Set to replace OHSAS 18001 by 2021, ISO 45001 is proving a real hit with organizations wishing to continuously improve and enhance their occupational health and safety practices. One year after its publication, however, the way in which certain requirements are taken into account is raising questions. Here is our feedback and advice.
ISO 45001: a reference framework for health and safety in the workplace
The ISO 45001 international standard on occupational safety and health (OSH) management systems was published in March 2018. It provides a framework for all organizations wishing to improve their OHS performance. Structured, like the ISO 9001 and ISO 14001 standards, around ten chapters, it enables companies to gradually deploy an organization and practices designed to limit workplace accidents and occupational illnesses and to promote employee well-being.
This standard deliberately places workers at the heart of the risk prevention process, notably by requiring extensive consultation of workers and their representatives, as well as their participation in the implementation, performance assessment and improvement actions of the OHS management system.
ISO 45001 is also different from other EHS standards (ILO-OSH, OHSAS 18001, etc.) in that it requires much greater involvement and commitment on the part of management, with the need to define internal and external issues, risks and opportunities, and to identify the expectations of interested parties. In this way, health and safety are no longer the sole concern of EHS specialists, but become an integral part of the management of the plant's activities.
ISO 45001: a year after its publication, questions remain
Since the publication of ISO 45001 just over a year ago, many companies have begun the certification process. However, there are still a number of questions to be answered when it comes to taking certain requirements into account. Here's our assessment and advice.
6.1: actions to address risks and opportunities
According to ISO 45001, "when determining the risks and opportunities that need to be taken into account for the OHS management system and its expected results, the organization shall in particular take into account legal and other requirements".
Remember: legal and other requirements can be taken into account by keeping a close eye on European directives, and also on applicable requirements with a deferred application date.
6.1.2.2: assessment of other OHS management system risks
In addition to the assessment of OHS risks, ISO 45001 involves "identifying and assessing other risks associated with the establishment, implementation, operation and maintenance of the OHS management system".
What are these other risks, and how do we meet this requirement? Is it during the management review, when management reviews the OHS management system to ensure that it is still appropriate, adequate and effective? A system evaluation grid setting out rating criteria could be used to meet this requirement and assess risks such as an inadequate audit program, lack of ATEX expertise, etc.
As this point 6.1.2.2 is written in the Planning chapter, it is not a tool for reaction or improvement, but rather for prevention.
Can these other risks be linked to the organization's context, i.e. its issues, stakeholders and field of application? If so, isn't there any redundancy between requirements 4.1 (understanding the organization and its context), 4.2 (understanding the needs and expectations of workers and other interested parties) and 4.3 (determining the scope of application)? This would appear to be the case.
Please note: the processing of requirements 4.1, 4.2, 4.3 and 9.3 (management review) enables us to meet requirement 6.1.2.2. Other risks linked to the OHS management system may, for example, be: insufficient resources due to the need to mobilize them to respond to the implementation of a new production line, the introduction of a new EDM tool, etc.
6.1.3: process for determining legal and other requirements
ISO 45001 implies that "the organization shall establish, implement and maintain a process for determining the updated legal and other requirements that are applicable to its hazards and risks". This requirement calls for the creation of a "process", as is the case in the other chapters.
How should we understand this notion of process? Is it necessary, as was the case in ISO 14001 version 2004, to establish and maintain a procedure? To meet this requirement, the organization can establish a procedure, a process (a set of correlated or interacting activities that transforms inputs into outputs) or a diagram describing the activity of determining legal and other requirements. Documented information must be kept as evidence of the conformity assessment result(s).
Remember: an effective response could involve the deployment of an application to identify compliance obligations and assess the organization's compliance with them, as well as the implementation of a communication plan to comply with ISO 45001, which "asks you to determine what you need to communicate about".
8.1.4.2: controlling risks related to external contractors
ISO 45001 includes the obligation to take into account and control OHS risks and hazards associated with external parties: subcontractors and suppliers. The standard stipulates that "the organization shall coordinate its procurement of goods and services with its external stakeholders, to identify hazards and to assess and control OHS risks arising from the activities and operations of external stakeholders affecting the organization. The organization shall ensure that the requirements of its OHS management system are fulfilled by external parties and their workers".
Unlike ISO 14001, ISO 45001 does not include the notion of influence. Which subcontractors and suppliers should be included? Suppliers of rank n, n+1, n+2, n+3...? According to what OHS performance criteria? How can we check that the criteria have been met?
Remember: determining which suppliers to take into account involves characterizing the organization's influence on suppliers who have an impact on the organization.