Professional Documents
Culture Documents
Quentic Whitepaper ISO 45001
Quentic Whitepaper ISO 45001
ISO 45001
How to implement the international standard
for occupational health and safety
1
INTRODUCTION
Since March 12th, 2018, occupational health and safety (OH&S) management systems
have a new ISO standard: the ISO 45001. It repaces the previously applicable OHSAS
18001 standard. Companies with occupational health and safety management systems
under OHSAS 18001 have had over three years since the publication of ISO 45001 to
transition their systems to meet the requirements of the new standard. The original
deadline was extended for an additional six months in light of the Corona pandemic
and ended on September 30th, 2021. Having an occupational health and safety system
in compliance with ISO 45001 is worthwhile: It will increase employee safety, motivation
and productivity, as well as bolstering the company image. In this whitepaper, we will
explain the requirements of ISO 45001. You will also learn what concrete steps to take
to implement the standard and upgrade your existing occupational health and safety
management system in accordance with ISO 45001.
2.78
MILLION PEOPLE
CONTENTS
3
WHITEPAPER HEALTH & SAFETY // ISO 45001
With ISO 45001, a unified global standard for company occupational health and
safety management system (OH&SMS) is now available for the first time. The new
standard replaces OHSAS 18001, which was withdrawn at the end of the transition
period on September 30th, 2021.
OHSAS
18001
ISO
45001
4
2 Who needs an ISO 45001 compliant OH&SMS?
Organizations wanting to transfer Organizations whose OHSAS 18001 Organizations whose (potential)
their occupational health and safety certificate expired in September 2021 business partners require them
measures to a reliable structure of and who wish to or have to remain to hold an ISO 45001 compliant
continual improvement. certified. OH&S certificate.
Organizations are subject to extensive Organizations that have not managed to It is increasingly important for organi-
legal requirements that oblige them to switch their OH&S management systems zations not only to improve their own,
provide comprehensive health and safety over from OHSAS 18001 to ISO 45001 with- internal occupational health and safety,
protection in the workplace for their in the designated transition period, but but also to look beyond the confines
workers. For instance, they must carry who still need to prove that they have an of their own organization. Stakeholders
out risk assessments and derive safety OH&S management system can use the are interested in the conditions under
measures from them, continually improve existing basis at their company and further which natural resources are extracted and
health and safety protection, train and develop this system to meet ISO 45001 primary and semi-finished products are
instruct their workers, and document all requirements. In this case, a first-time certi- produced. Looking at occupational health
these activities. Introducing an OH&SMS fication for ISO 45001 will be necessary. and safety across the entire supply chain
provides organizations with a useful is therefore also a key requirement of
tool to ensure both the structured and ISO 45001. Already today, many organiza-
continual implementation of actions and tions insist on ISO 45001 certification as an
compliance with the legal requirements essential requirement for entering into a
(“legal compliance”). business relationship with their partners
(e.g., suppliers). This will put more and
more pressure on businesses across the
supply chain to get certified.
GOOD TO KNOW
9–14
MONTHS
5
WHITEPAPER HEALTH & SAFETY // ISO 45001
The structure and requirements of ISO 45001 are based on the (Clause 3 – all terms relevant to the standard are defined here).
High-Level Structure (HLS) introduced by ISO in 2012. This is a Therefore, ISO 45001 now too has a harmonized structure, just
unified structure, which applies to all new management system like ISO 9001 (quality management systems), 14001 (environ-
standards and consists of a set of ten clauses, with the require- mental management systems), and 50001 (energy management
ments of the relevant management system set out in Clauses systems).
four to ten (see Table 1). Clauses one to three provide introduc-
tory information on the relevant standard, such as its scope of The HLS is based on the Plan-Do-Check-Act management cycle
content (Clause 1 – here: OH&SMS), references to other norms (PDCA cycle) while adding a number of new or stricter require-
(Clause 2 – e.g., references to associated guidelines; however, in ments to it. The PDCA cycle in the HLS comprises the following
the case of ISO 45001 there are none) and terms and definitions requirements:
PLAN: CHECK:
Clause 6: Planning
The objectives and measures for the OH&SMS are derived from
the identification of risks and opportunities as well as hazards.
