Blog ISO45001: Ten Steps to Certification

Step 1 – Project implementation

The first step before implementation is to ascertain that it will benefit the business.  This will require engaging with senior management to get their support. Without this support, implementing and embedding the management system will fail.

Next is to carry out a review of your business’s scope that is relevant to standard’s requirements. This can be done by undertaking a gap assessment of those areas to see what you already have in place and more importantly what is missing.

Using the results of the gap assessment develop an implementation project plan. This should be built around the requirements of the OHASMS standard.

All these actions will undoubtedly make the staff realise that something is happening, so let the staff know what is going on.  You can do this by delivering a number of overview presentations to let everyone in the business know and understand why you are implementing an OHASMS, the benefits and their role within it.

Step 2 - Scope, context and interested parties

Depending on the type of business you are running, you will need to decide what areas the Occupational Health and Safety Management System will cover. This is the scope of the management system.  It covers:

• The business’s functions
• Physical boundaries
• Products, services, and activities which will be covered by the OHASMS requirements

This should be clearly defined and documented as a factual statement.

One of the early requirements of the standard is identifying those interested parties that have an affect upon the management system. The obvious interested party are your employees, but others may include:

• Customers and clients
• Regulatory authorities (HSE/HSA)
• Suppliers, contractors, and subcontractors
• Insurers
• Local community and neighbours

In the UK, the HSE and HSA, as included in the list above, have legal and regulatory requirements that need to be maintained and documented. There are similar bodies in other countries and these need to be part of your interested parties.

Once this has been done it must be documented. All the information identified during this process must be maintained within a file, or part of the OHASMS manual as applicable.

Step 3 - OHASMS policy and roles, responsibilities, and authorities

As with most ISO management standards, clause 5 (Leadership) places emphasis on the responsibility of the executive management.  Auditors will want to see evidence that executive management are playing an active role. Not just during implementation, but throughout the lifetime of the OHASMS.

One important aspect of this involvement is to establish and document an OHAS Policy.  The policy should be based upon the results of your OHAS gap assessment, which will have identified key issues that apply to your business. The OHAS policy can include:

• Commitment to communicate your business’ OHAS aims and objectives to all staff, customers, and relevant interested parties
• Compliance to statutory, regulatory and ISO standard requirements
• Educate and train staff in OHAS issues
• Commitment to continually improve your OHAS performance

The policy must be aligned to your business’ direction and goals. When finalised and signed off by the executive management, it must be distributed to all areas of the business and to those interested parties that are relevant.

The standard also requires that the executive management ensures that roles, with their relevant responsibilities and authorities, are assigned to competent staff within the business. Once these positions are identified and filled, they must be communicated throughout the business and documented.

These positions would include, but not limited to:

• OHAS Manager
• Fire warden
• First aider
• OHAS administrator

The OHASMS must have a clear organizational structure, and this can be linked with a corresponding responsibility matrix.

It is the responsibility of those staff assigned to roles within the OHASMS to ensure that the management system conforms to the requirements of the standard. This includes reporting on the performance of the OHASMS to the executive management as required.

An important aspect of the ISO45001 standard is the consultation and participation of the workers. This is a continuous process of consultation with all members of the staff. It is effectively a two-way process between management and staff where health and safety matters are discussed, and to share ideas, views and information.  Using this information management can make clearer decisions on health and safety matters within the business.

Step 4 - OHASMS hazards, risks, opportunities, and OHAS objectives

The purpose of the OHASMS is to eliminate hazards where possible, reduce the risk of accidents within the workspace and identify opportunities to enhance the OHAS. Therefore you need to identify what hazards, risks and opportunities are there.

This is done through a process of hazard and risk identification and assessment. There are many ways to do this, but they all result in a list of hazards and potential identified risks or opportunities to eliminate risks and increase safety.

Once these have been identified, then you need to plan how you are going to deal with each.  Again this is a process that will be carried out, and there are many ways that it can be done.  The outcome will be a hazard log and risk/opportunity log, which will ‘catalogue’ each along with the relevant actions to reduce, eliminate or exploit them.

