
ISO/TC 283 N 364

ISO/TC 283
Occupational health and safety management

Email of secretary: sally.swingewood@bsigroup.com


Secretariat: BSI (United Kingdom)

ISO NWIP 45002 - updated preliminary draft for consideration in Kigali

Document type: Other committee document

Date of document: 2019-08-22

Expected action: INFO

Background: This draft is provided as a starting document for the
development of ISO 45002 (ISO 45001 implementation
guidance), assuming that this is approved in the current ballot.
The work will take place in WG3, with a small group of experts
working separately to the main body of experts working to
finalise the current handbook project.
The handbook remains the priority for WG3 at the Kigali
meeting. However, it is possible that this work will be finished
quickly if not many comments are received. Therefore experts to
WG3 - and others - are invited to review this draft and come
with ideas if they wish to be involved in the project going
forward.

Committee URL: https://isotc.iso.org/livelink/livelink/open/tc283


© ISO 2019 – All rights reserved

ISO 45002:2019 (Preliminary draft)


ISO TC 283/SC -/WG 3

Secretariat: XXXX

Occupational Health & Safety Management Systems -
General guidelines on implementation of ISO
45001:2018

Preliminary stage
Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is
subject to change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent
rights of which they are aware and to provide supporting documentation.

© ISO 20XX

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part
of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or
mechanical, including photocopying, or posting on the internet or an intranet, without prior written
permission. Permission can be requested from either ISO at the address below or ISO’s member body in
the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org

Published in Switzerland



ISO 45002 Preliminary draft

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of workers and other interested parties
4.3 Determining the scope of the OH&S management system
4.4 OH&S management system
5.1 Leadership and commitment
5.2 OH&S policy
5.3 Organizational roles, responsibilities and authorities
5.4 Consultation and participation of workers
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 hazard identification and assessment of risks and opportunities
6.1.2.1 hazard identification
6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system
6.1.2.3 Assessment of OH&S opportunities and other opportunities for the OH&S management system
6.1.3 Determination of legal requirements and other requirements
6.1.4 Planning action
6.2 OH&S objectives and planning to achieve them
6.2.1 OH&S objectives
6.2.2 Planning to achieve OH&S objectives
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.4.1 General
7.4.2 Internal communication
7.4.3 External communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.1.1 General
8.1.2 Eliminating hazards and reducing OH&S risks
8.1.3 Management of change
8.1.4 Procurement
8.1.4.1 General
8.1.4.2 Contractors
8.1.4.3 Outsourcing
8.2 Emergency preparedness and response
9 Performance evaluation
9.1 Monitoring, measurement, analysis and performance evaluation
9.1.1 General
9.1.2 Evaluation of performance
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
10 Improvement
10.1 General
10.2 Incident, nonconformity and corrective action
10.3 Continual improvement
Annex A (informative) Annex title e.g. Example of a figure and a table
A.1 Clause title autonumber
A.1.1 Subclause autonumber
A.1.1.1 Subclause autonumber
Bibliography


Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national
standards bodies (ISO member bodies). The work of preparing International Standards is
normally carried out through ISO technical committees. Each member body interested in a
subject for which a technical committee has been established has the right to be represented on
that committee. International organizations, governmental and non-governmental, in liaison
with ISO, also take part in the work. ISO collaborates closely with the International
Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of ISO documents should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see
www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the
subject of patent rights. ISO shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in
the Introduction and/or on the ISO list of patent declarations received (see
www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and
does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 283, Occupational health and
safety management, Working Group 3.

A list of all parts in the ISO 45001 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html.


Introduction
An organization is responsible for the occupational health and safety (OH&S) of workers and
others who can be affected by its activities. This responsibility includes promoting and
protecting their physical and mental health. The adoption of an OH&S management system is
intended to enable an organization to provide healthy and safe workplaces, prevent work-
related injury and ill health, and continually improve its OH&S performance.
The purpose of an OH&S management system is to provide a framework for managing OH&S
risks and opportunities. The aim and intended outcomes of the OH&S management system are
to prevent work-related injury and ill health to workers and to provide safe and healthy
workplaces; consequently, it is critically important for the organization to eliminate hazards and
minimize OH&S risks by taking effective preventive and protective measures.
When these measures are applied by the organization through its OH&S management system,
they improve its OH&S performance. An OH&S management system can be more effective and
efficient when taking early action to address opportunities for improvement of OH&S
performance.
Implementing an OH&S management system that conforms to the requirements in ISO
45001:2018 enables an organization to manage its OH&S risks and improve its OH&S
performance and can assist an organization to fulfil its legal requirements and other
requirements.
This document is intended to give guidance on how to implement the requirements in ISO
45001:2018 - Occupational health and safety management systems in any type of organization.
It follows the structure and clauses of ISO 45001:2018 but where ISO 45001:2018 states what
needs to be done, this document expands on that and gives guidance on how it can be done.
The OH&S management system approach applied in this document is founded on the concept of
Plan-Do-Check-Act (PDCA). The PDCA concept is an iterative process used by organizations to
achieve continual improvement. It can be applied to
a management system and to each of its individual
elements, as follows:
a) Plan: determine and assess OH&S risks, OH&S
opportunities and other risks and other
opportunities, establish OH&S objectives and
processes necessary to deliver results in
accordance with the organization’s OH&S policy;
b) Do: implement the processes as planned;
c) Check: monitor and measure activities and
processes with regard to the OH&S policy and
OH&S objectives, and report the results;
d) Act: take actions to continually improve the OH&S
performance to achieve the intended outcomes.
This document incorporates the PDCA concept into a new framework, as shown in Figure 1.

Figure 1 — Relationship between PDCA and the framework in this document

NOTE The numbers given in brackets refer to the clause numbers in this document.


Occupational health & safety management systems – General
guidelines on implementation

1 Scope

This document provides guidance for an organization on the establishment, implementation,
maintenance and improvement of a robust, credible and reliable OH&S management system
that conforms to ISO 45001:2018.

This document helps an organization achieve the intended outcomes of its OH&S management
system, which include:
— enhancement of OH&S performance;
— fulfilment of legal requirements and other requirements;
— achievement of OH&S objectives.
The guidance in this document can help an organization to enhance its OH&S performance and
enables the elements of the OH&S management system to be integrated into its core business
process.
The guidance in this document is applicable to any organization, regardless of size, type and
nature, and can be used in whole or in part to systematically improve its OH&S management
system. It serves to provide additional explanation of the concepts and requirements.
While the guidance in this International Standard is consistent with the ISO 45001 OH&S
management system model, it is not intended to provide interpretations of the requirements in
ISO 45001. The use of the term “should” in this document is not intended to weaken any of the
requirements in ISO 45001:2018.

2 Normative references
There are no normative references in this document.

3 Terms and definitions


For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following
addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp

— IEC Electropedia: available at http://www.electropedia.org/

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and
relationships to achieve its objectives (3.16)


Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation,
firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether
incorporated or not, public or private.
Note 2 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a
decision or activity
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.3
worker
person performing work or work-related activities that are under the control of the organization
(3.1)
Note 1 to entry: Persons perform work or work-related activities under various arrangements, paid or
unpaid, such as regularly or temporarily, intermittently or seasonally, casually or on a part-time basis.
Note 2 to entry: Workers include top management (3.12), managerial and non-managerial persons.

Note 3 to entry: The work or work-related activities performed under the control of the organization may be
performed by workers employed by the organization, workers of external providers, contractors, individuals,
agency workers, and by other persons to the extent the organization shares control over their work or work-
related activities, according to the context of the organization.
3.4
participation
involvement in decision-making
Note 1 to entry: Participation includes engaging health and safety committees and workers’ representatives,
where they exist.

3.5
consultation
seeking views before making a decision
Note 1 to entry: Consultation includes engaging health and safety committees and workers’ representatives,
where they exist.

3.6
workplace
place under the control of the organization (3.1) where a person needs to be or to go for work
purposes
Note 1 to entry: The organization’s responsibilities under the OH&S management system (3.11) for the
workplace depend on the degree of control over the workplace.
3.7
contractor
external organization (3.1) providing services to the organization in accordance with agreed
specifications, terms and conditions
Note 1 to entry: Services may include construction activities, among others.


3.8
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1)
and interested parties (3.2) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information (3.24).
Note 3 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.9
legal requirements and other requirements
legal requirements that an organization (3.1) has to comply with and other requirements (3.8) that
an organization has to or chooses to comply with
Note 1 to entry: For the purposes of this document, legal requirements and other requirements are those
relevant to the OH&S management system (3.11).
Note 2 to entry: “Legal requirements and other requirements” include the provisions in collective
agreements.
Note 3 to entry: Legal requirements and other requirements include those that determine the persons who
are workers’ (3.3) representatives in accordance with laws, regulations, collective agreements and practices.
3.10
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.14) and
objectives (3.16) and processes (3.25) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities,
planning, operation, performance evaluation and improvement.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
Note 4 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. Note 2 to
entry has been modified to clarify some of the wider elements of a management system.
3.11
occupational health and safety management system
OH&S management system
management system (3.10) or part of a management system used to achieve the OH&S policy (3.15)
Note 1 to entry: The intended outcomes of the OH&S management system are to prevent injury and ill health
(3.18) to workers (3.3) and to provide safe and healthy workplaces (3.6).
Note 2 to entry: The terms “occupational health and safety” (OH&S) and “occupational safety and health”
(OSH) have the same meaning.
3.12
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization, provided ultimate responsibility for the OH&S management system (3.11) is retained.


Note 2 to entry: If the scope of the management system (3.10) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
Note 3 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. Note 1 to
entry has been modified to clarify the responsibility of top management in relation to an OH&S management
system.
3.13
effectiveness
extent to which planned activities are realized and planned results achieved
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.14
policy
intentions and direction of an organization (3.1), as formally expressed by its top management
(3.12)
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.15
occupational health and safety policy
OH&S policy
policy (3.14) to prevent work-related injury and ill health (3.18) to workers (3.3) and to provide safe
and healthy workplaces (3.6)
3.16
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product
and process (3.25)).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an OH&S objective (3.17), or by the use of other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The
original Note 4 to entry has been deleted as the term “OH&S objective” has been defined separately in 3.17.
3.17
occupational health and safety objective
OH&S objective
objective (3.16) set by the organization (3.1) to achieve specific results consistent with the OH&S
policy (3.15)
3.18
injury and ill health
adverse effect on the physical, mental or cognitive condition of a person
Note 1 to entry: These adverse effects include occupational disease, illness and death.
Note 2 to entry: The term “injury and ill health” implies the presence of injury or ill health, either on their
own or in combination.


3.19
hazard
source with a potential to cause injury and ill health (3.18)
Note 1 to entry: Hazards can include sources with the potential to cause harm or hazardous situations, or
circumstances with the potential for exposure leading to injury and ill health.
3.20
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide
73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of
occurrence.
Note 5 to entry: In this document, where the term “risks and opportunities” is used this means OH&S risks
(3.21), OH&S opportunities (3.22) and other risks and other opportunities for the management system.

Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. Note 5 to
entry has been added to clarify the term “risks and opportunities” for its use within this document.
3.21
occupational health and safety risk
OH&S risk
combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s)
and the severity of injury and ill health (3.18) that can be caused by the event(s) or exposure(s)
3.22
occupational health and safety opportunity
OH&S opportunity
circumstance or set of circumstances that can lead to improvement of OH&S performance (3.28)
3.23
competence
ability to apply knowledge and skills to achieve intended results
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.

3.24
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.
Note 2 to entry: Documented information can refer to:
a) the management system (3.10), including related processes (3.25);
b) information created in order for the organization to operate (documentation);
c) evidence of results achieved (records).


Note 3 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.25
process
set of interrelated or interacting activities which transforms inputs into outputs
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.

3.26
procedure
specified way to carry out an activity or a process (3.25)
Note 1 to entry: Procedures may be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5, modified — Note 1 to entry has been modified.]
3.27
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings. Results can be
determined and evaluated by qualitative or quantitative methods.
Note 2 to entry: Performance can relate to the management of activities, processes (3.25), products (including
services), systems or organizations (3.1).
Note 3 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. Note 1 to
entry has been modified to clarify the types of methods that may be used for determining and evaluating
results.

3.28
occupational health and safety performance
OH&S performance
performance (3.27) related to the effectiveness (3.13) of the prevention of injury and ill health (3.18)
to workers (3.3) and the provision of safe and healthy workplaces (3.6)
3.29
outsource, verb
make an arrangement where an external organization (3.1) performs part of an organization’s
function or process (3.25)
Note 1 to entry: An external organization is outside the scope of the management system (3.10), although the
outsourced function or process is within the scope.
Note 2 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.30
monitoring
determining the status of a system, a process (3.25) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
Note 2 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.


3.31
measurement
process (3.25) to determine a value
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.
3.32
audit
systematic, independent and documented process (3.25) for obtaining audit evidence and
evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third
party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its
behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
Note 4 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.

3.33
conformity
fulfilment of a requirement (3.8)
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1.