DO:
6
1 2 3
Scope Normative Terms and
references definitions
4 5 6 7 8 9 10
Context of the Leadership Planning Support Operation Performance Improvement
organization evaluation
A.1 Scope
6.2 7.4.2 8.2 9.2.2
A.2 Normative references OH&S objectives Internal Emergency Internal audit
A.3 Terms and definitions and planning to communication preparedness program
A.4 Context of the achieve them and response
organization
A.5 Leadership and 6.2.1 7.4.3 9.3
worker participation OH&S objectives External Management
A.6 Planning communication review
A.7 Support
A.8 Operation
6.2.2 7.5
A.9 Performance evaluation Planning to Documented
A.10 Improvement achieve OH&S information
objectives
7
WHITEPAPER HEALTH & SAFETY // ISO 45001
Based on the sequence of the standard’s clauses, only the new requirements resulting from the
ISO 45001 standard will be examined in the following. Starting with explaining the changes,
we will then provide you, on that basis, with methodical tips for their implementation and with
practical advice.
New terms and definitions Clause 3 Risks and opportunities: Risk is an effect where the likelihood
of occurrence and the severity of damage that may be caused
Compared with OHSAS 18001, ISO 45001 contains some entirely are uncertain. In ISO 45001, risk refers not only to OH&S risks but
new (e.g., Clause 4: Context of the organization) and some stricter also to risks for the OH&SMS (e.g., prohibition of substances). Risks,
requirements (e.g., Clause 5: Leadership). This is also reflected in as understood by the ISO 45001 standard, can also have positive
the terminology used. outcomes, in which case they are referred to as opportunities.
Apart from the assessment of risks and hazards, the standard also
The term worker has a much wider meaning now. A worker is looks at the opportunities that may result from the various OH&S
expressly defined as any person performing work for the organiza- aspects for the organization. They are taken into account in the
tion – irrespective of whether it is paid or unpaid, seasonal, casual, evaluation and derivation of OH&S objectives and measures.
or full-time work, or whether the worker supports the organiza-
tion internally or externally. This suggests that outsourced services, “Co-determination and consultation” is replaced by
procurement contracts, and subcontractors are coming under “Participation and consultation”. Consultation focuses on
increased scrutiny. The group of people employed by the organi- mutual communication, i.e., dialog and interaction where workers
zation as “workers”, as understood by the ISO 45001 standard, has are asked for their views. Participation aims to involve the workers
become larger and includes, among others, workers at external in important decision-making processes regarding the OH&SMS.
providers (e.g., suppliers), contractors (e.g., maintenance or clean-
ing companies), and temporary employment agencies. All these “Documents and records” is replaced by “documented
workers must be included in the organization’s OH&S measures. information”. This comprises any information required to be
produced, controlled, and maintained by an organization. No
Context of the organization: This refers to internal and linguistic distinction is made between specification documents and
external issues which impact on the OH&SMS either positively or supporting documents. ISO 45001 defines the specific documented
negatively. Issues are conditions that are of immediate relevance information to be maintained, as did OHSAS 18001 previously.
or undergoing political or legal changes. They may, however, also
concern aspects within (e.g., financial standing or knowledge of
the organization) and outside (e.g., new products or available TIP
labor market potential) the organization.
Find out in Clause 5.4 what exactly the
topics are on which workers must be con-
sulted or where they must be involved.
Note:
The key terms of ISO 45001 are defined in Clause 3
of the standard.
8
The organization and its context Clause. 4.1
Organizations are characterized by their internal structures and Every organization must develop its own methodical approach
processes and their integration into an external environment. to identify its internal and external issues. Workshops at company
To develop an understanding of this larger context in which level, department level, or at process level could be one way of
the organization operates, all internal and external issues that doing this. Cluster the issues and, most crucially, derive measures
influence the organization’s OH&S policy, OH&S objectives, and to best tackle the issues in the context of your OH&SMS. It is not
OH&S processes should be identified and considered during the particularly useful to merely produce a collection of issues.
implementation and improvement of the OH&SMS. This means
organizations need to consider and be aware of both their actual
business activity and the environment in which they operate.
TIP
Here are some examples of relevant issues:
Cluster the issues using, for example,
The cultural, social, political, legal, financial, technological, the PESTEL analysis:
economic, and natural environment
– Politics
Competitors, contractors, suppliers, partners, new technolo- – Economy
gies, new laws, and the emergence of new fields of work – Social
– Technology
New knowledge of products and their effects on – Environment
health and safety – Law
9
WHITEPAPER HEALTH & SAFETY // ISO 45001
ISO 45001 requires organizations to pay greater attention to the It is useful to consider the implementation of the standard
needs and expectations of their workers and other interested requirements 4.1 and 4.2 in conjunction with one other. The
parties. Their needs and expectations have to be determined following steps are recommended for their implementation:
and checked to ascertain whether any legal or other binding
requirements arise from them. The term “worker ” has already 1. Assign issues arising from the context analysis (e.g., prohibi-
been explained above. Interested parties are individuals or orga- tion of substances or customer requirements) to the specific
nizations that are either able to influence a decision or activity of interested parties.
the organization or are influenced by such a decision or activity.
