Iso 45009
Performance Evaluation
The organization must establish a system that involves the monitoring,
measurement, analysis, and evaluation of its OH&S performance. It
should decide what to measure and how, for instance, accidents or
worker competence. Moreover, internal audits must be established
along with regular management reviews, in order to see the progress
made towards the achievement of OH&S objectives and the fulfillment
of ISO 45001 requirements. Performance evaluation is a constructive
process that aims to improve an organization’s operation and is crucial
to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These
processes should help achieve and support organizational strategy and
goals. Clause 9, Performance Evaluation, provides an in-depth
discussion regarding the criteria for evaluating the overall performance
of the OH&S management system. The primary themes of this section
focus on the means of process evaluation and documentation of
evaluations. The importance of documentation (and how records and
data are retained), as well as document dissemination, are performance
themes both in ISO 45001 in general and in this section in particular.
This section tends to be more specific than some of the others and
includes a detailed discussion of documentation requirements, internal
audit protocols, and relevancy and applicability of measurements
within the organization. The key attributes of this section include:
1. Ensuring that applicable legal requirements and documentation are
followed
2. Measuring operational risks and hazards
3. Evaluating the effectiveness of operational controls
4. Establishing the timeline for conducting the measures
5. Planning for analysis, evaluation, and communication of the results
6. Calibrating and verifying the accuracy of all equipment
7. Retaining documentation of all measures
8. Auditing the OH&S Management System, the OH&S Policy, OH&S
Objectives, and the 45001 requirements
9. Establishing the frequency of audits and accounting for significant
changes to the organization, performance improvements, risks, and
opportunities
10. Ensuring the competence of auditors
11. Communicating findings to management, workers, and worker
representatives
12. Taking action to address identified nonconformities
13. Retaining audit results as evidence of the completion of the audit
14. Reviewing audit findings and corrective actions by top
management
15. Ascertaining that corrective actions, worker engagement, and
opportunities for continual improvement are in place
The most important objectives of the Performance Evaluation section
are ensuring the adequacy of the current OH&S management system
and measuring that OH&S objectives are met. These are, essentially, the
only measures of success.
4. insurance requirements.
4. Criteria are what the organization can use to compare its
performance against.
1. Examples are benchmarks against:
other organizations;
OH&S statistics.
The organization not only has to measure occupational health & safety
progress, but it should also consider its significant hazards, compliance
obligations, and operational controls when tackling this clause. The
methods established should ensure that the monitoring and measuring
periods are aligned with the needs of the OH&S Management System for
data and results, that the results are accurate, consistent, and
reproducible, and that the results can be used to identify trends.
It should also be noted that the results should
be reported to the personnel with the authority and responsibility to
initiate action on the basis of the outputs themselves. The organization
should have a systematic approach for measuring and monitoring its
OH&S performance on a regular basis, as an integral part of its
management system. The organization needs to monitor and measure
the following in order to determine the performance of the OHSMS and
evaluate its effectiveness:
The extent to which legal and other requirements are fulfilled
including, where applicable, all applicable OH&S legislation,
collective agreements, standards, and codes and insurance
requirements;
Characteristics of activities and operations related to the identified
hazards, risks, and opportunities;
Progress in the achievement of the organization’s OH&S objectives;
Effectiveness of operational and other controls.
Event Local Exhaust Ventilation System (LEV)
9.1.2 Evaluation of compliance
The organization must establish, implement and maintain
the processes for evaluating compliance with legal
requirements and other requirements. The organization
must determine the frequency and methods for the
evaluation of compliance and must evaluate compliance and
take action if needed. It must maintain knowledge and
understanding of its compliance status with legal
requirements and other requirements. It must retain
documented information on the compliance evaluation
results.
exactly what legislation is there that applies to your organization, how
does it apply and why do you need to evaluate it.
The legislation provides regulators with specific duties and powers and
enables the regulators to take enforcement action to mitigate the
consequence of site closures and suspension or revocation of permits.
For example, in 2005/2006 the HSE issued 6400 enforcement notices
and prosecuted in over 1010 cases. Magistrates and courts are coming
under increasing pressure to impose ever more stringent penalties.
