ISO committee TC 283 has begun a Systematic Review of ISO 45001 that is expected to be completed in early 2027. Clause 6 on Planning is one of the key areas of focus for the committee. Once the systematic review is complete a revision will be finalized and the current version of the standard (ISO 45001:2018) will be repealed.
The revision process offers the opportunity to incorporate changes to the ISO High Level Structure (HLS). It also provides an opportunity to review areas of the standard that have caused confusion for users since it was first published in 2018. One of these areas is Clause 6, the planning part of the management system standard. This section is currently over 1100 words and three pages long. User have complained about confusing terms including risk, opportunity, OHS hazard OHS risk, other risks and other opportunities.
Simplify and Clarify Clause 6
For some users, these confusing terms make it difficult to comprehend what the standard is supposed to be managing. It also duplicates of requirements in other parts of the ISO 45001 standard. One proposal to simplify and clarify clause 6 would reduce the number of words from 1100 to a little over 300. Comments from other committee members of this proposal rang from “this is great, all standards should be this concise” to “this goes way too far and should not be considered”.
Make a Fresh Start
The concept is to begin the review clause 6 revision process with an almost clean sheet of paper and build on the text from there. If committee members believe that additional text is needed they should justly the addition including:
Why the addition is needed in the requirement part of the standard and not as guidance in the annex part of the standard
A description of what evidence auditors should look for a conformance to the requirement
It does not duplicate another requirement somewhere else in the standard.
If the additional desired text is more guidance than requirement it should be placed in the annex of the standard, not in the requirements part or perhaps, in an entirely different document like ISO 45002.
Reduce Confusing Terms
The streamlining proposal also clarifies what ISO 45001 is supposed to be managing by eliminating some confusing terms in clause 6. Terms like “Risk and Opportunity, “other risk” and “other opportunity” and replacing them with the term “OHS Hazard Risk”. This proposal for streamlining and simplifying clause 6 is already controversial with some members. It is likely to be hotly debated over the next few months as the ISO 45001 revision process gathers momentum in committee meetings later this fall..
The 3 big ISO standards are now under revision. ISO 14001, 45001 and 9001 are being reviewed and revised simultaneously. Recently, ECSI attended meetings of the US Technical Advisory Groups (TAG) for both ISO 14001, and 9001 in Washington DC where the upcoming revisions were discussed. We have also been participating in the US TAG to ISO 45001 and in meetings discussing revisions to that standard.
The revised standards will be released in a few years when organizations will be need to conform with the revisions. The following is a brief discussion of what to expect for revisions to each standard.
ISO 14001
ISO 14001 was first published in 1996. Since then, it has been revised twice. Once in 2004 and again in 2015. The 2015 revision incorporated a major change. This change involved converting the entire standard to the ISO High Level Structure (HLS). Although the revision will not introduce new requirements, it may make changes to clarify some of the key requirements such as the relationship between risk and opportunity and significant environmental aspects.
The revision will integrate changes to the HLS and address concerns raised by users of the standard over the past 9 years. Initially the ISO 14001 revision committee considered issuing an amendment with the few HLS changes. The committee thought that this would be easier and take less time than a full revision. The committee was also concerned about opening the standard up to a broader revision that could result in additional requirements.
Recently however, the committee discovered that the amendment option has significant drawbacks making it an unlikely choice. The amendment route would have resulted in issuance of a separate 28 plus page document to be used with the current 2015 version of the standard. Users would have to reference 2 different documents when using the new amended standard. The committee is looking at other amendment options, but it appears the only way to avoid the 2 document problem is to do a full revision and then issue a single revision document.
If a full revision does occur, it provides more opportunity to address sections of the standard that have caused confusion for users. Additionally, it creates an opportunity to take advantage of changes in the HLS that offer flexibility when using the term “risk and opportunity” in the planning section of the standard.
ISO 45001
The committee revising ISO 45001 has decided to do a full revision instead of just a limited amendment. This option avoids the 2 document problem created by the amendment route and gives the committee greater flexibility in what can be changed. This includes clarifying and streamlining parts of the standard that users have found confusing and redundant.
