ISO 45001:2018

ISO 45001:2018
OH&S-Implementation,
Clause by Clause OH&S-Requirements with
Explanation & Mandatory
Documentation
guidance for use
Developed By Pioneer Power Systems
Private Limited for Internal OH&S
Guidelines for it’s Employees.

April 2020
ISO 45001:2018
OH&S -Requirements
with guidance for use
Acknowledgements
This report was prepared by Pioneer Power Systems Private Limited for implementation of ISO 45001:2018,
it’s clause by clause explanation and mandatory documentation required to follow ISO 45001:2018.

Cover Images: ©PPS O&M Cleaning Operation at Bajaj Pune

Copyright © PPSPL, 2020

Disclaimer
This report was prepared by Pioneer Power Systems Private Limited for laying the foundation for
implementation of OH&S (ISO 45001:2018). This report explains how an organization can implement ISO
45001:2018, clause by clause explanation and documentation required to follow ISO 45001:2018 across
organization.

Cover Images: ©PPS

Copyright © Pioneer Power Systems Private Limited, 2020

Authors
Siddharth Talesra

Pioneer Power Systems Private Limited

Mansarovar, Jaipur

Project Number: pps-2019-271810

Project Partner: Pioneer Power Systems Private Limited

Submitted To
Clean max Enviro Energy Private Limited

ISO 45001:2018OH&S -Requirements with guidance for use

 Table of Contents
Table of Acronyms.................................................................................................. 4
Executive Summary ................................................................................................ 5
ISO 45001 Implementation Process ....................................................................... 5
Process & Process Approach .................................................................................. 7
Terms and definitions ........................................................................................ 7
Process Approach Impact....................................................................................... 7
The Plan-Do-Check-Act Cycle ................................................................................. 7
Context of the Organization ................................................................................... 8
Understanding the organization and its context ............................................... 8
Understanding the needs and expectations of interested parties .................... 8
Determining the scope of the OH&S Management System .............................. 8
OH&S Management System............................................................................... 8
Leadership .............................................................................................................. 8
Leadership and commitment ............................................................................. 8
Occupational Health & Safety Policy.................................................................. 9
Organizational Roles, responsibilities, and authorities...................................... 9
Consultation and participation of workers ........................................................ 9
Planning.................................................................................................................. 9
Actions to address risks and opportunities ........................................................ 9
General ........................................................................................................... 9
Hazard identification and assessment of risks and opportunities ............... 10
Determination of legal and other requirements.......................................... 10
Planning actions ........................................................................................... 10
Occupational health & safety objectives and planning to achieve them ........ 10
Occupational health & safety objectives ..................................................... 10
Planning to achieve occupational health & safety objectives ..................... 11
Support ................................................................................................................. 11
Resources ......................................................................................................... 11
Competence ..................................................................................................... 11
Awareness ........................................................................................................ 11
Communication ................................................................................................ 11
General ......................................................................................................... 11
Internal communication ................................................................................... 12
External communication .................................................................................. 12
Documented information ................................................................................ 12
General ......................................................................................................... 12
Creating and updating .................................................................................. 12
Control of documented information............................................................ 12

ISO 45001:2018OH&S -Requirements with guidance for use

 Operations............................................................................................................ 13
Operational control and planning .................................................................... 13
Emergency preparedness and response .......................................................... 13
Performance Evaluation ....................................................................................... 14
Monitoring, measuring, analysis, and evaluation ............................................ 14
General ......................................................................................................... 14
Evaluation of compliance ............................................................................. 14
Internal Audit ................................................................................................... 14
General ......................................................................................................... 14
Internal audit program ................................................................................. 14
Management Review ........................................................................................... 14
Improvement ....................................................................................................... 15
General ............................................................................................................. 15
Nonconformity and corrective action .............................................................. 15
Continual improvement ................................................................................... 15
Conclusion ............................................................................................................ 15
Checklist of Mandatory Documentation Required by ISO 45001 ........................ 16
Introduction ..................................................................................................... 16
Which documents and records are required? ..................................................... 17
Mandatory Documents ................................................................................ 17
Mandatory Records ...................................................................................... 17
Commonly Used Non-Mandatory Documents..................................................... 18
How to structure documents and records ........................................................... 18
Procedure for Determining Context of the Organization and Interested
Parties. ............................................................................................................. 18
Conclusion ............................................................................................................ 22
Documentation List for ISO 45001 Implementation ............................................ 23

ISO 45001:2018OH&S -Requirements with guidance for use

 Table of Acronyms
ISO International Organization for Standardization
ILO International Labour Organization
OH&S Occupational Health & Safety

ISO 45001:2018OH&S -Requirements with guidance for use

 Executive Summary
An organization is responsible for ensuring that it minimises the risk of harm to
the people that may be affected by its activities (e.g. its workers, its managers,
contractors, or visitors), and particularly if they are engaged by the organization
to perform those activities as part of their “occupation”.

There were, according to an estimate by the International Labour Organization

(ILO), 2.34 million deaths in 2013 as a result of work activities. The greatest
majority (2 million) are associated with health issues, as opposed to injuries. The
Institute of Occupational Safety and Health, IOSH, estimates there are 660000
deaths a year as a result of cancers arising from work activities.

ISO is developing an occupational health and safety (OH&S) management system

standard (ISO 45001) which is intended to enable organizations to manage their
OH&S risks and improve their OH&S performance. The implementation of an
OH&S management system will be a strategic decision for an organization that

2.34 Mi. can be used to support its sustainability initiatives, ensuring people are safer and
healthier and increase profitability at the same time.

