One in a series of occasional blogs on ISO/DIS 45001 Occupational health and safety management system.
Clause 8.3: Outsourcing; Clause 8.4: Procurement; Clause 8.5: Contractors
The FDIS version of ISO 45001 is only months away from publication. ISO/FDIS 45001 is the penultimate version before final publication of the standard. Already, a lot of interest has been expressed in the differences between ISO 45001 and OHSAS 18001.
One key change is the increased emphasis on outsourcing, procurement and the management of contractors.
Ideally, the safety and health requirements of the company should be incorporated into purchasing and leasing specifications. OHSAS 18001/18002 documents demand that such requirements be communicated to the supplier, but do not stipulate how. National laws and regulations should be identified prior to procurement. In the OHSAS documents, these would ipso facto be identified during the risk assessment process [see OHSAS 18002, 4.3.1d (1)i below].
“As well as considering the hazards and risks posed by activities carried out by its own personnel, the company should consider hazards and risks arising from the activities of contractors and visitors, and from the use of products or services supplied to it by others.”
ISO/DIS 45001 Clause 8.3: Outsourcing requires the company to ensure that outsourced processes affecting its health and safety management system are controlled.
An outsourced process is defined as one that fulfils all of the following criteria:
- it is within the scope of the health and safety management system
- it is integral to the company’s functioning
- it is needed for the health and safety management system to achieve its intended outcome
- liability for conforming to requirements is retained by the company
- the company and the external provider have a relationship where the process is perceived by interested parties as being carried out by the company
Outsourcing is classically facilities management, e.g. HR, payroll, ICT, cleaning, building maintenance. Some of these activities, such as cleaning and building maintenance have the propensity to introduce significant hazards into the workplace with the potential to negatively impact on the wellbeing of the company’s own workforce and that of the outsourced service provider. ISO/DIS 45001 requires the company to moderate the potential impact of outsourced activities.
Any outsourced processes are under health and safety management system control; this means that the company cannot ignore how the outsourced process is being implemented and controlled. The controls that will be applied to both the outsourced provider and the output must be defined. The company must consider the risk involved and how good the outsourced provider’s own controls are.
Clause 8.4: Procurement
The company is required to establish controls in order to ensure that the procurement of goods such as products, hazardous substances, raw materials, equipment and services conform to its health and safety management system requirements.
Prior to purchasing goods and services, the company should identify appropriate controls. These controls should be used to identify and assess potential health and safety risks associated with these goods and services before their introduction into the workplace. Consideration should be given to supplies, equipment, raw materials and other goods and related services purchased by the company in order to conform with its requirements pertaining to information, participation and communication.
The company should verify that equipment, installations and materials are adequate before being released for use by its workers such that:
- equipment is delivered in accordance with specification and is tested to ensure that it works as intended
- installations are commissioned to ensure that they function as designed
- materials are delivered in accordance with their specifications
- usage requirements, precautions to be taken and/or other protective measures are communicated and made available when and where required
Clause 8.5: Contractors
The company is required to establish processes to identify and communicate the hazards and assess and control the risks that arise from:
- contractors’ activities and operations in relation to the company’s workers, to other interested parties in the workplace such as visitors and to the contractors’ own workers
- the company’s activities and operations in relation to the contractors’ workers and to other interested parties in the workplace such as visitors
The company must establish and maintain processes in order to ensure that the requirements of its health and safety management system are met by contractors and their workers. These processes must include appropriate health and safety criteria for the selection of contractors.
The company can delegate responsibility to suitable contractors for the identification, evaluation and control of health and safety hazards and associated risks. Notwithstanding the knowledge, skills and capabilities of contractors, this delegation of responsibility does not obviate the necessity for the company to assume responsibility for the health and safety of its own workers.
Contractors engaged in maintenance, construction, security, landscaping, facility maintenance, janitorial, sanitation or clean-up of production processes are, inter alia, typical of the activities covered by this clause of ISO/DIS 45001. Contractors can also include specialists in administration and accounting and other service-related activities.
The company can manage its contractors’ activities by the drafting of contracts that clearly define all of the responsibilities of the parties involved. The company can utilise a variety of tools for managing its contractors’ health and safety performance, including contract award mechanisms, the use of pre-qualification criteria, which consider past health and safety performance, safety training, or health and safety competencies, in addition to direct contract requirements.
The relationships between a company and its contractors can be both diverse and complex and can involve different types and levels of risk. The nature of the relationships and the degree of coordination required are predicated on such issues as:
- the terms of the contract
- the nature of the hazards and risks
- the type and size of the operations
- the duration of the work on the site
Factors that should be considered in determining the level of coordination required between the company and its contractors include:
- the reporting of hazards between itself and its contractors
- controlling worker access to hazardous areas
- procedures to be followed in the event of an emergency
If a contractor has not implemented its own health and safety management system, then the company should specify how the contractor coordinates its activities with the company’s own health and safety management system processes such as those used for confined space entry, working at height, lockout-tagout, occupational exposure assessment and process safety management, and for the reporting of work-related injuries and ill-health.
The company should verify that contractors are capable of performing their tasks before being allowed to proceed with their work, by verifying, inter alia, that:
- health and safety performance records are satisfactory
- qualification, experience and competency criteria for workers are specified
- training, and other worker requirements are undertaken
- resources, equipment and method statements are adequate and ready for the work to proceed
I’ve previously written on the topic of ISO 45001, other blogs can be found here: