Clause by Clause-45001


ISO 45001: 2018

4.4: OH&S Management System


Clause 4.4 simply states … The organization shall establish, implement, maintain and continually
improve an OH&S management system, including the processes needed and their interactions, in
accordance with the requirements of this document.
The requirement here is that you, the organization, establish the OH&S management system and
all of the associated processes, which could be documented or not, that are needed to meet the
requirements of this standard. It is up to the organization to determine what these processes are
and how they are applied within the organization.
If you are meeting all of the other clause requirements in the standard then you should be meeting
this one.
There is one word in here that does stand out and is important to understand – that word
is ‘interactions’. This clause mentions ‘the processes needed and their interactions’.
When I see that word I instantly think of the process approach, which I know is more of an approach
referred to in ISO 9001 Quality, but when it comes to systems the process approach is universal.
Understanding this process approach further is a MUST, particularly for an ISO 45001 system, where
the OH&S system is integrated into the standard organization processes.
When you develop the required processes for your OH&S system they are not something that sits in
the corner and is separated from the rest of the organization and its processes or people. The OH&S
system is to be integrated with the organization processes and become the standard way OH&S is
completed.
You want your system to be so integrated into your organization that your workers don’t even
realize that they are doing “SAFETY STUFF”. Make it just part of their day and the way things are
done – standard.
For meeting the requirements of this clause:
- Make sure you develop processes as required throughout the Standard first
- Document what is required to be documented and then decide on what else would be beneficial to
document so that you have a degree of control and consistency
- When you create these processes and documents make sure they are integrated and embedded
throughout the organization

5.1: Leadership and Commitment


It is the first clause under section 5 Leadership and worker participation. There are quite a few
different elements to this clause so we will break them down into smaller chunks and explain each
part as we go.
A lot of the requirements in this clause you will come across throughout the duration of the
complete audit. There are areas that you will observe, and collect evidence on that will all point back
to these requirements without you specifically making your way through them one by one. There are
other clauses you can conform with that will automatically meet these requirements so there is no
double up.
Each separate requirement in this clause starts off with the statement of Top Management shall
demonstrate leadership and commitment with respect to the OH&S management system by …
And then it lists the various ways in which this leadership and commitment are to be demonstrated.
The official definition for top management is “the person or group of people who directs and controls
an organization at the highest level”. Depending on the structure and size of the organization, top
management could be the owners, shareholders, board of directors, general manager, or even a
project manager if the scope of the system is down to a project level only.
a) Taking overall responsibility and accountability for the prevention of work-related injury and ill
health, as well as the provision of safe and healthy workplaces and activities.
Top management is ultimately responsible and accountable for the prevention of work-related injury
and ill health by providing a safe and healthy workplace. This means that even though top
management can delegate or assign certain responsibilities to others they are still accountable for
the OH&S system.
b) Ensuring that the OH&S policy and related OH&S objectives are established and are compatible
with the strategic direction of the organization.
OH&S Policy requirements are stated in clause 5.2 and OH&S objective requirements are stated in
clause 6.2. Make sure that top management has been involved in the establishment of both the
policy and the objectives. And most importantly that they align with the strategic plan of the
organization. These are not to sit in a corner separate from the strategic direction of the
organization. If the requirements are met in clauses 5.2 and 6.2 then it’s a nice tick back here too.
c) Ensuring the integration of the OH&S management system requirements into the organization's
business processes.
An OH&S management system isn’t something that is built separately from the organization and left to sit
over in a corner gathering dust. The OH&S management system needs to be integrated into the
day-to-day processes so that ‘OH&S’ is just the way you do business. You will know how well this is
implemented when you’re interviewing employees and they are showing you the processes that
they follow to ensure that they and other workers remain safe and healthy at all times.
d) Ensuring that the resources needed to establish, implement, maintain and improve the OH&S
management system are available
Top management can’t use the excuse that we don’t have enough staff to maintain the OH&S
management system. Believe me, it’s a common excuse given for any gaps that might show up.
However, here it is clearly stated that it IS up to top management to ensure that resources are
available. It’s right here in black and white. Don’t forget that resources are not just people; they can
be plant, equipment, hardware, and software too.
e) Communicating the importance of effective OH&S management and of conforming to the OH&S
management system requirements
It appears as though it is up to top management to communicate to everyone information about the
OH&S management system, what it means to the organization and what it means to workers with
regards to following the system. What a great opportunity to engage with workers and really get
them involved in the system – not only in understanding the requirements but also in providing
feedback and improving the system.
f) Ensuring that the OH&S management system achieves its intended results
And this means that top management should be monitoring what they planned to achieve. They
might do this by monitoring objectives set, investigating incidents, or reviewing non-conformances
and corrective actions.
g) Directing and supporting persons to contribute to the effectiveness of the OH&S management
system
Sub-clauses e) and f) cover this requirement a bit. Any communication and interaction that top
management has, they should be demonstrating in a positive manner what the OH&S management
system is all about and getting people involved in the process.
h) Ensuring and promoting continual improvement
The important word here is – promoting. This is all about actively encouraging the team to keep an
eye out for improvements. Building a culture where your workers are not too scared to put their
hands up to say that something isn’t working out the best way that it can and putting forward
solutions. This attitude and culture really do need to come from the top.
i) Supporting other relevant management roles to demonstrate their leadership as it applies to
their areas of responsibility
What better way to build a positive culture around OH&S than to give other management roles
leadership responsibilities to promote the OH&S management system? This really shows that the
system is to trickle through all of the relevant functions and levels of the organization. People at
different levels are to be assigned areas of leadership and engagement.
j) Developing, leading, and promoting a culture in the organization that supports the intended
outcomes of the OH&S management system
Essentially it is up to top management to lead the way and set the example when it comes to the
OH&S management system and the intended outcomes. It starts from the top. You will identify the
OH&S culture of the organization throughout your audit by what you observe and the responses
from auditees.
Is the organization well-resourced to identify, assess and control OH&S hazards and risks?
Are all workers aware of the OH&S system and related procedures?
How are they involved in the system?
What is their attitude towards OH&S for themselves and their workmates?
k) Protecting workers from reprisals when reporting incidents, hazards, risks, and opportunities
Top management, in their leadership, must ensure that the OH&S culture that they establish
supports workers to come forward to report incidents, near misses, hazards, risks, and opportunities
for improvement. Workers mustn’t feel like there will be consequences if they do come forward. The
culture should be that of open communication, continual learning, and improvement always with the
intent of keeping everyone safe.
l) Ensuring the organization establishes and implements a process(es) for consultation and
participation of workers
This requirement also relates to clause 5.4 Consultation and participation of workers. If clause 5.4 is
being met, then this requirement is being met back here in clause 5.1. Remember, though, that it is
top management who is to demonstrate their leadership and commitment when it comes to
consultation and participation – it’s not something where the responsibility and accountability can
be delegated.
There are so many links and parallels to these requirements and not all of them are easily
determined in a straight-out interview with top management. You need to be able to walk around
and ask questions to different workers at different levels to truly see how top management is
demonstrating their leadership and commitment to the OH&S management system.

5.2: OH&S Policy


You will note that this clause is in clause 5 Leadership, so it’s not something that is buried in the
system. This means that Top Management is responsible. I’d better remind you who top
management is then. The official definition for top management is … the person or group of people
who directs and controls an organization at the highest level. Depending on the structure and size of
the organization, top management could be the owners, shareholders, board of directors, general
manager, or even a project manager if the scope of the system is down to a project level only.
As mentioned previously it is top management who are responsible for establishing, implementing,
and maintaining the OH&S policy. A policy is the high-level intent and commitment of the
organization. A policy isn’t supposed to tell you WHAT to do; it’s created to ‘set the standard’ of
what the organization is committed to achieving.
Before we move on, it is important to note that while it is not stated in this clause specifically, it is a
requirement as per clause 5.4 that non-managerial workers are consulted when it comes to
establishing the OH&S policy. So, their views are to be sought prior to any decision-making regarding
the establishment of the policy.
The areas to be considered when establishing, implementing, and maintaining the OH&S policy
are:
a) Includes a commitment to provide safe and healthy working conditions for the prevention of
work-related injury and ill health and is appropriate to the purpose, size and context of the
organization and to the specific nature of its OH&S risks and OH&S opportunities.
We determine the context of the organization in an earlier clause, Clause 4.1 – understanding the
organization and its context. Align your OH&S policy with the context of the organization.
Now, this section also requires a commitment to provide safe and healthy working conditions for the
prevention of work-related injury and ill health. Your policy can simply state this. This doesn’t mean
just because you’ve mentioned it in your policy then you don’t need to do anything else of course! I
would expect to see how you intend to meet this commitment throughout other areas in your OH&S
management system. Like setting objectives, hazard identification, and then how you will eliminate
or reduce these. This should filter all the way through your system and always be able to link back to
this high-level commitment in your policy.
b) Provide a framework for setting OH&S objectives.
This is always a confusing one for most people. The requirement doesn’t mean that you have to list
your objectives within the policy. All they are asking is for there to be a commitment or statement in
the policy that demonstrates or documents the commitment to setting objectives. It could be as
simple as stating:
‘We are committed to setting OH&S objectives that support our commitment to provide safe and
healthy working conditions and are appropriate to the purpose, size and context of the organization.
The objectives are established, communicated, measured and reviewed at least annually or when
changes to the organization and system occur.’
Something like that – You can see that this just simply explains the very high-level intention for the
objective framework within your organization.
c) Include a commitment to fulfil legal requirements and other requirements.
Further along in ISO 45001, there is actually a clause 6.1.3 Determination of legal requirements and
other requirements. And then there is clause 9.1.2 Evaluation of compliance. Both of these clauses
work together to identify what legal and other requirements are relevant, determine how they apply
in the OH&S management system and then check whether they are being followed. You probably
would have also identified which needs and expectations of workers and interested parties are or
could become legal and other requirements way back in clause 4.2.
Moving along though, amongst these other clauses in the Standard, whatever requirements you
identify and then take action and check are more on the operational or DOING side. All the OH&S
policy wants is a commitment to fulfil what you identify. It can be as simple a statement as ‘we are
committed to fulfilling all legal requirements and other requirements identified as relevant to our
activities, products, and services.'
d) Include a commitment to eliminate hazards and reduce OH&S risks.
Again, as the policy is a high-level intent it is quite acceptable to have a simple statement in your
policy exactly along those lines – XYZ Company is committed to eliminating hazards and reducing
OH&S risks. Honestly, it can be as simple as that! You can even throw in an extra line that might give
a brief overview of what this looks like which could be something like –
XYZ Company is committed to eliminating hazards and reducing OH&S risks through a high level of
consultation and participation with our workers aimed at continual improvement of our OH&S
management system.
e) Include a commitment to continual improvement of the OH&S management system.
In the policy statement given under point d), this is combined with the requirement of point d).
f) Include a commitment to consultation and participation of workers, and where they exist,
workers’ representatives.
This requirement has also been included in the policy statement given earlier.
Of course, it’s all well and good making all of these commitment statements. What you have to
remember is that if you make the commitment then you have to back it up in your system. This isn’t
about a warm and fuzzy policy being created and then forgetting about HOW you are going to
demonstrate your commitment. Be very aware that ISO 45001 will throw more clauses at you where
it WILL require you to figure out HOW you will meet these commitments. This is the brilliant thing
about the Standard – every clause supports each other.
Now that you understand WHAT is included in the policy let’s look at HOW it is to be communicated
and made available. The first point states that the policy is to be available as documented
information.
Easy – write your OH&S policy up! It needs to be documented; we need to see it. It can’t just be in
your head. Normally an OH&S policy is just one page. Remember it’s a high-level intent and
commitment so there’s not a lot of detail or HOW to do things in the document. That’s why it is
normally just one page.
Now the next point states that the policy is to be communicated within the organization. This is
further backed up by clause 7.3 Awareness and 7.4 Communication further on in the Standard – be
sure to check those out too. So once again this policy isn’t just documented to look pretty and create
all warm and fuzzy feelings for you. It is required to be communicated – how, is up to you. The
standard is not specific on this. Normally a policy is communicated within the organization by being
displayed at the reception, on a noticeboard, and as a part of staff induction and training.
Next up, the policy is also to be available to relevant interested parties, as appropriate.
These interested parties are what you would have identified as a part of clause 4.2 Understanding
the needs and expectations of interested parties. We have already touched on this in the previous
point when communicating within the organization; however, making the policy available to external
interested parties could be managed by having the policy available on your company website or
including it in tenders. It is up to the organization to determine the best method to make the policy
available to interested parties based on what communication channels you already currently use
with them.
Then finally the OH&S policy is to be relevant and appropriate. Interesting – relevant and
appropriate to what? I would say, relevant and appropriate within the scope determined as part of
clause 4.3 Determining the scope of the OH&S management system. The scope is the boundaries
and applicability of your OH&S management system – so what activities, products, and services fall
within your system? Therefore the OH&S policy inclusions should all be relevant and appropriate to
the activities, products, and services determined as the scope of your OH&S management system. So
basically, don’t download a random OH&S policy off the internet and think that it will work for your
system.

5.3: Organizational roles, responsibilities & authorities


The leading statement in this clause is Top Management shall ensure that the responsibilities and
authorities for relevant roles are assigned and communicated at all levels within the organization.
There are those words again ‘Top Management’. The official definition of top management is …
The person or group of people who directs and controls an organization at the highest level.
Depending on the structure and size of the organization, top management could be the owners,
shareholders, board of directors, general manager or even a project manager if the scope of the
system is down to a project level only.
This clause says that the responsibilities and authorities for relevant roles are assigned – so
delegated, given to someone who has responsibility for them – communicated – so this could mean
that these responsibilities and authorities are shared within the organization so everyone is aware
who is responsible for what. This communication could be part of induction and training, or it could
simply be available to view within the organization like in position descriptions or organizational
charts.
Now it is interesting that this clause does state that these responsibilities and authorities are to
be maintained as documented information. This is quite different from ISO 9001:2015 and ISO
14001:2015 where they don’t stipulate that documented information is required to be maintained
for this clause.
This does mean that you do have to have something documented to demonstrate these
responsibilities and authorities. Remember though that this clause doesn’t say ‘you shall maintain
position descriptions and organizational charts’ – it just says to assign and communicate and
document.
The leading paragraph also states that Workers at each level of the organization shall assume
responsibility for those aspects of the OH&S management system over which they have
control. Therefore, it may be beneficial to define the areas of control for workers at their different
levels and roles – again, this could be documented in their position descriptions, couldn’t it?
Responsibilities may also be documented in the Safe Work or Operating Procedures. Wherever is
most relevant to the type of work and the system that you have in place.
There is then a note added right in the middle of this clause stating that While responsibility and
authority can be assigned, ultimately top management is still accountable for the functioning of
the OH&S management system. Absolutely! Yes, top management can delegate responsibilities and
even authority; however, they still need to be aware of the effectiveness of the OH&S management
system and also get involved in improvements and changes. This leads nicely to the last section
of this clause where it DOES talk about assigning the responsibility and authority for certain ‘tasks’
you could say.
This section states that Top management shall assign the responsibility and authority for:
a) Ensuring that the OH&S management system conforms to the requirements of this
document (meaning the Standard itself).
Now, this just means that there is to be someone responsible and with authority to monitor and
check that the system is being followed. This could be through internal audits or scheduled
operational reviews. Whatever the organization determines the monitoring and evaluation
requirements are and how these will be performed.
And then there is point b) which states that there is also to be reporting on the performance of the
OH&S management system to top management.
This makes sense as obviously if you are monitoring whether the OH&S management system
conforms to the standard then there would have to be some objective reporting provided to top
management to demonstrate the status of the system – is it conforming? Is it not? Where are the
areas that it can improve? And so on.
The word that stands out in this clause is Authority.
You can have responsibility without the authority; however, when it comes to a management system
and being responsible for conformance, maintenance, integrity, and reporting – without the
authority to do this, it becomes very difficult to gain traction and most importantly implement
change and improvement. When this happens, nothing changes and the system stagnates or even
declines. Authority is the important part to ensure is assigned and communicated within the
organization as well as externally where it is relevant.