3.34
nonconformity
non-fulfilment of a requirement (3.8)
Note 1 to entry: Nonconformity relates to requirements in this document and additional OH&S management
system (3.11) requirements that an organization (3.1) establishes for itself.
Note 2 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. Note 1 to
entry has been added to clarify the relationship of nonconformities to the requirements of this document and
to the organization’s own requirements for its OH&S management system.
3.35
incident
occurrence arising out of, or in the course of, work that could or does result in injury and ill health
(3.18)
Note 1 to entry: An incident where injury and ill health occurs is sometimes referred to as an “accident”.
Note 2 to entry: An incident where no injury and ill health occurs, but has the potential to do so, may be
referred to as a “near-miss”, “near-hit” or “close call”.
Note 3 to entry: Although there can be one or more nonconformities (3.34) related to an incident, an incident
can also occur where there is no nonconformity.
3.36
corrective action
action to eliminate the cause(s) of a nonconformity (3.34) or an incident (3.35) and to prevent
recurrence
Note 1 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The
definition has been modified to include reference to “incident”, as incidents are a key factor in occupational
health and safety, yet the activities needed for resolving them are the same as for nonconformities, through
corrective action.
3.37
continual improvement
recurring activity to enhance performance (3.27)
Note 1 to entry: Enhancing performance relates to the use of the OH&S management system (3.11) in order to
achieve improvement in overall OH&S performance (3.28) consistent with the OH&S policy (3.15) and OH&S
objectives (3.17).
Note 2 to entry: Continual does not mean continuous, so the activity does not need to take place in all areas
simultaneously.
Note 3 to entry: This constitutes one of the common terms and core definitions for ISO management system
standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. Note 1 to
entry has been added to clarify the meaning of “performance” in the context of an OH&S management system;
Note 2 to entry has been added to clarify the meaning of “continual”.


4 Context of the organization


Introductory clause text?

4.1 Understanding the organization and its context

In order for an organization to establish, implement, maintain and continually improve an
occupational health & safety management system, it should determine the context within which
it operates. Determining the context here means reviewing, in general, what can help or make it
more difficult to achieve the intended outcomes of the OH&S management system.
The term “intended outcome” means what the organization intends to achieve by implementing
its OH&S management system. Intended outcomes include enhancement of occupational health
& safety performance, fulfilment of compliance obligations and achievement of occupational
health & safety objectives. These are the minimal, core outcomes. However, the organization can
set additional intended outcomes, such as going beyond the scope and requirements of the
management system. For example, the organization can require that suppliers also implement
OH&S management systems.
The organization should consider both external and internal issues that can be relevant and
have a potential impact on the OH&S management system.
Understanding the context is important, as the organization’s ability to achieve the intended
outcomes depends on many different external and internal issues, such as the organization’s
activities, products and services, complexity, structure and geographical locations of its
functional units for the entire organization, as well as at a local level. The organization should be
aware that external and internal issues can change, and therefore, should be monitored and
reviewed. An organization might conduct reviews of its context at planned intervals and
through activities such as management review.
Issues are important topics for the organization, problems for debate and discussion, or
changing circumstances that affect the organization’s ability to achieve the intended outcomes it
sets for its OH&S management system.
To understand which issues are important, the organization can consider those that:
- are key concerns for workers and other interested parties;
- have been known to cause injuries and ill health in the past;
- relate to legal requirements and other requirements;
- may be challenging in relation to OH&S management such as cultural, competence and
resource issues;
- can be leveraged for beneficial effect, including consultation and participation of
workers and innovation leading to improved OH&S performance;
- offer other advantages like improvement of the organization’s reputation.
There is no requirement in ISO 45001:2018 to document, in any way, the results of the
work to understand the organization and its context. It is, however, good
practice to do so, as this enables the organization to use the output in a more structured way
when the management system is established, implemented, maintained and continually
improved. It may also be very helpful to retain these results when people or processes change
over time and to be able to review what could have been done differently when incidents occur,
or the OH&S system is not successful in delivering its intended outcomes.


Here are a few examples of how internal and external issues that are relevant for the OH&S
management system can be determined.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

4.2 Understanding the needs and expectations of workers and other interested
parties

Workers and other interested parties constitute part of the context in which an organization
operates and should be taken into account when the organization is reviewing its context.
Determining interested parties and developing a relationship with them enables
communication, which can lead to the potential for building mutual understanding, trust and
respect. This relationship need not be formal.
The organization should determine its interested parties and their needs and expectations,
related to their OH&S management system. The organization can benefit from a process that
identifies the relevant needs and expectations of workers and other interested parties, to
determine those that it has to comply with and voluntary agreements that it chooses to comply
with. The methods used, and resources applied, can vary depending on, for example, the size
and nature of the organization, the finances available, the OH&S risks and opportunities that
need to be addressed and the organization’s experience with OH&S management.
The organization is expected to gain a general (i.e. high-level, not detailed) understanding of the
expressed needs and expectations of workers and other relevant interested parties, so that the
knowledge gained can be considered when determining its legal requirements and other
requirements.
Determining other relevant interested parties, in addition to workers
Workers on all levels are always at the heart of the OH&S management system but other
interested parties can also be relevant to the organization’s OH&S system and their needs
should be determined. Regulatory or statutory agencies are also always relevant but so too are
customers, communities, owners, neighbours etc. and these should be considered. Interested
parties can change over time and can depend on the sector or industry or the geographic
location in which the organization operates. Changes in the internal or external issues that are
part of the organization’s context can also result in a change in interested parties.
Determining relevant needs and expectations of workers and other interested parties
An organization should determine the relevant needs and expectations of its workers and other
relevant interested parties as an input towards the design of the OH&S management system.
Relevant interested parties, those that have been identified as having a role in the context, may
have some needs that are not relevant to the organization’s OH&S management system and thus
not all their needs are necessarily considered.
Determining legal requirements and other requirements
An organization should determine which of the relevant interested parties’ needs and
expectations it has to comply with, and then which of the remaining needs and expectations it
chooses to adopt, all of which become its legal requirements and other requirements. This
general, high level knowledge then gives input to managing legal requirements and other
requirements as further detailed in 6.1.3.
There is no single approach to determining needs and expectations. The organization should
use an approach that is appropriate to its scope, nature and scale, and is suitable in terms of
detail, complexity, time, cost and availability of reliable data. The organization can determine
the needs and expectations of its relevant interested parties through other processes or for
other purposes.
Worker requirements can be stipulated in collective and other agreements.
For requirements set by a regulatory body, the organization should gain knowledge of those
broad areas of legislation that are applicable, such as OH&S management systems,
consultation and participation, working hours, anti-discrimination, air quality, fall protection,
ergonomics, machine guarding, etc.
In the case of voluntary commitments, the organization should gain broad knowledge of the
relevant needs and expectations, such as customer requirements, voluntary codes and
agreements with community groups or public authorities. This knowledge enables the
organization to understand the implications these can have on the achievement of the intended
outcomes of its OH&S management system.
Use and application of the needs and expectations of interested parties
The outputs of the steps above should be considered in setting the scope of the organization’s
OH&S management system, establishing its OH&S policy, identifying hazards, and determining legal
requirements and other requirements and the risks and opportunities that need to be
addressed by the organization. Although not a requirement in ISO 45001:2018, the organization
can find it useful to document this information to facilitate its use to meet other elements in this
International Standard.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......


4.3 Determining the scope of the OH&S management system

An organization should determine the boundaries and applicability of the OH&S management
system to establish its scope using the input from 4.1 and 4.2. An organization can choose to
implement an OH&S management system with respect to the entire organization, or to a
subdivision of the organization, provided this is consistent with its definition of its workplace.
However, once the workplace is defined, all the work-related activities and services of the
organization, or subdivision, within that workplace need to be included in the OH&S
management system.

Care should be taken in defining and documenting the scope of the OH&S management system,
to determine who, what and where, are to be covered, considering geographical, physical and
organizational boundaries. The scope should not be limited so as to exclude an operation or
activity that can have an impact on the OH&S performance of the organization.

The top management of the organization retains the freedom and flexibility to define the scope
of the OH&S management system. It may include the entire organization or specific operating
units of the organization. The organization should understand the extent of control or influence
that it can exert over activities, products and services. It is critical to the success of the OH&S
management system and to the credibility of the organization’s reputation to ensure that the
scope is not defined in a way that excludes activities, products, services or facilities that have or
can have significant impact on the OH&S performance, or in a way that evades its legal
requirements or other requirements or misleads interested parties.

Where the scope is limited to a subset of a larger organization, top management generally refers
to the top management of that part of the organization. However, top management at the higher
level of the organization can retain responsibility for directing and supporting the OH&S
management system. If the organization changes its sphere of control or influence, expands its
operations, acquires more property, or divests business lines or property, the scope should be
reconsidered, along with other changes likely to affect the OH&S management system.

When considering the scope of the OH&S management system, it is important to understand that
outsourced functions and processes are considered to be in scope of the OH&S management system, even
though the organization that performs these activities is not within the scope.

The organization should maintain the scope as documented information and it is good practice
to make it available to interested parties. There are several methods for doing so, e.g. using a
written description, inclusion on a site map, an organizational diagram, a webpage, or posting a
public statement of its conformity. When documenting its scope, the organization can consider
using an approach that identifies the activities involved, the products and services that result,
and their application and/or the location where they occur.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......


Example 3

To be written.......

4.4 OH&S management system

An organization should determine the boundaries and applicability of the OH&S management
system to establish its scope using the input from 4.1 and 4.2. The top management of the
organization retains the freedom and flexibility to define the scope of the OH&S management
system. It may include the entire organization or a specific part(s) of the organization. However,
once the scope is defined, all the work-related activities and services of the organization, or
subdivision, within that scope need to be included in the OH&S management system.

Care should be taken in defining and documenting the scope of the OH&S management system,
to determine who, what and where, are to be covered, considering geographical, physical and
organizational boundaries. The organization should understand the extent of control or
influence that it can exert over activities, products and services. It is critical to the success of the
OH&S management system and to the credibility of the organization’s reputation to ensure that
the scope is not defined in a way that excludes activities, products, services or facilities that
have or can have significant impact on the OH&S performance, or in a way that evades its legal
requirements or other requirements or misleads interested parties.

Where the scope is limited to a subset of a larger organization, top management generally refers
to the top management of that part of the organization. However, top management at the higher
level of the organization can retain responsibility for directing and supporting the OH&S
management system. If the organization changes its sphere of control or influence, expands its
operations, acquires more property, or divests business lines or property, the scope should be
reconsidered, along with other changes likely to affect the OH&S management system.

When considering the scope of the OH&S management system, it is important to understand that
outsourced functions and processes are considered to be in scope of the OH&S management system
according to the definition of “outsourcing” in ISO 45001:2018, even though the organization
that performs these activities is not within the scope.

The organization should maintain the scope as documented information and it is good practice
to make it available to interested parties. There are several methods for doing so, e.g. using a
written description, inclusion on a site map, an organizational diagram, a webpage, or posting a
public statement of its conformity. When documenting its scope, the organization can consider
using an approach that identifies the activities involved, the products and services that result,
and their application and/or the location where they occur.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......


Example 3

To be written.......

4.4 OH&S management system

This requirement in ISO 45001:2018 is a general statement concerning the establishment,
implementation, maintenance and continual improvement of an OH&S management system
within an organization. “Establish” implies a level of permanency and the system should not be
considered established until all its elements have been demonstrably implemented. “Maintain”
implies that, once established, the system continues to operate. This requires active effort on the
part of the organization. Many systems start well but deteriorate due to lack of maintenance.
Many of the elements of ISO 45001 (such as checking and corrective action and management
review) are designed to ensure active maintenance of the system. “Continual improvement”
focuses on achieving the intended outcomes of the OH&S management system.

An OH&S management system should be viewed as a way of organizing occupational health &
safety management in a way where OH&S management processes and other business processes
interact in order to achieve the intended outcomes of the OH&S management system and to
provide effective direction for an organization’s response to changing external and internal
issues.

The level of detail and complexity of the OH&S management system, the extent of
documentation and the resources devoted to it are dependent on the nature (size, structure,
complexity) of an organization and its activities.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

5 Leadership and worker participation


Introductory clause text?

5.1 Leadership and commitment

This subclause in ISO 45001:2018 states a number of ways top management should
demonstrate the leadership and commitment necessary for the OH&S management system to
be successful and to achieve improved OH&S performance. The intent of this subclause is to
ensure that top management demonstrate leadership and commitment by taking an active role
in engaging, promoting, ensuring, communicating and monitoring the performance and
effectiveness of the OH&S management system. The ways it can be applied are based on various
factors, such as the size and complexity of an organization, management style and
organizational culture.

Since the term “top management” is defined as the “person or group of people who directs and
controls an organization at the highest level” it should be clear that it is not the OH&S staff or
middle management that is accountable and responsible for the overall performance of the
management system. In other clauses in ISO 45001:2018 there are examples of further direct
“top management” responsibilities including the OH&S policy, organizational roles,
responsibilities and authorities as well as the management review. If the scope of the
management system covers only part of an organization, then top management refers to those
who direct and control that part of the organization.

Top management sets an organization’s mission, vision and values, considering its context, the
needs and expectations of its interested parties, and business objectives including the OH&S
policy and objectives and the integration of OH&S requirements in general business processes.
These are part of its strategic plans.

Top management’s commitment, accountability and leadership are vital for the successful
implementation of an effective OH&S management system, including the capability to achieve
intended outcomes. Top management should therefore take accountability for the effectiveness
of the organization’s OH&S management system and ensure that its intended outcomes are
achieved.