NOTE: The term “occupational safety and health” (“OSH”) is often used in place
Deaths in 2013 as a result of of “occupational health and safety” (“OH&S”).
work activities performed not
considering basic health & safety An organization’s activities can pose a risk of injury or ill-health, and can result in
protocols. a serious impairment of health, or even fatality, to those working on its behalf;
consequently, it is important for the organization to eliminate or minimize its
OH&S risks by taking appropriate preventive measures. An organization’s OH&S
management system can translate its intentions to prevent incidents into a
systematic and ongoing set of processes (supported by the use of appropriate
methods and tools) and can reinforce the organization’s commitment to
proactively improving its OH&S performance.

It is logical that those working closest to an OH&S risk will be knowledgeable

about it. As such, the participation of workers in the establishment,
implementation and maintenance of an OH&S management system can play an
important role in ensuring that the risks are managed effectively. ISO 45001
emphasizes the need for worker participation in the functioning of an OH&S
management system, as well as requiring that an organization ensures that its
workers are competent to do their assigned tasks safely.

This handbook is designed to help employees involved in establishing and

maintaining an OH&S Management System within their respective organizations.

ISO 45001 Implementation Process

Most of the management system published by ISO (International Organization for
Standardization) works on the principle of plan, do, check and act, which is
normally referred as the PDCA cycle. This particular thinking has brought a
revolution in manufacturing and service sectors. The PDCA concept is an ongoing
activity to continually improve the organization. ISO 45001 is also based on PDCA
thinking.

ISO 45001:2018OH&S -Requirements with guidance for use

 Obtain Obtain Obtain
Management Management Management
Support Support Support

Establish
Establish
Project Plan(Not Budget (Human Resource Project (Not
Project (Not
Mandatory) Mandatory) Plan) Mandatory)

List of Legal &

Identify Context Other Identify Context Identify Context
Requirements

Monitoring & Measurement with record of Results.

Define Scope,
Management, OH&S Objective, Targets OH&S Manual (not
Commitment &
OH&S Policy Mandatory)
and Programs
Responsiblities
Communication with Interested Parties

Identify OHSAS Mandatory & Additionally Identify OHSAS

Define Process & hazards, risks &
hazards, risks & Identified Processes and
opportunities Procedures opportunities
Procedures

Implement Process, Records of Implement Process, Implement Process,

Procedures & Control Implementation Procedures & Control Procedures & Control

Perform Training and Perform Training and Perform Training and

Awareness Programs Training Records Awareness Programs
Awareness Programs

Choose a Certification Choose a Certification Choose a Certification

Body Body Body

Records
Operate the OH&SMS identified by Operate the OH&SMS Operate the OH&SMS
OH&SMS

Conduct Internal Internal Audit Conduct Internl Audits

Audits Corrective Actions
Report

Management Management Review

Management Review Management Review
Review Records

Stage-1Certification Stage-1 Audit Stage-1Certification

Audit (Documentation Report (from Corrective Actions Audit (Documentation
Review) Review)
Registrar)

Stage-2 Audit Stage-2 Certification

Stage-2 Certification
Audit (Main Audit) Report (from Corrective Actions Audit (Main Audit)
Registrar)

Note: This Diagram shows the steps for ISO 45001 implementation and certification.

ISO 45001:2018OH&S -Requirements with guidance for use

 Process & Process Approach
Terms and definitions
Process: This can be defined as a series of activities and actions that can be
repeated consistently to produce a transformation from a series of inputs into a
defined output.

Process approach: Occupational health & safety systems, similarly to other

management systems, use a combination of sequences and interactions to
produce a desired output. When all activities and actions are managed, together
with consideration towards each other and the end result, this method is known
as the “process approach.” A process approach will also specify the
responsibilities of process owners, rather than providing generic responsibilities.
Therefore, when a company has an OH&S Management System that is
considered to be an active and fluid system, taking into account all variables and
their effects on the objectives – this is considered a process approach.

Inputs: These are a collection of elements that may be required to feed a

process, for example resources, raw materials, and machinery.

Outputs: These are the results of a process, whether desirable or undesirable

outputs, such as wastage or pollution. It should be noted that an output is not
always a final element, but may only be the input into the next process in a
chain.

Process Approach Impact

Using the process approach is a critical part of compliance and certification
according to the ISO 45001:2018 standard, but it does not guarantee
occupational health & safety or financial benefit in isolation. However, a
process-based Occupational Health & Safety Management System is a useful
tool that provides continuity through operations, creating a link between
policies, requirements, performance, objectives, and actions, and thereby
reducing negative impacts to occupational health & safety.

The process approach, therefore, becomes the most effective method of

managing and mitigating occupational health & safety hazards and risks, given
that it allows for a more analytical and systemic view of process interactions and
their effects, rather than focusing on more local problems that arise within the
process. The management of the OH&S Management System by a system that
has been developed with a full understanding of the relationship of the
interacting processes and their effects will yield more short- and long-term
benefits to the organization seeking to implement and maintain ISO
45001:2018.

The Plan-Do-Check-Act Cycle

The “Plan-Do-Check-Act” cycle (PDCA) is critical to the operation of the
Occupational Health & Safety Management System as specified by ISO
45001:2018, in terms of achievement against set objectives and continual
improvement. It can be described as follows:

Plan: the establishment of objectives, and the processes that may deliver them,
in harmony with the Occupational Health & Safety Policy established by the
organization

ISO 45001:2018OH&S -Requirements with guidance for use

 Do: the implementation of the planned processes

Check: the monitoring and measuring of results versus the Occupational Health
& Safety Policy, including all commitments, objectives, and criteria, and the
reporting of them

Act: the consequent actions taken to ensure continual improvement

It should be noted that the PDCA cycle is a recognized management system

methodology that is used across various business management systems, but its
use is both compulsory and highly beneficial within ISO 45001:2018. The
standard is written so that the sections of the ISO 45001:2018 standard easily fit
into this PDCA cycle.