6.1.1: General
Clause 6.1.1 General is under clause 6.1 “Actions to address risks and opportunities” in the Planning
section of ISO 45001. I know that the clause title of GENERAL doesn’t really explain much, does it?
The ISO 45001 technical committee has named quite a few clauses throughout the standard as
General. You can see that clauses called General are always the first clauses in a sub-clause section.
A general clause normally explains an overall expectation of what’s coming up.
Now, there are quite a few different elements to this sub-clause so I will break them down into
smaller chunks and explain each part as I go.
This is an interesting clause as I think it’s actually pulling everything that you’ve learned and applied
in two previous clauses to do something about it. It also looks forward to what you will learn in
clauses that are still coming up in Clause 6. ISO 45001 isn’t just all talk and no action!
The sub-clause 6.1.1 starts off with stating that:
When planning for the OH&S management system, the organization shall consider the issues
referred to in 4.1 (context), the requirements referred to in 4.2 (interested parties) and 4.3 (the
scope of its OH&S management system) and determine the risks and opportunities that need to be
addressed.
You should have implemented the requirements for clauses 4.1, 4.2, and 4.3 so you DO have an
understanding of the requirements identified. As a result of completing the requirements for clauses
4.1, 4.2, and 4.3 you will have identified risks and opportunities to the organization and to the OH&S
management system.
So now clause 6.1.1 wants you to recognize those risks and opportunities and put some actions in
place to manage them (as per the rest of this clause).
The next section states...
a) Give assurance that the OH&S management system can achieve its intended outcomes.
b) Prevent, or reduce, undesired effects
c) Achieve continual improvement.
These actions we put in place are so we can improve our performance within the OH&S
management system and manage risks to mitigate any impacts but also leverage the opportunities
all the while moving towards continual improvement.
This clause then goes on to state that When determining the risks and opportunities for the OH&S
management system and its intended outcomes that need to be addressed, the organization shall
take into account:
- Hazards (see 6.1.2.1)
- OH&S risks and other risks (see 6.1.2.2)
- OH&S opportunities and other opportunities (see 6.1.2.3)
- Legal requirements and other requirements (see 6.1.3)
This is now saying that you not only need to identify risks and opportunities as a result of the output
from clauses 4.1 context and 4.2 interested parties, but also you will have to identify more risks and
opportunities as a result of working through the requirements of those clauses that you’re yet to
come across in the standard as mentioned above.
All of these risks and opportunities that you identify as a result of actions from other clauses in ISO
45001 now need actions to address them. These actions may look like new processes, new
equipment, training, new technology, setting objectives, and putting on new team members or
contractors. Whatever is needed to take action on these risks and opportunities will just be a part of
your organization and OH&S system.
This clause then goes on to state that:
The organization, in its planning process(es), shall determine and assess the risks and opportunities
that are relevant to the intended outcomes of the OH&S management system associated with
changes in the organization, its processes or the OH&S management system.
Now, remember that the higher risks should get the most attention from you. The opportunities that
have the potential for the biggest growth or improvement of the system should get the most
attention from you.
It is then stated in this clause that:
In the case of planned changes, permanent or temporary, this assessment shall be undertaken
before the change is implemented (see 8.1.3).
And 8.1.3 is Management of change. Be sure to check out clause 8.1.3 to understand the full picture
of managing change in your OH&S system. The key thing that stands out in this section is that they
are referring to permanent and temporary changes, so if your organization or its activities do
change, an assessment is to be undertaken BEFORE the change is implemented. This is proactive
hazard identification and risk assessment.
Now to finish off this clause it is stated that:
The organization shall maintain documented information on:
- Risks and opportunities
- the process(es) and actions needed to determine and address its risks and opportunities (see 6.1.2
to 6.1.4) to the extent necessary to have confidence that they are carried out as planned.
Which leads me to ask the question, “What would this look like in your OH&S management system?”
Now that I’ve broken this clause down, what are we looking for in this documented information
requirement?
I mentioned some of these actions earlier on as examples which were:
- New processes
- New equipment
- Training
- New technology
- Setting objectives
- Putting on new team members or contractors
So as auditors, we would see these actions as documented or visible evidence as part of the audit.
Now, is that normally all that you would see? To be honest no. What is quite common to see is a risk
register of some description. The risks and opportunities identified as part of the output from clause
4 and clause 6 (all of the clauses referenced so far) could be documented in the risk register and then
a risk assessment completed in the register followed by the planned actions.
Most importantly - keep it real. Follow a process that aligns most with how your organization works
currently.

6.1.2.1: Hazard identification


This clause has a lot of requirements which are all there to help us to understand what to look for or
take into consideration when we are conducting hazard identification. Before we cover these
requirements it may be beneficial to get our heads around the definition of a hazard as per ISO
45001. The term hazard is defined as a source with the potential to cause injury and ill health.
So, therefore, this clause, hazard identification is about identifying the source or sources that have
the potential to cause injury and ill health.
The leading sentence for clause 6.1.2.1 is:
The organization shall establish, implement and maintain a process(es) for hazard identification
that is on-going and proactive.
Two words stand out here – the first word is on-going. Hazard identification is not something you do
once and forget about. Where and how you work is constantly changing so you have to be aware of
what has changed and how this may impact the environment you work in or the tools and
equipment that you use. Hazard ID is not a project with an end date, it is a constant.
The second word that stands out to me is proactive. Hazard identification is conducted as a
preventive measure. We don’t wait for something to happen. The point of hazard ID is to identify the
hazards that have the potential to cause an incident, whether this is injury or ill health.
The clause then goes on to state -
The process(es) shall take into account, but not be limited to:
Here we are provided with a huge list of what to consider when conducting hazard identification.
a) How work is organized, social factors (including workload, work hours, victimization,
harassment and bullying), leadership and the culture in the organization.
ISO 45001 has used examples here of workload, work hours, victimization, harassment, and bullying
and an overarching angle of looking at the leadership and culture within the organization.
So when you are identifying hazards you might be looking at rosters to determine appropriate
workloads across all workers as well as varying work hours or shifts (where suitable).
You might also consider the numbers of sick days taken to identify particular areas of the
organization that may be having an impact on workers either physically or mentally or both of
course. You will identify the leadership and cultural elements through interviews with a broad
sample of workers.
b) Routine and non-routine activities and situations, including hazards arising from:
1) Infrastructure, equipment, materials, substances and the physical conditions of the
workplace;
2) Product and service design, research, development, testing, production, assembly,
construction, service delivery, maintenance and disposal;
3) Human factors
4) How the work is performed.
The important words are “routine and non-routine activities and situations” here. It is all too often
that we wear blinkers and just look at what we do day in and day out without taking into
consideration the exceptions to the rule.
For example, say you are a plant operator and your normal day is operating an excavator. Then one day
the excavator breaks down and you’re in the middle of nowhere with no mechanic or field tech on
site. So of course, you decide you are going to see if you can troubleshoot and fix the issue. Is this
your routine activity? Are there additional or different hazards that you need to be aware of?
c) Past relevant incidents, internal or external to the organization, including emergencies, and their
causes.
We can learn from what’s happened in the past so we have an idea of what the current hazards and
risks are. This isn’t just past relevant incidents that have occurred within your organization, it’s also
what’s happened in your industry.
If it’s happened to others it’s definitely a potential hazard for you too. What a great opportunity you
have been given to put some controls in place before it happens (there’s that proactive approach I
mentioned earlier).
d) Potential emergency situations
This makes total sense – as you work through identifying hazards you will also naturally identify
potential emergency situations. Those events still may occur even if you have identified the hazard
and put controls in place. What to do once you’ve identified potential emergency situations is
further explained when you get to clause 8.2 Emergency preparedness and response.
e) People, including consideration of:
1) Those with access to the workplace and their activities, including workers, contractors,
visitors and other persons;
2) Those in the vicinity of the workplace who can be affected by the activities of the
organization;
3) Workers at a location not under the direct control of the organization
So, we need to consider not only our own workers (which does include contractors) that access our
workplace but also any other workplace (and its workers) that may be impacted by our activities.
f) Other issues, including consideration of:
1) The design of work areas, processes, installations, machinery/equipment, operation
procedures and work organization, including their adaptation to the needs and capabilities of
the workers involved;
2) Situations occurring in the vicinity of the workplace caused by work-related activities under
the control of the organization;
3) Situations not controlled by the organization and occurring in the vicinity of the workplace
that can cause injury and ill health to persons in the workplace
Understanding how work is actually performed including the work areas, processes, equipment, and
procedures can identify if OH&S risks are increased or reduced. This can be conducted by observing
and discussing hazards with workers.
Observing these activities while discussing the potential hazards with workers really opens up the
potential for your system not only to identify hazards and potential risks but also to include consultation
and participation of your workers. This will assist with the support of the system, including any
changes that may need to be implemented.
g) Actual or proposed changes in organization, operations, processes, activities and the OH&S
management system (see 8.1.3)
Hazard identification is not something that you do just once. It is on-going as changes are made or as
incidents or non-conformances occur. Hazard identification is a proactive approach and should be
constantly conducted within the organization to pick up any changes.
h) Changes in knowledge of, and information about, hazards
It is important to stay up to date with industry knowledge and information specific to the hazards
relevant to your industry. Sources of knowledge, information, and a new understanding of hazards
can include industry newsletters or articles, OH&S alerts and updates, feedback from workers, and
even the review of your own organization's operations.
All of these sources are about providing you with the opportunity to identify new information about
hazards and OH&S risks in your organization and in your industry.
This again is a proactive approach to staying on top of what has changed or could change, as well as
being continually aware of where new knowledge comes from so that it can be implemented in your
own system.
This clause is essentially a very handy checklist for you!

