Embed Size (px)
Citation preview
OHSAS Project Group
Implementation Guidance for migrating from
OHSAS 18001:2007 to ISO 45001:2018
CONTENTS
1.0 INTRODUCTION
2.0 BACKGROUND ON ISO 45001 DEVELOPMENT PROCESS
3.0 USER GROUPS
4.0 IMPLEMENTATION GUIDANCE
4.1 GENERIC GUIDANCE
4.2 SPECIFIC GUIDANCE TO USER GROUPS
5.0 FREQUENTLY ASKED QUESTIONS
6.0 AUTHENTICITY OF INFORMATION REGARDING ISO 45001
1 Version: Rev 1
1. INTRODUCTION
This Implementation Guidance has been developed to assist users in understanding the issues that need to be considered when moving towards using ISO 45001.
A wide diffusion of this implementation guidance is recommended, in particular the comparison tables between OHSAS 18001:2007 and ISO 45001:2018. These show the correspondence between the clauses of the standards and can be found in Annex A at the end of this paper.
The development of ISO 45001 introduces a new 10 clause structure, several new requirements and new terms. Users will need to plan how to incorporate these changes into their occupational health and safety management system (OHSMS).
Additional information and guidance from ISO and its Project Committee 283 (ISO/PC 283) on ISO 45001 can be found on its web site at: https://committee.iso.org/pc283
2. BACKGROUND TO THE ISO 45001 DEVELOPMENT PROCESS
Prior to the development of a management system standard in ISO, a “Justification Study” is prepared to present a case for the proposed project. In relation to the development of ISO 45001 user needs were identified from the following:
a) The demands from users for the requirements of management system standards to be better aligned, to enable “integration” into their organization’s management systems.
This led to the development by ISO of a “High Level Structure” (often referred to as “Annex SL”) which provides a common clause sequence (structure), text, terms and definitions for its management system standards. This “High Level Structure” has been applied during the development of ISO 45001.
b) The OHSAS Project Group’s 2011 Survey of standards and certificates, which showed there are now more than 90000 certificates issued in 127 countries and the need for an ISO International Standard for this discipline.
The Justification Study identified that ISO 45001 would need to:1) enable organizations to provide safe and healthy working environments2) be generic and relevant to all types and sizes of organizations, operating in any sector, and be
able to accommodate diverse geographical, cultural and social conditions.3) be capable of being applied to the widest possible range of organizations with varying
degrees of maturity of their OHSMS4) specify the essential components of an OHSMS 5) enable organizations to demonstrate conformity to the requirements6) enable organizations to identity, assess and control their OH&S risks and improve their OH&S
performance7) align with other management system standards (in particular ISO 14001 for environmental
management systems).
2 Version: Rev 1
The expected benefits identified for ISO 45001:2018 include:I. Provides clarity on OHSMS issuesII. Enhanced leadership involvement and worker participation in the OHSMS III. Risk-based thinking for the OHSMS, as well as for OH&S risksIV. Alignment of the OH&S policy and objectives with the strategic direction of the organizationV. Integration of the OHSMS into the business processes of the organizationVI. Simplified language, common structure and terms
3. USER GROUPS
3.1 Individual organizations using OHSAS 18001
a) Current Users of OHSAS 18001This user group is defined as having completed, or being in the process of, implementing OHSAS 18001, regardless of whether they are certified or not, or whether they intend to be certified or not.
b) New Users A New User is defined as an organisation that is either beginning to use OHSAS 18001 or ISO 45001:2018 for the first time, or is a potential user of the standards in the future.
3.2 Other user groups
These are defined as being:a) National Standards Bodies (NSBs)b) Accreditation Bodies (ABs)c) Certification/Registration Bodies (CB/RBs)d) Trainers and Consultantse) Legislative or Regulatory Bodies
4. IMPLEMENTATION GUIDANCE
4.1 Generic guidance
All users groups are strongly advised to note the IAF’s Mandatory Document IAF MD 21: Requirements on the Migration to ISO 45001:2018 from OHSAS 18001:2007 (see: http://www.iaf.nu/upFiles/IAFMD21MigrationtoISO450012018Pub.pdf) for implementation of accredited certification to ISO 45001:2018, which details the agreed implementation plan for accredited certification, as follows:
a) Accredited certification to ISO 45001:2018 shall not be granted until the publication of ISO 45001:2018 as an International Standard.