Possible interested parties are, for example: 2. Cluster the issues and parties that you identified (e.g., based
on strategic/operational issues or based on departments).
Customers, communities, suppliers, supervisory bodies,
non-governmental organizations, investors (external) 3. Evaluate the relevance of the issues and parties you
identified.
Employees, management, works council, representatives
(internal) 4. Derive measures for the key issues and parties from
your analysis, including an assessment of the binding
commitments.
TIP
Combine the evaluation of the issues and the parties with a risk and
opportunity assessment.
10
Leadership and commitment of the
top management Clause 5.1
With the introduction of ISO 45001, greater emphasis has been By creating values and strategies as well as participation, informa-
put on top management (TM) involvement in the OH&SMS. The tion and communication processes, the top management must
following duties of the TM are specifically defined in Clause 5.1 establish and set an example of an OH&S culture which is then
of the standard: spread throughout the organization by other managers. The fol-
lowing are some examples of specific actions that TM can initiate:
Determine the policy and objectives of the OH&SMS
A self-declaration of commitment to and/or an OH&S policy
Integrate the OH&SMS requirements into business processes on the need for and importance of an internal OH&SMS
Ensure the availability of the resources required for The documented allocation of time as well as human and
the OH&SMS financial resources to the OH&SMS (e.g., OH&S Officer, OH&S
training, safety and first-aid material)
Convey the importance of an effective OH&SMS and the task
performance of every individual Initiation and holding of meetings and staff assemblies with
OH&S content
Support managers and other individuals in fulfilling their tasks
11
WHITEPAPER HEALTH & SAFETY // ISO 45001
Note: TIP
The following are examples of how to achieve this:
– Periodic meetings and consultations There is no need to reinvent the wheel. The
– Health and safety committee meetings issue of risks and opportunities is also a key
– Site inspections aspect of quality, environmental, or energy
– Training, information events management systems. Check whether any
– Employee suggestion schemes tried-and-tested tools of these systems can
– OH&S competitions be used for the OH&S risk and opportunity
– Info corner with notice board assessment or whether it is possible to inte-
grate this assessment in existing assessments.
12
Actions to address risks and opportunities
Clauses 6.1/6.1.2/6.1.4
What is the requirement? 2. Assess and prioritize the risks and opportunities
ISO 45001 requires organizations to identify OH&S-relevant risks Risks and opportunities can usually be evaluated based
and opportunities on an ongoing basis and to use these findings on their likelihood of occurrence and severity (damage or
to derive appropriate actions for dealing with them (Clause 6.1). success). When these two evaluative components are multi-
These risks and opportunities arise from the internal and external plied, a ranking and classification (e.g., A, B, C) of the risks and
issues identified in the context analysis (Clause 4.1), the stakehold- opportunities can be established. The risk and opportunity
er analysis (Clause 4.2), the defined scope of application of your classes determine the need to take action and the urgency
OH&SMS (Clause 4.3), and from the legal obligations and other with which actions need to be planned.
requirements (Clause 6.1.3) as strategic risks and opportunities.
Operational opportunities and risks result from workplace-related
risk assessments as per Clause 6.1.2. 3. Derive measures in the OH&SMS, for example
as follows:
The aim of this risk and opportunity-based approach is to
increasingly encourage organizations to act with foresight and in Risk class A: The risks are unacceptable, unjustifiable, and
a precautionary manner in the OH&SMS. By addressing the risks require immediate action to minimize the risk
and opportunities, you can mentally prepare a response to them.
It also gives you a better understanding of internal processes and Risk class B: The risks are justifiable with some reservations,
structures and external impacts on the organization. short-term action is required to minimize the risk
How is this implemented by organizations? Risk class C: The risks are justifiable, effective preventative
measures are usually established for these
Here, too, the following applies: Every organization must develop
its own methodical approach to identifying risks and opportuni-
ties. The following are useful steps that may be taken: Opportunity classes can be defined in the same way.