Context of the Organization

Understanding the organization and its context
This clause is found in all ISO management system standards, and it requires the
organization to determine all internal and external issues that may be relevant
to the achievement of the objectives of the OH&S Management System itself.
This includes all elements which are, and may be capable of, affecting these
objectives and outcomes in the future.

Understanding the needs and expectations of interested parties

The standard now requires the organization to assess who the interested parties
are in terms of its OH&S Management System, what their needs and
expectations may be, and consequently, if any of these should become
compliance obligations.

Determining the scope of the OH&S Management System

The scope and boundaries of the OH&S Management System must now be
thoroughly examined and defined considering the aforementioned interested
parties and their needs, plus resulting compliance obligations. Also requiring
consideration are the OH&S Management System functions and physical
boundaries, and all products, services, and activities, including the organization’s
ability to exert control on external factors, with the results of the whole
definition included in the OH&S Management System and kept critically as
“documented information.”

OH&S Management System

The standard indicates that an OH&S Management System should be
established to achieve the desired outcomes by using interacting processes to
deliver continual improvement. The ultimate objective is to improve the
organization’s occupational health & safety performance.

Leadership
Leadership and commitment
This clause reminds the user that the organization and top management retain
responsibility for the performance of all internal and external performance
factors at all times. It therefore makes perfect sense that the Occupational
Health & Safety Policy and objectives are aligned with each other, and with the
strategic policies and overall direction of the business, including integration with
other business systems, where applicable. Provision must be made for resources
to ensure that the OH&S Management System can be operated efficiently, and

ISO 45001:2018OH&S -Requirements with guidance for use

 top management must ensure that the people with responsibility within the
OH&S Management System have the correct support, training, and guidance to
complete their tasks effectively. Communication is also critical from a leadership
perspective, and communication methods and frequencies must be defined and
established for both internal and external interested parties. In summary, it is
the responsibility of the leadership of the organization to show an enhanced
level of leadership, involvement, and co-operation in the operation of the OH&S
Management System.

Occupational Health & Safety Policy

Top management has the responsibility to establish the previously mentioned
Occupational Health & Safety Policy, which is appropriate for the organization in
terms of the size, scope, activities, and ambitions of the organization, and
provides a formal framework for setting objectives. Obviously, the policy should
include a commitment to eliminate hazards and reduce risks, to prevent
workplace injury, and to consult with workers. Meeting compliance and
regulatory factors is clearly another key element, and a method of capturing and
recording this must be established. Finally, and vitally, the Occupational Health
& Safety Policy must provide a commitment to the continual improvement of
the OH&S Management System and its results. Critically, the Occupational
Health & Safety Policy must be maintained as documented information, be
communicated within the organization, and be available to all interested parties,
as appropriate.

Organizational Roles, responsibilities, and authorities

The standard states that it is the responsibility of top management to ensure
that roles, responsibilities, and authorities are delegated and communicated
effectively. The responsibility shall also be assigned to ensure that the OH&S
Management System meets the terms of the 45001:2018 standard itself, and
that the performance of the OH&S Management System can be reported
accurately to top management.

Consultation and participation of workers

When it comes to the health & safety of workers, it is vital that these same
workers are consulted about the OH&S Management System and participate in
implementing the processes necessary to secure a safe workplace. To this end,
the organization needs to determine the processes necessary to consult with
workers at all levels of the organization in all aspects of development, planning,
implementation, performance evaluation, and improvement actions of the
OH&S Management System.

Planning
Actions to address risks and opportunities
General
This clause replaced “preventive action” in the previous OHSAS 18001 standard.
The current standard states that the organization should establish, implement,
and maintain the processes needed to address the requirements of the whole of
the planning section itself. When planning the OH&S Management System,
considerations need to be made regarding the context of the organization
(section 4.1) and the needs and expectations of interested parties (section 4.2),
as well as the scope of the OH&S Management System.

ISO 45001:2018OH&S -Requirements with guidance for use

 Risk and opportunity must be considered with respect to these elements, as well
as legal and regulatory issues, and the organization’s Occupational Health &
Safety hazards themselves. This outcome needs to ensure that the OH&S
Management System can meet its intended outcomes and objectives, that any
external factors that may affect performance are avoided, and that continual
improvement can be achieved.
In terms of emergency situations, the organization is required to determine any
situations that may occur and have a resulting occupational health & safety risk.
Again, it is vital that documented information is retained concerning the risks
and opportunities considered and addressed in the planning phase in order to
satisfy the terms of the clause.

Hazard identification and assessment of risks and opportunities

ISO 45001:2018 asks organizations to consider, in a proactive manner, all
occupational health & safety hazards within the organization’s control. Changes
or planned future changes to services also have to be taken into account, as do
any abnormal situations that may arise that are reasonable for the organization
to predict – for example, if you are about to launch a new product that needs
radically new production processes or materials. Again, the organization needs
to maintain documented information on this clause and its elements, and
communication to the appropriate levels with effective frequency needs to be
planned and undertaken. In terms of documented information, if you ensure
that all actual and associated risks, the criteria you use to define them, and your
significant occupational health & safety risks are documented, then you will
satisfy the terms of this clause.

Determination of legal and other requirements

This is a relatively straightforward, but obviously vital part of the ISO
45001:2018 standard. The organization must decide what legal and other
requirements are related to its occupational health & safety hazards and how to
best access them, decide how they apply to the organization, and take them into
consideration when establishing, operating, and delivering continual
improvement through the OH&S Management System. Documented evidence
needs to be recorded for these obligations, also.

Planning actions
In this clause, the standard states that the organization shall plan to take actions
to address its occupational health & safety hazards, risks and opportunities, and
compliance obligations, all of which we have discussed above. These also need
to be implemented into the organization’s OH&S Management System and
associated business processes. The task of evaluating the effectiveness of these
actions also must be considered, with technological, financial, and operational
considerations all taken into account.

