Guidance on the use of this International Standard
A.4 Context of the organization
A.8.1 Operational planning and controls
1643
A.8.1.1 General
1644
Operational planning and controls should be established and implemented as necessary to enhance
1645
occupational health and safety, eliminate hazards or, if impossible, to reduce the OH&S risks to levels as
1646
low as reasonably practicable for operational areas and activities.
1647
When planning and developing operational controls, priority should be given to control options with
1648
higher reliability in preventing work-related injury and ill health. Operational controls can use a variety
1649
of different methods, for example:
1650
a) the introduction of procedures and systems of work;
1651
b) ensuring the competency of workers;
1652
c) establishing preventive / predictive maintenance and inspection programmes;
1653
d) specifications for the procurement of goods and services;
1654
e) compliance with preventive regulations and manufacturer's instructions for equipment;
1655
f) engineering controls (physical devices such as barriers) followed by administrative controls
1656
(warnings, safety signs, alarms and signals, or access control procedures and other work
1657
instructions).
1658
g) adapt work to workers.
1659
Work can be adapted to workers by, e.g.:
1660
— defining, or redefining, how it is organized;
1661
— the induction of new recruits;
1662
— defining, or redefining, processes and working environments to workers;
1663
— designing a new workplace and new equipment by using ergonomic approaches, etc.
1664
The OH&S management system’s processes and activities should be established to ensure that
1665
operational controls are implemented effectively (see 9.1.1), and actions taken to mitigate issues or
1666
determined nonconformities (see 10.1).
1667
A.8.1.2 Hierarchy of controls
1668
The hierarchy of controls is intended to provide a systematic approach to enhance occupational health
1669
and safety, eliminate hazards, and reduce or control OH&S risks. Each step is considered less effective
1670
than the one before it. It is usual to combine several steps in order to succeed in reducing the OH&S risks
1671
to a level that is as low as reasonably practicable.
1672
The following examples are given to illustrate measures that can be implemented at each level:
© ISO 2016 – All rights reserved 42
a) hazard elimination: avoiding risks, adapting work to workers, e.g. : integrate health, safety and
1674
ergonomics when planning new workplaces; create physical separation of traffic between
1675
pedestrians and vehicles;
1676
b) substitution: replacing the dangerous by the non-dangerous, or the less dangerous; combating the
1677
risks at source; adapting to technical progress, e.g. : replacing solvent based paint by water based
1678
paint;
1679
c) engineering controls: implement collective protective measures, e.g. : isolation; machine guarding;
1680
ventilation systems; mechanical handling; noise reduction; protecting against falls from height by
1681
using guard rails;
1682
d) administrative controls: giving appropriate instructions to workers, e.g.: lock out processes;
1683
periodical safety equipment inspections; health and safety coordination with subcontractors’
1684
activities; induction; forklift driving licenses; rotation of workers;
1685
e) personal protective equipment (PPE) : provide adequate PPE, and instructions for PPE utilization
1686
and maintenance, e.g. : safety shoes; safety glasses; hearing protection; chemical and liquid resistant
1687
gloves; electrical protection gloves; cutting resistant gloves.
1688
A.8.2
Management of change
1689
The objective of a management of change process is to enhance occupational health and safety at work,
1690
by minimizing the introduction of new hazards and OH&S risks into the work environment as changes
1691
occur, such as in technology, equipment, facilities, work practices and procedures, design specifications,
1692
raw materials, staffing changes, and standards or regulations. Depending on the nature of an expected
1693
change, the organization should use an appropriate methodology(ies) for assessing the OH&S risks and
1694
the OH&S opportunities of the change. The need to manage change can be an outcome of the planning
1695
process (see 6.1.4).
1696
The organization should plan how to implement a change in a manner that does not introduce new
1697
(unforeseen) hazards (see 6.1.4) or increase the OH&S risks. Additionally, the organization should use
1698
this process to find OH&S opportunities, such as less hazardous and/or toxic alternatives in order to
1699
continue to reduce the OH&S risks to workers and/or others who are responsible for handling or working
1700
with the products, materials, etc.
1701
The organization should specify and assign adequate resources for the implementation of a change.
1702
As part of the change management process, the organization should review potential changes to hazards
1703
and OH&S risks (see 6.1). The implementation of a decision to change should ensure that all affected
1704
workers are properly informed and are competent to cope with the change.