Clause 6 (Planning) is one of the parts that has potential for improvement to make it more user friendly for small and medium sized organizations. Clause 6 of the standard in the current version was over 1100 words and three pages in length. One proposal being circulated for the revision by the committee would dramatically reduce the text by two thirds to only 318 words and 1 page.
There is also a proposal to refer to “OHS Hazard Risk” when describing what the OHSMS is supposed to be managing. It is thought that this may help reduce misuse of the terms “Risk” and “Hazard” interchangeably.
ISO 9001
The ISO 9001 committee has also chosen the full revision route. However, the committee is taking a more aggressive posture when deviating from the HLS. For over a decade ISO headquarters has insisted that it will not allow deviations from the HLS text for any of the standards. The ISO 9001 revision committee wants to exclude certain new requirements introduced by the updated HLS.
The committee believes the new HLS requirement about climate change is not applicable to a quality management system. Although the committee believes that climate change consideration is important, they believe including it as a requirement in 9001 is inappropriate.
Conclusion
The revision of the three big ISO standards is not expected to result in new significant or reorganization of the standards. The revisions are more likely to improve the standards by reducing unnecessary text and eliminating redundant requirements. Organizations who meet the requirements of the current ISO standards should not need to make big changes to their Environmental, Occupational Health and Safety (OHS) and Quality management systems. The revisions will also make these standards more accessible to small and medium sized businesses around the globe.
The terms OHS Hazards and OHS Risk have been in use for decades. But these terms are often misused by OHS professionals by casually interchanging them. This creates confusion about what an OHS management system is supposed to manage because there is a significant difference between an OHS Hazard and OHS Risk.
ISO 45001 defines the term “hazard” as a “source with a potential to cause injury and ill health”.
The standard also defines OHS risk as a “combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury and ill health that can be caused by the event(s) or exposure(s)”. Using the terms hazard and risk interchangeably is a mistake. It is also confusing because a hazard is something that has the potential for harm. Risk is a measure of the likelihood and severity of harm from a hazard.
OHS hazards are identified using terms like burn, laceration, crush, struck by, over exposure, psychological harm and many others. To make sense in an OHS management system context, risk should be expressed as a value like high, medium or low risk.
In an OHS management system we identify hazards (hazard identification). We then assess the likelihood and severity of harm that could result from the hazard (risk assessment).
The term OHS Hazard Risk might be a better way to describe what ISO 45001 is supposed to manage. It may help stem the misuse of the terms hazard and risk in OHS management. The term OHS Hazard Risk also conveys the notion that OHS hazards are the source of risk. Additionally, it helps users of standards like ISO 45001 understand that OHS management is about addressing the risk (likelihood & severity) of harm. In an OHS management system we manage the risk not the hazard. Risk is managed by implementing controls to reduce the likelihood and/or the severity of the harm.
ISO recently amended all ISO management system standards (MSS) to include requirements for organizations to consider the effects of climate change. If your organization holds a current certification to ISO 9001, 14001 or 45001 you can expect to be asked “has your organization determined whether climate change is a relevant issue?” during your next certification audit.
This new requirement is the result of a change to the ISO Harmonized Structure (Appendix 2 of the Annex SL in the ISO/IEC Directives Part 1 Consolidated ISO Supplement). Here is more background on the Harmonized Structure also referred to as the High Level Structure and Annex SL.
ISO announced the new requirement in an IAF/ISO Joint Communique indicating the climate change text highlighted below is effective immediately for all MSS.
ISO HLS revised requirements for context determination
Most organizations certified to ISO 14001 should be able to answer auditors questions about climate change relevance. Other organizations with current certification to ISO 9001 and/or 45001 might find it more difficult to avoid a nonconformity to these new requirements if they don’t act soon. Each organizations context is different and will influence how they address climate change in their MSS
Contact us if you have questions about how these new requirements might effect your organization ISO certification status.
The purpose of an EHS audit follow-up is to check that EHS risk, including risk of noncompliance, is managed to a level that the organization considers acceptable. Noncompliance with applicable government laws and other requirements are examples of EHS risk sources that need to be controlled. An EHS audit checks that risk controls are in place and effective. Risk controls can be engineering controls like air pollution control devices, administrative controls like training and work instructions and others.