Top management’s commitment means providing physical and financial resources, as well as
direction. It includes active involvement and leading others to support the OH&S system and
communication of the importance of effective OH&S management. It also means ensuring that
processes for effective consultation and participation are established including promotion of
establishing effective occupational OH&S committees.

Another specific requirement in ISO 45001:2018 for top management is to ensure that workers
are protected from reprisals when they report e.g. injuries, ill health, unsafe conditions, near
misses, risks & opportunities to OH&S or to the management system.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written........


5.2 OH&S policy

An OH&S policy defines the overall strategic direction of an organization with respect to
occupational health & safety and it is the responsibility of top management to establish,
implement and maintain the OH&S policy.

The organization’s OH&S policy should be “appropriate to the purpose, size and context of the
organization and to the specific nature of its OH&S risks and OH&S opportunities”. This means
that it should be specific enough to be focused on the issues that are significant for the
organization to keep workers safe and continually improve its OH&S performance.

It should enable persons under the control of the organization to understand the overall
commitment of the organization and how this can affect their individual responsibilities.

ISO 45001:2018 also states that the OH&S policy should provide a framework for setting OH&S
objectives. This means that key issues highlighted in the policy should be reflected in some way
in the OH&S objectives. The policy should also include commitments to fulfil relevant
requirements, eliminate hazards, reduce OH&S risks, continually improve the OH&S
management system and a commitment to consultation and participation of workers, and,
where they exist, workers’ representatives.

In developing its OH&S policy, an organization should consider:


— its mission, vision, core values and beliefs,
— coordination with other policies (corporate, integrated, etc.),
— the needs of persons working under the control of the organization,
— the hazards of the organization,
— legal requirements and other requirements to which the organization subscribes that relate
to its hazards,
— historical and current OH&S performance by the organization,
— opportunities and needs for continual improvement and the prevention of injury and ill
health,
— the views of interested parties,
— what is needed to establish realistic and achievable objectives.
The OH&S policy can be linked with or integrated with other policy documents of the
organization and should be consistent with the organization’s overall business policies.

The communication of the policy should assist in:

— demonstrating the commitment of top management and the organization to OH&S,
— increasing awareness of the commitments made in the policy statement,
— explaining why the OH&S system is established and is maintained,
— guiding individuals in understanding their OH&S responsibilities and accountabilities (see
4.4.2).


In communicating the policy, consideration should be given to how to create and maintain
awareness in both new and existing persons under the control of the organization. The policy
can be communicated in alternative forms to the policy statement itself, such as through the use
of rules, directives and procedures, wallet cards, posters, etc. In communicating the policy,
account should be taken of issues such as diversity in the workplace, literacy levels, language
skills, etc.

It is for the organization to determine how it wishes to make the policy available to its
interested parties, e.g. through publication on a web site, or by providing printed copies on
request.

The OH&S policy should be reviewed periodically to ensure that it remains relevant and
appropriate to the organization.

Change is inevitable, as legislation and societal expectations evolve; consequently, the
organization’s OH&S policy and OH&S management system need to be reviewed regularly to
ensure their continuing suitability and effectiveness. If changes are made to the policy, the
revised policy should be communicated to all persons working under the control of the
organization.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

5.3 Organizational roles, responsibilities and authorities

For the OH&S management system to be effective and deliver its intended outcomes it is
essential that roles, responsibilities and authorities are set by top management and understood
by the organization. Responsibilities and authorities can be assigned to one or more persons.
They should be able to make decisions and effect change to the area and/or processes to which
they have been assigned. It is essential to emphasise that although authority can be delegated,
the overall responsibility and accountability for the occupational health & safety management
system remains with top management. These responsibilities and authorities should be
maintained as documented information. Top management should:
- identify who needs to do what with respect to the management of OH&S and make sure
they are aware of their responsibilities and authority,
- ensure there is clarity of responsibilities at the interfaces between different functions (e.g.
between departments, between different levels of management, between workers,
between the organization and contractors, between the organization and its neighbours),
- assign the responsibility and authority for reporting on the performance of the OH&S
management system to top management in e.g. management meetings, reports, KPIs and
reviews.
In some organizations, there could be a limited number of persons with the required
competence available to carry out the tasks required; it could be useful to plan for sharing roles
and responsibilities. Such plans are valuable during holidays, when managers are away from the
facility or in cases of accident or illness.

Top management should determine how to communicate the relevant roles, responsibilities and
authorities. This could be through the use of relevant documented information, e.g. procedures,
instructions, job/project/task descriptions, training/induction packages etc.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

Clause 5.4 in ISO 45001:2018 is unique and has no real equivalent in other ISO management
system standards so far. Perhaps others will follow, as the involvement of people other than top
management and experts is one of the most important keys to successful management of almost
anything. The requirements in ISO 45001:2018 basically state that:

1. You need to involve workers at all levels and functions and their representatives (where such
representatives exist) when the OH&S management system is developed, planned and implemented,
as well as when it is being maintained.

2. The organization needs to make sure workers are given the opportunity to be consulted (be
given the opportunity to give their input and opinions) and/or participate (be involved in the
decision-making) by giving them adequate time, training and information to do so, and by removing
or minimizing obstacles and barriers to involvement.

3. Organizations typically focus on involving management at all levels, and OH&S experts, but
not non-managerial workers, e.g. workers on the shop floor, administrative staff,
sales staff or others at lower levels of the organization’s hierarchy. Since this happens a lot,
there are specific requirements in ISO 45001:2018 that, for some parts and processes of the
OH&S management system, the organization needs to work extra hard (emphasize) to
involve these workers. The requirements in this clause specify when participation is needed
and when consultation is needed instead.


Consultation is required for determining overall legal requirements and other requirements,
assigning who does what, establishing the OH&S policy & objectives, operational controls,
monitoring and measurement as well as for the audit programme.

Participation is required for identifying hazards and assessment of risks & opportunities and for
determining action to manage these but also regarding competence, training, communication,
control measures and investigation of incidents and nonconformities as well as for taking
action on these.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6 Planning

Introductory clause text?

6.1 Actions to address risks and opportunities

Introductory subclause text?

6.1.1 General

Planning is critical for determining and taking the actions needed to ensure that the
occupational health & safety management system can achieve its intended outcomes. The
planning is an ongoing process, used both to establish and implement elements of the
management system and to maintain and improve them, based on changing circumstances and
inputs and outputs of the management system itself. The planning process can help an
organization identify and focus on those areas that are most important for preventing injury
and ill health. It can also assist the organization in fulfilling its legal requirements and other
requirements and other OH&S policy commitments and establishing and achieving its OH&S
objectives.
The organization should have (a) process(es) to determine risks and opportunities that need to
be addressed. The process starts with applying an understanding of the context in which the
organization operates, including issues that can affect the intended outcomes of the OH&S
management system (see 4.1) and relevant needs and expectations of workers and other
relevant interested parties. Along with the scope of the OH&S management system, these
become inputs that should be considered in determining the risks and opportunities that need
to be addressed. Information generated in the planning process is an important input for
determining operations that have to be controlled. This information can also be used in the
establishment and improvement of other parts of the OH&S management system, such as
identifying training, competency, monitoring and measurement needs.
The organization should maintain documented information about its risks and opportunities
but also about how these were determined, and actions needed to control these risks and
opportunities.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.1.2 Hazard identification and assessment of risks and opportunities

Hazards have the potential to cause human injury or ill health. Hazards therefore need to be
identified before the risks associated with these hazards can be assessed and, if no controls exist
or existing controls are inadequate, effective controls should be implemented according to the
hierarchy of controls.
An organization will need to apply the process of hazard identification and risk assessment to
determine the controls that are necessary to reduce the risks of incidents. The overall purpose of
the risk assessment process is to recognize and understand the hazards that might arise in the
course of the organization’s activities and ensure that the risks to people arising from these
hazards are assessed, prioritized and controlled to a level that is acceptable.
This is achieved by:
— developing a methodology for hazard identification and risk assessment,
— identifying hazards,
— estimating the associated risks, taking into account the adequacy of any existing controls (it
could be necessary to obtain additional data and perform further analysis in order to achieve
a reasonable estimation of the risks),
— determining whether these risks are acceptable, and
— determining the appropriate risk controls, where these are found to be necessary (workplace
hazards and the way they are to be controlled are often defined in regulations, codes of
practice, guidance published by regulators, and industry guidance documents).
The results of risk assessments enable the organization to compare risk reduction options and
prioritize resources for effective risk management. The outputs from the hazard identification,
risk assessment and determining control processes should also be used throughout the
development and implementation of the OH&S management system.


Hazard identification and risk assessment methodologies vary greatly across industries, ranging
from simple assessments to complex quantitative analyses with extensive documentation.
Individual hazards can require that different methods be used, e.g. an assessment of long-term
exposure to chemicals can need a different method than that taken for equipment safety or for
assessing an office workstation. Each organization should choose approaches that are
appropriate to its scope, nature and size, and which meet its needs in terms of detail, complexity,
time, cost and availability of reliable data. In combination, the chosen approaches should result
in an inclusive methodology for the ongoing evaluation of all the organization’s OH&S risks.
The management of change (see 4.3.1.5) needs to be considered for changes in assessed risks,
determination of controls, or the implementation of controls. Management review should be
used to determine whether changes to the methodology are needed overall.
To be effective, the organization’s procedures for hazard identification and risk assessment
should take account of the following:
— hazards,
— risks,
— controls,
— management of change,
— documentation,
— ongoing review.
To ensure consistency of application, it is recommended that these procedure(s) be
documented.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.1.2.1 Hazard identification

Hazard identification should aim to determine proactively all sources, situations or acts (or a
combination of these), arising from an organization’s activities, with a potential for harm in
terms of human injury or ill health. Examples include:

— sources (e.g. moving machinery, radiation or energy sources),

— situations (e.g. working at heights), or

— acts (e.g. manual lifting).


Hazard identification should take into account all potential types of hazards in the workplace,
including physical, chemical, biological and psychosocial.

The organization should establish specific hazard identification tools and techniques that are
relevant to the scope of its OH&S management system.

The following sources of information or inputs should be considered during the hazard
identification process:

— OH&S legal requirements and other requirements, e.g. those that prescribe how hazards
should be identified,

— OH&S policy,

— monitoring data,

— occupational exposure and health assessments,

— records of incidents and sick days,

— reports from previous audits, assessments or reviews,

— input from workers, worker representatives and other interested parties,

— information from other management systems (e.g. for quality management or
environmental management),

— process review and improvement activities in the workplace,

— information on best practice and/or typical hazards in similar organizations,

— reports of incidents that have occurred in similar organizations,

— information on the facilities, processes and activities of the organization, including the
following:

• workplace design, traffic plans (e.g. pedestrian walkways, vehicle routing), site plan(s),

• process flowcharts and operations manuals,

• inventories of hazardous materials (raw materials, chemicals, wastes, products,
sub-products),

• equipment specifications,

• product specifications, material safety data sheets, toxicology and other OH&S data.

Hazard identification processes should be applied to both routine and to non-routine (e.g.
periodic, occasional, or emergency) activities and situations. Examples of non-routine activities
and situations that should be considered during the hazard identification process include:

— facilities or equipment cleaning,


— temporary process modifications,

— non-scheduled maintenance,

— plant or equipment start-ups/shut-downs,

— off-site visits (e.g. field trips, customer supplier visits, prospecting, excursions),

— refurbishment,

— extreme weather conditions,

— utility (e.g. power, water, gas, etc.) disruptions,

— temporary arrangements,

— emergency situations.

One of the bigger challenges for many organizations is how to prevent ill health due to
organizational and social conditions in the work environment. Hazard identification should
consider the potential impact of:

- how work is organized,
- unhealthy workloads,
- inadequate resources,
- work hours,
- inadequate communication,
- victimization,
- harassment,
- bullying,
- poor management of work,
- work cultures that do not support the OH&S management system.

Hazard identification should consider all persons having access to the workplace (e.g.
customers, visitors, service contractors, delivery personnel, as well as employees) and:

— the hazards and risks arising from their activities,

— the hazards arising from the use of products or services supplied to the organization by
them,

— their degree of familiarity with the workplace, and

— their behaviour.


Human factors, such as capabilities, behaviours and limitations, have to be taken into account
when evaluating the hazards and risks of processes, equipment and work environments. Human
factors should be considered whenever there is a human interface and take into account issues
such as ease of use, potential for operational errors, operator stress and user fatigue.

In considering human factors, the organization’s hazard identification process should consider
the following, and their interactions:

— the nature of the job (workplace layout, operator information, work load, physical work,
work patterns),

— the environment (heat, lighting, noise, air quality),

— human behaviour (temperament, habits, attitude),

— psychological capabilities (cognition, attention),

— physiological capabilities (biomechanical, anthropometrics/physical variation of people).

In some instances, there can be hazards which occur or originate outside the workplace that can
have an impact on individuals within the workplace (e.g. releases of toxic materials from
neighbouring operations). Where such hazards are foreseeable, these should be addressed.

The organization could be obliged to give consideration to hazards created beyond the
boundary of the workplace, particularly where there is a legal obligation or duty of care
concerning such hazards. In some legal jurisdictions such hazards are instead addressed
through the organization’s environmental management system.