With this in mind, there is increasing pressure on organizations from
various sources to improve and ensure compliance. In practice, you
may consider putting a list of compliance obligations within a
spreadsheet as outlined under clause 6 of this document. Periodically
this process should be audited within the internal audit programme to
ensure all compliance obligations have been fulfilled. Audit results
including compliance status should be communicated to senior
leadership within the organization. Any outstanding or pending
requirements can be actioned by the leadership team. This will ensure
compliance with obligations and a reduction in risk, including potential
prosecution. So how can you evaluate compliance? There are essentially
three approaches:
The passive approach means an organization sits back and waits for
things to happen. It relies solely upon feedback from regulators,
employees, and members of the public. Typically few resources are
allocated and compliance efforts are minimized and tend to be focused
on current areas of concern. The drawback of this approach is that it
may well be unrepresentative of the true level of compliance, the
outcome of which being the increased likelihood of a non-compliant
event which could lead to unforeseen prosecutions.
quickly identifies the non-compliance status and corrects it. Following
the proactive system-based approach will enable an organization to:
Make a commitment to compliance
Identify current legal and other requirements specific to the
organization and be aware of pending legislation and its impact on
the organization well in advance.
Understand the full implications of all applicable legislation and
incorporate the requirements into business practices.
Keep information up-to-date.
Identify compliance criteria.
Establish a framework to address and control the identified
compliance requirements.
Provide a mechanism for the on-going review, evaluation, and
reporting of compliance performance
Legislation, regulations, and statutes
Directives
Permits, licenses or other forms of authorization as Orders issued
by regulatory bodies.
Judgments of courts or administrative tribunals
Treaties, conventions, and protocols
Regulator
Description of Regulation
Relevance to the organization — compliance criteria
Responsible Persons
Reference to other parts of the management system e.g.
environmental aspects, health and safety hazards, objectives and
targets
Reference to the license, permit, authorization or notification
Further information (e.g. codes of practice)
Operational Controls
Step 6 – Compliance Verification
Define an action plan for addressing the issues identified in the gap
analysis. The action plan might include the:
Allocation of specific clear roles and responsibilities for compliance.
Communication of the relevance of the requirements at all levels.
Revision of procedures to include operational criteria
Provision of relevant training
Step 9 – Repeat the process
compliance obligations, and risk to the health and safety of workers.
Decide what is reasonable for you, whether that is bi-annually,
quarterly, or whatever you deem suitable. Keep in mind that this
schedule can be changed, preferably through management review and
leadership guidance, in the event of changes that necessitate extra
internal audit activity. The internal audit programme will aid the
organization to achieve the OH&S objectives and targets. It helps:
Monitor compliance with policy and objectives.
Provide evidence that all necessary checks are carried out.
Ensure all current legislative and other requirements are met.
Assess the effectiveness of risk management.
Foster worker engagement leading to a positive safety culture.
Identify improvement using ‘fresh eyes’ to review a process.
Aid continual improvement.
The planning of the internal audit programme must recognize the
importance of the processes concerned and the results of previous
audits. This would be reflected in the audit programme being based on
the results of the risk assessments of the organisation’s activities and
the results of previous audits, which in turn would guide the
organisation in determining the frequency of audits of particular
activities, areas or functions and what parts of the OH&S management
system should be given attention. The OH&S management system
audits should cover areas and activities within the scope of the OHSMS
as defined by clause 4.3 of the standard and also assess conformity to
ISO 45001. The organization must define the audit scope and audit
criteria for each audit. Audit evidence should be evaluated against the
audit criteria to generate the audit findings and conclusions. Audit
evidence should be verifiable. Prior to conducting the audit, the
auditors should review appropriate OH&S management system
documented information, and the results of prior audits. This
information should be used by the organization in planning for the
audit.
It also points out how previous audit results and outputs from risk
assessment can provide inputs for the internal audit itself. Given that
you have a date for your internal audit – whether this is being carried
out by an internal or external auditor – what should you bear in mind
to prepare? Firstly, you must consider how you prepare for your
internal audit. Does your organization have an adequately trained
auditor? Internal audits must be conducted by competent staff with a
degree of impartiality to the area being audited. A risk-based approach
can be applied to areas being audited with an increased focus on higher
risk activities. Internal audits must be planned with an expectation of
each process being audited at regular intervals. In addition to planned
audits, unplanned audits may be conducted in reaction to problematic
areas, near-miss reports or incident data with a focus on accident
prevention. It is beneficial to communicate audit results to applicable
interested parties including workers and set realistic completion
timescales for identified ‘opportunities for improvement’ or
‘nonconformities’. Top Management must be aware of deficiencies
within the system to ensure the necessary resources can be allocated to
mitigate the findings. Audit results will be reviewed as part of the
management review process. ISO 45001, like most other ISO standards,
contains a clause that outlines how organizations should perform
internal audits. Internal audits should meet the planned measures of
the OHSMS and the audit outputs should be made available.