EHS Audit Findings
The results of an audit are called findings. These can either be positive findings that the controls are in place and effective, or negative. Negative findings are nonconformance’s. Positive findings are good news but not something the organization needs to act on. Positive findings confirm that “what should be is” and that “what should not be is not.
Negative findings however are actionable and create opportunities to improve EHS performance. In Part 2 of this EHS Compliance Audit series, we discussed how negative findings are written and communicated verbally at the end of the audit. As a follow-up to the active evidence gathering and verbal reporting, a written report should be prepared and distributed to document the results of the audit.
Preparing the EHS Audit Follow-Up Report
The audit report presents the results to the auditee and others and helps an organization gauge EHS performance. The report should be concise and to the point and the tone of the report should be factual and nonjudgmental.
A key part of the EHS audit follow-up report are the negative findings that were made during the audit. The EHS audit follow-up report formalizes the findings in a way that the auditee can act on them. The reported negative findings need to include enough information so that they can be investigated and ultimately fixed in a way that they do not happen again.
Here is an example outline for an EHS audit follow-up report.
Executive Summary
Background Purpose and Scope
Findings
Conclusions
Recommendations
Discussion
Appendices
Correction and Corrective Action
Negative EHS audit findings point to EHS risks that need to be better controlled. They are the result of a potential noncompliance with a legal requirement or discovery of some other issue. If left uncorrected they can increase risk and lead to enhanced legal action by a regulatory agency (knowing and willful violation). To avoid exposure to these enhanced penalties, it is important that organizations have a good corrective action process in place.
There are 5 steps in an effective corrective action processes.
Short Term Correction
Investigate the Cause
Identify a Corrective Action
Implement the Corrective Action
Verify the Corrective Action is Effective
The following is a brief description of these steps.
Short Term Correction
Findings that identify a potential serious risk need to be addressed as soon as possible. Continuing to operate equipment that exposes workers to injury after a finding is made is bad business. If a worker were to become injured after the nonconformance was reported the penalties and fines could escalate dramatically. A correction to quickly reduce the risk from the nonconformance needs to be put in place as soon as practical.
Investigate THE Cause
Once the correction has been put in place a corrective action plan needs to be established. Responsibility to investigate the cause of an audit finding should be assigned to someone with knowledge of and experience with the corrective action process. This knowledge and experience will help identify the root cause of the finding. Once the root cause is established an appropriate corrective action can be proposed that prevents the problem from recurring in the future.
Knowledge and use of root cause analysis tools like “5 Why Cause Analysis” ensure the cause of the unacceptable risk level is identified. Here is an example a “5 Why Cause Analysis”.
This example is for an incident that happened at a roll calendar for polishing extruded plastics sheets. An employee was caught in an in running nip between the rolls and luckily only sustained a recordable injury. This incident could have easily been an amputation or a fatality.
Why?
Answer
Why was the OHS hazard of being caught in the nip on the calendar not addressed?
The machine was new, and no one thought to do a Job Safety Analysis (JSA) before it was installed and operated.
Why did no one perform a JSA?
Performing a JSA to review potential OHS hazards and risk are not part of the capital investment approval process.
Why was OHS hazard and risk review not part of the capital investment process?
The manager of the extrusion department manager did not know that a JSA hazard and risk review should be undertaken for all new equipment as part of the purchase process.
Why was extrusion department manager unaware of the need to review hazards and risks for new equipment?
An existing employee had recently been promoted to manager of the extrusion department and they had not been informed of the requirement.
Why had the new extrusion department manager not been informed?
Our organization has not established a process to identify training needs and provide training to employees when they transfer to a new position within the company.
Table 1 – Example 5 why analysis
Identify a Corrective Action
Once the cause is established, a suitable corrective action can be identified to reduce the risk to an acceptable level. The effort needed to identify a suitable corrective action is proportional to the finding risk level. The higher the risk, the more effort needed to figure out the best way to address it. A finding that an emergency evacuation map could be hidden behind a door when it is opened, is much easier to correct than the finding of an ineffective control to treat wastewater discharge to a municipal sanitary sewer.
