CD 45001 states that “An external organization is outside the scope of the management system, although the outsourced function or process is within the scope”. The question will be – to what extent is the organisation responsible for the OH&S of outsourced operations carried out by another organisation or contractor? The guidance given in Annex A advises that:

“Supply and procurement policies should address hazards and potential OH&S risks to persons in the organization and, as far as possible, impacts on persons, outsourced or subcontracted, carrying out activities or producing products or services for the organization”.

New clause: Leadership (5)

Section 5 dedicates itself to “Leadership”.

This section is divided into three sub-clauses:

5.1 Leadership and commitment.

5.2 Policy.

5.3 Organizational roles, responsibilities, accountabilities and authorities.

Although some of section 5 will seem familiar to users of OHSAS 18001 there are significant new and enhanced requirements.

This clause calls for the organisation’s top management to demonstrate their involvement and engagement with the OH&S management system through direct participation in, for example:

• Taking OH&S performance into account in strategic planning

• Communicating the importance of effective OH&S management and of conforming to the OH&S management system requirements

• Directing and supporting persons to contribute to the effectiveness of the OH&S management system for all functions

• Promoting and leading organisational culture with regard to the OH&S management system

• Top management shall identify one or more of its members to be accountable for the OH&S policy and OH&S management system.

Note that these are activities top management are required to carry out; they cannot delegate them to others. Thus, the top management assume an active role in the OH&S management system. The leaders must also ensure the integration of the OH&S management system requirements into the organisation’s business processes.

Revised requirements – Documented information (7.5)

OHSAS 18001 requirements for documentation and records are largely transferred to section 7.5, with revisions.

Sub-clause 7.5 is further divided into three parts:

7.5.1 General

7.5.2 Creating and updating

7.5.3 Control of documented information

The significant change is use of the term “documented information” not “documents and records” as is the case in OHSAS 18001. Documented information includes processed information held, for example, on smartphones, tablets etc.


Conclusion

ISO/CD 45001 signals the significant similarities between OHSAS 18001 and the high-level changes and enhancements we expect to see in the new ISO standard. The DIS is likely to continue to refine the standard. Contentious issues such as definitions (eg, definition of risk, worker, and workplace) and proposals to replace ‘hazard identification’ with risk identification will need to be resolved in ways that are acceptable to all nations involved in this process.

We expect the OH&S specific text being added to the Annex SL core text will continue to be refined as development progresses. The extent and significance of ongoing changes will depend upon the degree of acceptance of the CD version when put to a ballot. That said, much of what is in ISO/CD 45001 is familiar to those already using OHSAS 18001 and while specific requirements may change, the overall concepts and intent of the new ISO standard are unlikely to change much from what we see in the CD version.

By the time ISO 45001 is published in 2016, the new concepts coming from Annex SL will, for many organisations and auditors, be tried and tested because they appear also in the updated QMS and EMS standards due to be released in 2015. Organisations operating QMS, EMS and OH&S management systems will have a unique opportunity to align and integrate these three management systems, if they choose to do so.

Organisations, OH&S professionals and auditors should be aware that at Committee Draft International Standard (CD) stage, technical changes may still occur; it is therefore recommended that, while preparation can be carried out, significant changes should not be implemented until the Final Draft International Standard (FDIS) is issued and the technical content is finalised.

CQI/IRCA will continue to issue updates as development progresses.


THE BUSINESS VIEW

DNV GL Business Assurance

We see the new standard as a dynamic standard which can be easily coupled to all other available ISO standards that follow the high-level structure (HLS), which is sure to have a true business impact on the organisation.

We expect to see more consistency in the content of training, but more flexibility and tailored approach in the delivery. The consistency in the content is required as it is an ISO standard based on the HLS and the standard requirements will be the same around the world. However, every time you try to implement these requirements, you need to be aware of the business context (both internal and external) of your organisation, and this demands a lot of updated knowledge, flexibility and customisation in our training.

Not only because of the changes in the standard but especially when compared to the current practices in training, these changes call for a clear facelift for our training modules in terms of the market and business awareness. As such, the trainers should have a sound knowledge on the specific business context and its impacts including the identification, prioritisation and management of relevant interested parties, risks, opportunities and so on, connected to the specific industry, country or local community. This means that the users of the standard should be able to explore the consequences related to ever-changing demands in various business and industry sectors coupled to the technical or technological and societal changes etc. In other words, they need to be able to ‘look outside of the box’.

Auditors and the people working with the standards not only need to be trained for the Occupational Health & Safety related risks, PDCA cycle and the process approach, but also on the other factors such as market awareness, risks and opportunity management, financial and human resources management, for example, that would have a direct or an indirect impact on the processes within the organisation.

Both internal and external auditors need to have a real-time, practical approach to their audits. The times when they used standard checklists are gone. They need to focus on the impact of the business plans as a result of good or bad management of Occupational Health and Safety Systems in the organisation and vice versa. This will raise the awareness and commitment from the top management in adhering to the standard, and this is also the expectation of the HLS. The awareness and commitment from the top management in adhering to the standard, and especially to HLS elements, will need to be improved significantly as well compared to the past. As such, there will be a training need for all stakeholders involved, including the top management.

Last but not least, as the busy organisations need flexibility, we strongly believe that eLearning and blended learning will have higher demand in the near future.


www.twitter.com/irca_inform | www.twitter.com/cqi

The Chartered Quality Institute (CQI), 2nd Floor North, Chancery Exchange, 10 Furnival Street, London EC4A 1AB, United Kingdom

T: +44 (0) 20 7245 6722 | F: +44 (0) 20 7245 6788 | www.thecqi.org | www.irca.org

© 2014 the CQI. All Rights Reserved
