The new international standard ISO 45001, Occupational Health and Safety Management Systems Requirements, is finally out. After 4.5 years of development the standard was published on March 12, 2018. But after understanding what's changed, how can OHS professionals pragmatically approach meeting the standard?
ISO 45001 provides a framework for managing OHS risks and opportunities, and takes into account other International Standards in this area such as OHSAS 18001, the International Labour Organization's ILO-OSH Guidelines, various national standards, and the ILO's international labour standards and conventions. It combines common elements found in all of ISO’s management systems standards, and is intended to be applicable to any organization worldwide regardless of its size, type and nature.
The standard aims to integrate the management of health and safety risk with the overall processes, goals and objectives of an organization. An organization’s management system should take occupational health and safety (OHS) policies and integrate these into the operation and culture of an organization’s daily activities. For example, having set processes and documentation for recording occupational injuries and illnesses (in line with the OSH Act in the US) would be an illustration of how OHS policies should be integrated into the everyday activities of an organization.
ISO 45001 is a more holistic take on OHS management
With any policy, top management takes the responsibility to clearly plan and implement the processes that will apply to every function within the business. As clause 6 ‘Planning’ of the standard states, OHS objectives and plans should be consistent with the policy, accounting for legal and other requirements, and should be measurable, monitored, communicated and up to date.
Worker participation is also at the core of this standard. Since every member of staff forms an integral part of the management system, one of the key aspects of this standard is to have health and safety play a part in everyone’s role.
ISO 45001 looks at health and safety from a holistic perspective, allowing the overall incorporation of health and safety in the organization’s management processes. In comparison to the previous OHSAS 18001, ISO 45001 takes a more proactive approach to risk control by emphasizing the correction of deficiencies and focuses more on improvement. According to the Chair of the Project Committee that developed the standard, David Smith;
The approach is risk-based Plan, Do, Do, Check, Act (PDCA) and is focussed on minimising the risk of harm in the workplace. David Smith, Chair of Project Committee ISO/PC 283
Does your OHS management system have to be ISO 45001 certified?
No, your OHS management software does not have to be ISO 45001 certified, and even if the vendor pays for it to be so, it does not mean that you will be using it in the same way that was assessed.
Assessing OHS software within its context
As the ISO 45001 5-step action plan reads, a business should first examine their current system before starting the implementation of a new one. The standard emphasizes the fact that every organization is different and so is, therefore, the context in which OHS management systems are used. Rather than mandating a certain set of functions, the standard concerns a software system's functionality and its ability to adapt to the specific scenario it is being utilized for.
Hence, ISO 45001 does not state specific criteria for OHS performance, nor is it prescriptive about the design of an OHS management system. Any kind of system can comply with the requirements of the standard, provided that it is shown to be appropriate for the organization and is effective.
However, certification can be a useful tool to add credibility by demonstrating that your product or service meets the expectations of your customers. For some industries, certification is a legal or contractual requirement. (ISO certification is a seal of approval from a 3rd party body that a company runs to one of the internationally recognised ISO management systems.)
OHS software as a piece of the puzzle
Although the software you use is a key enabler when it comes to ISO certification, there are other factors that need to be considered; such as the engagement of staff when it comes to a change in process, and ensuring senior management are committed to making change happen, e.g. knowing who within the organisation is going to provide budget if, say, new guard rails are needed to protect employees. The standard also requires evidence to demonstrate that top management is committed and accountable, and that the responsibilities and authorities for relevant roles have been clearly assigned and communicated throughout the organization (top-down emphasis).
The role of your software
To talk about your OHS software being ISO 45001 certified is somewhat missing the point. Software has its part, managing hazard observations, risk assessments and follow up actions but ISO 45001 takes a more holistic approach concerning the engagement of staff, leadership and culture. Admittedly, these elements can be further supported by flexible software, although OHS software is certainly not a panacea.