The cause analysis process should have an approval step to confirm the cause analysis was performed with skill and that the corrective action is aligned with the identified cause of the finding. This review and approval can be done by the auditor who made the finding or others in the organization who can impartially review the cause and proposed corrective action.
If the cause and/or the proposed corrective action are found to be deficient during the review, the assignees should be consulted and asked to rethink the cause analysis and corrective action. The evaluation and approval of potential corrective actions requires striking a balance between risk and opportunity. It is not possible to reduce all risk levels to zero.
Some processes have hazards with risk that are difficult to control and the organization needs to think carefully about what level of risk it is willing to accept. In running nips on plastic extrusion rollers is a good example. It is very difficult to properly guard an in running nip on these machines. The guard would prevent the process from working properly.
As a result, the corrective action cannot be the elimination of the hazard or installation of a physical guard (engineering control). Instead, there may need to be several independent controls such as installing a rope e-stop, providing training to employees on how to operate the process safely and even evaluating the operators competence to ensure they understand the hazard and the associated risk.
Once both the cause and the corrective action(s) are approved the assignee should be authorized to implement the corrective action.
Implement the Corrective Action
The implementation of the chosen corrective action may take days, weeks or even months depending on what needs to be done. Moving an emergency evacuation sign to a better location can be done almost immediately while designing and installing an upgraded wastewater treatment process may take many months.
Verify the Corrective Action is Effective
Verification that the corrective action has been implemented and that it is effective is the last step in the process. It confirms that the problem causing risk, has reduced that risk. The verification can be done upon completion of the corrective action or during the next audit. When the corrective action is verified, it can be closed.
Tracking EHS Audit Corrective Action Progress
Historically, keeping track of progress toward completing corrective action was done with paper forms that went from in-basket to in-basket. Once complete they were placed in a file drawer for storage. Later, electronic methods including excel spreadsheets and other types of electronic documents were used with some success. However, these tracking methods require much effort and often lead to miscommunications or missed deadlines of incomplete corrective actions for findings. The result was the corrective action process was not successful in reducing risk in a timely fashion and increased risk to the organization.
Within the last few years cloud-based applications have emerged that solved many of the problems with paper or spreadsheet corrective action tracking systems. These applications allow quick access to users and are readily accessible almost anywhere.
Applications like CorrectTrack establish users permissions to view, change, verify and approve corrective actions. A permissions based peer review process also helps ensure that corrective actions are investigated thoroughly and verified before they are closed.
Other advantages of a cloud based app like CorrectTrack are:
Notify persons of status changes of a CA
Define a standard process for doing CA
At a glance dashboards for users
Provide notifications when CAs are coming due, or past due
Provide a record of who changed what, when and why
User permissions allow visibility of the CA system to leadership
Conclusion
Effective corrective action processes are powerful tools that help organizations improve EHS performance over time. Investing in, and continually improving the corrective action process will provide a significant short term and long term return.
This EHS Audit Follow-up post is part 3 of a three part article on EHS Auditing. Part 1 and 2 discussed how to plan an EHS audit and conduct an EHS audit. This concludes our three-part series on EHS audits.
We welcome and encourage feedback on this series. Contact us directly at kalehner@envcompsys.com and 262-949-2965, or visit us online for more information: ECSI or CorrectTrack.
RDO Equipment Co. Founded in 1968, RDO Equipment Co. sells and supports agriculture, construction, environmental, irrigation, positioning, and surveying equipment from leading manufacturers, including John Deere, Vermeer, and Topcon. RDO Equipment Co. is a total solutions provider with more than 75 locations across the United States and partnerships in Africa, Australia, Mexico and Ukraine. RDO contacted ECSI for assistance in developing an Occupational Health and Safety Management System to help improve its OHS performance.
RDO also wanted to show its business partners, customers and employees, their commitment to keeping employees safe. RDO chose to align the OHS management system with ISO 45001. They also decided to initially seek certification from an accredited certification body for their corporate headquarters and one of the company stores. Their intention is to certify the remaining 42 stores over the year or so. ECSI conducted an initial gap assessment that helped RDO identify gaps that needed to be filled before getting certified.