Occupational health & safety objectives and planning to achieve

them
Occupational health & safety objectives
The standard advises that occupational health & safety objectives should be
established at appropriate levels and intervals, having considered the identified
occupational health & safety hazards, risks and opportunities, and compliance
obligations. The characteristics of the set objectives are important, too: they

ISO 45001:2018OH&S -Requirements with guidance for use

 need to be consistent with the organization’s Occupational Health & Safety
Policy, measurable where possible, able to be monitored, communicated
effectively, and be such that they can be updated when circumstances require.
Once more, it is mandatory that documented information is kept outlining this
process and its outputs.

Planning to achieve occupational health & safety objectives

The standard advises on the elements that need to be determined to ensure
that objectives can be achieved. This can be thought of in terms of what needs
to be done, when it needs to be done by, what resources are required to
achieve it, who is responsible for the objectives being achieved, how results are
to be measured and progress ensured, and consideration on how these
objectives can be implemented within existing business systems.

Support
Resources
Simply put, the standard advises the organization that the resources required to
achieve the stated objectives and show continual improvement must be made
available.

Competence
Employee competence must meet the terms of the ISO 45001:2018 standard by
ensuring that the people given responsibility for OH&S Management System
tasks are capable and confident. Related to this, it stands to reason that the
experience, training, and/or education of the individual must be of the required
standard, and that any necessary training is identified and delivered – with
measurable actions taken externally or internally to ensure that this level of
competence exists. Predictably, this process and its outputs need to be recorded
as documented information for the OH&S Management System.

Awareness
Awareness is closely related to competence in the standard. Employees must be
made aware of the Occupational Health & Safety Policy and its contents, any
current and future impacts that may affect their tasks, what their personal
performance means to the OH&S Management System and its objectives,
including the positives or improved performance, and what the implications of
poor performance may be to the OH&S Management System. Additionally, the
standard demands that workers be aware that they can remove themselves
from work situations that they consider to be a danger to their life or health.

Communication
General
Processes for internal and external communication need to be established and
recorded as documented information within the OH&S Management System.
The key elements that need to be decided, actioned, and recorded are what
needs to be communicated, how it should be done, who needs to receive the
communication, and at what intervals it should be done. It should be noted here
that any communication outputs should be consistent with related information
and content generated by the OH&S Management System for the sake of
consistency.

ISO 45001:2018OH&S -Requirements with guidance for use

 Internal communication
The standard advises the organization that information should be
communicated at various levels and with various frequencies as deemed
suitable, and that the organization must ensure that the nature and frequency
of communication allows continual improvement to result from the
communication process itself.

External communication
Once again, the organization is advised by the standard to ensure that
communication relevant to the OH&S Management System takes place as per
the established process, with the goal of ensuring that compliance obligations
and objectives are met.

Documented information
General
“Documented information,” which you will have seen mentioned several times
during this guide, refers to the documents and records that are necessary for
the OH&S Management System. The requirements are designed to allow each
organization to have the ability to shape documented information to their own
requirements in general, with the exception of the mandatory components
mentioned specifically in the standard and, therefore, this guide. The ISO
45001:2018 standard advises us that the OH&S
Management System should include all documented information that it declares
mandatory, and anything viewed as critical to the OH&S Management System
and its operation. It should also be noted that the amount of documented
information that an organization requires would differ according to the size,
operating sector, and complexity of compliance obligations faced by the
business.

Creating and updating

The standard advises that documentation created by the OH&S Management
System needs to include appropriate identification, description, and format so
that it is can be easily understood what the documented information is for.
There is also a need to review and approve the documented information for
suitability and accuracy before release.

Control of documented information

The standard advises that documentation created by the OH&S Management
System should be available and fit for purpose where and when needed,
reasonably protected against damage or loss of integrity and identity, and that
the processes of distribution, retention, access, retrieval, preservation and
storage, control, and disposition are adequately provided for. It should be noted
that documented information from external sources should be similarly
controlled and handled, and that viewing and editing access levels should be
carefully considered and controlled.

ISO 45001:2018OH&S -Requirements with guidance for use

 Operations
Operational control and planning
While the standard acknowledges that operational control will greatly depend
on the size, nature, compliance obligations, and occupational health & safety
hazards of an organization, the scope is given to the individual organization to
plan and ensure the desired results are achieved. The methods suggested by the
standard are that processes should be designed in such a way that consistency is
guaranteed and error eliminated, technology is used to improve control, and it is
ensured that personnel are trained and competent. Processes should be
performed in an agreed and prescribed manner; those processes should be
measurable, and the documented information should match the requirements
to ensure operational control.
An essential part of operational control lies in eliminating hazards and reducing
OH&S risks. This can be carried out through a hierarchy of controls, from
elimination of the hazard to the use of personal protective equipment. Change
in the OH&S Management System also needs to be managed in order to
maintain the integrity of the OH&S performance. Procurement, including
contractors and outsourcing of functions and processes, must also be
considered and controlled. Appropriate measures must be taken to define and
control the competency of outsourced service suppliers, including their effect on
the OH&S Management System processes. As ever, opportunities for
improvement must always be considered and identified.
The standard also recognizes that the degree of control the organization has
over an outsourced product or service can vary from absolute, if taking place
onsite, to very little, if the activity takes place remotely. However, it is suggested
that there are factors that, nonetheless, should be considered. As expected,
compliance obligations should be considered and controlled, all direct and
associated occupational health & safety risks should be evaluated and
controlled, as should risks and opportunities associated with the provision of the
service itself.
Emergency preparedness and response
Emergency preparedness and response is a key element in the mitigation of
occupational health & safety risk. The standard informs us that it is the
responsibility of the organization to be prepared, and a number of elements
should be considered and planned for. Actions to mitigate incidents must be
developed, as well as internal and external communication methods and
appropriate methods for emergency response.
Consideration of varying types of occupational health & safety incidents needs
to be made, as do root cause analysis and corrective action procedures to
respond to incidents after they occur. Regular emergency response testing and
relevant training need to be considered and undertaken, and assembly routes
and evacuation procedures defined and communicated. Lists of key personnel
and emergency agencies (think clean-up agencies, local emergency services, and
local occupational health & safety offices or agencies) should be established and
made available, and it is often good practice to form partnerships with similar
neighbouring organizations with whom you can share mutual services and
provide help in the event of an occupational health & safety incident.