6.1.2.2: Assessment of OH&S risks and other risks to OHSMS


The title of this clause refers to OH&S risks AND other risks to the OH&S management system. It’s
pretty clear that the OH&S risks come from the hazard identification process covered in clause
6.1.2.1 but what are the other risks to the OH&S management system?
The other risks would have been identified earlier on in the standard more than likely when working
through Clause 4.1 understanding the organization and its context and Clause 4.2 understanding
the needs and expectations of workers and interested parties.
Other sections in the standard where other risks are identified would be Clause 6.1.3 Determination
of legal requirements and other requirements and even possibly Clause 8.1 Operational planning
and control. The point to take away here is that this assessment requirement is NOT just a result of
hazards identified. It is a holistic assessment approach for all risks associated with the OH&S
management system.
If we work backwards, the final paragraph of this clause states:
The organization’s methodology(ies) and criteria for the assessment of OH&S risks shall be defined
with respect to their scope, nature and timing to ensure they are proactive rather than reactive
and are used in a systematic way. Documented information shall be maintained and retained on
the methodology(ies) and criteria.
First off when I read the words methodology and criteria I think of a risk matrix.
| Likelihood | Descriptor | Insignificant | Minor | Medium | Major | Catastrophic |
|---|---|---|---|---|---|---|
| | | Minor 1st aid | MTI | LTI | Permanent disability | Fatality |
| | | Minor spill | Loss of containment | Reportable spill | Uncontained spill | Major environment |
| | | Client complaint loss | Community issue | Client concern loss | Media attention loss | Adverse publicity |
| | | Loss < Rs.1000 | Rs.1000-1,00,000 | Rs.1,00,000-10,00,000 | > Rs.10,00,000 | Dissolve company |
| ALMOST CERTAIN | Known to happen often | HIGH | HIGH | EXTREME | EXTREME | EXTREME |
| LIKELY | Could happen easily | MEDIUM | HIGH | HIGH | EXTREME | EXTREME |
| POSSIBLE | Could happen and has happened earlier | LOW | MEDIUM | HIGH | EXTREME | EXTREME |
| UNLIKELY | Hasn't happened but it could happen | LOW | LOW | MEDIUM | HIGH | EXTREME |
| RARE | Conceivable but only in extreme circumstances | LOW | LOW | MEDIUM | HIGH | HIGH |
Criteria of Risk Matrix can be aligned to the Likelihood and Consequence. The different levels in
these parameters will differ based on each organization's hazards. Setting criteria for each will help
to achieve ‘some sort of’ consistency. It will never be perfect and can still be subjective; however, it’s
certainly a start.
ISO 45001 guidance also states that methodologies can include on-going consultation of workers and
other methodologies including monitoring and communication of changed or new legal
requirements as well as other. So it’s not only a ‘tool’ such as a risk matrix, it's also activities that you
conduct within your OH&S management system.
Don’t forget that this methodology and criteria are required to be maintained and retained. So, we
are looking for a procedure that tells us HOW we assess OH&S risks and what methodology and
criteria are used. THEN we are also required to retain evidence of its use. This means we should
expect to see an output such as a risk or hazard register – It’s more about demonstrating that you
have:
1. Identified hazards or other OH&S risks
2. Used the documented methodology and criteria to assess the risks
3. Documented what the risk rating is (which is essentially a demonstration of the assessment).
Now that we understand what methodology, criteria and documented information is required let’s
go back to the beginning and see what the requirements are.
This clause kicks off by stating that:
The organization shall establish, implement and maintain a process(es) to:
a) Assess OH&S risks from the identified hazards, while taking into account the effectiveness of
existing controls. AND
b) Determine and assess the other risks related to the establishment, implementation, operation
and maintenance of the OH&S management system.
Ok – so point a) we’ve already really covered – assess the OH&S risks from the hazards identified –
and then it wants us to consider what controls are already in place when we do assess the risk.
When we use our risk matrix, for example, our assessment of the Likelihood and Consequence
should take into consideration any controls that are already in place.
So, if we’ve identified the hazard of power tools and when the power tools are used existing controls
include:
• A risk assessment on the tool itself
• Training and competence sign off
• PPE
The risk assessment needs to consider how these existing controls will influence the Likelihood and
Consequence of an incident or injury occurring. Make sense?
And then point b) is not just about assessing risks as a result of hazards identified. Assessment of
risks is also required for all of the OH&S management system commencing with establishing the
system, then implementing, the operational aspects, and of course on-going maintenance.
Assessment isn’t something we do once; it is an on-going activity to ensure that the OH&S
management system remains current and relevant to all activities.

6.1.2.3: Assessment of OH&S opportunities and other opportunities for the OH&S management system


This clause 6.1.2.3 falls under the overarching clause 6 Planning. We’ll break this clause down and
turn it into something that we can all understand.
I do want to point out that the title of this clause refers to opportunities. This isn’t something that
has always been mentioned as part of an OH&S management system, however, opportunities have
always been there. Opportunities come in the form of risk treatments and controls, new processes,
new systems, and training: anything that improves the OH&S management system's performance,
eliminates hazards, and reduces OH&S risks.
This clause states that –
The organization shall establish, implement and maintain a process(es) to assess:
a) OH&S opportunities to enhance OH&S performance, while taking into account planned changes
to the organization, its policies, its process or its activities and:
1) Opportunities to adapt work, work organization and work environment to workers; AND
2) Opportunities to eliminate hazards and reduce OH&S risks AND
b) Other opportunities for improving the OH&S management system
This highlights that the process for assessment should consider the OH&S opportunities that are
determined, their benefits, and their potential to improve the OH&S management system's
performance. The reference to adapting work, the organization of work, and the work environment,
as well as any other opportunities to eliminate hazards and reduce OH&S risks, is simply recognizing
that the controls that you put in place, whether they are higher-level controls such as
elimination or lower-level controls such as Administration, can be considered
opportunities.
And these should be assessed to determine how well they will work to achieve the elimination of
hazards as well as improvement of the OH&S management system.
This clause really is as simple as recognizing these opportunities in your system and including them in
your assessment processes.

6.1.3: Determination of Legal Requirements and Other Requirements


Before we get stuck into the actual clause requirements it is important to note that the title of this
clause includes Legal requirements and other requirements. So, we probably all understand what
legal requirements are referring to, but what about other requirements? If you use the process of
deduction, obviously the Other requirements are NOT the Legal requirements – so what could these
Other requirements be?
They can be:
• Your own organization's requirements – so your own system, policies, and procedures.
• Contractual requirements – which could be from your customers or even suppliers. Your
customers may have specific OH&S requirements for you to access their worksite for instance.
• Employment agreements – your organization will more than likely have in place employee
agreements that do state certain OH&S requirements.
• Industry standards – depending on what industry you are in your overarching industry body or
organization may have OH&S requirements.
• Voluntary associations – your organization may have taken on board a voluntary cause that may
support an OH&S cause, like a mental health cause for example.
So, you can see just a few examples of what might fall under this vague heading of Other
requirements.
There are 3 key points in this clause that all link back to the opening statement of
The organization shall establish, implement and maintain a process(es) to ... and then the 3 key
points are provided. I’m now going to share these 3 key points knowing that you have the
understanding that these are all about being established, implemented, and maintained as processes
in your OH&S management system. To start off we have...
a) Determine and have access to up-to-date legal requirements and other requirements that are
applicable to its hazards, OH&S risks, and OH&S management system.
Two statements stand out here – determine and have access to. The first step is that you need
to determine what the legal requirements and other requirements are that are relevant to your
activities, products, and services – and of course, the hazards identified – which we covered in clause
6.1.2.1 Hazard identification.
So, where can you find out what requirements are relevant to your organization?
It really depends on the resources you have within your organization. A lot of larger organizations
have their own internal legal teams. These legal teams are the experts in identifying and determining
what is relevant.
We don’t always have access to these resources. If we are a smaller organization, it is more than
likely that we won’t have our own internal legal team! What I normally see in these circumstances is
that the organization will have a consultant or a subscription that provides this information.
Having this provided externally does take a lot of pressure off you and puts it in the hands of the
professionals. That way you can spend your time doing what you’re good and knowledgeable at.
However, if you do want to take this on yourself, OH&S-related laws are reasonably accessible online.
You just need to make sure that you access the requirements of each state, particularly if your
organization conducts activities in different states. If your organization conducts activities
internationally you also need to be aware of what is relevant and where, when it comes to OH&S
legislation in other countries.
Now, remember the 2 keywords – determine and have access to that I mentioned earlier? All of this
so far is about how you will determine your requirements. Don’t forget that once you have
determined them you need to ensure that you have access to them also. This might not mean just
having access to the legal jargon documents; it will also mean access to how you will apply the
requirements within your organization through your activities, products, and services.
This is a great segue to the next point in this clause which states
b) Determine how these legal requirements and other requirements apply to the organization and
what needs to be communicated.
So somehow you have to interpret what the legal requirements and other requirements are and
figure out what actions or processes you will take within your OH&S management system to ensure
they are applied. This is where it is handy to have a legal team or a consultant. Even with a
subscription they do tend to turn it into language that we understand and then we know how to
apply it to our activities, products, and services. And of course, don’t forget to communicate the
application of these requirements internally and externally (whatever is relevant to your
organization) to whoever is required to be aware of this.
Then the third key point states:
c) Take these legal requirements and other requirements into account when establishing,
implementing, maintaining and continually improving its OH&S management system.
These legal and other requirements should be embedded into your OH&S management system. So,
they become ‘just the way you operate’. These requirements don’t sit in a corner with people too
scared to go over there! If they are applied and integrated into your OH&S management system, it
becomes part of your day-to-day operations. And of course, it’s important to stay up to date with
any changes and then if any changes influence your OH&S management system then it is simply
updated. The method you use to determine your relevant requirements will be the method you use
to keep up to date with changes.
Then finally, the last sentence of this clause states:
The organization shall maintain and retain documented information on its legal requirements and
other requirements and shall ensure that it is updated to reflect any changes.
So, if you are implementing a system, please ensure that you have documented information on how
this is conducted as well as evidence of what has been identified and applied.
This is not something that should just be kept in your head. It’s here in black and white that
documented information is to be maintained (so a process) and retained (so evidence) on your legal
and other requirements. Ensure that what you identify and how it’s applied can be easily
demonstrated through your system, procedures, or even a legal register, and is updated when there
are changes.