This is also the time to identify and set OHAS objectives.  These objectives should be SMART, aligned to your OHAS policy and aim to enhance the efficiency of the OHASMS.  OHAS objectives can have a direct effect on the safety and welfare of your staff.  Once these objectives have been set, they must be:

• Communicated within the business and to interested parties as required
• Monitored and updated or amended as necessary

The planning of objectives must include how they will be achieved. So, prior to finalising objectives, ensure that there is a clear statement on:

• What will be done
• What resources are needed
• Who is responsible for the objective(s)
• When it will be completed
• How it will be measured and evaluated
• How the actions will be integrated in your business processes

Step 5 – OHASMS support

In order for the OHASMS to run effectively and achieve its desired outcomes, the right people with the right skillsets must be in the right roles.  As mentioned in Step 3, the standard requires that the business has identified the relevant roles, associated responsibilities and competency levels for staff involved within the business’ OHASMS. The business must also ensure that the equipment or infrastructure needed to support the OHASMS is capable and in sufficient supply.

Your OHAS staff may not the have the necessary skills or competencies identified for the role assigned to them. So, a training programme should be setup to develop these staff members.  This will need to be documented, as an auditor may want to see evidence of this.

There is also a requirement to put into place an awareness programme for all staff, not just OHASMS staff. This was mentioned at the start of this blog.  By involving staff, (remember in Step 3, workers consultation), as much as possible and delivering a series of awareness meetings, it will reduce the resistance to implementing and embedding the OHAS. However, as the OHASMS matures, and for new staff joining, continued awareness training is required, especially if there are changes being made that could affect them, or their actions during an incident.

To ensure that policies, processes, procedures and plans in your OHASMS are understood and used effectively they will need to be communicated across the business to the relevant areas and people.

A communication plan can be defined which would include:

• What needs to be communicated
• When it needs to be communicated
• To whom it needs to be communicated to
• What are the processes for communication
• Who is responsible for communication

This needs to be documented in the form of a table or procedure.

Step 6 - Documented information

You need to establish a procedure for the creation, numbering, reviewing, updating, archiving and eventual deletion of all documented information within the OHASMS, this includes all forms and checklists etc.

One person or a small team should be identified to be responsible for ensuring that document control is maintained. They would ensure that any new, modified, archived or deleted documents are correctly documented as required, reviewed prior to issue, and more importantly stored in the right locations.  They would also be responsible for ensuring that superseded documents are removed from circulation and version control.

Documented information pertains to all processes, procedures, plans, forms, and reports that are associated to the OHASMS. These can be in any media, such as paper, electronic, jpeg etc. However, they must all follow the numbering system as defined in your documented information procedure.

Step 7 – Operational

All the required controls and processes identified and documented need to be rolled out across the business too.  Having a schedule to work to will help the roll out and put the procedures and controls in place in a logical order.

With all the changes coming online, a process needs to be established to control those changes. The ISO45001 standard requires that the business has this process to control any planned permanent or temporary changes. These could include, but not limited to:

• Changes in work conditions
• Working procedures and practices
• Staffing and personnel
• Machinery
• Standards and regulations (including legal requirement changes)
• New technology

Another process that must be implemented is for product procurement. This is to ensure that new equipment that your staff will be using has been verified against:

• Risk assessments carried out prior to purchase and placement
• Fits within the legal requirements that are mandatory or regulatory to the business’s activities
• Has the technical specification and instructions supplied

Other areas to be considered is the use of contractors and subcontractors on your site(s). A process to verify that the contractor(s) can carry out their roles by checking their:

• Qualifications, competencies and work experience
• Their equipment is in date, calibrated etc.
• Any relevant health and safety records

A process for the induction of contractors into your OHAS requirements, use of PPE (where necessary), legal requirements and emergency procedures, followed by an acknowledgement in the form of a signed statement by each contractor to say the have read and understood them should be implemented.

This brings us nicely to emergency procedures.  You’ve identified hazards and potential risks, defined and implemented controls to mitigate or reduce the risk of incidents from them, however, we need to prepare for incidents arising from them.

