Implementing ISO 45001:2018 – Our Experience
Over the last number of weeks, we began the process of transitioning from OHSAS 18001:2007 to ISO 45001:2018. Prior to the transition, we had been maintaining an integrated quality and environmental management system – to which we are certified to the 2015 versions – and a separate health and safety management system for our certification to OHSAS 18001. Hence, we eagerly awaited the publication of ISO 45001 to allow us to develop a single integrated system across all three standards.
For the purposes of this opinion piece, I shall give you an overview of how we implemented several key clauses of ISO 45001.
Clause 4. Context of the Organisation
This sprang naturally from our corporate business plan, strategic growth ambitions and certification to ISO 9001:2015 and ISO 14001:2015. Firstly, we outlined the purpose of the organisation, defining our mission, vision and commitment to excellence. Secondly, we performed a business SWOT analysis to identify any internal or external issues or conditions, which could affect the intended outcomes of our Integrated Management System (which now included OH&S).
It is also possible to use a PESTEL analysis to identify and monitor any external influences on your organisation. However, we decided to use the SWOT analysis as it tends to cover both internal and external issues and therefore it is slightly more aligned with clause 4.1.
We felt we had this clause well understood as part of our quality and environmental management system. However, we needed to update our “Context and Stakeholder Analysis Register” to reflect the needs and expectations of interested parties insofar as they apply to OH&S. We identified the following relevant interested parties:
- Local emergency services
- Co-tenants of our premises
- Contractors, sub-contractors and visitors
We then performed a needs and expectations analysis of each interested party to determine what considerations we needed to make as part of our OH&S management system (see below example). Furthermore, we determined which of these needs and expectations are legal and/or other requirements.
Clause 5. Leadership and worker participation
Admittingly, our existing communication and consultation procedure needed some improvement. Therefore, we took this as an opportunity to completely re-think how we could actively encourage the consultation and participation of employees at all levels of the organisation. With this in mind, we applied the following practical means of improving consultation and participation:
- We established a safety committee consisting of managerial and non-managerial employees
- We implemented a safety suggestion box
- We developed a consultative approach to our office inspection process, affording all employees an opportunity to voice any health and safety concerns
- We elaborated on our existing employee opinion survey to understand employee attitudes towards health and safety
- We initiated monthly IMS meetings, in addition to our Annual Management Review meeting
- We added health and safety as a priority item at our annual Strategic Management Meeting
- We improved our induction process to detail our communication and consultation procedures to all new employees.
Interestingly, this clause is quite prescriptive in terms of emphasising the consultation and participation of non-managerial employees with respect to the items listed in clause 5.4 (d) and (e). Unfortunately, the standard does not define “emphasise” and I felt it was rather abstruse. I look forward to seeing how other organisations interpret this term and what certification bodies expect to see in terms emphasising consultation and participation.
Clause 6. Actions to address risks and opportunities
6.1 Actions to address risk and opportunities
This clause was particularly unclear. Firstly, distinguishing between the terminology was difficult:
“When determining the risks and opportunities to the OH&S management system and its intended outcomes that need to be addressed, the organisation shall take into account:
- OH&S risks and other risks
- OH&S opportunities and other opportunities
- Legal requirements and other requirements”
Several questions sprang to mind, for example: how does an organisation take account of OH&S risks and other risks when determining risks and opportunities to the OH&S management system? What are other risks? Do these OH&S risks relate to the hazard identification and risk assessment process?
To meet clause 6.1, we decided to identify OH&S hazards, which are likely to have the most significant impact on employee safety and business continuity (e.g. driving for work and fire/loss of premises). These OH&S hazards were documented and assessed (i.e. to determine a risk rating) via our existing “Risks and Opportunities Register”, which we had prepared as part of our existing quality and environmental management system. Thereafter, suitable objectives and targets were planned in accordance with clause 6.2 (OH&S Objectives and Planning to Achieve Them) to reduce the risk rating of the identified OH&S hazards.