ISO 45001:2018OH&S -Requirements with guidance for use

 Performance Evaluation
Monitoring, measuring, analysis, and evaluation
General
The organization not only has to measure occupational health & safety progress,
but it should also consider its significant hazards, compliance obligations, and
operational controls when tackling this clause. The methods established should
have considerations to ensure that the monitoring and measuring periods are
aligned with the needs of the OH&S Management System for data and results;
that the results are accurate, consistent, and can be reproduced; and that the
results can be used to identify trends. It should also be noted that the results
should be reported to the personnel with the authority and responsibility to
initiate action on the basis of the outputs themselves.
Evaluation of compliance
The standard recognizes that evaluation requirements will vary from
organization to organization based on factors such as size, compliance
obligations, sector worked in, past history and performance, and so on, but
suggests that regular evaluation is always required. If the result of a compliance
evaluation reveals that a legal requirement is unfulfilled, the organization needs
to assess what action is appropriate, possibly up to contacting a regulatory body
and agreeing on a course of action for repair. This agreement will now see this
obligation become a legal requirement. Where a non-compliance is identified by
the OH&S Management System and corrected, it does not automatically
become a non-conformity.
Internal Audit
General
Internal audits and auditors should be independent and have no conflict of
interest over the audit subject, the standard reminds us, and it should be noted
that non-conformities should be subject to corrective action. When considering
the results of previous audits, the results of previous internal and external audits
and any previous non-conformities and resulting actions to repair them should
be taken into account.
Internal audit program
The 45001:2018 standard refers us to ISO 19011 for the internal audit program,
but when you are establishing your program there are several rules you can
subscribe to in order to ensure that your program is effective. Base your internal
audit frequency on what is reasonable for your organization in terms of size,
sector you operate in, compliance obligations, and risk to the health and safety
of workers. Decide what is reasonable for you, whether that is bi-annually,
quarterly, or whatever you deem suitable. Keep in mind that this schedule can
be changed, preferably through management review and leadership guidance,
in the event of changes that necessitate extra internal audit activity.

Management Review
It should be noted that, contrary to popular belief, the management review
does not have to be done all at once; it can be a series of high-level or board
meetings with topics tackled individually, although it should be on a strategic
and top management level. Complaints from interested parties should be
reviewed by top management, with resultant improvement opportunities
identified. It should be remembered that the management review generally is
the one function that must be carried out accurately and diligently to ensure

ISO 45001:2018OH&S -Requirements with guidance for use

 that the function of the OH&S Management System and all resulting elements
can follow suit. It goes without saying that all details and data from the
management review must be documented and recorded to ensure that the
OH&S Management System can follow the specific requirements and general
strategic direction for the organization detailed there.

Improvement
General
Outputs from management reviews, internal audits, and compliance and
performance evaluations should all be used to form the basis for improvement
actions. Improvement examples could include corrective action, reorganization,
innovation, and continual improvement programs.
Nonconformity and corrective action
Prevention of incidents and elimination of hazards is a key facet of the OH&S
Management System, and this is specifically addressed in the definition of
organizational context (4.1) and assessing risks and opportunities (6.1). Taking
action to correct and control problems when they occur, and then to investigate
and take corrective action for the root causes of these problems when it is
necessary, are critical to prevent recurrence of process nonconformity.
Continual improvement
Through all of the actions to improve the overall OH&S Management System,
the organization can achieve enhanced OH&S performance and promote a
culture that supports worker participation in making the OH&S Management
System better.

Conclusion
ISO 45001:2018 provides organizations with guidance to mitigate occupational
health & safety risks and reduce impacts within the organization. The ultimate
goal of ISO 45001:2018 implementation is to improve occupational health &
safety performance; but, delivering on all of the clauses of the standard and
truly understanding them can benefit your organization in many ways.
Accreditation and compliance can bring reputational, motivational, and financial
benefits to your organization through improved efficiency and reductions in
injuries, along with improvements in your procurement chain. All of these
elements are closely related to your organization’s ability to deliver satisfaction
to your customers, and fulfil the expectations and wishes of your stakeholders,
while protecting the health & safety of your workers.

ISO 45001:2018OH&S -Requirements with guidance for use

 Checklist of Mandatory Documentation Required by ISO
45001
Introduction
The documentation needed for implementation of ISO 45001 includes any
documents explicitly required by the standard, plus any additional documents
that the company determines to be necessary for effective maintenance of the
OH&SMS based on ISO 45001. Many companies go overboard with
documentation in the belief that they need to document every single process
that is in place in their organization, without realizing that this is not necessary
to meet the requirements of the ISO 45001 standard. While trying to fulfil
standard requirements, organizations tend to generate too many documents to
be on the “safe side.”

Although it is sometimes helpful, this can be counterproductive, because it

makes the implemented processes and respective OH&SMS harder to use and
maintain, as well as making the OH&SMS a bureaucratic burden. With this
approach, organizations miss opportunities to improve their processes for their
own benefit, as well as that of their customers.

