After a gestation period of five years, ISO 45001 is now one year old. Here are some answers to the questions people have been asking during that time.
1. Remind me, what is ISO 45001?
ISO 45001 is the international standard for Occupational health and safety management systems. Depending on where you buy it, it might be preceded by other letters – the version you buy in the UK from BSI is called “BS ISO 45001:2018”, the Polish version is “PN ISO 45001:2018”, the Irish edition is “IS ISO 45001:2018” and so on.
To add to the confusion (and to add to your shopping basket of standards) BSI have also provided various guidance documents on ISO 45001, including BS 45002-0, general guidelines, and BS 45002-1 guidelines on managing occupational health, and BS 45002-3, guidelines for incident investigation. If you noticed -2 is missing, BSI have promised guidelines on managing risks and opportunities, but this has not yet been published. Perhaps this proved a harder challenge.
2. When did ISO 45001 become available?
Although ISO 45001 was published on 12th March 2018, earlier drafts were available in 2017 with essentially the same requirements. Some companies were therefore ready to seek accreditation the week it was published, with accreditation organisations having already carried out preliminary audits.
As a result, the British Standards Institution (BSI) was able to accredit ten companies on the day of publication. The ten included construction, infrastructure and facilities contractors. On the day, BSI were able to check the final text and confirm certification (although UKAS, the body that certifies the certifiers, didn’t approve BSI and others until 29th June 2018).
3. Do I have to do it?
You don’t need ISO 45001 unless you have a client or a manager who tells you to do so. In some industries it has already become a de facto requirement, or an alternative to an otherwise lengthy process of contractor vetting.
However, you do have a legal obligation to protect the safety and health of people at work. If anyone is harmed at work, you need to be able to prove you have systems in place, that they are (mostly) effective, and that they are monitored and reviewed.
Having a documented occupational health and management system (OHSMS) is the best way to do this. Bear in mind “documented” doesn’t mean it has to be on paper. ISO 45001 is clear that “documented” includes electronic or paper records of not just text, but drawings, photographs, audio tracks and visual recordings. Effective Software's system of modules can help you to streamline your safety processes if you are considering accreditation.
4. Are there alternatives to ISO 45001?
If you don’t want to go to the expense of buying the standard and paying for accreditation to ISO 45001 you do have other options.
The UK Health and Safety Executive’s “HSG65” used to be the default model for OHSMS and still has a lot to offer. It is free and uses the same plan – do – check – act (PDCA) scheme used by ISO 45001.
Older versions of HSG65 used a different model, known affectionately as POPIMAR (Policy, Organising, Planning, Implementation, Monitoring, Audit and Review). Many HS professionals believe that the POPIMAR model was more tailored to health and safety compared with the quality-driven PDCA approach.
You can still use OHSAS 18001: 2007, but only if you already have a copy of the standard. BSI will no longer sell you a copy, and you’d be hard pressed to find an accreditation organisation to apply it to a new customer. As the accreditation would have a limited shelf life, there would be little point.
If you are a small organisation with straightforward hazards and without clients demanding ISO 45001, you might find that either the previous or current HSG65 model suits you perfectly well.
5. Why choose ISO 45001?
Some aspects of ISO 45001 might make it the standard that takes you to the next level of OHS management:
• There is a greater emphasis on worker participation. This part of the standard might help you argue for more consultation and involvement of workers in recognising hazards, investigating incidents, coming up with solutions and identifying opportunities.
• There is an explicit requirement to link health and safety to business strategy. This is a great lever to make safety and health considerations more integral to business decisions. In return, you need to make sure you understand the business processes and financial impact of OHS decisions.
• There is an emphasis on opportunities, as well as threats. This could be your chance to point out how improved use of digital technology could provide better, more cost-effective ways of controlling hazards and improving productivity.
• Leadership participation will be audited, so declaring that “safety is our first priority” will no longer be enough. This might get you an audience with senior management, as they will need to know what the challenges are for OHS, and be able to explain the key hazards in the organisation.
• ISO 45001 might give you some influence to improve how your organisation manages contractors, as they are a specific “interested party” mentioned in the standard.
ISO 45001 is also a no-brainer if you already have other aligned ISO certifications such as ISO 9001 for quality, and ISO 14001 for environment. One Scottish company , having updated their existing ISO 9001 and 14001 certifications in December 2017 took the decision to apply for ISO 45001, having not previously had a certified OHSMS. By August 2018 they had achieved their goal, using their experience from the first two standards to their advantage.
ISO 45001 makes sense if your organisation works across international boundaries – a management system invented by the HSE, although respected, will always be seen as British and therefore local, and OHSAS 18001 was similarly based on British Standards.
6. Where do I start?
Even if you decide not to pay out for third party certification, using the structure of ISO 45001 to review your current OHSMS could be cost-effective.
When mapping what you currently have with what ISO 45001 requires, don’t add another set of documents, policies and procedures for every gap you identify. Start with a description of the “context” of your organisation. Share that with colleagues, workers, senior management. Get everyone to agree that it represents your organisation.
Then you can work with colleagues across departments to look at the total management system (not just OHS). For example, can you have one process for “incident reporting” which covers near-misses, quality concerns and environmental issues as well as accidents? Can you have an action raising system that takes actions for investigating any incidents and tracks and chases them?
ISO 45001 should be an opportunity to “declutter” your health and safety arrangements – not to add more paperwork and processes.
7. When will existing registrations to OHSAS 18001 expire?
Existing registrations to OHSAS 18001 will expire by March 2021, although rules are complicated if your 18001 certificate expires between now and then.
Ideally, organisations with 18001 will identify any gaps and migrate to the new standard before their 18001 certificate expires.
8. Where can it go wrong?
• Watch out for the “What gets measured gets done” mentality. What can’t be measured might be more important.
• Prepare well for audits, as they can cause disruption and bad feeling in the workplace if the reasons for the audit are not well explained. Remember worker participation isn’t just telling them about it.
• Make sure that “the system” continues to look for opportunities for improvement and isn’t a reason to freeze current practice as it is. Solving problems requires people to be creative, and a standards approach can work against that creativity if not managed well.
• Don’t lose focus – the goal is not “pass audit” it is “be safe and healthy.” You can pass an audit and still be unsafe (or unhealthy).