6.1.4: Planning Action


Before we get stuck into the actual clause requirements, I want to point out that this final clause is
all about actually doing something with what you’ve learned throughout the rest of clause 6.
In fact, Clause 6.1.4 even references these other clauses to help you to see where the requirements
for action will come from. This means the standard ensures that it’s not just all warm and fuzzy stuff,
but that you actually have to do something with it.
Clause 6.1.4 starts off by stating
The organization shall plan:
a) Actions to:
1) Address these risks and opportunities (see 6.1.2.2 and 6.1.2.3)
2) Address legal requirements and other requirements (see 6.1.3)
3) Prepare for and respond to emergency situations (see 8.2)
I don’t really have to explain too much here because the clause is already pointing you in the
direction of the other clauses to refer to! They’ve made it really easy for you. Basically, what they’re
saying is that there would be actions required as a result of meeting the requirements of the clauses:
And actually, just touching on that last one that refers to Clause 8.2, the potential emergency
situations could also have been identified as part of Clause 6.1 Actions to address risks and
opportunities as well as 6.1.2.1 Hazard identification.
Now you just have to come up with a plan on how these actions will be implemented, which leads to
the next section of this clause which is point
b) How to:
1) Integrate and implement the actions into its OH&S management system processes or other
organization processes;
2) Evaluate the effectiveness of these actions.
This is saying that your plan and your actions are to be a part of your OH&S management system, its
policies, procedures, and processes. Again, this is not something that just sits in the corner, these
actions become integrated into your organization, and they become ‘just how things are done
around here’.
To evaluate the effectiveness of the actions integrated into your OH&S management system, you
could use Clause 9.1 Monitoring, measurement, analysis, and evaluation, and even Clause 9.2
Internal audit to monitor and determine the effectiveness. Even if this identifies improvements or
non-conformances – that’s what you actually want your system to do! Find where the gaps are and
implement corrective action to always be improving.
This clause does also state that:
The organization shall take into account the hierarchy of controls (see 8.1.2) and outputs from the
OH&S management system when planning to take action.
Again this clause is pointing you in the direction of the related clause of 8.1.2 Eliminating hazards
and reducing OH&S risks. This is stating that when planning your actions and integrating them into
your OH&S management system ensure that the actions you take follow the hierarchy of control,
prioritizing the more effective controls first and where they can be applied.
And then finally the last sentence of this clause states:
When planning its actions, the organization shall consider best practices, technological options and
financial, operational, and organization requirements.
The actions that you take should align with what resources and operations the organization already
has in place. Look at what you already have in processes and systems and integrate your actions
within these first.
Also, understand what the ‘normal’ practice is in your industry while also considering your access to
technology and your own financial resources. Your financial, technological, and operational
resources will influence the level of action you can take.
While there is no specific documented information requirement stated for this clause, the
requirement of integrating and implementing the actions into other organization processes indicates
that as an auditor you will find these actions within the system as a whole.

6.2: OH&S objectives and planning to achieve them


Let’s take a look at what Clause 6.2 wants us to do. There are a couple of sub-clauses in 6.2 so we
will break each of them down separately.
Now, sub-clause 6.2.1 is all about the establishment of the OH&S objectives. And by the way, you
can call them anything you want – objectives, goals, targets, KPIs – this is completely up to you. This
sub-clause states that:
The organization shall establish OH&S objectives at relevant functions and levels in order to
maintain and continually improve the OH&S management system and OH&S performance (see
10.3).
When I read this, I see that these objectives aren’t just high-level corporate objectives or just
operational objectives. These objectives are to be established at relevant functions and levels of the
OH&S management system. So, you might start with the corporate OH&S objectives and then they
should filter down to each department or function in the organization and even where they apply to
processes of the organization.
As an example, if one of the company OH&S objectives is to have 100% of workers across all
departments trained in the new OH&S management system by December 31st, 2024, there would be
several departments or functions that would also require objectives set to be able to meet this
objective. Each department could then set its own objectives to ensure its team was trained by the
December 31 deadline. Their objectives might be to train the Project Managers by September 30,
train the Site Administrators by October 30, and then finally train the workers on project sites
including contractors by December 31.
Now, moving along in clause 6.2.1 it does state that:
The OH&S objectives shall:
a) Be consistent with the OH&S policy
Well, look at that - When we set our OH&S objectives they need to somehow align with our intent
and commitment that we documented in our OH&S policy.
What a great way to ensure that our intent from our policy is met. Then:
b) States that the OH&S objectives are to be measurable or capable of performance evaluation.
Of course, when objectives are set you need to be able to measure them or evaluate the extent to
which they are being achieved.
It’s no good setting an objective and you’re not able to monitor it. Make sure you collect the data
and can generate the reports needed to track how well you are going in achieving your objectives.
Otherwise, you don’t have a clue where you’re at. To make your objectives measurable it’s
important to have a timeframe that you want to achieve your objective by. Then you know what you
want to achieve and by when.
I’m sure you’ve all heard of SMART goals; this helps you to set Specific, Measurable, Achievable,
Realistic, and Timely goals.
c) States to take into account
1) Applicable requirements
2) The results of the assessment of risks and opportunities (see 6.1.2.2 and 6.1.2.3)
3) The results of consultation with workers (see 5.4) and, where they exist, workers’
representatives;
First up, what are these applicable requirements?
Well, we will determine these applicable requirements as action is taken on other clauses
throughout the Standard. For instance, when you understand the needs and expectations of workers
and other interested parties, as per clause 4.2, you may identify some applicable requirements based
on what your interested parties expect from you.
If this is the case, wouldn’t it be beneficial to set an objective to ensure that this is met – and met to
a standard and timeframe that’s expected? For example, an interested party is your workers, and
they expect that they go home safe and healthy each day. Another clause where you will identify
applicable requirements is in Clause 6.1.3 Determination of legal requirements and other
requirements.
And of course, please ensure that your consultation outcomes covered in clause 5.4 are considered –
wherever any type of risk or opportunity is identified, wrap it up in an objective so that it is clear and
understood across the entire organization. It’s something solid to aim for!
Right, then we move to:
d) Be monitored
If you’re going to set objectives, you need to monitor them to see the extent to which you’re
meeting them. Are you on track? If not, what can you do differently so that you can make changes in
enough time to meet your objective by the set timeframe?
Then this clause goes on to state:
e) Be communicated
That’s it – just communicated. This clause doesn’t provide any other ‘hints’ as to who to or how
often, etc.; however, this does align with Clause 7.4 Communication, where it is up to the organization
to determine what, when, with whom, who and how to communicate.
So, if we apply the knowledge from clause 7.4, it is up to the organization to determine the
communication requirements of the OH&S objectives… although clause 7.3 Awareness does include
the statement that Workers shall be made aware of the OH&S objectives. So that’s a big hint for you.
If workers are to be aware of OH&S objectives there’s our answer right there as to what is to be
communicated as part of clause 6.2 OH&S objectives. It is also a requirement:
f) Be updated as appropriate
Meaning that as, or when, the objectives need to be updated as a result of a change in the organization,
then do it. Objectives may not always stay the same. As the organization changes, activities change,
locations change, and tools and equipment change, and this will influence the objectives that have
been set too.
Now we can move to sub-clause 6.2.2 Planning to achieve OH&S objectives. This sub-clause states
that:
When planning how to achieve its OH&S objectives, the organization shall determine
a) What will be done;
b) What resources will be required;
c) Who will be responsible;
d) When it will be completed;
e) How the results will be evaluated, including indicators for monitoring;
f) How the actions to achieve OH&S objectives will be integrated into the organization’s
organization processes.
This means that the OH&S objectives that we set, and document, aren’t to sit on the shelf and gather
dust. Or they’re not to be pinned to the wall so everyone can walk past and just get a warm fuzzy
feeling. Not at all!
You actually have to figure out what actions you are going to take to achieve the objectives, who is
going to be responsible for these actions, and whether you need any other resources (such as
people, knowledge, skills, equipment, training, and so on).
We’ve already talked about setting a timeframe for these objectives as part of being measurable
which aligns nicely with the requirement for determining when the objectives will be completed by.
Now, you just have to figure out how you will evaluate and monitor the results of the objectives to
see how you are tracking with the objective set within the timeframe set.
One of my favourite statements in the Standards is that 'these actions to achieve the objectives will
be integrated into the existing organization processes'. There shouldn’t be a separate corner of the
office for the objectives and their actions – embed the actions in existing processes so the culture of
‘this is just how we do things around here’ is created.
The final requirement in section 6.2.2 is:
The organization shall maintain and retain documented information on the OH&S objectives and
plans to achieve them.
Ok, now that we understand what is needed, now we know that these OH&S objectives as well as
the plans and strategies on how they will be achieved are to be documented.
So, what does all of this normally look like when it’s documented? A matrix having the objective
documented including what is to be achieved and by when – this could be in a single column or over
a couple of columns, with the timeframe separated. Then there are additional columns that
reference the strategy of what will be done – now this could be as simple as referencing a procedure
or procedures. Other columns then might list who’s responsible and then the monitoring or
measurement that will be conducted – which may reference different reports or statistics.
Ok, that’s a great start; we now have documented OH&S objectives as well as a plan on how they will
be achieved. Develop what works for you – keep it simple, real, and relevant to the scope of YOUR
system and how you normally document within the organization.

