Preparing for ISO 45001
ISO 45001, the new International Standard for Occupational Health and Safety Management Systems (HSMS) and successor to OHSAS 18001, has seen many delays. Although a final version of the standard is not yet available, it is possible to pre-empt some of the significant changes.
Why the delay?
The International Organization for Standardization failed to achieve approval of the first Draft International Standard (DIS) amongst ISO members, primarily national standards bodies such as the UK’s British Standards Institution (BSI). Although the reasons for the failure have not been circulated, there are reportedly a “variety of reasons” why members voted against the DIS.
It is now likely that a second draft (DIS2) will be delivered for ballot by members in December 2016 or January 2017 which, if successful, will see the standard available around December 2017.
So what can we expect to see in the final version?
Nobody knows exactly what the finalised standard will look like once it is agreed but the DIS shows us that barring any major changes it will follow ISO’s management system standard framework , allowing it to be readily compatible with other existing standards such as ISO 9001 for Quality, ISO 14001 for Environment and ISO 27001 for Information Security.
If we look at the other standards we see that they tend to follow a very similar model broken down into four key phases: Plan, Do, Check, Act, or ‘PDCA’. If this sounds familiar, it may be because the Health and Safety Executive (HSE) use it in their own Health and Safety Management System standard, HSG65.
Within the ISO 45001 DIS and other ISO standards, we see PDCA model reflected in Planning, Operation, Performance Evaluation and Improvement. We also see some new areas and these are the ones that are likely to puzzle those seeking to move from OHSAS 18001 to ISO 45001.
Aligning itself with modern risk management methodologies, the standard has moved to a more risk-based approach. One significant example of this is the absence of preventive actions, instead the focus being on more detailed corrective action requirements including reacting to incidents or non-conformities in a timely manner, implement controls and deal with the consequences. Furthermore it must be determined if similar issues exist or could occur, then resolve them.
Your organisation in context
The first main difference is that you have to consider the context of your organisation. This means looking at both external and internal issues that are relevant to how your organisation operates and the strategic direction it is following. In H&S terms this might mean considering how legal, technological, competitive, market, cultural, social and economic issues affect implementation throughout your organisation, in both positive and negative ways.
You will need to understand the needs of your workers. If you have good communication and consultation on H&S issues between workers and management then you’re well on the way to implementation.
In addition to workers, the needs of other interested parties should be considered. These could include:
- Customers, service users.
- Neighbouring businesses or tenants.
- Emergency services.
- Enforcing bodies such as HSE and Local Authority.
- Members of the public.
Leading from the top
Top Management will need to demonstrate leadership and commitment to the H&S management system under the new standard; Senior Managers must accept accountability for the effectiveness of the system and ensuring that the Policy and Objectives are compatible with the context and strategy of the organisation.
This all means that it won’t simply be enough to appoint an individual or team to ‘do Health and Safety’ for the organisation. While it will still be acceptable to appoint competent persons to assist in implementation, to meet the requirements of the standard Top Management must play a more active part, driving H&S initiatives through Management Review, Strategy, Business Objectives, Board Meetings and other forums.
Planning to win
The new standard will require you to address your business risks and opportunities. This doesn’t directly refer to risk assessment, it relates more to determining risks and opportunities to improve and enhance the organisation’s HSMS while preventing or reducing undesired effects.
For instance, the British exit from the European Union (BREXIT) may or may not result in significant changes to UK H&S law and our trade agreements with the continent. Organisations should be horizon scanning for any changes relating to this, both good and bad, then react accordingly. The overall drive is to achieve improvement of the system.
H&S Objectives need to be measurable and Top Management will need to ensure that the intended results are achieved. Utilising SMART (specific, measurable, achievable, realistic and time-related) will help ensure that your H&S Objectives hit the mark.
Changes to your HSMS need to carried out in a planned manner, taking account of the purpose of the changes and their consequences, the effects on the integrity of the system, availability of resources and individual responsibilities.
Another new requirement will be to determine what ‘organisational knowledge’ is required for your organisation to operate and achieve conformity with the standard, then make it available as necessary.
Organisational knowledge can include internal sources such as intellectual property, lessons learned from both failures and successes, unshared knowledge held by workers and process, product or service improvements. It can also include external sources such as HSE ACoPs, Guidance, trade industry guidance and knowledge from customers or external providers.
A significant benefit of understanding and maintaining your organisational knowledge will be that you can respond to changes quicker and with more agility, while also giving workers easy access to time-saving knowledge.
In the new standard, the Management Review will need more Top Management involvement than it required under OHSAS 18001. It will likely require that the following issues are considered in addition to existing requirements:
- a) Changes in external and internal issues affecting the HSMS
- b) Resources for H&S
- c) Risks and Opportunities affecting the HSMS
Again Top Management will need to be more involved in the process and more aware of the performance of the HSMS throughout the organisation. They won’t be expected to know everything in detail but must certainly be seen to be driving the wider, strategic focus of the HSMS.
These are just some of the expected changes to come with the publication of ISO 45001 but the overall thrust of the new standard can be broken down into two elements: a) adoption of a more risk-based approach within the HSMS and b) more active and focused Top Management involvement in H&S.
The risk-based approach fits more closely with modern H&S techniques and allows organisations to focus in on the significant risks i.e. those that can cause actual harm or loss. It will also allow organisations to devote resources to the significant risks rather than spending a lot of time on minutiae.
The PDCA model framework will help organisations to integrate the standard with both existing and new processes. Compatibility with similar ISOs such as 9001 and 14001 will allow organisations to share key processes such as tracking and handling of non-conformities and potentially reduce the number of surveillance visit days required by BSI or other certification body.