For the hazard identification to be effective the organization should use an approach that
includes information from a variety of sources, especially inputs from people who have
knowledge of its processes, tasks or systems, e.g.:

— observations of behaviour and work practices and analyses of the underlying causes of
unsafe behaviour,

— benchmarking,

— interviews and surveys,

— safety tours and inspections,

— incident reviews and subsequent analyses,

— monitoring and assessment of hazardous exposures (chemical and physical agents),

— workflow and process analysis, including their potential for creating unsafe behaviour.

Hazard identification should be conducted by a person(s) with competence in relevant hazard
identification methodologies and techniques and appropriate knowledge of the work activity.
Checklists can be used as a reminder of what types of potential hazards to consider and to
record the initial hazard identification; however, care should be taken to avoid over-reliance on
the use of checklists (see Annex C). Checklists should be specific to the work area, process or
equipment being evaluated.


Examples of potential emergency situations can include:

— fires and explosions,

— release of hazardous materials/gases,

— natural disasters, bad weather,

— loss of utility supply (e.g. loss of electric power),

— pandemics/epidemics/outbreaks of communicable disease,

— civil disturbance, terrorism, sabotage, workplace violence,

— failure of critical equipment,

— traffic accidents.

When identifying potential emergency situations, consideration should be given to emergencies
that can occur during both normal operations and abnormal conditions (e.g. operation start-up
or shut-down, construction or demolition activities).

Information that should be considered in identifying potential emergency situations includes
the following:

— the results of hazard identification and risk assessment activities performed during the
OH&S planning process (see 4.3.1),

— legal requirements,

— the organization’s previous incident (including accident) and emergency experience,

— emergency situations that have occurred in similar organizations,

— information related to accident and/or incident investigations posted on the websites of
regulators or emergency response agencies.

The organization should determine and assess how emergency situations will impact all
persons within and/or in the immediate vicinity of workplaces controlled by the organization.
Consideration should be given to those with special needs, e.g. people with limited mobility,
vision and hearing. This could include employees, temporary workers, contract employees,
visitors, neighbours or other members of the public. The organization should also consider
potential impacts on emergency services personnel while at the workplace (e.g. fire-fighters).


How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management
system

Risk is the combination of the likelihood of an occurrence of a hazardous event or exposure(s)
and the severity of injury or ill health that can be caused by the event or exposure(s).
Risk assessment is a process of evaluating the risk(s) arising from a hazard(s), taking into
account the adequacy of any existing controls, and deciding whether the risk(s) is acceptable.
An acceptable risk is a risk that has been reduced to a level that the organization is willing to
assume with respect to its legal obligation, its OH&S policy and its OH&S objectives.
NOTE Some reference documents use the term “risk assessment” to encompass the entire
process of hazard identification, risk assessment and determining controls; ISO 45001 refers to
the individual elements of this process separately and uses the term “risk assessment” to refer
explicitly to the second stage of this process.
Inputs to the risk assessment processes can include, but are not limited to, information or
data on the following:
— details of location(s) where work is carried out,
— the proximity and scope for hazardous interaction between activities in the workplace,
— security arrangements,
— the human capabilities, behaviour, competence, training and experience of those who
normally and/or occasionally carry out hazardous tasks,
— toxicological data, epidemiological data and other health related information,
— the proximity of other personnel (e.g. cleaners, visitors, contractors, the public) who might
be affected by hazardous work,
— details of any work instructions, systems of work and/or permit-to-work procedures,
prepared for hazardous tasks,


— manufacturers’ or suppliers’ instructions for operation and maintenance of equipment and
facilities,
— the availability and use of control measures [e.g. for ventilation, guarding, personal
protective equipment (PPE), etc.],
— abnormal conditions (e.g. the potential interruption of utility services such as electricity
and water, or other process failures),
— environmental conditions affecting the workplace,
— the potential for failure of plant and machinery components and safety devices or for their
degradation from exposure to the elements or process materials,
— details of access to, and adequacy/condition of emergency procedures, emergency escape
plans, emergency equipment, emergency escape routes (including signage), emergency
communication facilities, and external emergency support, etc.,
— monitoring data related to incidents associated with specific work activities,
— the findings of any existing assessments relating to hazardous work activity,
— details of previous unsafe acts either by the individuals performing the activity or by others
(e.g. adjacent personnel, visitors, contractors, etc.),
— the potential for a failure to induce associated failures or disabling of control measures,
— the duration and frequency at which tasks are carried out,
— the accuracy and reliability of the data available for the risk assessment,
— any legal requirements and other requirements which prescribe how the risk assessment
has to be performed or what constitutes an acceptable risk, e.g. sampling methods to
determine exposure, use of specific risk assessment methods, or permissible exposure
levels.
Risk assessment should be conducted by a person(s) with competence in relevant risk
assessment methodologies and techniques and appropriate knowledge of the work activity.
An organization can use different risk assessment methods as part of an overall strategy for
addressing different areas or activities. When seeking to establish the likelihood of harm, the
adequacy of existing control measures should be taken into account. A risk assessment should
be detailed enough to determine appropriate control measures.
Some risk assessment methods are complex and appropriate to special or particularly
hazardous activities. For example, risk assessment of a chemical process plant might require
complex mathematical calculations of the probabilities of events that could lead to a release of
agents that might affect individuals in the workplace or the public. In many countries,
sector-specific legislation specifies where this degree of complexity is required.
In many circumstances, OH&S risk can be addressed using simpler methods and can be
qualitative. These approaches typically involve a greater degree of judgment, since they place
less reliance on quantifiable data. In some cases, these methods will serve as initial screening
tools, to determine where a more detailed assessment is needed.
The risk assessment should involve consultation with, and appropriate participation by,
workers and take into account legal requirements and other requirements. Regulatory guidance
should be taken into account where applicable.


The organization should consider limitations in the quality and accuracy of the data used in the
risk assessments and the possible effect this could have on the resulting calculation of risk. The
higher the level of uncertainty in the data, the greater is the need for caution in determining
whether the risk is acceptable.
Some organizations develop generic risk assessments for typical activities that can occur in
several different sites or locations. Such generic assessments can be useful as a starting point for
more specific assessments but could need to be customized to be appropriate to the particular
situation. This approach can improve the speed and efficiency of the risk assessment process
and improve the consistency of risk assessments for similar tasks.
When the organization’s risk assessment method uses descriptive categories for assessing
severity or likelihood of harm, they should be clearly defined, e.g. clear definitions of terms such
as “likely” and “unlikely” are needed to ensure that different individuals interpret them
consistently.
The organization should consider risks to sensitive populations (e.g. pregnant workers) and
vulnerable groups (e.g. inexperienced workers), as well as any particular susceptibilities of the
individuals involved in performing particular tasks (e.g. the ability of an individual who is
colour-blind to read instructions).
The organization should evaluate how the risk assessment will take into account the number of
persons that might be exposed to a particular hazard. Hazards that could cause harm to large
numbers of persons should be given careful consideration even when it is less likely for such
severe consequences to occur.
Risk assessments to evaluate the harm from exposure to chemical, biological and physical
agents might require measurement of exposure concentrations with appropriate instruments
and sampling methods. Comparison of these concentrations should be made to applicable
occupational exposure limits or standards. The organization should ensure that the risk
assessment considers both the short-term and long-term consequences of exposure and the
additive effects of multiple agents and exposures.
In some cases, risk assessments are performed using sampling to cover a variety of situations
and locations. Care should be taken to ensure that the samples used are sufficient and
adequately represent all the situations and locations being assessed.
The organization should document and keep the results of hazard identification, risk
assessments and determined controls.
The following types of information should be recorded:
— identification of hazards,
— determination of the risks associated with the identified hazards,
— indication of the levels of the risks related to the hazards,
— description of, or reference to, the measures to be taken to control the risks,
— determination of the competency requirements for implementing the controls (see 4.4.2).
When existing or intended controls are used in determining OH&S risks, these measures should
be clearly documented so that the basis of the assessment will be clear when it is reviewed at a
later date.
The description of measures to monitor and control risks can be included within operational
control procedures. The determination of competency requirements can be included within
training procedures.


It is a requirement that hazard identification and risk assessment be ongoing. This requires the
organization to consider the timing and frequency of such reviews, as affected by the following
types of issues:
— the need to determine whether existing risk controls are effective and adequate,
— the need to respond to new hazards,
— the need to respond to changes that the organization itself has made,
— the need to respond to feedback from monitoring activities, incident investigation,
emergency situations or the results of testing of emergency procedures,
— changes in legislation,
— external factors, e.g. emerging occupational health issues,
— advances in control technologies,
— changing diversity in the workforce, including contractors,
— changes proposed by corrective and preventive action.
Periodic reviews can help ensure consistency across risk assessments carried out by different
people at different times. Where conditions have changed, and/or better risk management
technologies have become available, improvements should be made as necessary.
It is not necessary to perform new risk assessments when a review can show that the existing or
planned controls remain valid.
Internal audits can provide an opportunity to check that hazard identifications, risk
assessments and controls are in place and up-to-date. Internal audits can also be a useful
opportunity to check whether the assessment reflects actual workplace conditions and practice.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.1.2.3 Assessment of OH&S opportunities and other opportunities for the OH&S
management system

The organization should assess opportunities to improve both its OH&S performance and its
OH&S management system. This does not only mean considering opportunities as the flip side
of risks; opportunities can also be seen from a much broader perspective, e.g.:

- preventing activities, practices and equipment from entering the workplace that may
result in new hazards;
- possibilities to improve the OH&S management system in various ways;
- opportunities to improve well-being even where no significant risks have been
determined;
- learning from other organizations, both from positive and negative examples.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.1.3 Determination of legal requirements and other requirements

The organization should have made a policy commitment to compliance with applicable legal
and other OH&S requirements that relate to its hazards (see 4.2). These legal requirements can
take many forms, such as:
— legislation, including statutes, regulations and codes of practice,
— decrees and directives,
— orders issued by regulators,
— permits, licences or other forms of authorization,
— judgements of courts or administrative tribunals,
— treaties, conventions, protocols.
Examples of “other requirements” can include:
— contractual conditions,
— agreements with employees,
— agreements with interested parties,
— agreements with health authorities,
— non-regulatory guidelines,
— voluntary principles, best practices or codes of practice, charters,
— public commitments of the organization or its parent organization, and
— corporate/company/organization’s requirements.


Some of these commitments or agreements can address a range of issues in addition to OH&S
matters. The OH&S management system need only address such commitments or agreements to
the extent that they relate to the organization’s hazards.
To meet its policy commitments, the organization should have a structured approach to ensure
that the legal requirements and other requirements can be identified, evaluated for
applicability, accessed, communicated and be kept up-to-date.
Depending on the nature of its hazards, operations, equipment, materials, etc., an organization
should seek out relevant applicable OH&S legislative or other requirements. This can be
achieved through the use of knowledge within the organization and/or through the use of
external sources such as:
— the internet,
— libraries,
— trade associations,
— regulators,
— legal services,
— OH&S institutes,
— OH&S consultants,
— equipment manufacturers,
— materials suppliers,
— contractors,
— customers.
From the results of the initial review, the organization should consider the legal requirements
and other requirements that are applicable to:
— its sector,
— its activities,
— its products, processes, facilities, equipment, materials, personnel,
— its location.
External resources, such as those previously listed, can be helpful in locating and evaluating
these requirements.
Having identified what is applicable, the organization’s procedure needs to include information
on how it can access the legal requirements and other requirements. There is no requirement to
maintain a library; it is sufficient that the organization be able to access the information when
needed.
The organization’s procedure should ensure that it can determine any changes that affect the
applicability of legal requirements and other requirements relevant to its hazards.
The organization’s procedure needs to identify who should receive information on legal
requirements and other requirements and ensure that relevant information is communicated to
them.
Further guidance on how legal requirements and other requirements should be taken into
account in an organization’s OH&S management system can be found throughout this document.


How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.1.4 Planning action

Having completed a risk assessment and having taken account of existing controls, the
organization should be able to determine whether existing controls are adequate or need
improving, or if new controls are required.
If new or improved controls are required, their selection should be determined by the principle
of the hierarchy of controls, i.e. the elimination of hazards where practicable, followed in turn by
risk reduction (either by reducing the likelihood of occurrence or potential severity of injury or
harm), with the adoption of personal protective equipment (PPE) as a last resort.
An organization should consider and plan how to take action to address hazards, legal
requirements and other requirements, potential emergency situations and risks and
opportunities that need to be addressed, as determined in 6.1.1 – 6.1.3. The organization should
plan to take action in a variety of ways using its OH&S management system processes or other
business processes. The organization should also determine the effectiveness of the actions
taken.
Planning to take action can include a single action, such as establishing an OH&S objective,
operational control, emergency preparedness, or another business process. Alternatively, the
organization can use a combination of actions that include OH&S objectives and operational
controls using the hierarchy of controls. In planning actions, the organization should consider
technological options and feasibilities, and financial, operational and business requirements. As
with any planned action, the potential for any unintended consequence should be considered,
e.g. short or long-term adverse impacts on occupational health & safety.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.2 OH&S objectives and planning to achieve them

Introductory subclause text?

6.2.1 OH&S objectives

Setting objectives is an integral part of the planning of an OH&S management system. An
organization should set objectives to fulfil the commitments established in its OH&S policy,
including its commitments to the prevention of injury and ill health.

The process of setting and reviewing objectives, and implementing programmes to achieve
them, provides a mechanism for the organization to continually improve its OH&S management
system and to improve its OH&S performance.