Gaps were entered into a database application tool (CorrectTrack) and assigned to the OHSMS implementation team for follow-up. One of the gaps identified was the need for a comprehensive Job Hazard/Job Safety analysis. ECSI helped develop process maps that supported JHA/JSA development at one of the RDO maintenance facilities. Below is an example of how the results of the JHA/JSA risk analysis were recorded.
This tool helped RDO evaluate the effectiveness of existing risk controls and identify priority hazards for additional risk reduction. The tool also helped internal auditors identify what material risks need to be audited during the internal audit process.
ECSI also helped RDO train its internal auditors in performing audits to the ISO 45001 standard. This was done in a three day combined internal audit training and actual audit at the corporate headquarters and one of the RDO maintenance facilities. ECSI assisted RDO in preparing for several management review meetings that were conducted prior to the Stage 1 and Stage 2 audits by an accredited certification body. Congratulations RDO on a successful outcome to the ISO 45001 implementation and certification process.
ISO 45001 is an international standard that helps organizations improve Occupational Health and Safety (OHS) performance. The ISO 45001 standard can be used to ensure workers are safe by protecting them from workplace injury and ill health. As the Vice Chair of the US Technical Advisory Group to ISO 45001, I have been seeing a significant rise in awareness of ISO 45001 benefits. Environmental Compliance Systems, Inc has also helped many organizations plan, implement and integrate an ISO 45001 OHSMS with their other business management systems. A recent webinar produced with ASSP describes the many benefits of an ISO 45001 OHSMS. Here is a link to free ASSP webinar: https://player.vimeo.com/video/844292169?. Please watch if you are interested in improving your organizations OHS performance.
Here is a webinar we lead for ASSP on Covid-19 recently. The webinar discusses how organizations can use occupational health and safety management system audits and the corrective action process to respond to Covid-19 challenges.
Leadership commitment to a management system is critical to its performance. Encouraging support is sometimes challenging. The management review process required by ISO management system standards can help gain leadership commitment.
Do’s and Don’ts
Coordinate management review with management other business review meetings. Conducting “management review” during regular business review meetings gives the sense that the management systems is part of the overall business. Management reviews conducted infrequently and apart from the other important business management meetings leads to a silo-ed perception of the management system.
Make management review value added. Ensure the information being presents is actionable by leadership. Give them a few choices for recommendations with supporting information and ask them to decide. They will appreciate your opinion and recommendations to help make decisions.
Do the Math and Have Backup.
Defend your recommendations for improvement with cost and return on investment information. Showing leadership how the management system helps save and even makes money, contributes to their support and commitment.
Take Good Notes
Recording leadership decisions during the management review helps ensures follow-up. Records of management review are also evidence of their leadership commitment, especially during audits.
Timely Management Review Follow-up
Follow-up on management review recommendations in a timely fashion and report on progress at the next management review opportunity. This will enhance leaderships perception of the management system, their support and commitment.
Management Review Frequency
Most organizations perform periodic reviews of the business performance to make sure things are going along smoothly and to make any course corrections needed. Integrating the ISO system management review with these regular business review meetings will help ensure that:
Management system performance issues are addressed in a timely fashion
The management system is integrated with all other business processes
Timely information is provided to leadership to help make important business decisions
Management Review Inputs
Management review meetings should not necessarily address all management review inputs during each meeting. Management review inputs that should be reviewed at every management review include:
Follow-up from previous management reviews
Status of actions from previous management reviews;
Status of corrective actions and incident investigation
Progress toward achieving objectives.
Management review inputs to be reviewed less frequently and as needed such as
Customer Complaints and interested party concerns
Changes including new compliance obligations
Adequacy of resources
changes in risks and how they are being addressed
Audit results
Management Review Outputs
The purpose of management review is to ensure the management system is able to achieve it intended outcomes. The outputs of management review are an important part of the Act part of the Plan-Do-Check-Act continual improvement cycle. It is where leadership has the opportunity to review the information generated in the “Check part of the PDCA cycle and intervene (Act) and continually improve the management system
Records of management review are the notes of the meeting (output notes). They are required by all ISO management system standards. Outputs are what leaderships asks the organization to do to improve performance. These records are also excellent evidence of leadership commitment during third party audits.