ISO 45001:2018OH&S -Requirements with guidance for use

 Which documents and records are required?
Mandatory Documents
Clause of ISO
Mandatory Documents
45001:2018
Scope of the OH&S Management System 4.3
OH&S Policy 5.2
Responsibilities and authorities within the OH&SMS. 5.3
OH&S process for addressing risks and opportunities 6.1.1
Methodology and criteriafor assessment of OH&S risks 6.1.2.2
OH&S Objectives and plans for achieving them 6.2.2
Procedure for emergency preparedness and response 8.2

Mandatory Records
Clause of ISO
Mandatory Records
45001:2018

OH&S risks and opportunities and actions for addressing them 6.1.1

Legal and other requirements 6.1.3

Evidence of competence 7.2
Evidence of communications 7.4.1
List of external documents 7.5.3
Plans for responding to potential emergency situations 8.2
Results on monitoring, measurements, analysis and
9.1.1
performance evaluation
Maintenance, calibration or verification of monitoring
9.1.1
equipment
Compliance evaluation results 9.1.2
Internal audit program 9.2.2
Internal audit results 9.2.2
Results of management review 9.3
Nature of incidents or nonconformities and any subsequent
10.2
action taken
Results of any action and corrective action, including their
10.2
effectiveness
Evidence of the results of continual improvement 10.3

These are the documents and records that are required to be maintained for the
ISO 45001 Occupational Health and Safety Management System, but you should
also maintain any other records that you have identified as necessary to ensure
your management system can function, be maintained, and improve over time.

ISO 45001:2018OH&S -Requirements with guidance for use

 Commonly Used Non-Mandatory Documents
ISO 45001 contains a certain number of requirements to “establish, implement
and maintain a process.” These requirements are not necessarily transformed
into documentation; but, considering the complexity of some processes that fall
under this category, it can be beneficial for the organization to take these
processes into account when deciding what should be documented in addition
to the mandatory documents.

Clause of ISO
Documents Title
45001:2018
Procedure for Determining Context of the Organization and
4.1
Interested Parties
OH&S Manual 4
Procedure for Consultation and Participation of Workers 5.4
Procedure for Hazard Identification and Assessment 6.1.2.1
Procedure for Communication 7.4.1
Procedure for Document and Record Control 7.5
Procedure for Operational Planning and Control 8.1
Procedure for Change Management 8.1.3
Procedure for Internal Audit 9.2
Procedure for Management Review 9.3
Procedure for Incident Investigation 10.2
Procedure for Management of Nonconformities and
10.2
Corrective Actions

How to structure documents and records

ISO 45001 doesn’t have a lot of requirements regarding documentation, so it is
imperative that you optimize the volume of your OH&SMS documentation by
trying to develop documentation that meets all requirements, while remaining
simple and light. Instead of just documenting every single requirement of the
standard, the organization should focus on the most important information and
provide a sufficient amount of information to its employees to ensure
compliance with the standard and legal requirements.

The following recommendations take into consideration the best practice in

developing OH&SMS documentation:

OH&S Manual. The manual is not a mandatory document, but very often is an
essential part of the OH&SMS. This document is a summary of your entire OH&S
management system with reference to the procedures and records within the
system, and it is a good place to put all important information that didn’t fit into
any other document of your OH&SMS.

Procedure for Determining Context of the Organization and

Interested Parties.
This is a new requirement in the Occupational Health and Safety Management
System, and it can be a good idea to document not only the results of
determining the context, but also the process itself. This document can define
what elements of the context need to be considered, who will participate, what
methodologies will be used, and how often information on the context will be
revised. The Procedure for Determining Context of the Organization and

ISO 45001:2018OH&S -Requirements with guidance for use

 Interested Parties can be of great help in initial implementation of the standard
and these new requirements.

OH&S Scope. This document is usually rather short and is written at the
beginning of the ISO 45001 implementation. Normally, it is a stand-alone
document called Scope of the OH&SMS, although it can be merged into an
OH&S Manual, which defines the limitations of the OH&S management system
within your company, and identifies what elements are included and how they
interact.

OH&S Policy. The OH&S Policy is intended to be a company’s documented

intention to meet legal compliance, prevent occupational health and safety
hazards, and continually improve. The Policy is a focus for the company to work
toward and should readily convey the goal of the organization. It is often
documented in an OH&S Manual and sometimes posted throughout the
organization as a way of communicating to all employees, because it is
important that every employee understand how the Policy relates to his or her
job.

Roles and responsibilities within the OH&SMS. There are two options for
documenting this requirement. The first is to have a general document that will
define roles and responsibilities within the OH&SMS for the entire organization.
The second is to have roles and responsibilities documented within different
OH&S documents, such as procedures and work instructions. Both approaches
are OK, and it is up to the organization to decide what is the most appropriate
approach.

Consultation and participation of workers. The standard requires the

organization to implement, establish, and maintain a process for consultation
and participation of workers at all applicable levels and functions in
development, planning, implementation, performance implementation, and
actions for improvement of the OH&SMS. Although it is not required, it can be
beneficial to the organization to document the mechanisms and resource
provision for the consultation and participation and define the responsibilities. If
you want to decrease the documentation, this procedure can be merged with
the communication process into the Procedure for Communication,
Participation and Consultation.

Methodology and criteria for assessment of OH&S risks. In order to address

risks and opportunities, the organization needs to identify them first and assess
what risks and opportunities are worth addressing. The standard requires the
organization to establish criteria and methodology for assessing risks and
opportunities and identifying the significant ones on which the organization
needs to focus. The methodology and criteria can be merged with the Procedure
for Addressing Risks and Opportunities and OH&S hazards into Procedure for
Addressing Risks and Opportunities and OH&S Hazards in order to decrease the
number of documents within the OH&SMS.