When setting OH&S objectives the organization needs to take into account the hazards or risks
& opportunities to OH&S or the management system, the legal requirements and other
requirements that it has identified. The organization should make use of this information
obtained from the planning process to determine whether it needs to set objectives for OH&S or
the OH&S management system risks or opportunities or to plan for anticipated future changes
in relation to any of its legal requirements or other requirements.

Objectives that are specific, measurable, achievable, relevant, and timely can enable progress
against the attainment of the objectives to be measured more readily by the organization
(sometimes such objectives are referred to as being “SMART”).

It is also advisable that the organization records the background and reasons for setting the
objectives, in order to facilitate their future review.

During the establishment of OH&S objectives, particular regard should be given to information
or data from those people most likely to be affected by individual OH&S objectives, as this can
assist in ensuring that the objectives are reasonable and more widely accepted. It is also useful
to consider information or data from sources external to the organization, e.g. from contractors
or other interested parties.

The OH&S objectives should address both broad corporate OH&S issues and OH&S issues that
are specific to individual functions and levels within the organization.

OH&S objectives can be broken down into tasks, depending on the size of the organization, the
complexity of the OH&S objective and its time-scale. There should be clear links between the
various levels of tasks and the OH&S objectives.

Specific OH&S objectives can be established by different functions and at different levels within
the organization. Certain OH&S objectives, applicable to the organization as a whole, can be
established by top management. Other OH&S objectives can be established by, or for, relevant
individual departments or functions. Not all functions and departments are required to have
specific OH&S objectives.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

6.2.2 Planning to achieve OH&S objectives

In order to achieve the objectives a programme(s) should be established. A programme is an
action plan for achieving all the OH&S objectives, or individual OH&S objectives. For complex
issues, more formal project plans may also need to be developed as part of the programme(s).

In considering the means necessary to establish the programme(s) the organization should
examine the resources required (financial, human, infrastructure) and the tasks to be
performed. Depending on the complexity of the programme established to achieve a particular
objective, the organization should assign responsibility, authority, and completion dates for
individual tasks to ensure that the OH&S objective can be accomplished within the overall
timeframe.

The OH&S objectives and programme(s) should be communicated (e.g. via training and/or
group briefing sessions, etc.) to relevant personnel.

Reviews of programme(s) need to be conducted regularly, and the programme(s) adjusted or
modified where necessary. This can be as part of management review, or more frequently.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7 Support
Introductory clause text?

7.1 Resources

The requirement here in ISO 45001:2018 is very general, stating that the organization needs to
determine the resources needed to establish, implement and maintain the OH&S system. When
doing that, the organization should consider:

— the financial, human and other resources specific to its operations,

— the technologies specific to its operations,

— infrastructure and equipment,

— information systems,

— the need for expertise and training,

— externally provided resources,

— competence,

— financial, human and other resources specific to its activities, products and services.

Resources should be provided in a timely and efficient manner. Resources and their allocation
should be reviewed periodically, e.g. via management review, to ensure they are sufficient to
carry out OH&S programmes and activities, including performance measurement and
monitoring. For organizations with established OH&S management systems, the adequacy of
resources can be at least partially evaluated by comparing the planned achievement of OH&S
objectives with actual results. In evaluating adequacy of resources, consideration should also be
given to planned changes and/or new projects or operations.

Knowledge is an important resource for establishing or improving the occupational health &
safety management system. When addressing future challenges, the organization should take
into account its current knowledge base and determine how to acquire or access the necessary
additional knowledge.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.2 Competence

Knowledge, understanding, skills, or abilities enable an individual to gain the necessary
competence with regard to OH&S performance. All workers of an organization that affect or can
affect its OH&S performance, including its ability to fulfil legal requirements and other
requirements, should be competent based on training, education, experience, or a combination
of these, as determined by the organization. The competence requirements for workers are not
limited to those doing work that has or can have significant impacts on health & safety, but
also apply to those who manage a function or undertake a role which is critical to achieving the
intended outcomes of the OH&S management system.

Many organizations do not have access to all of these competencies and they may procure
competent service providers to ensure the achievement of the intended outcomes of the OH&S
management system. To enable workers to work and/or act safely, the organization should
ensure that they:

— have the necessary competence to perform tasks that can impact on OH&S,

— are, where necessary, trained to achieve the required awareness/competence.

The organization should require that contractors are able to demonstrate that their employees
have the competence and/or appropriate training to work safely.
NOTE Competence and awareness do not mean the same thing. Awareness is to be conscious of
something, e.g. OH&S risks and hazards. Competence is the demonstrated ability to apply
knowledge and skills.
In determining what activities or tasks could impact on OH&S the organization should consider
those which:
— the organization’s risk assessment has determined create an OH&S risk in the
workplace,
— are intended to control OH&S risks,
— are specific to the implementation of the OH&S management system.
Management should determine the competence requirements for individual tasks. The
organization can seek external advice in defining competence requirements. When determining
the competence required for a task, the following factors should be considered:
— roles and responsibilities in the workplace (including the nature of the tasks to be
performed, and their associated OH&S risks),
— the complexity and requirements of operating procedures and instructions,
— the results from incident investigations,
— legal requirements and other requirements,
— individual capability (e.g. literacy, language skills, etc.).
The organization should give specific consideration to the competency requirements for those
person(s) who will be:
— the top management appointee,
— performing risk assessments,
— performing exposure assessments,
— performing audits,
— performing behavioural observations,
— performing incident investigations,
— performing tasks identified by risk assessment that can introduce hazards.
The organization should ensure that all personnel, including top management, are competent
prior to permitting them to perform tasks that can impact on OH&S. An organization should
determine and assess any differences between the competence needed to perform an activity
and that possessed by the individual required to perform the activity. These differences should
be addressed through training or other actions, e.g. additional education and skills
development, etc., taking into account the existing capabilities of the individual.
OH&S competence requirements should be considered prior to recruiting new personnel,
and/or the reassignment of those already working under the control of the organization. The
organization should consider the roles, responsibilities and authorities, in relation to its OH&S
risks and the OH&S management system, in determining its training or other actions needed for
those persons working under its control (including contractors, temporary staff, etc.).
The training or other actions should focus on both competency requirements and the need to
enhance awareness. Training programmes and procedures should take account of OH&S risks
and individual capabilities, such as literacy and language skills. For example, it could be
preferable to use pictures and diagrams or symbols that can be easily understood. The
organization should determine if the training materials are needed in multiple languages or if
the use of translators is necessary.
The organization should evaluate the effectiveness of the training or actions taken. This can be
done in several ways, e.g. by written or oral examination, practical demonstration, observation
of behavioural changes over time, or other means that demonstrate competency and awareness.
Documented information can be useful to ensure that identified competency needs are
addressed, track progress on closing any gaps, and to enable communication of relevant
information to interested parties. At a minimum, appropriate documented information should
be retained as evidence of competence.
NOTE The ILO-OSH:2001 guidelines in clause 3.4.4 recommend that “Training should be
provided to all participants at no cost and should take place during working hours if possible”.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.3 Awareness

While being competent is about being able to do your job in the right way, all workers need to
be aware of a number of things to keep themselves and others safe and support the intended
outcomes of the OH&S management system. The organization should ensure that they are
aware of, e.g.:
— the organization’s OH&S policy and OH&S objectives,
— hazards and OH&S risks & opportunities that are relevant to them and their
workplace(s) to keep them and others safe,
— relevant work and emergency procedures,
— what they can do to make the OH&S management system effective and improve the
OH&S performance and the importance of doing this,
— the possible consequences for not acting in accordance with legal or other
requirements including other OH&S management system requirements,
— OH&S incidents and investigations that are relevant to them and their workplace(s),
— how to remove themselves from imminent and seriously dangerous work situations
(and that they have the right to do that).
Awareness programmes should be provided for contractors, temporary workers and visitors,
etc., according to the OH&S risks to which they are exposed.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.4 Communication

Introductory subclause text?

7.4.1 General

An organization should establish processes for communication relevant to the OH&S
management system, taking into account the organization’s legal requirements and other
requirements. These processes should determine:
— what information needs to be communicated internally and externally,
— when it needs to be communicated,
— with whom it needs to be communicated,
— how it needs to be communicated.
It is practical to consider at least three types of communication:
a) internal communication among the various levels and functions of the organization;
b) communication with contractors and other visitors to the workplace;
c) receiving, documenting and responding to relevant communications from external
interested parties.
The organization should effectively communicate information concerning its hazards and its
OH&S management system to those involved in or affected by the management system, in order
for them to actively participate in, or support, the prevention of injury and ill health, as
applicable.
When developing communication processes, the organization could consider the following
steps:
- determine the target audience and their information needs,
- select information relevant to the audience’s needs and the availability of information,
- decide on appropriate communication methods and media,
- evaluate and periodically determine the effectiveness of the communications process.
In doing this the organization should take into account, e.g.:
- local culture(s), preferred styles, available technologies, organizational complexity,
structure and size,
- barriers to effective communication in the workplace such as illiteracy or language,
- legal requirements and other requirements,
- the effectiveness of the various modes and flows of communication across all functions
and levels of the organization,
- other types of communication in the organization and their effectiveness.
OH&S issues can be communicated to employees, visitors and contractors via means such as
OH&S briefings and meetings, induction/orientation talks, newsletters, posters, emails,
suggestion boxes/schemes, websites and notice boards containing information on OH&S issues.
To be effective, the organization’s communication processes should provide it and its persons
with the ability to:
— transmit and receive information quickly and to act on it;
— build trust and transparency;
— transmit the importance of the OH&S management system and improving OH&S
performance;
— identify opportunities for improvement.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.4.2 Internal communication

It is important to effectively communicate information about OH&S risks and the OH&S
management system at various levels and between various functions of the organization.
This should include information:
— relating to management’s commitment to the OH&S management system (e.g. programmes
undertaken, and resources committed to improving OH&S performance),
— concerning the identification of hazards and risks (e.g. information on process flows,
materials in use, equipment specifications and observation of work practices),
— about OH&S objectives and other continual improvement activities,
— relating to incident investigation (e.g. the type of incidents that are taking place, factors that
can contribute to the occurrence of incidents, results of incident investigations),
— relating to progress in eliminating hazards and risks (e.g. status reports showing progress
of projects that have been completed or are underway),
— relating to changes that can impact on the OH&S management system.
It is important to develop and maintain procedures for communicating with contractors and
other visitors to the workplace. The extent of this communication should be related to the OH&S
risks faced by these parties.
The organization should have arrangements in place to clearly communicate its OH&S
requirements to contractors. The communication should be appropriate to the hazards and
risks associated with the work to be performed. In addition to communicating performance
requirements, the organization should communicate the consequences associated with
nonconformity with OH&S requirements.
Contracts are often used to communicate OH&S performance requirements. There can be a need
to supplement contracts with other on-site arrangements (e.g. pre-project OH&S planning
meetings) to ensure that appropriate controls are implemented to protect individuals at the
workplace.
The communication should include information about any operational controls related to the
specific tasks to be performed or the area where the work is to be done. This information should
be communicated before the contractor comes on-site and then supplemented with additional
or other information (e.g. a site tour), as appropriate, when the work starts. The organization
should also have procedures in place for consultation with contractors when there are changes
that affect their OH&S (see 4.4.3.4).

In addition to the specific OH&S requirements for activities carried out on-site the following
could also be relevant to the organization when developing its procedure(s) for
communications with contractors:
— information about individual contractors’ OH&S management systems (e.g. their
established policies and procedures to address pertinent hazards),
— legal requirements and other requirements that impact on the method or extent of
communication,
— previous OH&S experience (e.g. OH&S performance data),
— the existence of multiple contractors at the worksite,
— staffing for accomplishing OH&S activities (e.g. exposure monitoring, equipment
inspections),
— emergency response,
— the need for alignment of the contractor’s OH&S policies and practices with those of the
organization and other contractors at the worksite,
— the need for additional consultation and/or contractual provisions for high-risk tasks,
— requirements for the assessment of conformance with agreed OH&S performance criteria,
— processes for incident investigation, reporting of nonconformities and corrective action,
— arrangements for day-to-day communications.
For visitors (including delivery people, customers, members of the public, service providers,
etc.), communication can include warning signs and security barriers, as well as verbal or
written communication. Information that should be communicated includes:
— OH&S requirements relevant to their visit,
— evacuation procedures and responses to alarms,
— traffic controls,
— access controls and escort requirements,
— any personal protective equipment (PPE) that needs to be worn (e.g. safety glasses).

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.4.3 External communication

The organization needs to have process(es) in place for receiving, documenting and responding
to relevant communications from external interested parties.

The organization should provide appropriate and consistent information about its hazards and
its OH&S management system in accordance with its OH&S policy and applicable legal
requirements and other requirements. This can include information concerning its normal
operations or potential emergency situations.

External communication process(es) often include the identification of designated contact
individuals. This allows for appropriate information to be communicated in a consistent
manner. This can be especially important in emergency situations where regular updates are
requested and/or a wide range of questions need to be answered. The organization should
have in place a process for communicating with external interested parties in case of emergency
situations that could affect or concern them.

An organization can also find it useful to document its processes for external communication.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.5 Documented information

Introductory subclause text?