You should establish and plan your internal audit schedule, based on
the results of previous audits and risk assessments. Although it is
sensible and standard, as are other clauses in ISO 45001, the internal
audit should be approached with more care than, for instance, the
comparable clauses in ISO 9001 (Quality Management) or ISO 14001
(Environmental Management). This is because an ineffective OHSMS
audit could endanger the welfare of your employees. The organization
should plan its internal audits at regular intervals. It should,
however, be noted that accidents, incidents, risk assessments or
stakeholder input can all be used to initiate internal audits beyond the
regular schedule. This would be the case if the organization feels it
would be beneficial to the overall health and safety performance. Let’s
look at when, by whom, and how the ISO 45001 system internal audit should
be performed.
performance outputs, risk assessment information and results, desired
OHSMS objectives and stakeholder input.
The ISO 45001 standard requires that management should have access
to the results of any internal audits. This enables the top management
team to make decisions on actions that need to be taken based on the
results from the internal audit. In terms of continual improvement, it is
however also helpful if the auditor makes suggestions based on the
audit itself, as they have had direct experience and interactions with the
procedures and processes during the audit. This will give the
management team a more balanced view of the audit’s effectiveness and
the validity of the results. This will create a bigger chance of continual
improvement and output that could potentially prevent incidents and
accidents. It is obviously necessary that the process is documented,
including findings, outcomes, and actions, as the internal audit takes its
place in the improvement cycle. Make sure that internal audits are
always thorough, honest, and accurate. Use the “plan, do, check, act”
methodology to ensure that the proposed actions are implemented,
effective, and maintained. Once you have done this, you can be sure that
the results of the internal audit are truly effective. The principles of ISO
19011, which addresses system auditing, can also help you with regard to
structuring your audit. So, what other elements do we need to consider
when undertaking the internal audit? Let us consider:
Remember, the internal audit will show your ability to meet the
requirements of the standard itself (or some of it, depending on the
scope of the audit). Ensure you and your organization have met all
requirements of the standards, including management review, risk
assessment, and emergency response. Bear in mind that any non-
conformities will be reported and you should consider using your
corrective action process to rectify any identified non-conformities.
Concentrate on hazard and risk identification. Though closely
related, hazard and risk are not the same thing. ISO 45001 defines
a hazard as a “source or situation with a potential to cause injury
and ill health”. In other words, what features of your processes have
the ability to harm individuals? This could be a hazardous chemical
you need to use in a process or a machine that has a pinch point that
needs to be guarded to protect the people who need to use it. It could
also be an office position that requires certain actions that over time
could lead to repetitive strain injuries. An OH&S risk is defined as
the “combination of the likelihood of occurrence of a work-related
hazardous event or exposure and the severity of the injury and ill
health that can be caused by the event or exposures”. So, the hazard
is the feature of the process that can harm an individual, and the
risk is the likelihood that it will happen along with how severe the
consequences will be. This should be a key element of most internal
audit examinations, and the identification of both, as well as
mitigation of risk, are key to maintaining an effective OH&SMS.
Ensure your corrective action process is effective. In The steps to take
once corrective action is initiated in your OH&SMS, we looked at
the step-by-step process for ensuring corrective action, with respect
to ensuring that root causes of problems were correctly identified
and eradicated. While prevention is preferable to cure in any
OH&SMS, an effective system must have an effective corrective
action process. It is likely that this will be examined closely in most
internal audits.
Ensure your team is ready. Ensuring your team has satisfied these
clauses can be vital to your internal audit. Keep in mind that no
OH&SMS can flourish without employee knowledge, commitment
and buy-in. Ensure that your team is involved in the preparation
for, and execution of the internal audit. This can help your
OH&SMS flourish and your internal audit be successful.
Rehearse for your external audit. Remember that your internal
audit is an opportunity to prepare and rehearse for your external
certification audit. There are several ways you can do this; using the
information in the article What questions should you expect from
the ISO 45001 auditor? should help you prepare your OH&SMS and
your own team for both the internal and likely forthcoming external
audit.