Accredited certification of conformity to ISO 45001:2018 and/or national equivalents shall only be issued after the official publication of ISO 45001:2018 (currently targeted for 1st quarter of 2018), by an accredited certification body, and after a certification audit against ISO 45001:2018.
3 Version: Rev 1
b) Validity of certifications to OHSAS 18001:2007
OHSAS 18001:2007 certifications will not be valid after three years from publication of ISO 45001:2018.
The expiry date of certifications to OHSAS 18001:2007 issued during the migration period needs to correspond to the end of the three year migration period.
Timeline Dec 2017 / Jan 2018 Mar 2018 Mar 20213 year migration period
OHSAS 18001:2007
ISO45001:2018 FDIS ballot Publication ofInternational Standard
National Standards Bodies Translation Release of national standardAccreditation Bodies Accreditation update transition AccreditationCertification Bodies Certification update transition ISO 45001:2018 certificationTrainersAuditor Upgrade Certification update transitionCertified Organizations Certification update transition
KeyPreparation Commencement/
continuationEnd
Figure 1 - Implementation timetable for ISO 45001:2018, for all user groups
To benefit from the changes introduced into ISO 45001:2018, users (from all user groups) should note the recommendations given below. Recommendations for specific user groups are given in section 4.2 further down.
1) To get acquainted with the new edition of the standard use the following resources: Guidance available at https://committee.iso.org/pc283 The correspondence matrices between OHSAS 18001:2008 and ISO 45001:2018,
which provides a before and after view of the clauses (see Annex A below)
2) Determine the impact of the changes of the new version on your current use of OHSAS 18001 and plan any necessary remedial actions.
3) Use the Plan-Do-Check-Act (PDCA) methodology to manage the implementation. Note that the actions may need to vary according to your user group (see 4.2 below).
4.2 Guidance for specific user groups These recommendations complement the generic guidance to all user groups given in section 3.0 above.
4.2.1 Organizations using OHSAS 18001:2007
a) Current usersOrganisations that are already certified to OHSAS 18001:2007 should contact their certification/registration bodies (CB/RB) to agree a program for analysing the clarifications in ISO 45001:2018 in relation to their individual OHSMS and for upgrading their certificates.
4 Version: Rev 1
Certified organizations should bear in mind that OHSAS 18001:2007 certificates have the same status as new ISO 45001:2018 certificates during the co-existence period.
Organizations in the process of certification to OHSAS 18001:2008 should change to using ISO 45001:2018 and apply for certification to it (however, if your organization is nearing completion of its certification process, then it may be preferable for your organization to complete its certification to OHSAS 18001, and then look at converting to using ISO 45001).
b) New usersNew users should start by using ISO 45001:2018.
Note: Unaccredited certifications do not have the same status as accredited certifications, and organizations with unaccredited OHSAS 18001 certifications may require additional audit time in order to achieve accredited certification to ISO 45001.
4.2.2 National Standards Bodies
Information regarding ISO 45001 should be communicated to potential users by the national standards bodies (NSBs), in a timely manner. It is recommended that NSB actions be synchronized with the information flows from ISO, ISO/PC 283, the OHSAS Project Group and the IAF.
NSBs may find they are responsible, at a national level, for communicating the issues regarding the changes from OHSAS 18001:2007 to ISO 45001 to all interested parties. It is recommended that they coordinate their communications regarding these issues with other local interested parties (for example: ABs, CB/RBs, professional OH&S associations, etc.).
Translation Issues – Where NSBs need to provide translations of the standard into their own national languages, it is recommended that they start this as early as possible.
NSBs encountering any interpretation problems in the preparation of their translations of ISO 45001 should contact the ISO/PC 283 Secretariat for assistance.