Process for addressing OH&S risks and opportunities. Unlike other

management system standards that follow Annex SL and the High-Level
Structure defined by the ISO, ISO 45001 requires the organization to document
the process for addressing risks and opportunities. The procedure for addressing
risks and opportunities must cover the actions taken by the organization to
determine risks and opportunities and can be merged with the Procedure for
Addressing Risks and Opportunities and OH&S Hazards.

ISO 45001:2018OH&S -Requirements with guidance for use

 Procedure for Hazard Identification and Assessment. The methodology and
criteria for assessment of occupational health and safety hazards is often a legal
requirement, so the standard doesn’t require this procedure explicitly. In case
you already have this procedure documented due to legal requirements, you
can just make reference to it in your OH&S Manual and avoid writing an
additional procedure. If such legal requirements do not exist, it can be beneficial
for the organization to have such a procedure to assess the OH&S hazards. In
this case, it can be merged with procedure for addressing risks and
opportunities into the Procedure for Addressing Risks and Opportunities and
OH&S Hazards.

For more information, see: How to identify and classify OH&S hazards.

Legal and other requirements. It is important for your company to know and
understand the legal requirements that apply to your business practices. To
make this work, you need to devise a way to ensure that you know which laws
apply, and how you will keep up to date on legal changes. In addition to these
legal obligations, the obligations towards other interested parties must be
identified as well.

This is a part of the identification of interested parties and their needs and
expectations, so it should be done during this process. The standard requires
compliance obligations to be documented and evaluated on a regular basis.

OH&S objectives and plans for achieving them. The objectives are derived from
the goal stated in the OH&S Policy, and are the main method used by companies
to focus this goal into plans for improvement. The objectives are intended to be
S.M.A.R.T. (specific, measurable, achievable, realistic, and time-based) and
should have relevance at all levels of the company, meaning that all employees
should understand how their jobs support meeting the OH&S objectives and the
plans for achieving those objectives.

Evidence of competence. Keep records to prove that you identified what

competencies are required for the crucial processes in your OH&SMS, and how
employees met these competencies. If the competencies were not met by
individuals responsible for the action, how did you address the training
discrepancies to close the gaps?

Communication process. ISO 45001 requires the organization to perform

communication, participation, and consultation with employees, subcontractors,
and relevant external parties on issues regarding occupational health and safety.
It is also required to process, document, and respond to relevant
communication from external interested parties. Unlike ISO 14001, which
requires the organization to make a decision as to whether it will inform its
neighbours or not, ISO 45001 requires the organization to take into
consideration information from external interested parties regarding
occupational health and safety.

Procedure for Document and Record Control. How do you approve, update,
and re-approve your documents? When a document is changed, how do you
identify changes, and make sure that people who need the current document
have it and stop using older documents? How do you make sure the documents
can be read, and how do you control documents that come from outside of your
organization for use? How do you maintain your records that show your
OH&SMS is implemented and maintained, including how you identify, store, and

ISO 45001:2018OH&S -Requirements with guidance for use

 protect the records so that they can be retrieved as necessary, for the correct
amount of time, and destroyed when no longer needed but not before?

List of External Documents. Although this record is not explicitly required, the
standard requires external documents necessary for the OH&SMS to be
identified and controlled. Keeping a record of all external documents relevant to
the OH&SMS is the best way to meet this requirement and demonstrate
compliance with it.

Procedure for Operational Planning and Control. When you have identified that
your operations can have a negative impact on occupational health and safety,
you need to put controls in place to mitigate the risks and prevent the injuries
and health problems from happening. In order to have a known and consistent
way of doing what is needed to avoid the occurrence, you will need to create
operational control procedures. If no situations are present, you need to ensure
that there is no deviation from the policy and objectives, or related significant
hazards, and then these procedures are not required.

Procedure for Change Management. The standard requires the organization to

implement a process for controlling and planning temporary and permanent
changes in the OH&SMS. The purpose of this process is to ensure compliance
with the legal and the standard requirements and to review the consequences
of unintended changes in order to mitigate any adverse effects on employees
occupational health and safety. Changes also can result in potential OH&S
opportunities.

Emergency preparedness and response process. When there is a risk that an

emergency might happen (such as a chemical spill), you need to have plans in
place to respond and react to the emergency and limit the environmental
damage you will cause. Also, it is necessary to ensure that the emergency plan
will be followed by the employees, and this is done by testing the emergency
response plans and periodically reviewing and revising the process and plans.

Monitoring, measuring and analysis of OH&S performance. When you identify

a key characteristic of a process, you will also need to determine whether this
characteristic can have a significant OH&S risk if it is not controlled by the
company. When this is the case, the organization needs to document what
information needs to be monitored so that employees can react to changes in
performance and avoid the occupational health and safety hazards.

Maintenance, calibration or verification of monitoring equipment. In your

processes, you may need to monitor and measure critical elements of the
OH&SMS to ensure compliance with legal requirements. As an example, you
may need to measure the concentration of a chemical in your workplace. When
you do this, you need to use calibrated equipment to ensure your
measurements are accurate and maintain records of these calibrations.

Management review. It is recommended for organizations to have a procedure

for management review where the organization can define the inputs and
outputs of the management review, as well as the persons responsible for
providing the information and conducting the management review. As a result
of the management review, the organization needs to produce the record with
all necessary outputs of this process.

ISO 45001:2018OH&S -Requirements with guidance for use

 Incident investigation and reporting. Occupational health and safety incidents
are big problems for the organization, even if they don’t result in injuries of the
employees. Such incidents need to be investigated in order to determine the
cause of the incident and take measures to prevent similar incidents from
happening in the future. Records about incident investigation and subsequent
actions taken need to be recorded.

Management of Nonconformities and Corrective Actions. With the

Occupational Health & Safety Management System, you will find that you have
non-conformances occur within your processes that you will need to correct,
and when you investigate the root causes of these problems you will have
corrective actions taken. You will need to keep records of these activities to
show improvement.