ISO 45001 Clause 7.2 Competence


First off, the clause states that...
The organization shall:
a) Determine the necessary competence of workers that affects or can affect its OH&S
performance;
b) Ensure that workers are competent (including the ability to identify hazards) on the basis of
appropriate education, training or experience;
That’s right - it’s up to the organization to figure out what competence requirements are needed for
the different roles relevant to the OH&S management system.
You normally see these competence requirements documented in Position
Descriptions or Job Descriptions. They could also be included in a training matrix or register. These
requirements should be based on appropriate education or training requirements, which could be
licenses or certifications. These could also include on-the-job training requirements. These will be
determined by legal requirements (which you’ll identify as part of clause 6.1.3), industry
requirements, and your own organization requirements.
As well as education and training there may also be experience requirements that could be what the
person comes to you with OR it could mean that there is an element of on-the-job training to be
completed before they are marked off as competent. The unique requirement for OH&S with
regards to competence is that this competence INCLUDES hazard identification as well as anything
else determined by the organization as a requirement.
Then the next section states that...
c) Where applicable, take actions to acquire and maintain the necessary competence, and evaluate
the effectiveness of the actions taken;
The NOTE at the end of this clause actually states that...
Applicable actions can include, for example, the provision of training to, the mentoring of, or the
re-assignment of currently employed persons; or the hiring or contracting of competent persons.
So, now that you have established the competence requirements, whether it be by education,
training, or experience individually or all together, you can still consider taking people into the
organization who have some shortfalls against the competence requirements. However, you need to make sure
that actions are taken to complete training, further study, or on-the-job training or experience in
tasks – which could also include mentoring from another person in the organization.
Then the final section of this clause states...
d) Retain appropriate documented information as evidence of competence.
So, for any competence requirements that have been determined, you need to ensure that you have
evidence that they have been achieved. Therefore if you say that a Degree or a certification, or both
are required for a particular job, ensure that you have collected and saved the documentation to
prove that this has been met. If you also state that on-the-job training is required, ensure that there
is a record of this as well.
To summarise these clause requirements an organization needs to:
1. Figure out what competence requirements are needed – base this on legal and industry education
and training requirements as well as on-the-job.
2. Make sure that these competence requirements are met, even if the organization has to support
some actions to make sure they are achieved.
3. Retain evidence that these competence requirements HAVE been met by keeping a record of
training completed, certificates gained, licenses, as well as on-the-job training records.

ISO 45001 Clause 7.3 Awareness


Let’s take a look at what Clause 7.3 wants us to do. First off, the clause states that
Workers shall be made aware of:
a) The OH&S policy and OH&S objectives;
b) Their contribution to the effectiveness of the OH&S management system, including the benefits
of improved OH&S performance;
c) The implications and potential consequences of not conforming to the OH&S management
system requirements;
We should remind ourselves who the Workers are in this context first.
ISO 45001 states that a Worker is a person performing work or work-related activities that are under
the control of the organization. These workers can be paid or unpaid, regular or temporary,
intermittent or seasonal, casual or part-time. They can also be external providers, contractors,
agency workers, or individuals.
We need to ensure that they are made aware of the OH&S policy and the OH&S objectives.
Normally with new workers the policy and objectives would be shared during the induction process
or induction training. This captures new workers only of course, so when there are changes to the
policy and objectives there should be a process in place to continue to share any updates with all
workers. There might be a regular team meeting, toolbox talk, stand-up, or whatever is appropriate
and relevant in your industry and organization.
These options then of course support the implementation of points b) and c) where the workers
must be aware of what their role is in contributing to the OH&S management system and what
would likely happen if they did not follow this. Again this is great information to share at induction.
Something to remember with this clause is that nowhere does it state that documented information
is required to be maintained or retained. So we don’t need to document a procedure on how we are
going to keep our workers aware of these requirements and there is no requirement to retain
evidence that we have.
However, if you are considering the risk of not retaining any evidence of these communications it is
worthwhile keeping records of what has been communicated, to whom, when, and how. By doing
this you are ensuring that you are protecting your workers and your organization.
Then this clause goes on to state …
d) Incidents and the outcomes of investigations that are relevant to them;
e) Hazards, OH&S risks, and actions determined that are relevant to them;
f) the ability to remove themselves from work situations that they consider present an imminent
and serious danger to their life or health, as well as the arrangements for protecting them from
undue consequences for doing so.
These three (3) requirements are a great addition to awareness of the OH&S management system.
For the OH&S management system to be effective and improve, workers must be aware of any
relevant incidents and outcomes that impact the activities that they conduct, as well as the hazards
and OH&S risks that are relevant to the work they conduct. In fact, it is a requirement of clause 5.4
Consultation and Participation that non-managerial workers participate in the investigation of
incidents, determining corrective action, as well as identifying hazards, so this backs up this clause
requirement perfectly.
And finally, as part of this awareness, it is essential to establish a system that empowers employees
to remove themselves from any work circumstances they perceive as an immediate and serious
threat to their well-being or safety. For instance, if a worker notices a damaged electrical cord that
poses a high risk of electrocution, they should have the ability to halt work and report the hazard
without fear of retaliation or adverse consequences.
The organization should establish protocols to ensure the employee's protection from any negative
outcomes arising from their responsible action and workers need to be made aware that this is
within their power.

8.1.2: Eliminating hazards and reducing OH&S risks


This clause gets straight into the requirements and gives us a nice list to work with and states that...
The organization shall establish, implement and maintain a process(es) for the elimination of
hazards and reduction of OH&S risks using the following hierarchy of controls:
a) Eliminate the hazard;
b) Substitute with less hazardous processes, operations, materials or equipment;
c) Use engineering controls and reorganization of work;
d) Use administrative controls, including training;
e) Use adequate personal protective equipment.
And that is the entire clause, so that leaves us with breaking these down and understanding what
each of them means and how they work together.
I remember this Hierarchy by using this little saying in my head. Try it and see if it works for you!
Every Saturday Eat A Pie
o Every = Eliminate
o Saturday = Substitute (you could use Sunday too)
o Eat = Engineering
o A = Administration
o Pie = PPE
The hierarchy of control is called a hierarchy because each control is considered less effective than
the one before it. It is common to combine several controls to manage OH&S risks to an acceptable
level.
This means when determining what controls to put in place, start from the first in the list and then
work your way down.
#1 Eliminate the hazard.
This means removing it by not using hazardous chemicals, removing mobile plant such as forklifts
from certain areas, eliminating monotonous work, or removing a piece of equipment that causes
injury or ill health. In some instances, this is achievable; however, if it is not, move to #2.
#2 Substitution
This is about replacing hazardous chemicals with less hazardous ones, changing slippery floor
material to non-slip, or lowering voltage requirements for equipment.
#3 Use Engineering controls and reorganization of work.
This option could be isolating people from the hazard, having machine guarding installed, ventilation
systems installed, noise monitoring and reduction, guard rails when working at height, ensuring
workers are not working alone, and managing work hours and workloads. You can see with this
option that you could implement these controls in parallel with #1 Elimination or #2 Substitution.
#4 Administrative controls
These controls are normally training, inspections, licenses, signage, and even health and wellness
programs.
#5 Personal Protective Equipment (PPE)
PPE includes clothing, safety shoes, safety glasses, hearing protection or gloves, as well as training
and instructions on when, where, and how to wear or use the PPE.
And once again you can use these administrative and PPE controls in combination with the
higher-level controls. We should never just use these lower-level controls IF there is an option to
eliminate, substitute, or engineer.
Simply work through the hierarchy, top to bottom, and determine the relevant controls at each level
for the OH&S risk you have identified. And I’m not saying the first time you do this, you’ll get it 100%
right, because there is always an option to improve and change. You should continue to review the
controls, monitor what’s working and what’s not working, and make improvements.
Finally, all of these actions, reviews, and implementation of controls need to have your workers
participating in the process. This means your workers should be asked for their input and be part of
the final decision-making process. Please do not forget this very important part of the process as
when you involve your workers you have a higher chance of success.