7.5.1 General

An organization should develop and maintain adequate documented information to ensure that
its OH&S management system is operating effectively, is understood by workers and other
relevant interested parties, and that processes associated with the OH&S management system
are carried out as planned. Documented information should be collected and maintained in a
way that reflects the culture and needs of the organization.
Typical inputs include the following items:
— details of the documentation and information systems the organization develops to support
its OH&S management system and OH&S activities, and to fulfil the requirements of ISO
45001:2018,
— details of responsibilities and authorities,

— information on how the local documented information is used, and constraints that this can
put on the physical nature of documentation, or the use of electronic or other media.
The organization should review its documentation and information needs for the OH&S
management system, before developing the documentation necessary to support its OH&S
processes.
In deciding what documentation is required the organization should determine where there is
any risk that a task, through lack of written procedures or instructions, will not be performed in
the required manner.
The organization can choose to document its management system in the form of a manual,
which constitutes an overview or summary of the system with a description of the main
elements and can provide direction to related documented information. The structure of any
such OH&S management system manual need not follow the clause structure of ISO 45001 or
any other standard.
The extent of the documented information can differ from one organization to another. Creating
unnecessary or complicated documented information can diminish the effectiveness of the
OH&S management system. When considering the extent of the documented information it
creates, the organization can therefore consider the benefits of documented information for
effectiveness, continuity and continual improvement of the OH&S management system.
Documented information can be controlled in any medium (paper, electronic, photos and
posters) that is useful, legible, easily understood and accessible to those needing the
information contained therein.
If processes of the OH&S management system are aligned with those from other management
systems, the organization can combine relevant OH&S documented information with
documented information of these other management systems.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.5.2 Creating and updating

There is no requirement to develop documented information in a particular format in order to
conform to ISO 45001, nor is it necessary to replace existing documentation such as manuals,
procedures, or work instructions where these adequately describe required arrangements. If
the organization already has an established, documented OH&S management system, it can
prove more convenient and effective for it to develop, for example, an overview document
describing the inter-relation between its existing procedures and the requirements of ISO
45001.

Account should be taken of the following:

— the responsibilities and authorities of the users of the documented information, as this
should lead to consideration of the degree of security and accessibility that needs to be imposed
(particularly with electronic media) and change controls,

— the manner in which physical documentation is used, and the environment in which it is
used, as this can require consideration of the format in which it is presented (e.g. an instruction
could be incorporated into a sign rather than a paper document). Similar consideration should
be given concerning the environment for the use of electronic equipment for information
systems.

When creating and updating documented information related to the OH&S management system,
the organization should ensure appropriate:

- identification and description (e.g. a title, date, author, reference number or combination
of these);
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
- internal review and approval for suitability and adequacy.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

7.5.3 Control of documented information

Control of OH&S management system documented information is important to ensure that:
— information can be identified with the appropriate organization, division, function, activity,
contact person;
— information maintained by the organization is regularly reviewed, revised as necessary and
approved by authorized personnel prior to issue;
— current versions of relevant documented information are available at all locations where
operations essential to the effective functioning of the system are performed, including
those necessary to ensure requirements are met;
NOTE Where the availability of documented information is not practicable, actions that
conform to prescribed practices can be considered adequate.

— information that is obsolete is promptly removed from all points of issue and from places
and situations of use (in some circumstances, e.g. for legal and/or knowledge preservation
purposes, documented information that is obsolete can be retained as evidence of the
results achieved).
Documented information can be effectively controlled by:
— developing an appropriate format that includes unique titles, numbers, dates, revisions,
revision history and authority;
— assigning the review and approval of documented information maintained by the
organization to individuals with enough technical capability and organizational authority;
— maintaining an effective distribution system.
The organization should determine which types of documented information are required for the
OH&S management system to work efficiently and effectively. A good starting point is the
requirements for documented information stated in ISO 45001, which are:
— the scope of the OH&S management system
— the OH&S policy
— OH&S organizational roles, responsibilities and authorities
— risks & opportunities
— risk assessment methodology(ies) and criteria
— legal requirements and other requirements
— OH&S objectives and plans to achieve them
— evidence of relevant competencies
— evidence of the organization’s communication
— documented information of external origin determined by the organization to be
necessary for the planning and operation of the OH&S management system
— documented information for operational planning and control to the extent necessary to
have confidence that the processes have been carried out as planned
— documented information on the process(es) and on the plans for responding to potential
emergency situations
— evidence of the results of monitoring, measurements, analysis and performance
evaluation
— evidence of the implementation of the audit programme and the audit results
— results from evaluation of compliance
— evidence of the results of management reviews
— the nature of incidents and nonconformities and any subsequent actions taken
— the results of any action and corrective action, including their effectiveness
— evidence of continual improvement (this could be the results of monitoring,
measurements, analysis and performance evaluation)
— other documented information determined by the organization as being
necessary for the effectiveness of the OH&S management system.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

8 Operation

Introductory clause text?

8.1 Operational planning and control

Introductory subclause text?

8.1.1 General

Once it has gained an understanding of its hazards, the organization should implement the
operational controls that are necessary to manage the associated risks and comply with
applicable OH&S legal requirements and other requirements. The overall objective of OH&S
operational controls is to manage the OH&S risks to fulfil the OH&S policy. Information to be
considered when establishing and implementing operational controls includes:
— OH&S policy and objectives,

— results of hazard identification, risk assessment, evaluation of existing controls and
determination of new controls (see 4.3.1),

— management of change processes (see 4.3.1.5),

— internal specifications (e.g. for materials, equipment, facilities layout),

— information on existing operating procedures,

— legal requirements and other requirements to which the organization subscribes (see
4.3.2),

— product supply chain controls related to purchased goods, equipment and services,

— feedback from participation and consultation (see 4.4.3),

— the nature of, and extent to which, tasks are to be performed by contractors and other
external personnel,

— access to the workplace by visitors, delivery personnel, service contractors, etc.

When developing operational controls, priority should be given to control options with higher
reliability in preventing injury or ill health, consistent with the hierarchy of controls, i.e. this
should start with redesign of equipment or processes to eliminate or reduce hazard(s),
improved signage/warnings for hazard avoidance, improved administrative procedures and
training to reduce the frequency and duration of the exposure of persons to inadequately
controlled hazards, and lastly the use of personal protective equipment (PPE) to reduce the
severity of injury or exposure.
The operational controls need to be implemented, evaluated on an ongoing basis (4.3.1.8) to
verify their effectiveness, and integrated into the overall OH&S management system.
The organization should stipulate operating criteria where they are necessary for the
prevention of injury or ill health. Operating criteria should be specific to the organization, its
operations and activities, and be related to its own OH&S risks, where their absence could lead
to deviation from the OH&S policy and objectives.
Examples of operating criteria can include:
a) for hazardous tasks
— use of specified equipment, and procedures/work instructions for its use,
— competency requirements,
— use of specified entry control processes and equipment,
— authorities/guidelines/instructions/procedures for individual risk assessment prior to
immediate commencement of the task;
b) for hazardous chemicals
— approved chemical lists,
— exposure limits,
— specific inventory limits,
— specified storage locations and conditions;
c) for tasks involving entry into hazardous areas
— specification of personal protective equipment (PPE) requirements,
— specified conditions for entry,
— health and fitness conditions;
d) for tasks involving work performed by contractors
— specification of OH&S performance criteria,
— specification of competency and/or training requirements for contractor personnel,
— specification/inspection of contractor provided equipment;
e) for hazards to visitors
— entry controls (sign-in/sign-out, access limitations),


— personal protective equipment (PPE) requirements,


— site safety briefings,
— emergency requirements.
Operational controls should be reviewed on a periodic basis to evaluate their ongoing suitability
and effectiveness. Changes that are determined to be necessary should be implemented.
In addition, procedures should be in place to determine circumstances where new controls
and/or modifications of existing operational controls are needed. Proposed changes to existing
operations
should be evaluated for hazards and risks before they are implemented. When there are
changes to operational controls, the organization should consider whether there are new or
modified training needs.
Operational controls should be established and implemented as necessary to manage the OH&S
risks to an acceptable level, for operational areas and activities, e.g. purchasing, research and
development, sales, services, offices, off-site work, home based working, manufacturing,
transportation and maintenance.
Operational controls can use a variety of different methods, e.g. physical devices (such as
barriers, access controls), procedures, work instructions, pictograms, alarms and signage.
NOTE It is preferable that warning signage is based on accepted design principles, emphasizing
standardized graphical symbols and minimizing the use of text, and that when text is required,
accepted signal words, e.g. “danger” or “warning”, are used. For further guidance see relevant
international or national standards.
The organization should establish operational controls to eliminate, or reduce and control, the
OH&S risks that could be introduced into the workplace by employees, contractors, other
external personnel, members of the public and/or visitors. Operational controls can also need to
take into account situations where OH&S risks extend into public areas or areas controlled by
other parties (e.g. when employees of the organization are working at a client’s site). It is
sometimes necessary to consult with external parties in such circumstances.
Examples of areas in which OH&S risks typically arise, and examples of their associated control
measures, include:
a) general control measures
— regular maintenance and repair of facilities, machinery and equipment to prevent unsafe
conditions from developing,
— housekeeping and maintenance of clear walkways,
— traffic management (i.e. the management of the separation of vehicle and pedestrian
movements),
— provision and maintenance of workstations,
— maintenance of the thermal environment (temperature, air quality),
— maintenance of the ventilation systems and electrical safety systems,
— maintenance of emergency plans,
— policies related to travel, bullying, sexual harassment, drug and alcohol abuse, etc.,
— health programmes (medical surveillance programmes),


— training and awareness programmes relating to the use of particular controls (e.g.
permit-to-work systems),
— access controls;
b) performance of hazardous tasks
— use of procedures, work instructions, or approved working methods,
— use of appropriate equipment,
— pre-qualification and/or training of personnel or contractors for hazardous tasks,
— use of permit-to-work systems, pre-approvals, or authorizations,
— procedures controlling the entry and exit of personnel to hazardous work sites,
— controls to prevent ill health;
c) use of hazardous materials
— established inventory levels, storage locations and storage conditions,
— conditions of use for hazardous materials,
— limitations of areas where hazardous materials can be used,
— secure and safe storage provisions and control of access,
— provision of and access to material safety data and other relevant information,
— shielding of radiation sources,
— isolation of biological contaminants,
— knowledge in the use of and availability of emergency equipment (4.4.7);
d) facilities and equipment
— regular maintenance and repair of facilities, machinery and equipment to prevent unsafe
conditions from developing,
— housekeeping and maintenance of clear walkways, and traffic management,
— provision, control and maintenance of personal protective equipment (PPE),
— inspection and testing of OH&S equipment, such as guarding, fall arrest systems, shutdown
systems, rescue equipment for confined spaces, lock-out systems, fire detection and
suppression equipment, exposure monitoring devices, ventilation systems and electrical
safety systems,
— inspection and testing of material handling equipment (cranes, forklifts, hoists and other
lifting devices);
e) purchase of goods, equipment and services
— establishment of OH&S requirements for goods, equipment and services to be purchased,
— communication of the organization’s own OH&S requirements to suppliers,
— pre-approval requirements for the purchase or transport/transfer of hazardous chemicals,
materials and substances,
— pre-approval requirements and specifications for the purchase of new machinery and
equipment,


— pre-approval of procedures for the safe operation of machinery, equipment, and/or the safe
handling of materials prior to their use,
— selection and monitoring of suppliers,
— inspection of received goods, equipment and services, and (periodic) verification of their
OH&S performance,
— approval of the design of OH&S provisions for new facilities;
f) contractors
— establishment of criteria for the selection of contractors,
— communication of the organization’s own OH&S requirements to contractors,
— evaluation, monitoring and periodic re-evaluation of the OH&S performance of contractors;
g) other external personnel or visitors in the workplace.
As the knowledge and capabilities of visitors or other external personnel vary greatly, this
should be considered when developing controls. Examples can include:
— entry controls,
— establishing their knowledge and capabilities prior to permitting the use of equipment,
— provision of advice and training as necessary,
— warning signage/administrative controls,
— methods for monitoring visitor behaviour and supervising their activities.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

