A long-standing influence in the occupational health and safety field, OHSAS 18001 is on its way out, soon to be replaced by the new ISO 45001:2018 standard.
The ISO 45001 standard, published in March 2018, seeks to bring occupational health and safety (OH&S) in step with other ISO standards organizations could have already. More than just a name change, ISO 45001 brings the adoption of ISO structure, an emphasis on leadership and objectives measurement, risk management, communication and awareness and a reduction in prescriptive requirements. The new standard increases the prominence of OH&S management in organizations’ strategic planning processes.
Broadly speaking, most of the changes from OHSAS 18001 to ISO 45001 can be placed into a few categories. The first of these is strategic OH&S management.
In the new standard, the prominence of OH&S management in an organization’s strategic planning process is greatly enhanced. In addition, to support the systems contributing to an organization’s OH&S management, leadership is more closely outlined. Clause 5 has been added, assigning specific responsibilities for those in leadership positions to promote health and safety within organizations.
Under Clause 5, top management ultimately is accountable for the management system and its effectiveness. They are responsible for integrating the management system in other business processes, ensuring the adequacy of resources allocated to the management system and to health and safety processes and communicating the importance of and conformance to the occupational health and safety management system (OHSMS). Requirements in the standard can be delegated, but ultimately top management is responsible for whether the requirements are effective.
The ISO 45001 standard expands proactivity in protecting the health and safety of not just workers but also other involved parties. These initiatives should be consistent within the context of the organization but might include hazard identification, risk assessment, emergency response processes, operational controls and/or monitoring and measurements. Unlike before, the standard emphasizes continual improvement of the management system as well as improving OH&S performance.
Internal and external communication also has become more vital in the new standard, which adds requirements for a communication strategy emphasizing both areas.
Additionally, the standard’s stance on documentation has been updated to reflect evolving technology, such as computer and cloud-based systems. To align with the ISO basis of 45001, organizations must retain the flexibility to determine when “procedures” are needed to ensure process control.
In the transition from OHSAS 18001 to ISO 45001, the planning requirements—found in Clause 6—have undergone some of the most drastic changes.
Overall, the planning requirements have been completely restructured to emphasize achieving the intended outcome of the OHSMS: “to prevent injury and ill health to workers and to provide safe and healthy workplaces.” The planning and risk determination processes must consider negative hazards (“risks”) and positive impacts (“opportunities”) of the OHSMS. Clause 4 outlines such issues as relevant to the OHSMS and its capabilities.
By identifying all risks proactively, appropriate actions to minimize (or, ideally, prevent) resulting undesired effects can be implemented; these actions have the added benefit of helping to continually improve the system.
Hazard identification requirements are more prescriptive in the ISO 45001 standard, requiring consideration of a variety of factors, including nearby individuals who are not under the control of the organization but could be affected by the activities or OHSMS, work areas, equipment designs, past incidents, etc.
A formal process for assessing risks and opportunities must be implemented to meet the requirements of Clause 6, and companies must maintain documented information to provide evidence of such. This section of ISO 45001 also requires up-to-date access to all legal and other requirements that are relevant to the OHSMS, with clear determinations of required communications.
Taking the above into account, Clause 6 subsequently calls for actions to be planned within the OHSMS as appropriate to address issues in accordance with the hierarchy of controls requirements found in Clause 8.1.2.
Changes to the verbiage regarding OH&S objectives also have been made in Clause 6, including the need to ensure objectives are either measurable or capable of evaluation and to account for the results of worker consultation. Planning for the achievement of objectives must include any resource requirements, methodologies for evaluating or monitoring and how the actions will be integrated within the organization’s business processes. The retention of documented information should serve as evidence of achieving these standard requirements.
The certification process
For those unfamiliar with ISO certification, becoming certified is a multistep process for first-time applicants. Documentation for OHSMS must be established first, following ISO 45001:2018 requirements, followed by training to and implementation of the OHSMS requirements. Implementation should be supported by internal system audits, compliance evaluation and a review of the system based on input from the internal audit.
Once the systems are in place and documentation has been well-established, the organization will contract with an accredited certification body, and Stage I and Stage II audits will be scheduled. Once any nonconformities are addressed and results of the audit are clear, the accreditation body will issue the new ISO 45001 certificate.