The process of identifying opportunities in relation to the our OH&S management system was also quite testing. Certainly, it was difficult to determine any opportunities arising from our most significant OH&S hazards that were not already covered as part of our OH&S objectives. Instead, we looked at our business as a whole and identified the potential opportunities that could arise from the publication of ISO 45001. We concluded that becoming experts in ISO 45001 implementation through ongoing professional development and training of our consultants was the most the valuable opportunity to our business.
I question the value of clause 6.1 in ISO 45001; it over-complicates the standard. I feel many of the requirements on risks and opportunities are ambiguous and added in vain to provide alignment to ISO 14001:2015 and ISO 9001:2015. I feel the outcomes of the traditional hazard identification process and setting of OH&S objectives should determine the key risks and opportunities to the OH&S management system.
Clause 8 Operation
Whilst a specific clause on procurement did not feature in OHSAS 18001:2017, clause 4.4.6 required organisations to implement and maintain:
- controls related to purchased goods, equipment and services;
- controls related to contractors and visitors to the workplace.
ISO 45001 is much more prescriptive, requiring organisations to establish, implement and maintain processes to control the procurement of products and services to ensure their conformity to its OH&S management system. Furthermore, clause 126.96.36.199 (Contractors) requires organisations to identify hazards and assess and control OH&S risks arising from:
- the contractor’s activities that may impact the organisation;
- the organisation’s activities that may impact on the contractor’s workers; and
- the contractors’ activities and operations that impact other interested parties in the workplace
There is also a specific requirement to ensure that health and safety criteria is applied to procurement processes for contractor selection. For many companies, this is likely to form part of contractual documents.
In the context of our organisation, clause 188.8.131.52 was less important as we do not rely heavily on contractors. Nonetheless, we updated our contractor selection procedures to account for various OH&S criteria when selecting contractors and we also instituted a contractor code of practice, which is communicated to all contractors prior to engaging in any work at our premises.
For the delivery of larger and highly specialised consultancy projects, we often require expertise in the form of sub-contractors. Therefore, clause 184.108.40.206 (Outsourcing) was particularly important to our organisation as it requires organisations to ensure that outsourced functions and processes are controlled. To meet this clause, we set mandatory OH&S criteria that sub-contractors were required to meet prior to selection. Such criteria included:
- Level of insurance cover
- Submission of safety documentation, i.e. Safety Statements/Manuals/Policies
- Certifications to relevant ISO standards
- Trade body membership
- Professional body membership
Secondly, we reviewed our existing sub-contractors to ensure they were in receipt of our necessary safety information, such as a copy of our Safety Statement, relevant risk assessments and operational control procedures. Thirdly, we extended our pre-site risk assessment to all sub-contractors to ensure they assessed each site prior to arrival. Lastly, sub-contractor performance formed part of the monthly IMS meetings and the annual management review meeting. The aforementioned was supported by increased consultation and communication with all of our sub-contractors.
In summary, having gone through the implementation process, I can attest to the efficiency of the Annex SL framework, which did allow for a relatively straight forward integration of ISO 45001 to our existing quality and environmental management system. In essence, we had the fundamentals addressed as part of our certification to ISO 9001:2015 and ISO 14001:2015. Therefore, we simply studied the nuances of ISO 45001, implemented the additional requirements where necessary and updated our documentation accordingly.
Antaris Consulting is the first organisation to be certified to ISO 45001:2018 in Ireland. It was also one of the first technical consultancies in Ireland to achieve certification to ISO 9001:2015 and ISO 14001:2015. These distinctions support Antaris’ ambition to be the leading management systems consultancy in Ireland and it also demonstrates our ongoing commitment to excellence. For a consultation on implementing ISO 45001 or integrating it with other ISO standards, please feel free to contact us on 00353 (0)61 464666 or firstname.lastname@example.org
I shall finish with some general tips for implementing or transitioning to ISO 45001:2018