4.2.3 Accreditation Bodies
ABs should refer to the IAF’s Mandatory Document IAF MD 21: Requirements on the Migration to ISO 45001:2018 from OHSAS 18001:2007 for the implementation of accredited certification to ISO 45001:2018 (see 4.1 above).
AB’s should be reminded that they can only grant accreditation for certification to ISO 45001:2018 after the official publication of the standard.
AB’s should train their assessors and verify their competence to assess CB’s providing ISO 45001:2018 certifications.
5 Version: Rev 1
4.2.4 Certification Bodies
CBs should refer to the IAF’s Mandatory Document IAF MD 21: Requirements on the Migration to ISO 45001:2018 from OHSAS 18001:2007 for the implementation of accredited certification to ISO 45001:2018 (see 4.1 above).
CBs should remember that certificates of conformity to ISO 45001:2018 and/or its national equivalent adoptions can only be issued after the official publication of the standard.
Prior to allowing their auditors to conduct audits against ISO 45001, it is important that accredited certification bodies ensure that their auditors are aware of:
the changes introduced in ISO 45001:2018 compared to OHSAS 18001, and their implications
the requirements of ISO/IEC TS 17021-10 Conformity assessment -- Requirements for bodies providing audit and certification of management systems -- Part 10: Competence requirements for auditing and certification of occupational health and safety management systems (The TS is due to be published concurrently with ISO 45001)
It is also important that other CB personnel (for example, those making certification decisions) are aware of the changes in ISO 45001:2018 compared to OHSAS 18001, and their implications.
4.2.5 Training Bodies and Consultants
All trainers and consultants should be aware of the changes introduced by ISO 45001:2018. All training bodies and consultants are recommended to determine the need for updating training programs and documentation, or any other changes necessary, to the services they provide.
4.2.6 Legislative or Regulatory Bodies
Where legislative or regulatory bodies have referenced or adopted OHSAS 18001 in their legislation or regulations or other communications, they should review ISO 45001 to determine if it is acceptable as an alternative. In the longer term, the legislation/regulations/ communications may need to be updated to reference or adopt ISO 45001. Until such updating occurs, it is recommended that the legislative or regulatory bodies should issue a communique to advise that they will accept ISO 45001 in place of OHSAS 18001.
5.0 FREQUENTLY ASKED QUESTIONS
While this Implementation Guidance provides recommendations on a number of issues facing the different user groups during the co-existence period, it does not address more general questions about ISO 45001. Instead ISO/PC 283 is preparing a set of frequently asked questions (FAQs) to provide such advice.
It is expected that the FAQs will be updated on a more regular basis than this Implementation Guidance. For the latest version of the FAQs, reference should be made to the open access web site at https://committee.iso.org/pc283
6 Version: Rev 1
6.0 AUTHENTICITY OF INFORMATION REGARDING ISO 45001:2018
The first point of contact for information regarding the requirements of ISO 45001:2018 should be your National Standards Body (for a listing of ISO’s member National Standards Bodies, see www.iso.org/members.htm).
Other recommended sources of information are:
• ISO’s web site www.iso.org provides gener al information regarding the ISO 45001:2018 development programme (as well as details of its member National Standards Bodies).
• ISO has a microsite dedicated to ISO 45001 at: https://spotlight.iso.org/iso45001
• The ISO/PC 283 web site, https://committee.iso.org/pc283 , provides detailed information on the ISO 45001 development programme and is updated on a regular basis.
7 Version: Rev 1
Annex A
Correspondence between OHSAS 18001:2007 and ISO 45001
Users should note that there will not be full correspondence between the requirements of the two standards on an equivalent topic, and that the following tables are an approximation only.
