SHP asked Richard Green to explain the new health and safety standard, ISO 45001 and it means for occupational health and safety (OH&S) professionals and auditors.
Richard Green is head of technical services at IRCA, the leading professional body for management system auditors, which represents auditors in over 120 countries. He is a current serving member of the UK committee responsible for the preparation, review and amendment of British standards relating to OH&S, including ISO 45001.
Where has ISO 45001 come from?
ISO 45001 will replace BS OHSAS 18001 as the definitive occupational health and safety management system standard.
OHSAS 18001 was first published in 1999 to fill a gap where there was no international standard for OH&S. In recent years there has been a rapid increase in the use of OHSAS 18001 and recent surveys report that approximately 90,000 OH&S certifications have been awarded in over 127 countries.
In 2013, ISO approved the creation of a new project committee to transform OHSAS 18001 into an ISO standard, ISO 45001.
What’s the timeline for its development?
Development of all ISO management system standards follows an established process and sequence: working draft (WD), committee draft (CD), draft international standard (DIS), final draft (FDIS) followed by the standard’s publication.
The committee draft of ISO 45001 (ISO/CD 45001) was published in July for comment and ballot. Following feedback from the committee draft, we are expecting the DIS in April 2015. The FDIS should be published in June 2016, followed by the final ISO 45001 standard in October 2016.
These timings are only a rough guide, however. They can change depending on the amount of comments received.
What are the main changes from OHSAS 18001?
The stated purpose of ISO 45001 is “to enable an organisation to proactively improve its OH&S performance in preventing injury and ill-health”, whereas the purpose of OHSAS 18001 is “to enable an organisation to control its OH&S risks and improve its OH&S performance”. Some will argue that this puts more emphasis on seeking continual improvement, not only by addressing OH&S risks but also through other initiatives like health, education and training. Others may argue that this simply clarifies previous intent.
Familiar concepts and requirements in ISO 45001 include application of the Plan-Do-Check-Act model, setting policy, setting objectives, carrying out internal audits and management review. In many cases the current requirements have been carried over from OHSAS 18001.
ISO/CD 45001 does place more emphasis on risk management and ongoing assessment of risks and opportunities to prevent, or reduce, undesired effects. There is also a strengthening of the requirement to demonstrate and understand compliance status at all times.
One of the newer areas that ISO 45001 will focus on is the organisation’s ‘context’ (e.g. the environment in which it operates, including its supply chain and local communities). What evidence will auditors be seeking to establish satisfactory management in this area?
At the highest level there is no change in that the audit evidence assembled must provide objective evidence that the standard’s requirements are being met. It’s when we move into the detail that things get a little more interesting. In ISO 45001, context is defined by clauses 4.1 and 4.2.
Clause 4.1 requires the organisation to determine the external and internal issues that are relevant to its purpose and objectives, and that affect its ability to achieve the intended outcomes of its OH&S management system.
Clause 4.2 requires the organisation to determine the interested parties (stakeholders) that are relevant to its OH&S management system and the relevant interests of these interested parties.
The auditor must confirm that the organisation has determined both its internal and external issues, the relevant interests of interested parties and that it has considered the resultant information when determining the scope of its OH&S management system.
The standard does not prescribe a methodology for determining these things, nor does it specify what the outcome from the exercise should look like. What matters to the auditor is that the organisation can prove it has completed this task.
The auditor then needs to consider whether the result the organisation has arrived at is an appropriate reflection of their context.
This is where things could get interesting. For example, the auditor might believe that the organisation has not identified its internal and external issues correctly, and in order to challenge the organisation over context, the auditor will need to have a thorough and contemporary understanding of the sector in which the organisation operates, as well as its mode of operation. This means that in future, auditors will require a much higher level of research and planning before conducting audits.
Because the issues an organisation faces and the interests of relevant interested parties change through time, I would expect to see evidence that the organisation is revisiting its context periodically to ensure it remains up to date.
What about leadership?
The challenges around auditing leadership are different. The standard is clear in terms of what top management needs to do to evidence its commitment to the occupational health and safety management system.
Because these requirements are clear the auditor might assume it will be straightforward to assess these. But the challenge going forward is that organisations will have much greater freedom in how they wish to structure their systems and record evidence of compliance.
The OH&S manual, procedures and records have all been replaced by ‘documented information’, which can take almost any form and format that the organisation chooses.
As a result, the auditor is likely to be faced in the future with a wide variety of electronic and paper-based evidence sources which they will then need to interpret in order to determine compliance or otherwise. This may mean certain auditors will need to improve both their IT and analytical skills.
The second challenge for auditors is an interpersonal one. Top management means those at the highest level of the organisation such as the CEO and board – not the OH&S manager. As there are requirements now that cannot be delegated, top management will need to become accustomed to being audited and auditors will need to become accustomed to auditing them.
Not all auditors will feel comfortable with this. Indeed, in some cultures the notion of challenging top management is completely alien. Auditors will need to learn to speak the language of the boardroom, and be able to converse with top management over context, objectives, strategy and risk. IRCA recognises that some may struggle to make this step up, which is why we are mandating transition training for auditors who will be impacted by the release of ISO 45001.
What is IRCA’s involvement with this health and safety standard?
IRCA runs an OH&S certification scheme for individual auditors, and also certifies OH&S auditor training courses run by external training providers.
Our individual auditor scheme is based on OHSAS 18001 and tests individuals’ ability to audit against this standard.
We have seen growing demand for our OH&S auditor training courses, which are based on OHSAS 18001. All of our training providers will need to revise their courses when ISO 45001 is released.
What are IRCA’s plans for updating and testing auditor competence for auditing to the new ISO 45001 standard?
Whenever a standard changes the first step is for IRCA to fully assess the revised requirements. This allows us to make an informed judgement as to whether auditors simply need to acquire new knowledge or whether they must also acquire new skills.
If we conclude that new knowledge alone is sufficient, then we would typically require the auditor to undertake a prescribed amount of continuous professional development (CPD).
In those instances where the changes are more significant, however, requiring the auditor to also improve their existing skills and expertise, we will mandate transition training. In these instances, registered auditors are required to attend an IRCA-approved transition training course within a prescribed period of time in order to maintain their registrations.
Although we won’t see the final version of ISO 45001:2016 for some time we can already say with certainty that this revision will be significant. It will require auditors to use new evidence sources, to understand and assess organisational context and to be comfortable with challenging top management. It will also require changes to be made to the way audits are planned, conducted and reported.
As a result, we have decided to mandate a 1.5-day transition training course for all IRCA OH&S management system auditors. The details of this will not be finalized until the contents of the FDIS are known – expected in mid-2016.
At FDIS stage, we will also revise our core OH&S auditor training courses, along with our associated examination papers.
What does the new standard mean for organisations and OH&S professionals?
By the time ISO 45001 is published in 2016 the new concepts will, for many organisations and individuals, be tried and tested because they also appear in the updated quality management system (ISO 9001) and environmental management system (ISO 14001) standards due to be released in 2015.
Organisations operating quality, environment and OH&S management systems will have a unique opportunity to align and integrate these three, if they wish.
Organisations and OH&S professionals should be aware that at this committee draft stage, technical changes may still occur. I would therefore recommend that while you can make preparations, significant changes shouldn’t be implemented until the final draft international standard is issued.
For more information visit www.irca.org