Evidence of the results of continual improvement. This is a completely new

requirement aiming to ensure that the organization takes actions towards
improvement of its OH&SMS and to provide evidence that those actions are
taken. In addition, this kind of record can be useful during the next management
review to assess the effectiveness of the improvement actions.

Conclusion
ISO 45001 implementation can turn into a problematic project if you don’t set it
up correctly right from the beginning. The documentation that is required by the
standard, extended by non-mandatory documents, forms a significant part of
the OH&SMS implementation. Knowing what the standard requires as
mandatory documentation helps the organization to be well prepared for the
certification audit. On the other side, decisions regarding the addition of non-
mandatory documents should represent a balance between the competence of
employees, and administrative controls that can help the organization avoid
nonconformities. Implementing both mandatory and non-mandatory
documents in an optimal scope increases the efficiency of the OH&SMS and
creates benefits for both the organization itself and its customers.

ISO 45001:2018OH&S -Requirements with guidance for use

 Documentation List for ISO 45001 Implementation
Doc. ISO 45001
# Document Name Mandatory
Code Clause
Procedure for Document and Record
1 0 Control 7.5 7.5
2 0.1 Appendix 1 – List of Internal Documents
3 0.2 Appendix 2 – List of External Documents 7.5.3 Yes
Appendix 3 – Registry of Records for
4 0.3 Detention/ Central Archive
5 1 Project Plan
6 2 OH&S Policy 5.2 Yes
7 2.1 Appendix 1 – OH&S Objectives 6.2.2 Yes
8 3 OH&S Manual
Procedure for Determining Context of
9 4 the Organization and Interested Parties 4.1;4.2
Appendix 1 – List of Interested Parties,
10 4.1 Legal and Other Requirements 4.2;6.1.3
Appendix 2 – Compliance Evaluation
11 4.2 Record 9.1.2 Yes
Appendix 3 – Scope of the OH&S
12 4.3 Management System 4.3 Yes
Competence, Training and Awareness
13 5 Procedure 7.2;7.3
14 5.1 Appendix 1 – Training Program 7.2
15 5.2 Appendix 2 – Training Record 7.2 Yes
16 5.3 Appendix 3 – Record of Attendance 7.3
Procedure for Addressing Risks and
17 6 Opportunities and OH&S Hazards 6.1 Yes
Appendix 1 – Registry of Key Risks and
18 6.1 Opportunities 6.1.1 Yes
19 6.2 Appendix 2 – Hazard Evaluation Record 6.1.2
Appendix 3 – List of Workplaces and
20 6.3 Employees with Significant Risk
Procedure for Communication,
21 7 Participation and Consultation 5.4;7.4
Appendix 1 – Record of External
22 7.1 Communication 7.4.1 Yes

23 7.2 Appendix 2 – Employee Feedback Report 7.4.2

24 8 Procedure for Operational Control 8.1
25 8.1 Appendix 1 – SOP for Chemical Hazards 8.1 Yes *

26 8.2 Appendix 2 – SOP for Ergonomic Hazards 8.1 Yes *

Appendix 3 – SOP for Environmental and
27 8.3 Physical Hazards 8.1 Yes *
Appendix 4 – SOP for Radioactive
28 8.4 Hazards 8.1 Yes *
29 8.5 Appendix 5 – SOP for Electrical Hazards 8.1 Yes *

ISO 45001:2018OH&S -Requirements with guidance for use

 Doc. ISO 45001
# Document Name Mandatory
Code Clause
Appendix 6 – SOP for Working on Height
30 8.6 Hazards 8.1 Yes *
Appendix 7 – SOP for Display Screens and
31 8.7 Posture Hazards (Office Hazards) 8.1 Yes *
Appendix 8 – SOP for Personal Protective
32 8.8 Equipment 8.1 Yes *
Appendix 9 – Good Practice for
33 8.9 Maintenance of Tools and Machinery 8.1 Yes *
Appendix 10 – SOP for Operating Heavy
34 8.10 Machinery 8.1 Yes *
Appendix 11 – Equipment Calibration
35 8.11 Record 9.1.1 Yes *
36 9 Procedure for Change Management 8.1.3
Appendix 1 – Change Actions Plan and
37 9.1 Review 8.1.3
Procedure for Emergency Preparedness
38 10 and Response 8.2
39 10.1 Appendix 1 – Fire Safety Policy 8.2 Yes
Appendix 2 – Emergency Response Drill
40 10.2 Record 8.2
41 11 Procedure for Incident Investigation 10.2
Appendix 1 – Incident Investigation
42 11.1 Report 10.2 Yes

Procedure for the Management of

43 12 Nonconformities and Corrective Actions 10.2
Appendix 1 – OH&S Nonconformity
44 12.1 Record 10.2 Yes
45 12.2 Appendix 2 – Corrective Action Record 10.2 Yes
Appendix 3 – Registry and Status for
46 12.3 Corrective Actions and Nonconformities 10.2
47 13 Procedure for Internal Audit 9.2
48 13.1 Appendix 1 – Internal Audit Checklist
Appendix 2 – Annual Program of Internal
49 13.2 Audits 9.2.2 Yes
50 13.3 Appendix 3 – Internal Audit Plan 9.2.2
51 13.4 Appendix 4 – Internal Audit Report 9.2.2 Yes
52 14 Procedure for Continual Improvement 10.1;10.3
Appendix 1 – Continual Improvement
53 14.1 Plan and Review 10.3 Yes
54 15 Procedure for Management Review 9.3
Appendix 1 – Matrix of OH&S
55 15.1 Performance 9.1.1
Appendix 2 – Management Review
56 15.2 Minutes 9.3 Yes

ISO 45001:2018OH&S -Requirements with guidance for use