Table A.1 - Correspondence between ISO 45001 and OHSAS 18001:2007ISO 45001 OHSAS 18001:2007
Context of the organization (title only) 4 - New requirement[see also 4.6 h) in Management review]
Understanding the organization and its context
4.1 - New requirement[see also 4.6 h) in Management review]
Understanding the needs and expectations of workers and other interested parties
4.2 4.4.3.2 Participation and consultation (in part)[see also 4.6 b) and c) in Management review]
Determining the scope of the OH&S management system
4.3 4.1 General requirements (in part)
OH&S management system 4.4 44.1
Management systemGeneral requirements
Leadership and worker participation (title only)
5 4.4.3 Communication, participation and consultation (title only)
Leadership and commitment 5.1 4.4.1 Resources, roles, responsibility, accountability and authority
OH&S Policy 5.2 4.2 OH&S policyOrganizational roles, responsibilities
and authorities5.3 4.4.1 Resources, roles, responsibility,
accountability and authorityConsultation and participation of
workers5.4 4.4.3.2 Participation and consultation
Planning (title only) 6 4.3 Planning (title only)Actions to address risks and
opportunities (title only)6.1 4.1
4.3.1General requirementsHazard identification, risk assessment and
determining controlsGeneral 6.1.1 4.4.6 Operational ControlHazard identification and assessment
of risks and opportunities (title only)
6.1.2 4.3.1 Hazard identification, risk assessment anddetermining controls
Hazard identification 6.1.2.1
4.3.1 Hazard identification, risk assessment anddetermining controls
Assessment of OH&S risks and other risks to the OH&S management system
6.1.2.2
4.3.1 Hazard identification, risk assessment anddetermining controls
Identification of OH&S opportunities and other opportunities to the OH&S management system
6.1.2.3
- New Requirement
Determination of legal requirements and other requirements
6.1.3 4.3.2 Legal and other requirements
Planning action 6.1.4 4.4.6 Operational ControlOH&S objectives and planning to
achieve them (title only)6.2 4.3.3 Objectives and programme(s)
OH&S objectives 6.2.1 4.3.3 Objectives and programme(s)Planning to achieve OH&S objectives 6.2.2 4.3.3 Objectives and programme(s)Support (title only) 7 4.4 Implementation and operation (title only)Resources 7.1 4.4.1 Resources, roles, responsibility,
accountability and authority
8 Version: Rev 1
Competence 7.2 4.4.2 Competence, training and awarenessAwareness 7.3 4.4.2 Competence, training and awarenessCommunication 7.4 4.4.3.1 CommunicationGeneral 7.4.1 4.4.3.1 CommunicationInternal communication 7.4.2 4.4.3.1 CommunicationExternal communication 7.4.3 4.4.3.1 CommunicationDocumented information (title only) 7.5 4.4.4
4.5.4DocumentationControl of records
General 7.5.1 4.4.44.5.4
DocumentationControl of records
Creating and updating 7.5.2 4.4.54.5.4
Control of documentsControl of records
Control of documented information 7.5.3 4.4.54.5.4
Control of documentsControl of records
Operation (title only) 8 4.4 Implementation and operation (title only)Operational planning and control (title
only)8.1 4.4.6 Operational control
General 8.1.1 4.4.6 Operational controlEliminating hazards and reducing OH&S
risks8.1.2 4.3.1
4.4.6
Hazard identification, risk assessment anddetermining controlsOperational control
Management of change 8.1.3 4.3.1
4.4.6
Hazard identification, risk assessment anddetermining controlsOperational control
Procurement (title only) 8.1.4 4.4.6 Operational controlGeneral 8.1.4.