Ensuring your OH&SMS benefits. As stated, the internal audit is not
only a dry run for your external certification audit in terms of the
conformance of your OH&SMS. It is also a huge opportunity for
improvement. Use the information in How to create an internal
audit checklist for your Health & Safety management system to
ensure you cover all the elements required in the standard itself.
Record your results, and clearly outline any corrective action or
improvements made. This will serve as evidence and ensure you
have a record of action and improvement for your next audit,
whether internal or external. Treat your internal audit as a measure
of conformity, an opportunity to improve and a rehearsal for your
external audit. Doing this will ensure that real value can be derived
from this mandatory part of ISO 45001.
continual improvement – the element that underpins the standard
itself.
Have you completed the critical functions of the OH&SMS? Have
you assessed risks and hazards correctly? Have you performed
corrective action in the cases where something has gone wrong?
Have you completed internal audits with satisfactory outcomes and
actions to guarantee improvement to your OH&SMS? Have you
documented these accurately as evidence? These elements are all
central to running a successful OH&SMS; you can be sure the
auditor will focus on these to a large extent; therefore, it is wise to
prepare. Also, be sure to remember that while these elements are
critical, they only make up part of the clauses you will be audited
against!
Can you demonstrate competence, awareness, and evidence of
training? Especially in matters of health and safety, it is critical that
your team can demonstrate that they are aware of processes,
communications that may have taken place, and are generally
aware enough to operate safely within your organization. Ensure
that your employees realize that it is very likely that the auditor will
come and speak to them, and instruct them on how to react. There
is no need to be nervous, but being articulate, truthful, and honest
will help greatly.
Can you demonstrate improvement? As stated previously, this is
necessary to demonstrate your organization’s compliance with ISO
45001. It is therefore certain that the auditor will ask a member of
the team about how this is obtained and evidenced. Be prepared for
this.
How you can make the audit smoother for your organization and
people. It is wise to remember that the auditor is trying to help you
pass, not trying to make you fail. Anticipating the questions he will
ask will undoubtedly help you to prepare your employees and
ensure that they are less nervous, as well as helping you to ensure
that you have all your respective boxes ticked in terms of meeting
the clauses of the standard. Remember that the auditor is trying to
help you make sure your organization remains a safe place to work,
not trying to trip you up. Lastly, should the auditor have any
observations or recommendations during the audit, be sure that you
take them on board and use them to help you improve your
OH&SMS.
9.3 Management review
Top management must review the organization’s OH&S
management system, at planned intervals, to ensure its
continuing suitability, adequacy, and effectiveness. The
management review must consider the status of actions from
previous management reviews. It must consider the changes in
external and internal issues that are relevant to the OH&S
management system, including the needs and expectations of
interested parties, legal requirements and other requirements,
and risks and opportunities. It must consider the extent to which
the OH&S policy and the OH&S objectives have been met. It
must also consider the information on the OH&S
performance such as trends in:
1. incidents, nonconformities, corrective actions, and
continual improvement;
2. monitoring and measurement results;
3. results of the evaluation of compliance with legal
requirements and other requirements;
4. audit results;
5. consultation and participation of workers;
6. risks and opportunities;
they exist. The organization shall retain documented
information as evidence of the results of management
reviews.
The management review topics listed in 9.3 need not be addressed all
at once; the organization should determine when and how the
management review topics are addressed.
Adequate: is the management system implemented appropriately;
Effective: has the management system achieved its intended
outcomes.
Opportunities for continual improvement;
Any need for changes to the OH&S management system;
Additional resources needed;
Any actions needed;
Opportunities to improve the integration of the OH&S management
system with other business processes such as environment, quality,
business continuity, etc.
Any implications for the strategic direction of the organization.
Top management must communicate relevant outputs from the
management reviews to workers, and where they exist, workers’
representatives.
9.3 Summary of the requirement for Management Review
Standard reference
agenda/clause reference point
b2) In addition to B1 note any changes or pending changes to legal and
other requirements and actions to address compliance obligations.
d4) Discuss the results of internal audits and actions that have been taken
to resolve any non-conformities. Discuss areas of improvement and
areas which are performing well.
g) General discussion with the provision of information on how the OH&S
management system is performing and how it can continually improve
in the future