13
WHITEPAPER HEALTH & SAFETY // ISO 45001
14
15
WHITEPAPER HEALTH & SAFETY // ISO 45001
To obtain ISO 45001 certification, you will need a structured approach with a regimented time
schedule. We recommend those responsible take the following steps:
2 Information Inform yourself about the ISO 45001 requirements. Purchase the standard and train project
managers.
Also provide your internal auditors with OH&SMS training.
3 Communication Persistently communicate details of the planned “ISO 45001 Introduction/Migration” project
within your organization, in particular as regards the responsibilities and timeline.
4 GAP analysis Perform a structured gap analysis of your existing occupational health and safety
management system.
Align all aspects of your existing management system with the requirements of ISO 45001.
If you do not yet have a formalized occupational health and safety management system,
assess whether the current standard of quality of your workplace health and safety rules is
sufficient to meet the standard’s requirements. Because of the extensive and dual nature of
the German occupational health and safety legislation , you will not be starting from scratch.
The gap analysis will show you which requirements of the standard you are already imple-
menting and to what degree. On this basis, you can then develop an implementation plan.
5 Closing the gaps Define which gaps should be closed by whom, by when, and in what way. You may use the
same structure as set out in ISO 45001 (i.e., Clauses 4 to 10) for this, although you do not have
to use it.
Be sure to adapt your processes, to inform your workers and communicate new regulations,
and to adapt the documentation. It is essential that you focus on the new and stricter
requirements of ISO 45001.
Hold check-in meetings on a regular basis to review what targets have been attained and
plan the next steps.
6 Internal audit Perform an internal audit to assess your level of readiness for (re-) certification. Eliminate any
nonconformities identified here in a timely manner.
If appropriate, you may have an external DELTA audit carried out at this point. This audit
checks whether your existing OH&SMS meets the requirements of ISO 45001.
16
6 Support along the way
It may be very helpful to use a process-supporting software A software program can guide you through the project and
during this process, as this can be customized to your own help you manage your OH&SMS efficiently and present it clearly
OH&SMS. Using the integrated checklists and guidance on during internal or external audits.
actions provided there, the OH&SMS managers can plan their
tasks in the OH&SMS (e.g., OH&S objectives, instructions, audits), Your certification body or advisor will support you in performing
document them (e.g., index of legal provisions, risk assessments), a GAP audit or DELTA audit if need be.
and analyze them (e.g., legal compliance, number of accidents).
17
From left to right: Markus Will,
Jana Brauweiler, Annekatrin Kluttig
THE AUTHORS
Prof. Jana Brauweiler is a professor of “Integrated Management Systems” (IMS) at Hochschule Zittau/Görlitz. Together
with Annekatrin Kluttig and Markus Will, she is involved in the working group supporting the effective implementa-
tion of environmental, OH&S, energy, and quality management systems. The group also promotes the integration of
such systems in industrial SMEs.
At Hochschule Zittau/Görlitz, Jana Brauweiler and Markus Will are responsible for the education and training of
students on the master study courses “Integrated Management Systems” and “Integrated Management”. Together
they have published a number of practical guides on occupational health and safety management systems, on
environmental management, and on the auditing of management systems. They are also both working as advisors
and coaches for companies to support the implementation of such systems in their day-to-day business activities.
Quentic is one of the leading solution providers of Software as a Service (SaaS) for Editor
HSEQ and ESG management. The company is headquartered in Berlin, Germany, and Quentic GmbH
Schreiberhauer Str. 30
employs more than 250 people. Branch offices are located in Germany, Austria, Swit-
10317 Berlin
zerland, Finland, Sweden, Denmark, Belgium, the Netherlands, France, Spain and Italy.
+ 49 30 921 0000 0
contact.en@quentic.com
QUENTIC. THE SOFT WARE www.quentic.com
Photo Credits
title: iStock.com/PeopleImages
The Quentic platform comprises ten individually combinable modules and offers
p. 9: iStock.com/cgtoolbox
an ideal way for companies to manage Health & Safety, Risks & Audits, Incidents p. 10: iStock.com/AJ_Watt
& Observations, Hazardous Chemicals, Control of Work, Legal Compliance, Online p.11: iStock.com/FatCamera
Instructions, Processes, Environmental Management and Sustainability. The portfolio p.12: iStock.com/stocknroll
is complemented by the Quentic App for mobile reporting and by Quentic Analytics p.14: iStock.com/asbe
for powerful HSEQ data analysis using clear and daily updated dashboards. Over 900 p.14: iStock.com/AzmanL
management systems in compliance with ISO 14001, ISO ISO 45001 and ISO 50001.