Furthermore, the ISO authors recognize that every organization is different, therefore they have not made the standard overly prescriptive – in other words, the standard does not contain any detailed specification that must be adhered to. For example, if you are currently using the Fishbone method for root cause analysis you will not need to swap this out for 5 Whys.
Not all OHS software is ISO 45001 certified, primarily for the reason that vendors recognize it is used in a different context per client. However, ISO 45001 does have a number of ramifications for all software systems. In no particular order, there are three elements for you, as an OHS professional to consider
1. Is your OHS software flexible?
Unsurprisingly, configurability is the number one buyer criteria in independent analyst firm Verdantix’ market research. Regardless of whether the solution is cloud based or hosted on internal servers, ISO 45001 agrees that your application needs to be flexible to meet your needs. Flexibility of your system makes it easier for an organization to meet the need to improve safety as and when required. This means being able to amend workflows, add or edit fields and drop-down lists, and change parameters when it comes to follow up actions and notifications.
Another area in terms of flexibility that is often missed is the flexibility of reporting. Be wary of software vendors that rely heavily on standard reports. Management Reporting, also known as Business Intelligence (BI), has gone through transformational change over the past couple of years making self -service reporting a reality. There are plenty of health and safety departments out there that prove this.
Pro-Sapien client LBC TT, an independent operator of midstream and downstream bulk liquid storage facilities for chemicals, oils and refined petroleum products, is using Excel Services to deliver their own OHS performance reports. This gives LBC full control over their data and allows the OHS department to amended real-time reports as and when required. (screenshot of a report)
A good vendor will work with you from the outset to provide tailored Business Intelligence and Key Performance Indicators (KPIs) that are aligned with the goals and objectives set out within your ISO 45001 framework.
2. Are you engaging your staff in the process?
One of the key principles of ISO 45001 is the engagement of staff in processes – there is not much point in engaging staff if the system cannot reflect the changes that you make. As a vendor we are keen to make our software meaningful for your users, so for every deployment we workshop our software with the client, bringing in various stakeholders before producing a specification.
On the point of engagement, ISO 45001 refers to ‘Context’: various OHS elements such as organisational culture, skillsets and safety critical processes. The standard promotes that staff are the best people to consult with when determining what health and safety strategies will be a good fit for the organisation and what won't, and your OHS software application needs to reflect this ability to engage.
3. Is your software and your vendor supportive of continuous improvement?
Another crucial element of ISO 45001 is continuous improvement. The OHS software you implement should support this, be it the management of training records and accreditations for staff, or creating follow up actions off the back of incidents and ensuring they have been completed on time.
In addition to the various processes, one should consider how your vendor will support you when it comes to continuous improvement that is perhaps out with the scope of your existing system. At Pro-Sapien, we build in a block of time to client agreements so that our customers are not limited to just support and maintenance of the solution at hand; they can also request amendments and changes to the system that are inevitable in the everchanging business environment of today.
Three points for your pragmatic approach to ISO 45001
In summary, when looking at ISO 45001, businesses should consider whether they benefit from the accreditation, i.e. if you’re looking to work with organizations that require this, or whether you should use the framework of the standard to improve health and safety without pursuing the lengthy and expensive process of getting certified. It is therefore essential to know the requirements of the new standard and examine your current OHS system to see what tools are available to you. This may be a good time to review the program.
Since ISO 45001 does not specify the type of OHS system organizations should use, the three elements we recommend you consider are:
- Configurability; your software must be flexible to meet your specific functional needs.
- Engagement with users; determining the type of system that fits the context of your organization's people and making it easy for them to use.
- Support and service; your software must facilitate continuous improvement, as must your vendor support and advise on your amendments.
Your software does not need to be ISO 45001 certified by the vendor for it to support you in meeting the standard, and the reverse is also true; just because the software is certified before you buy it, does not mean you will be operating at the standard's quality.
Crucially, the standards set out on March 12 do not stop with your software (as we have discussed). But by making sure your OHS management software is flexible, easy to use, and supportive of performance improvements, you're on the right, pragmatic path.