8.1.2 Eliminating hazards and reducing OH&S risks

When an organization has identified hazards and determined risks, it needs to have a process in
place to eliminate hazards or, where this is not possible, reduce the OH&S risks by using a
hierarchy of controls. The hierarchy starts with elimination, which is the most effective way of
preventing injury and ill health, and ends with the lowest level, which is having to use personal
protective equipment where other controls have not been possible. In many cases a
combination of controls is needed to reduce the OH&S risks to a level that is acceptable if the
hazard cannot be eliminated.
The following provides examples of implementing the hierarchy of controls:


a) Elimination – modify a design to eliminate the hazard, e.g. stop using hazardous chemicals,
introduce mechanical lifting devices to eliminate manual handling, eliminate monotonous
work or work that causes negative stress, remove fork-lift trucks from an area;
b) Substitution – substitute with less hazardous processes, operations, materials or equipment,
including reducing the system energy (e.g. lower the force, amperage, pressure,
temperature, etc.), or, e.g., change from manual customer complaints handling to online
automatic complaints handling;
c) Engineering controls and reorganization of work – install collective protective measures
like ventilation systems, guard rails, lifting support, machine guarding, interlocks, sound
enclosures, etc. and reorganization to protect workers from working alone, unhealthy work
hours and workload, or to prevent victimization;
d) Administrative controls including training – conducting periodic safety equipment
inspections; conducting training to prevent bullying and harassment; managing health and
safety coordination with subcontractors’ activities; conducting induction training;
administrating forklift driving licences; providing instructions on how to report incidents,
nonconformities and victimization without fear of retribution; changing the work patterns
(e.g. shifts) of workers; managing a health or medical surveillance programme for workers
who have been identified as at risk (e.g. related to hearing, hand-arm vibration, respiratory
disorders, skin disorders or exposure); giving appropriate instructions to workers (e.g.
entry control processes); safety signs, hazardous area marking, photo-luminescent signs,
markings for pedestrian walkways, warning sirens/lights, alarms, safety procedures,
equipment inspections, access controls, safe systems of working, tagging and work permits,
etc.;
e) Personal protective equipment (PPE) – safety glasses, hearing protection, face shields,
safety harnesses and lanyards, respirators and gloves.
In applying the hierarchy, consideration should be given to the risk reduction benefits and
reliability of the available options.
An organization should take into account:
— the need for a combination of controls, combining elements from the above hierarchy (e.g.
engineering and administrative controls),
— established good practice in the control of the particular hazard under consideration,
— adapting work to the individual (e.g. to take account of individual mental and physical
capabilities),
— taking advantage of technical progress to improve controls,
— using measures that protect everyone [e.g. by selecting engineering controls that protect
everyone in the vicinity of a hazard in preference to personal protective equipment (PPE)],
— human behaviour and whether a particular control measure will be accepted and can be
effectively implemented,
— typical basic types of human failure (e.g. simple failure of a frequently repeated action,
lapses of memory or attention, lack of understanding or error of judgement, and breach of
rules or procedures) and ways of preventing them,
— the need to introduce planned maintenance of, for example, machinery safeguards,
— the possible need for emergency/contingency arrangements where risk controls fail,


— the potential lack of familiarity with the workplace and existing controls of those not in the
direct employment of the organization, e.g. visitors, contractor personnel.
Once the controls have been determined, the organization can prioritize its actions to implement
them. In the prioritization of actions, the organization should take into account the potential for
risk reduction of the planned controls. It is preferable that actions addressing a high-risk
activity or offering a substantial reduction of risk take priority over actions that have only
limited risk reduction benefit.
In some cases, it is necessary to modify work activities until risk controls are in place or apply
temporary risk controls until more effective actions are completed. For example, hearing
protection can be used as an interim measure until the source of noise can be eliminated, or the
work activity segregated to reduce the noise exposure. Temporary controls should not be
regarded as a long-term substitute for more effective risk control measures.
Legal requirements, voluntary standards and codes of practice can specify appropriate controls
for specific hazards. In some cases, controls will need to be capable of attaining “as low as
reasonably practicable” (ALARP) levels of risk.
The organization should conduct ongoing monitoring to ensure that the adequacy of the
controls is being maintained (see 4.5.1).
NOTE The term “residual risk” is often used to describe the risk that remains after controls have
been implemented.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

8.1.3 Management of change

The organization should manage and control any changes that can affect or impact its hazards
and risks. This includes changes to the organization’s structure, personnel, management system,
processes, activities, use of materials, etc. Such changes should be evaluated through hazard
identification and risk assessment prior to their introduction.
The organization should consider hazards and potential risks associated with new processes or
operations at the design stage as well as changes in the organization, existing operations,
products, services or suppliers. The following are examples of conditions that should initiate a
management of change process:
— new or modified technology (including software), equipment, facilities, or work
environment,


— new or revised procedures, work practices, designs, specifications or standards,


— different types or grades of raw materials,
— significant changes to the site’s organizational structure and staffing, including the use of
contractors,
— modifications of health and safety devices and equipment or controls.
The management of change process should include consideration of the following questions to
ensure that any new or changed risks are acceptable:
— have new hazards been created?
— what are the risks associated with the new hazards?
— have the risks from other hazards changed?
— could the changes adversely affect existing risk controls?
— have the most appropriate controls been chosen, bearing in mind usability, acceptability
and both the immediate and long-term costs?
Emergency planning should also be reviewed as a part of the ongoing management of change.
Changes in operations can introduce new potential emergencies or necessitate that changes be
made to emergency response procedures. For example, changes in facility layout can impact
emergency evacuation routes.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

8.1.4 Procurement

Introductory subclause text?

8.1.4.1 General

This requirement in ISO 45001:2018 concerns hazards and OH&S risks related to products,
equipment, materials and services that are externally sourced and introduced in the
organization’s workplace(s). There needs to be a process in place to prevent these from adding
new hazards or raising OH&S risks to workers. This process should cover any needs for
consultation and communication, and should keep workers safe by ensuring that:

a) equipment is delivered according to specification and is tested to ensure it works as
intended;


b) installations are commissioned to ensure they function as designed;

c) materials are delivered according to their specifications;

d) any usage requirements, precautions or other protective measures are communicated and
made available.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

8.1.4.2 Contractors

The organization should have a procedure(s) for consulting with contractors and other external
interested parties, where appropriate. There can be a need for the organization to consult with
regulators concerning certain OH&S matters (e.g. applicability and interpretation of OH&S legal
requirements), or with emergency services.
In considering the need for consultation with contractors on changes that can affect their OH&S,
the organization should take account of the following:
— new or unfamiliar hazards (including those that can be introduced by the contractor),
— reorganization,
— new or amended controls,
— changes in materials, equipment, exposures, etc.,
— changes in emergency arrangements,
— changes in legal or other requirements.
For consultation with external parties, the organization should give consideration to factors
such as:
— changes in emergency arrangements,
— hazards that can impact neighbours, or hazards from neighbours,
— changes in legal or other requirements.

How to implement these requirements?

Example 1


To be written.......

Example 2

To be written.......

Example 3

To be written.......

8.1.4.3 Outsourcing

When outsourcing, the organization needs to have control of the outsourced functions and
process(es) to achieve the intended outcome(s) of the OH&S management system. In the
outsourced functions and process(es), the responsibility for conforming to the requirements of
this document is retained by the organization.

The organization should establish the extent of control over outsourced function(s) or
process(es) based upon factors such as:

— the ability of the external organization to meet the organization’s OH&S management
system requirements;
— the technical competence of the organization to define appropriate controls or assess the
adequacy of controls;
— the potential effect the outsourced process or function will have on the organization’s
ability to achieve the intended outcome of its OH&S management system;
— the extent to which the outsourced process or function is shared;
— the capability of the organization to achieve the necessary control through the application
of its procurement process;
— opportunities for improvement.
In some countries, legal requirements address outsourced functions or processes.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......


8.2 Emergency preparedness and response

The organization should have a process for preparing and responding to potential emergency
situations that have been identified in the planning process. This should include planning of
response, training, testing, evaluating and improving performance, communication and
retaining documented information. The process should also take into account applicable legal
requirements and other requirements.
The organization should determine and assess how emergency situations will impact all
persons within and/or in the immediate vicinity of workplaces controlled by the organization.
Consideration should be given to those with special needs, e.g. people with limited mobility,
vision and hearing. This could include employees, temporary workers, contract employees,
visitors, neighbours or other members of the public. The organization should also consider
potential impacts on emergency services personnel while at the workplace (e.g. fire-fighters).

The organization should also periodically test its emergency preparedness and seek to improve
the effectiveness of its response activities and procedure(s).
NOTE Where the procedure is combined with other emergency response procedure(s), the
organization needs to ensure that it addresses all potential OH&S impacts and should not
presume that the procedures relating to fire safety, or environmental emergencies, etc., will be
sufficient.
Emergency planning should also be reviewed as a part of the ongoing management of change.
Changes in operations can introduce new potential emergencies or necessitate that changes be
made to emergency response procedures. For example, changes in facility layout can impact
emergency evacuation routes.
Emergency response should focus on the prevention of ill health and injury, and on the
minimization of the adverse OH&S consequences to a person(s) exposed to an emergency
situation.
A procedure(s) for responding to emergency situations should be developed and should also
take into account applicable legal requirements and other requirements.
The emergency procedure(s) should be clear and concise to facilitate their use in emergency
situations. They should also be readily available for use by emergency services. Emergency
procedure(s) that are stored on a computer or by other electronic means might not be readily
available in the event of a power failure, so paper copies of emergency procedure(s) ought to
be maintained in readily accessible locations.
Consideration should be given to the existence and/or capability of the following, in developing
emergency response procedure(s):
— inventory and location of hazardous materials storage,
— numbers and locations of people,
— critical systems that can impact on OH&S,
— the provision of emergency training,
— detection and emergency control measures,
— medical equipment, first aid kits, etc.,
— control systems, and any supporting secondary or parallel/multiple control systems,
— monitoring systems for hazardous materials,


— fire detection and suppression systems,


— emergency power sources,
— availability of local emergency services and details of any emergency response
arrangements currently in place,
— legal requirements and other requirements,
— previous emergency response experience.
When the organization determines that external services are needed for emergency response
(e.g. specialist experts in handling
hazardous materials and external testing laboratories), pre-approved (contractual)
arrangements should be put in place. Particular attention should be paid to staffing levels,
response schedules and emergency service limitations.
Emergency response procedure(s) should define the roles, responsibilities and authorities of
those with emergency response duties, especially those with an assigned duty to provide an
immediate response. These personnel should be involved in the development
of the emergency procedure(s) to ensure they are fully aware of the type and scope of
emergencies that they can be expected to handle, as well as the arrangements needed for
coordination. Emergency service personnel should be provided with the information required
to facilitate their involvement in response activities.
Emergency response procedures should give consideration to the following:
— identification of potential emergency situations and locations,
— details of the actions to be taken by personnel during the emergency (including actions to
be taken by staff working off-site, by contractors and visitors),
— evacuation procedures,
— responsibilities and authorities of personnel with specific response duties and roles during
the emergency (e.g. fire-wardens, first-aid staff and spill clean-up specialists),
— interface and communication with emergency services,
— communication with employees (both on-site and off-site), regulators and other interested
parties (e.g. family, neighbours, local community, media),
— information necessary for undertaking the emergency response (plant layout drawings,
identification and location of emergency response equipment, identification and location of
hazardous materials, utility shut-off locations, contact information for emergency response
providers).
The organization should determine and review its emergency response equipment and material
needs.
Emergency response equipment and materials can be needed to perform a variety of functions
during an emergency, such as evacuation, leak detection, fire suppression,
chemical/biological/radiological monitoring, communication, isolation, containment, shelter,
personal protection, decontamination, and medical evaluation and treatment.
Emergency response equipment should be available in sufficient quantity and stored in
locations where it is readily accessible; it should be stored securely and be protected from being
damaged. This equipment should be inspected and/or tested at regular intervals to ensure that
it will be operational in an emergency situation.


Special attention should be paid to equipment and materials used to protect emergency
response personnel. Individuals should be informed of the limitations of personal protective
devices and trained in their proper use.
The type, quantity and storage location(s) for emergency equipment and supplies should be
evaluated as a part of the review and testing of emergency procedures.
Personnel should be trained in how to initiate the emergency response and evacuation
procedures (see 4.4.2).
The organization should determine the training needed for personnel who are assigned
emergency response duties and ensure that this training is received. Emergency response
personnel should remain competent and capable to carry out their assigned activities.
The need for retraining or other communications should be determined when modifications are
made that impact on the emergency response.
Periodic testing of emergency procedures should be performed to ensure that the organization
and external emergency services can appropriately respond to emergency situations and
prevent or mitigate associated OH&S consequences.
Testing of emergency procedures should involve external emergency services providers, where
appropriate, to develop an effective working relationship. This can improve communication and
cooperation during an emergency.
Emergency drills can be used to evaluate the organization’s emergency procedures, equipment
and training, as well as increase overall awareness of emergency response protocols. Internal
parties (e.g. workers) and external parties (e.g. fire department personnel) can be included in
the drills to increase awareness and understanding of emergency response procedures.
The organization should maintain records of emergency drills. The type of information that
should be recorded includes a description of the situation and scope of the drill, a timeline of
events and actions and observations of any significant achievements or problems. This
information should be reviewed with the drill planners and participants to share feedback and
recommendations for improvement.
Review of emergency preparedness and response procedure(s) should be done periodically.
Examples of when this can be done are:
— on a schedule defined by the organization,
— during management reviews,
— following organizational changes,
— as a result of management of change, corrective action, or preventive action (see 4.5.3),
— following an event that activated the emergency response procedures,
— following drills or tests that identified deficiencies in the emergency response,
— following changes to legal requirements and other requirements,
— following external changes impacting the emergency response.
When changes are made in emergency preparedness and response procedure(s), these changes
should be communicated to the personnel and functions that are impacted by the change; their
associated training needs should also be evaluated.

How to implement these requirements?


Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

9 Performance evaluation

Introductory clause text?

9.1 Monitoring, measurement, analysis and performance evaluation

Introductory subclause text?