8.2: Emergency preparedness and response


This clause states that...
The organization shall establish, implement and maintain a process(es) needed to prepare for and
respond to potential emergency situations, as identified in 6.1.2.1, including:
a) Establishing a planned response to emergency situations, including the provision of first aid;
We need to understand what our potential emergency situations are and prepare for them so that
we can respond adequately. We need to have a planned response to these emergency situations
that includes providing first aid.
How do we know what the potential emergency situations are? Well, luckily, earlier on in clause 6.1
Actions to address risks and opportunities there are several opportunities for us to have already
identified our potential emergency situations which include hazard identification and planning
actions based on what has been identified.
We should already have an idea of what our potential emergency situations are and of course, part
of our action to manage these is to establish planned responses. These planned responses can
include these further points in ISO 45001:
b) Providing training for the planned response;
c) Periodically testing and exercising the planned response capability;
This means that once we have established our planned responses, we need to provide training for all
of those potentially impacted and involved in an emergency response so everyone is familiar with
the response process. And this also provides a great opportunity for feedback.
Then of course as part of this training, you will include testing and exercising of the response
processes. You might choose to do a run-through of the response based on a scenario or you could
do a desktop review. As part of the test if there is any equipment that is to be used during the
response (such as an emergency eye wash or shower station) be sure to test that these are working
as they should.
Now that we’ve established these response processes and are providing training, testing, and
exercise, this clause moves on to state…
d) Evaluating performance and, as necessary, revising the planned response, including after testing
and, in particular, after the occurrence of emergency situations;
During the training / on-site and off-site drills, somebody has to be responsible for evaluating the
performance and receiving feedback from others so that any improvements to the planned response
can be made. These updates are made not only after a drill but also in instances where there has
been an actual emergency that required a response.
Then this clause goes on to talk about communication requirements …
e) Communicating and providing relevant information to all workers on their duties and
responsibilities;
f) Communicating relevant information to contractors, visitors, emergency response services,
government authorities and, as appropriate, the local community;
g) Taking into account the needs and capabilities of all relevant interested parties and ensuring
their involvement, as appropriate, in the development of the planned response.
Absolutely! If there is a potential emergency situation that impacts workers whether they are
employees or contractors, they need to be aware of what is expected if an emergency does arise.
And it’s not just workers, it’s visitors and emergency response services as well. Any interested party
that will be impacted needs to be included in developing the response, training, and testing.
Then finally how will you provide evidence that all of this has been conducted?
The final statement of this clause is:
The organization shall maintain and retain documented information on the process(es) and on the
plans for responding to potential emergency situations.
We need to maintain documented information so this means that our planned responses should be
documented. What we have to do should be written down somewhere so we can access it and
follow it when we need to.
Then on top of this, we also need to retain documented information, so this is evidence of what has
been done. We would expect to see a record of the tests and exercises conducted and the results of
these. We would also expect to see records of responses to any actual emergency situations that
have occurred, the results of following the response and any improvements and changes as a result
of this.

9.2: Internal Audit


This clause starts off with sub-clause 9.2.1 General where it states...
The organization shall conduct internal audits at planned intervals to provide information on
whether the OH&S management system:
a) Conforms to:
1) The organization’s own requirements for its OH&S management system, including the OH&S
policy and OH&S objectives;
2) The requirements of this document (meaning ISO 45001);
b) Is effectively implemented and maintained.
This sub-clause is spelling out what our internal audits should be conducted against – which is
normally referred to as the criteria. Your planned audits should ensure that there are two criteria
areas that you audit against, and will look something like this:
• The Criteria level is ISO 45001
• The System level is your own OH&S management system
• The Operations level is what they are actually doing
We then move on to the second sub-clause of 9.2.2 Internal audit program where it states...
The organization shall plan, establish, implement and maintain an audit program(s), including the
frequency, methods, responsibilities, consultation, planning requirements and reporting, which
shall take into consideration the importance of the processes concerned and the results of previous
audits.
This is pretty clear that we are required to develop an audit program (sometimes referred to as an
audit schedule). The audit program should cover all of the audits planned over a period of time –
normally within organizations you see this over a period of 12 months. For a 3-year certification
cycle, the audit program shall be for 3 years. It is up to the organization to determine what timeframe
the audit program is developed for its own internal audits. The audit program should include some
key areas, which are:
• Frequency – so when are the audits conducted? Which months? Or weeks? And how often?
• Methods – this may include a reference to a procedure or a report template to be used for the
audit.
• Responsibilities – who is conducting which audits?
• Consultation – ensure that the process of establishing what is included in your audit program is
discussed with workers so that they can have input and provide feedback.
• Planning requirements and reporting – again, this may reference a separate procedure that
internal auditors are to follow when preparing, planning, conducting, and reporting on an audit.
• Results of previous audits. If there were non-conformances raised in an audit this month for
example, then this should prompt a review of the audit program, to ensure that this process or
area that attracted the non-conformance is included in the audit cycle again. This ensures that
high-risk areas (those that have had previous non-conformances) are picked up and reviewed or
revisited sooner, rather than later.
• Taking into account risk or, as this clause says, take into consideration the importance of the
processes concerned.
This audit program might have the organization's processes and activities listed and when they are to
be audited and by whom. A major part of this is determining which procedures should be audited
first or more often as they are high risk. This could be new procedures or procedures related to a
new process or location or product.
You can see that this audit program should be a risk-based tool that you use to monitor key parts of
the organization with a focus on the high-risk areas. It is more important to conduct audits on areas
of higher risk than auditing absolutely everything, even the areas that are low-risk and have never
had any issues or changes.
Make sure that your audit program is a living, breathing tool that you use to benefit your
organization.
Before I move on to point b) I want to skip ahead in this clause a bit first to...
f) Retain documented information as evidence of the implementation of the audit program and the
audit results.
This clause requirement confirms that we need a documented audit program – whether it’s a hard
copy, electronic, or a software program. Then we also require documented information to be
retained as evidence of the audit results. So, this means we need to see documented evidence of the
outcomes of the audits conducted.
This could be as simple as an audit report, which you need to ensure includes the following, as per...
b) Define the audit criteria and scope for each audit;
In your audit report you would include a field to document the audit criteria, which is WHAT you are
auditing against, which could be a particular ISO clause or even a specific activity or procedure and
then also include a field for the scope of the audit. The scope of the audit is the extent and
boundaries. So, this could be specific locations, activities, departments, and so on.
Then finally we have points...
c) Select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;
d) Ensure that the results of the audits are reported to relevant managers, ensure that relevant
audit results are reported to workers, and, where they exist, workers’ representatives, and other
relevant interested parties.
To summarise these 2 final points:
• Do not audit your own work. Therefore, if you generate the evidence within the scope of the
audit, then you shouldn’t be auditing that area. You need to ensure another auditor who is
impartial and has no conflict of interest is assigned to that audit in your audit program.
• And then once you have completed your audit report, ensure that it is provided to relevant
management within the organization, as well as communicated and shared with workers and any
other relevant interested party, which could be customers or suppliers.
And then finally we have...
e) Take action to address nonconformities and continually improve its OH&S performance (see
Clause 10).
Therefore, ensure that you follow your corrective action process when non-conformances are
identified as a result of the audit. To understand what is required for your non-conformance and
corrective action process, be sure to refer to clause 10.2.