14.4.6 Operational control
Contractors 8.1.4.2
4.3.1
4.4.3.14.4.3.24.4.6
Hazard identification, risk assessment anddetermining controlsCommunicationParticipation and consultationOperational control
Outsourcing 8.1.4.3
4.3.24.4.3.14.4.6
Legal and other requirementsCommunicationOperational control
Emergency preparedness and response 8.2 4.4.7 Emergency preparedness and responsePerformance evaluation (title only) 9 4.5 Checking (title only)Monitoring, measurement, analysis and
performance evaluation (title only)9.1 4.5.1 Performance measurement and
monitoringGeneral 9.1.1 4.5.1 Performance measurement and
monitoringEvaluation of compliance 9.1.2 4.5.2 Evaluation of complianceInternal audit (title only) 9.2 4.5.5 Internal auditGeneral 9.2.1 4.5.5 Internal auditInternal audit programme 9.2.2 4.5.5 Internal auditManagement review 9.3 4.6 Management reviewImprovement (title only) 10 4.6 Management reviewGeneral 10.1 4.6 Management reviewIncident, nonconformity and corrective
action10.2 4.5.3
4.5.3.14.5.3.2
Incident investigation, nonconformity, corrective action and preventive action (title only)
Incident investigationNonconformity, corrective action and
preventive actionContinual improvement 10.3 4.2
4.3.34.6
OH&S PolicyObjectives and programme(s)Management review
9 Version: Rev 1
Table A.2 - Correspondence between OHSAS 18001:2007 and ISO 45001 OHSAS 18001:2007 ISO 45001
Management system 4 4.4 OH&S management systemGeneral requirements 4.1 4.3
4.4
Determining the scope of the OH&S management system
OH&S management systemOH&S policy 4.2 5.2
10.3OH&S PolicyContinual improvement
Planning (title only) 4.3 6 Planning (title only)Hazard identification, risk assessment
and determining controls4.3.1 6.1
6.1.2
6.1.2.16.1.2.2
8.1.2
8.1.38.1.4.2
Actions to address risks and opportunities (title only)
Hazard identification and assessment of risks and opportunities (title only)
Hazard identificationAssessment of OH&S risks and other
risks to the OH&S management system
Eliminating hazards and reducing OH&S risks
Management of changeContractors
Legal and other requirements 4.3.2 6.1.3
8.1.4.3
Determination of legal requirements and other requirements
OutsourcingObjectives and programme(s) 4.3.3 6.2
6.2.16.2.210.3
OH&S objectives and planning to achieve them (title only)
OH&S objectivesPlanning to achieve OH&S objectivesContinual improvement
Implementation and operation (title only)
4.4 78
Support (title only)Operation (title only)
Resources, roles, responsibility, accountability and authority
4.4.1 5.15.3
7.1
Leadership and commitmentOrganizational roles, responsibilities
and authoritiesResources
Competence, training and awareness 4.4.2 7.27.3
CompetenceAwareness
Communication, participation and consultation (title only)
4.4.3 5 Leadership and worker participation (title only)
Communication 4.4.3.1
7.47.4.17.4.27.4.38.1.4.28.1.4.3
CommunicationGeneralInternal communicationExternal communicationContractorsOutsourcing
Participation and consultation 4.4.3.2
4.2
5.4
8.1.4.2
Understanding the needs and expectations of workers and other interested parties
Consultation and participation of workers
ContractorsDocumentation 4.4.4 7.5
7.5.1Documented information (title only)General
Control of documents 4.4.5 7.5.27.5.3
Creating and updatingControl of documented information
10 Version: Rev 1
Operational Control 4.4.6 6.1.16.1.48.1
8.1.18.1.2
8.1.38.1.48.1.4.18.1.4.28.1.4.3
GeneralPlanning actionOperational planning and control (title
only)GeneralEliminating hazards and reducing OH&S
risksManagement of changeProcurement (title only)GeneralContractorsOutsourcing
Emergency preparedness and response 4.4.7 8.2 Emergency preparedness and responseChecking (title only) 4.5 9 Performance evaluation (title only)Performance measurement and
monitoring4.5.1 9.1
9.1.1
Monitoring, measurement, analysis and performance evaluation (title only)
GeneralEvaluation of compliance 4.5.2 9.1.2 Evaluation of complianceIncident investigation, nonconformity,
corrective action and preventive action (title only)
4.5.3 10.2 Incident, nonconformity and corrective action
Incident investigation 4.5.3.1
10.2 Incident, nonconformity and corrective action
Nonconformity, corrective action and preventive action
4.5.3.2
10.2 Incident, nonconformity and corrective action
Control of records 4.5.4 7.57.5.17.5.27.5.3
Documented information (title only)GeneralCreating and updatingControl of documented information
Internal audit 4.5.5 9.29.2.19.2.2
Internal audit (title only)GeneralInternal audit programme
Management review 4.6 4
4.1
4.2
9.31010.110.3
Context of the organization (title only)Understanding the organization and its
contextUnderstanding the needs and
expectations of workers and other interested parties
Management reviewImprovement (title only)GeneralContinual improvement
11 Version: Rev 1