9.1.1 General

An organization should have a systematic approach for measuring and monitoring its OH&S
performance on a regular basis, as an integral part of its overall management system.
Monitoring involves collecting information, such as measurements or observations, over time,
using equipment or techniques that have been confirmed as being fit-for-purpose.
Measurements can be either quantitative or qualitative. Monitoring and measurements can
serve many purposes in an OH&S management system, such as:
— tracking progress on meeting policy commitments, achieving objectives and targets, and
continual improvement,
— monitoring exposures to determine whether applicable legal requirements and other
requirements to which the organization subscribes have been met,
— monitoring incidents, injuries and ill health,
— providing data to evaluate the effectiveness of operational controls, or to evaluate the need
to modify or introduce new controls,
— providing data to proactively and reactively measure the organization’s OH&S performance,
— providing data to evaluate the performance of the OH&S management system, and
— providing data for the evaluation of competence.
To achieve these purposes, an organization should plan what will be measured, where and
when it should be measured, what measurement methods should be used, and the competence
requirements for the persons who will perform the measurements. To focus resources on the
most important measurements, the organization should determine the characteristics of
processes and activities that can be measured and the measurements that provide the most
useful information. The organization needs to establish process(es) for performance
measurement and monitoring to provide consistency in measurements and enhance the
reliability of data produced.


The results of measurement and monitoring should be analysed and used to identify both
successes and areas requiring correction or improvement.
The organization’s measuring and monitoring should use both reactive and proactive measures
of performance but should primarily focus on proactive measures in order to drive performance
improvement and injury reduction.
a) Examples of proactive measures include:
— assessments of compliance with legal requirements and other requirements,
— the effective use of the results of workplace safety tours or inspections,
— evaluation of the effectiveness of OH&S training,
— use of OH&S behaviour-based observations,
— use of perception surveys to evaluate OH&S culture and related employee satisfaction,
— the effective use of the results of internal and external audits,
— completion of legally required and other inspections as scheduled,
— the extent to which programme(s) (see 4.3.3) have been implemented,
— the effectiveness of the employee participation process,
— the use of health screening,
— exposure modelling and monitoring,
— benchmarking against good OH&S practices,
— work activity assessments.
b) Examples of reactive measures include:
— monitoring of ill health,
— occurrences and rates of incidents and ill health,
— lost time incident rates, lost time ill health rates,
— actions required following assessments by regulators,
— actions following receipt of comments from interested parties.
OH&S monitoring and measurement equipment should be suitable, capable and relevant for the
OH&S performance characteristics to be measured.
To assure the validity of results, monitoring equipment used to measure OH&S conditions (e.g.
sampling pumps, noise meters, toxic gas detection equipment, etc.) should be maintained in
good working order and calibrated or verified, and adjusted if necessary against measurement
standards, traceable to international or national measurement standards. If no such standards
exist, the basis used for calibration should be recorded.
Where computer software or computer systems are used to gather, analyse, or monitor data,
and can affect the accuracy of OH&S performance results, they should be validated to test their
suitability, prior to use.
Appropriate equipment should be selected and be used in a way that will provide accurate and
consistent results. This could involve confirming the suitability of sampling methods or
sampling locations or specifying that the equipment be used in a specific way.
The calibration status of measuring equipment should be clearly identified to the users. OH&S
measuring equipment whose calibration status is unknown, or which is known to be out of
calibration, should not be used. Additionally, it should be removed from use, and be clearly
labelled, tagged, or otherwise marked, to prevent misuse.
Calibration and maintenance should be performed by competent personnel.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

9.1.2 Evaluation of performance

An organization should establish, implement and maintain a process(es) for periodically
evaluating its compliance with the legal requirements and other requirements.
Evaluation of the organization’s compliance should be performed by competent persons, either
from within the organization and/or using external resources.
A variety of inputs can be used to assess compliance, including:
— audits,
— the results of regulatory inspections,
— analysis of legal requirements and other requirements,
— reviews of documents and/or records of incidents and risk assessments,
— interviews,
— facility, equipment and area inspections,
— project or work reviews,
— analysis of test results from monitoring and testing,
— facility tours and/or direct observations.
The organization’s processes for the evaluation of compliance can depend on its nature (size,
structure and complexity). A compliance evaluation can encompass multiple legal requirements
or a single requirement. The frequency of evaluations can be affected by factors such as past
compliance performance or specific legal requirements. The organization can choose to evaluate
compliance with individual requirements at different times or at different frequencies, or as
appropriate.
A compliance evaluation programme can be integrated with other assessment activities. These
can include management system audits, environmental audits or quality assurance checks.
Similarly, an organization should periodically evaluate its compliance with other requirements
to which it subscribes. An organization can choose to establish a separate process for
conducting such evaluations or it can choose to combine these evaluations with its evaluations
of compliance with legal requirements (see above), its management review process or other
evaluation processes.
The results of the periodic evaluations of compliance with legal or other requirements need to
be documented.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

9.2 Internal audit

9.2.1 General

Internal audits of an organization’s OH&S management system should be conducted at planned
intervals to determine and provide information to management on whether the system
conforms to planned arrangements and has been properly implemented and maintained. The
results can be used to identify opportunities for improving the organization’s OH&S
management system.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

9.2.2 Internal audit programme

The organization should establish an internal audit programme to direct the planning and
conduct of internal audits and to identify the audits needed to achieve the audit programme
objectives. The audit programme, and the frequency of internal audits, should be based on the
nature of the organization’s operations, in terms of its hazards, risks and opportunities that
need to be addressed, the results of previous internal and external audits, and other relevant
factors (e.g. changes affecting the organization, monitoring and measurement results and
previous emergency situations). Outsourced processes that have audit provisions as controls
should be considered in the planning of the audit programme.

The organization should determine the frequency of the internal audits. The audit programme
can, for example, cover one year or multiple years, and can consist of one or more audits. Each
internal audit need not cover the entire system, so long as the audit programme ensures that
all organizational units and functions, system elements and the full scope of the occupational
health & safety management system are audited periodically.

The internal audits should be planned and conducted by an objective and impartial auditor or
audit team, aided by technical expert(s), where appropriate, selected from within the
organization or from external sources. Their collective competence should be sufficient to
achieve the audit objective and to meet the scope of the particular audit and provide confidence
as to the degree of reliability that can be placed on the results.

The results of an internal audit can be provided in the form of a report as the basis for
verification and used to correct or prevent specific nonconformities, or to achieve one or
more audit programme objectives, and to provide input to the management review.

The organization should retain documented information as evidence of implementation of the
audit programme and the audit results.

NOTE Guidance on management system auditing is provided in ISO 19011.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

9.3 Management review

An organization’s top management should, at intervals that it determines, conduct a review of
its OH&S management system to evaluate the system’s continuing suitability, adequacy and
effectiveness.
The management review should cover consideration of status of actions from previous
management reviews and changes in internal and external issues relevant to the OH&S
management system including requirements, risks and opportunities, adequacy of resources
and opportunities for continual improvement.

It should also review trends in incidents and nonconformities, corrective actions and continual
improvement, monitoring and measurement results including from evaluation of compliance,
audit results and trends in consultation and participation of workers.
The output from management review should focus on decisions related to how to improve the
OH&S management system to better achieve its intended outcomes. Management reviews
should be retained as documented information and key results communicated to workers and
their representatives.
In planning for a management review, it is important to consider the key issues to focus on that may
be of higher importance for achieving the intended outcomes of the OH&S management system
and who needs to participate in discussions about these issues.
A management review can coincide with other management activities (e.g. board meetings,
operational meetings) or can be conducted as a separate activity. Management review can be
coordinated with the organization’s planning and budgeting cycle, and OH&S performance can
be evaluated during top management’s review of its overall business performance, so that
decisions on priorities and resources for the OH&S system are balanced with other business
priorities and resource needs.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

10 Improvement

Introductory clause text?

10.1 General

The organization should determine ways of improving its OH&S management system through
input from e.g.:
- monitoring, measurement, analysis and evaluation related to OH&S performance and
fulfilment of compliance obligations;
- audits of its occupational health & safety management system;
- management review;
- incident, nonconformity and corrective action.
In order to achieve the intended outcomes of the OH&S management system, the organization
should take actions necessary to address these identified opportunities for improvement,
including controlling and correcting nonconformity, and enhance its OH&S performance
through continual improvement of the suitability, adequacy and effectiveness of its OH&S
management system.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

10.2 Incident, nonconformity and corrective action

Incident investigation is an important tool for preventing reoccurrence of incidents and
identifying opportunities for improvements. It can also be used for raising the overall OH&S
awareness in the workplace.
The organization should have a process(es) for reporting, investigating and analysing incidents.
The purpose of this is to provide a structured, proportionate and timely approach for determining
and dealing with the underlying (root) cause(s) of the incident.
All incidents should be investigated. The organization should seek to prevent the
under-reporting of incidents. In determining the nature of the investigation, the resources needed, and
the priority to be given to investigation of an incident, account should be taken of:
— the actual outcome and consequences of the incident, and
— the frequency of such incidents and their potential consequences.
In developing those procedures, the organization should give consideration to the following:
— the need for a common understanding and acceptance of what constitutes an “incident” and
the benefits that can be gained from its investigation,
— that reporting should capture all types of incidents, including major and minor accidents,
emergencies, near-misses, instances of ill health and those that take place over a period of
time (e.g. exposure),
— the need to meet any legal requirements relating to the reporting and investigation of
incidents, e.g. maintenance of a register of accidents,
— defining the assignment of responsibilities and authorities for the reporting of incidents and
subsequent investigations,
— the need for immediate action to deal with imminent risks,
— the need for investigation to be impartial and objective,
— the need to focus on determining causal factors,
— the benefits of involving those with knowledge of the incident,
— defining the requirements for the conduct and recording of the various phases of the
investigation process, such as:
   - gathering facts and collecting evidence, in a timely manner,
   - analysing the results,
   - communicating the need for any identified corrective action and/or preventive
     action,
   - providing feedback into the processes for hazard identification, risk assessment,
     emergency response, OH&S performance measurement and monitoring and
     management review.
Those assigned to conduct incident investigations should be competent.
For an OH&S management system to be effective on an ongoing basis, an organization should
have a procedure(s) for identifying actual and potential nonconformities, making corrections
and taking corrective and preventive action, preferably preventing problems before they occur.
The organization can establish individual procedures to address corrective and preventive
action, or a single procedure to address both.
Nonconformity is a non-fulfilment of a requirement. A requirement can be stated in relation to
the OH&S management system or in terms of OH&S performance. Examples of issues that can
give rise to nonconformities include:
a) for OH&S management system performance
— failure of top management to demonstrate commitment,
— failure to establish OH&S objectives,
— failure to define responsibilities required by an OH&S management system, such as
responsibilities for achieving objectives,
— failure to periodically evaluate compliance with legal requirements,
— failure to meet training needs,
— documentation being out of date or being inappropriate,
— failure to carry out communications;
b) for OH&S performance
— failure to implement the planned programme to achieve improvement objectives,
— consistent failure to achieve performance improvement objectives,
— failure to meet legal or other requirements,
— failure to record incidents,
— failure to implement corrective action in a timely manner,
— consistent high rates of illness or injury that are not being addressed,
— deviations from OH&S procedures,
— introduction of new materials or processes without appropriate risk assessments being
conducted.
Inputs into corrective action and preventive action can be determined from the results of:
— periodic tests of emergency procedures,
— incident investigations,
— internal or external audits,
— the periodic evaluations of compliance,
— performance monitoring,
— maintenance activities,
— employee suggestion schemes and feedback from employee opinion/satisfaction surveys,
— exposure assessments.
Identification of nonconformities should be made part of individual responsibilities, with
individuals closest to the work being encouraged to report potential or actual problems.
Corrective actions are actions taken to eliminate the underlying (root) cause(s) of identified
nonconformity or incidents in order to prevent recurrence.
Once nonconformity is identified, it should be investigated to determine the cause(s), so that
corrective action can be focused on the appropriate part of the system. An organization should
consider what actions need to be taken to address the problem, and/or what changes need to be
made to correct the situation. The response and timing of such actions should be appropriate to
the nature and scale of the nonconformity and the OH&S risk.
Preventive actions are actions taken to eliminate the underlying (root) cause(s) of the potential
nonconformity or potential undesirable situations, in order to prevent occurrence.
When a potential problem is identified, but no actual nonconformity exists, preventive action
should be taken using a similar approach as for corrective action. Potential problems can be
identified using methods such as
extrapolating corrective action of actual nonconformities to other applicable areas where
similar activities occur, or hazard analysis.
The organization should ensure that:
— where new or changed hazards or the need for new or changed controls have been
determined, the proposed corrective or preventive actions will be taken through a risk
assessment, prior to implementation,
— corrective actions and preventive actions are implemented,
— the results of corrective action and preventive action are recorded and communicated,
— there is follow-up to review the effectiveness of the actions taken.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

10.3 Continual improvement

This clause in ISO 45001:2018 focuses on the importance of ensuring that the OH&S
management system leads to continual improvements and shows some of the key drivers of this
including:
- promotion of a culture in the organization that supports prevention of injury and ill
health as a core value;
- involvement of workers at all levels in improving the OH&S management system.
The organization should continually evaluate its OH&S management system and its
performance to identify how it can be improved. Top management should be involved directly
in this evaluation through the management review process.

How to implement these requirements?

Example 1

To be written.......

Example 2

To be written.......

Example 3

To be written.......

Annex A
(informative)

Annex title e.g. Example of a figure and a table

A.1 Clause title autonumber


Use subclauses if required e.g. A.1.1 or A.1.1.1. For example:

A.1.1 Subclause autonumber

A.1.1.1 Subclause autonumber

Type text.

Figure A.1 — Example

Table A.1 — Example