Conclusion
The goal of management review is to provide information to leadership that it can act on. Planning and conducting good management reviews will enhance leaderships opinion and support of the management system.
The ISO High-Level Structure (HLS) is the basis for all management system standards and is now being revised by ISO. These changes will affect all management system standards. Users of ISO management system standards such as ISO 14001, 9001 and 45001 will need to evaluate how these changes will affect the organizations ISO management systems.
Introduced in 2012, the HLS was created to help better integrate quality, environmental and health and safety management systems. Prior to its introduction ISO 9001 had a different structure that ISO 14001 that complicated integration of the management core processes such as corrective action and management review. The HLS solved that problem. The revision introduced a new name for the HLS and it is now called Annex L, Appendix 2.
The revision will also introduce guidance on use of the HLS for standard writers and users. This guidance is called Annex L, Appendix 3. Both Annex L, Appendix 2 and 3 will be combined as a table.
Proposed Structure of Annex L Appendix 2&3
Appendix 2 is in the final stages of an initial “limited” revision and not yet available to the public. Appendix 3 is in mid-stage revision and should be approaching the final stage later this year.
Here are a few of the most important changes to Annex L, Appendix 2 from the “limited” revision:
Definition of Risk
A lengthy debate is ongoing within ISO about if a revision to the definition of “Risk” is needed. “Risk” is currently defined in the HLS as “the effect of uncertainty”. Some within ISO argue that a better definition is “the effect of uncertainty on objectives“.
Others fear that the addition of the words “on objectives” to the definition of risk will cause confusion in standards like ISO 9001, 14001 and 45001. They believe this because these standard have a specific requirement to create measurable “objectives” within the management system.
The debate over the definition of risk has lead to several proposals including eliminating the definition of risk entirely from the HLS. A subgroup has been assigned the task of sorting this difficult issue and the results will be reflected in a future revision of the HLS. For now however the definition of “risk” will remain as it is in the HLS.
Expected Outcomes Vs Results
The previous version of the HLS used the term “expected outcomes” to describe the results organizations should expect from its ISO management system. Some users found the term “expected outcomes” confusing so it has been changed to “expected results”. The change was also made to simplify translation to other languages.
Outsourced Processes
The old HLS used the term “outsourced processes”. Manufacturers sometimes send their products to other organizations who perform specialized processes like heat treating or electroplating. This relationship between organizations was called “outsourcing” in the previous version of the HLS. The concept of “outsourced processes” however does not apply as well to other disciplines such as environmental management or health and safety management systems.
The term “external provider” is now being used in place of outsourced process. This change has been made in response to several comments that found the term “outsource” unclear. The use of external provider clarifies that outsourced, contracted, and purchased products, services and processes all need to be controlled by the management system.
Documented Information
The use of the terms “maintain” and “retain” to describe what needs to be done with certain types of documents in the management system has been replaced with the term “shall be available”. This change has been made to avoid confusion between maintaining and retaining documented information. This change is not expected to impact organizations with mature document control process and management systems.
Internal Audits
This part of the HLS has been substantially reorganized. The title of 9.2.1 was changed to General and 9.2.2 Internal Audit Program has been added. This change has been made for ease in understanding. Now the two distinct concepts covered in the paragraph (what an audit program entails and what should be considered when establishing an audit program) are listed separately.
Effects of the Annex L, Appendix 2 and 3 Revisions (Whats Next?)
The revision of Annex L is not expected to have a significant immediate effect on ISO standards or ISO management system audits. The revisions will not requires revision of any of the ISO management system standards until these standard are revised and updated as required by ISO. However, organizations in the process of implementing an ISO management system or integrating a new discipline specific standard such as ISO 45001 into an existing management system structure, should anticipate that these changes will appear in future revisions of ISO management system standards.