ISO 45001 Clause 10.2 Incident, nonconformity and corrective action

Before I get started on the clause, I think it’s important to understand the definitions of a
nonconformity and an incident. After all, if we don’t know how to recognize one then we won’t know
when to take action, will we? Clause 3 of ISO 45001 states that an incident is
an occurrence arising out of, or in the course of, work that could or does result in injury and ill
health.
Therefore, if an event occurs while we are at work and we are injured or become sick this is
considered an incident.
Then the definition of a nonconformity states that it is a non-fulfilment of a requirement and the
definition of a requirement is a need or expectation that is stated, generally implied or obligatory.
These requirements that we are bound to conform with may come from our customers, product or
legal requirements, ISO Standard requirements, or even our own OH&S management system
requirements. Put simply, we need to identify and understand what our requirements are and then
follow them. When we don’t that is a non-conformance.
This will now help us as we move through the clause requirements so let’s get started. Let’s take a
look at what Clause 10.2 wants us to do. The clause starts off by stating that ...
The organization shall establish, implement and maintain a process(es), including reporting,
investigating and taking action, to determine and manage incidents and nonconformities.
When an incident or nonconformity occurs, the organization shall:
a) react in a timely manner to the incident or nonconformity and, as applicable:
1) take action to control and correct it;
2) deal with the consequences;
Points 1) and 2) of taking action and dealing with the consequences can be referred to as the action.
This is the first step we take to deal with the consequences of an incident or non-conformance. If it is
an incident, it would be managing an injury, isolating the area or machine that may have caused it,
and so on. Basically, mop up what’s happened and put some actions in place immediately to ensure
nobody else is injured.
This is not a long-term fix or corrective action. It is just getting it under control initially.
The next part of the clause is where we look at the long-term fix or corrective action. Therefore, this
clause states that the organization shall:
b) evaluate, with the participation of workers (see 5.4) and the involvement of other relevant
interested parties, the need for corrective action to eliminate the cause(s) of the incident or
nonconformity, in order that it does not recur or occur elsewhere, by:
1) investigating the incident or reviewing the nonconformity;
2) determining the cause(s) of the incident or nonconformity;
3) determining if similar incidents have occurred, if nonconformities exist, or if they could
potentially occur.
You will have noticed that the overarching goal is to prevent the incident or nonconformity from
recurring or occurring elsewhere. And this is done by reviewing and analyzing the incident or
nonconformity to determine the cause or causes. By doing this we also have the opportunity to find
out whether there have been similar nonconformities that have already occurred or have the
potential to occur.
For example, if a non-conformance has been raised several times at different locations for workers
not wearing the required PPE, this may indicate that the root cause has not been identified and
appropriate corrective action implemented as the issue continues to reoccur. This could be further
exacerbated if an incident occurs and the investigation identifies that the correct PPE was not being
worn. The intent is to investigate, determine the cause and then implement corrective action to
prevent the non-conformance or incident from happening again, not only where they were identified
in the first place, but in any other location or situation as well. This all feeds nicely into the next set
of clause requirements which are:
c) review existing assessments of OH&S risks and other risks, as appropriate (see 6.1)
d) determine and implement any action needed, including corrective action, in accordance with
the hierarchy of controls (see 8.1.2) and the management of change (see 8.1.3).
e) assess OH&S risks that relate to new or changed hazards, prior to taking action
This is building on the steps I talked about earlier of identifying the cause and implementing
corrective action. It would be beneficial as part of the investigation to determine whether the
potential OH&S risk had been identified as part of the proactive process of hazard identification.
Meaning, did the organization identify that there was a risk that workers would not follow the
requirements for wearing PPE? If it wasn’t identified, part of the corrective action should loop it back
to be included and if it WAS identified, what controls were to be put in place? These controls should
follow the hierarchy of controls.
Then finally when new or changed hazards are identified, be sure to assess these so you understand
the level of risk and impact if they do occur. To understand this more be sure to read the article for
clause 6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system.
This leads us to the next part of this clause which states ...
f) review the effectiveness of any action taken, including corrective action and
Not only do we implement the corrective action, but we should also be giving it sufficient time to be
followed and used so that we can review whether it has effectively prevented the issue from
recurring. Therefore, in this example, you would continue to monitor the use of PPE across all
locations, and determine if the corrective action you put in place is actually working.
If it isn’t completely working, you might tweak the corrective action or ask for feedback from
workers as to what is working and what is not working. You will continue to monitor until you are
getting feedback and evidence that PPE is being worn to requirements and there haven’t been any
follow-up non-conformances raised.
Then the final point ...
g) make changes to the OH&S management system, if necessary and Corrective actions shall be
appropriate to the effects or the potential effects of the incidents or nonconformities
encountered.
These two points are asking: when there has been a nonconformity, does this mean that
there are additional risks or opportunities that may have been missed in your initial assessment of
the process or operations? And if so, does this change your OH&S management system and
associated procedures? This provides that final loop back from an Operations level up to a Systems
level.
And of course, the corrective action taken should be at a level that is suitable for what actually
occurred. For example, corrective action of firing all of the workers for not wearing PPE the first time
it has occurred may be a little over the top and not proportionate to the actual issue and in particular
even the root cause.
The final section of this clause states …
The organization shall retain documented information as evidence of:
• the nature of the incidents or nonconformities and any subsequent actions taken;
• the results of any action and corrective action, including their effectiveness.
The organization shall communicate this documented information to relevant workers, and, where
they exist, workers’ representatives, and other relevant interested parties.
Any incidents and nonconformities identified need to be recorded as to what they were and what
actions were taken, including the results (successful or otherwise) of the corrective action taken. This
is normally in the form of an Incident Report, Incident Register, Non-conformance Report, and
Non-conformance Register.
You can call it whatever you want and you could combine the reporting and registers for
non-conformances and incidents, as long as it does record this information at a minimum.
Other information that this register might also include that is helpful is:
• who is responsible
• created or occurrence date
• the due date for corrective action
• the due date for review of implemented corrective action
• any links to photos or investigations
• identified by category (which might be an internal audit, external audit, daily operation,
customer complaint, and so on)
These are just a few additional fields that I have come across that help with analyzing ongoing
improvements.
This then makes it easy to communicate to workers and any other parties that may have been
impacted by the incident or non-conformance or will be impacted by the corrective actions.
We include a worker representative in incident investigation. Is this an IMS requirement? If yes,
under which clause?
We do carry out EPP drills. Where is the requirement in IMS?
Our management supports CIPs. Where is the requirement?
Which standard asks for the roles and responsibilities of each worker to be defined and documented?
Under which clause? In FIL, where we mention responsibility of individual, in which document?
Is imparting training for mock drills and EPP drills necessary? Under which clause?
Does the ISO 45001:2018 standard allow exempting any clause of the standard? Where is it stated?

What is the difference between occupational safety and process safety?
Jun 8, 2021

Occupational health and safety management system (OHSMS) and process
safety management (PSM) are essential for hazardous chemical enterprises
to maintain continuous operation and reduce damages. Occupational safety
focuses on identifying and controlling occupational health and safety risks
for workers and on managing environmental impacts from operating activities.
Meanwhile, process safety focuses on preventing and reducing disasters
for workers and the community, and major environmental events, arising from
chemical releases.
In this article, we briefly compare the two management systems, with
reference to the requirements of ISO 45001 and the process safety
management system (PSM) of the Center for Chemical Process Safety (CCPS),
American Institute of Chemical Engineers (AIChE), called CCPS PSM [1].
According to Kristen Hansen’s opinion, it is too difficult to find similarities
between the two management systems in scope, standard structure, elements or
clauses, requirements, etc., because of the following two basic factors [2].
• Who is protected?
Since process safety deals with emergency situations, it protects
communities – not only the workers in the facility but anyone in neighboring
buildings that could be affected by a destructive event.
Occupational safety, on the other hand, is focused solely on protecting the
workers themselves from illness or injury. Occupational safety incidents are
far more contained and localized.
• Monitoring
As the name implies, process safety involves ensuring the good functioning of
the facility’s processes. Depending on the workplace, process safety
monitoring might involve regular inspection of chemical release, energy,
and contaminant levels to ensure that the hazards remain properly
controlled.
On the contrary, occupational safety monitoring is concerned with the
features of the work environment that workers interact with directly. It might
include making sure that walkways and stairwells are well maintained and
inspecting machine guards to ensure that they are properly installed and in
good shape.
In addition, CCPS PSM has elements that ISO 45001/ISO 14001 does not –
such as Asset Integrity and Reliability, Operational Readiness and Safe Work
Practices – these are the three most important elements of the PSM system.
Even the elements that have the same name in the two systems are
essentially different.
For example, the clause on Change Management in ISO 45001 is a wide
concept, with very general requirements that are relatively easy to meet,
whereas the Change Management element of CCPS PSM is focused on process
change management and has specific and strict requirements that are
difficult to meet.
Thus, a chemical manufacturing enterprise that meets the requirements of
health, safety, and environment management system according to ISO
45001/ISO 14001, may not meet the requirements of PSM system according to
CCPS PSM.
However, the two management systems also have similar elements, such as
Emergency Preparedness and Response, Subcontractor Management, Audit,
etc., and the requirements of these two systems are not much different.
Thereby, a chemical manufacturing company that meets the requirements of
the Health and Safety management system according to ISO 45001 and ISO
14001 has a huge advantage in achieving the requirements of process safety.
20 elements of CCPS PSM include [1]:

Table 1 – 20 elements of CCPS PSM


Pillar                        No.  Element
Commit to process safety      1    Process Safety Culture
Commit to process safety      2    Compliance with Standards
Commit to process safety      3    Process Safety Competency
Commit to process safety      4    Workforce Involvement
Commit to process safety      5    Stakeholder Outreach
Understand hazards and risk   6    Process Knowledge Management
Understand hazards and risk   7    Hazard Identification and Risk Analysis
Manage risk                   8    Operating Procedures
Manage risk                   9    Safe Work Practices
Manage risk                   10   Asset Integrity and Reliability
Manage risk                   11   Contractor Management
Manage risk                   12   Training and Performance Assurance
Manage risk                   13   Management of Change
Manage risk                   14   Operational Readiness
Manage risk                   15   Conduct of Operations
Manage risk                   16   Emergency Management
Learn from experience         17   Incident Investigation
Learn from experience         18   Measurement and Metrics
Learn from experience         19   Auditing
Learn from experience         20   Management Review and Continuous Improvement

Conclusion
It is difficult to compare the similarity between the requirements of health,
safety and environment management system (ISO 45001 and ISO 14001) and
process safety system (such as CCPS PSM), because the two systems differ in
who is protected and in what is monitored. However, it can be said that
a company that meets the requirements of an HSEMS has a foundation for
meeting the requirements of a process safety system.