An emergency procedure needs to be defined and documented for each identified risk. Once documented they need to be tested to ensure that they actually are fit for purpose. Depending upon the risk, this could be a table top exercise or a full blown ‘feet on the ground’ exercise. But each emergency needs to be exercised on a regular basis, so a schedule needs to be created and adhered to.  By exercising the emergency procedures, you will be able to identify areas missed, additional resources that would be required, any outside assistance that would need to be notified, i.e., fire brigade, ambulance, HSE, etc.

All exercises need to be documented, as an auditor may want to see evidence that they have been carried out.

Step 8 - Performance review

Prior to certification it is vital to check that the OHASMS is effective and ensure it meets its intended outcomes.  This is done through completing some of the scheduled emergency exercise scenarios, review of documented information, internal audits, and management review meetings.

Throughout the lifetime of your management system you will need to carryout internal audits. This can be carried out by your own staff or outsourced to another company, this is known as a 2^nd party audit.

If you decide to have your own auditors, then you will require at least two auditors. This is because an auditor cannot audit themselves. They should attend an audit workshop on how to conduct an audit on the required standard. They don’t need to be experts in every aspect of your business, but will be expected to be able to identify, through evidence gathered during an audit, if the requirements of the OHASMS are being met.

A series of internal audits should cover all areas within the scope of the OHASMS over a 12-month period. Results of the internal audits are one of the inputs to the management review meeting.

Any nonconformities identified during internal audits must be followed-up to check that corrective actions agreed have been implemented and whether they have achieved their intended solutions.

A management review meeting of the OHASMS should be conducted at least twice a year for a business newly certified. This will allow executive management to check that objectives are going to meet their goals, any nonconformities found during internal audits have been closed, and that emergency procedure exercises have taken place. If any of these areas are up to requirements, then there is 6 months to get them sorted before the surveillance audit.

Within the standard itself there is a list of the required areas to be reviewed. These include:

• Changes in external and internal issues that are relevant to your OHAS
• OHAS policy and objectives
• Resources for the OHAS
• Opportunities for continual improvement

There are other areas, and it is a good idea to purchase a copy of the ISO45001:2018 standard so you are aware of what is needed.

Minutes of the management review must be kept as this is part of the evidence an auditor will review to ensure that you are compliant in that area of the standard.

Step 9 - Update gap assessment plans and actions

Having completed the management review meeting you should be well placed to decide if you are ready for certification.  To help do this review your initial gap assessment to check that all the identified noncompliant and partially compliant areas have been checked off.  Any that are still outstanding need to be addressed as soon as possible and before certification takes place.

Designate a member of staff to be responsible for closing outstanding actions in their relevant departments. Don’t forget to set realistic timelines for their closure and allow for assessment of the ‘fix’.

In some circumstances, if you have a noncompliance still outstanding, but an action plan in place and being actively employed, the certification auditor could note that for review at the next audit.

Take a final check of the ISO45001 implementation plan and update as necessary.

Step 10 - Plan your certification needs

If you haven’t already got a certification body in mind, now is the time to do some research to find a suitable certification body. These are the people who will audit you against the requirements of the standard and can award you certification.

During your research get quotes and timelines from several potential certification bodies. Although they all serve the same purpose, they all have different costings, so shop around. The most expensive may not be the best choice for your business.

Leave enough time before the certification audit to do an in-house pre-certification audit.  This is a final sweep to pick-up any overlooked areas and to also satisfy yourself that everything is in place.

A final thought, any management system takes time to implement and embed. Don’t expect to be certificated within 3 or 4 months of starting implementation. You are setting yourself up to have a OHASMS that will not fulfil the reason for its implementation.  Allow 6-12 months to fully implement and embed the OHASMS. At the end of the day a well implemented and embedded OHASMS will enhance your OHAS responsibilities, help prevent injury, potentially save lives,  save you time and money, and allow you to recover from an incident quickly and efficiently.

Written by Ted Spiller, CertiKit’s Compliance Consultant. Ted is an expert in many ISO management systems; he is a Lead Auditor for ISO9001 and ISO14001, and an Auditor for ISO45001 and ISO22301.

More ISO45001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO45001:2018 standard, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free ISO45001 Resources