1705
A.8.3
Outsourcing
1706
An outsourced process is one that fulfils all of the following:
1707
a) it is within the scope of the OH&S management system;
1708
b) it is integral to the organization’s functioning;
1709
c) it is needed for the OH&S management system to achieve its intended outcome;
1710
d) liability for conforming to requirements is retained by the organization;
© ISO 2016 – All rights reserved 43
e) the organization and the external provider have a relationship where the process is perceived by
1712
interested parties as being carried out by the organization.
1713
A.8.4
Procurement
1714
Prior to procuring goods and services, the organization should identify appropriate procurement
1715
controls. The procurement controls should be used to identify and evaluate potential OH&S risks
1716
associated with e. g. products, hazardous materials or substances, raw materials, equipment, or services
1717
before their introduction into the workplace. Considerations could include requirements for supplies,
1718
equipment, raw materials, and other goods and related services purchased b y the organization to
1719
conform to the organization’s OH&S objectives and its need for information, participation and
1720
communication (see 7.4).
1721
The organization should verify that equipment, installations and materials are adequate before being
1722
released for use by its workers, e. g. that:
1723
a) equipment is delivered according to specification and is tested to ensure it works as intended;
1724
b) installations are commissioned to ensure they function as designed;
1725
c) materials are delivered according to their specifications;
1726
d) any usage requirements, precautions or other protective measures are communicated and made
1727
available.
1728
A.8.5
Contractors
1729
The organization may delegate authority to those best capable of identifying, evaluating, and controlling
1730
OH&S risks, including to contractors. This recognizes that some contractors possess specialized
1731
knowledge, skills, methods, and means. However, this delegation does not eliminate the organization’s
1732
responsibility for the health and safety of its workers.
1733
Contractors can be specialists in maintenance, construction, operations, security, landscaping, facility
1734
upkeep, janitorial, sanitation or clean-up of production processes, and a number of other functions.
1735
Contractors can also include consultants or specialists in administrative, accounting, and other functions.
1736
An organization can achieve coordination of its contractors' activities through the use of contracts that
1737
clearly define the responsibilities of the parties involved. An organization can use a variety of tools for
1738
managing contractors' health and safety performance, including contract award mechanisms or pre-
1739
qualification criteria which consider past health and safety performance, safety training, or health and
1740
safety capabilities, as well as direct contract requirements.
1741
The relationships between an organization and its contractors can be both diverse and complex, and
1742
involve very different types and levels of OH&S risks. How an organization manages these relationships
1743
can vary, depending on the nature of the services provided and the risks identified. The degree of
1744
coordination should depend on factors such as the terms of the contract, the nature of the hazards and
1745
risks, the type and size of the operations, and the duration of the work on the site. When defining how it
1746
will coordinate, the organization should give consideration to the reporting of hazards between itself and
1747
its contractors, controlling worker access to hazardous areas, and procedures to follow in emergencies.
1748
If a contractor does not have an OH&S management system, then the organization should specify how the
1749
contractor will coordinate its activities with the organization's own OH&S management system processes
© ISO 2016 – All rights reserved 44
(such as those used for confined space entry, lockout/tagout, exposure assessment, and process safety
1751
management), and for the reporting of work-related injuries and ill health.
1752
The organization should verify that contractors are capable of performing their tasks before being
1753
allowed to proceed with their work, e.g. by verifying that:
1754
a) OH&S performance records are satisfactory;
1755
b) qualification, experience and competence criteria for workers are specified;
1756
c) training and other worker requirements were undertaken;
1757
d) resources, equipment and work preparations are adequate and ready for the work to proceed.
1758
A.8.6
Emergency preparedness and response
1759
The organization should identify foreseeable emergencies applicable to its operations and plan its
1760
response; such emergencies can occur both during and beyond normal working hours, and can arise due
1761
to both natural and man-made causes. Identified emergencies should be assessed based on their OH&S
1762
risks. The organization should focus on proactive control measures (e.g. the reduction of ignition sources)
1763
not only on reactive risk controls, such as fire-fighting equipment and evacuation.
1764
A.9 Performance evaluation
1765
A.9.1
Monitoring, measurement, analysis and evaluation
1766
A.9.1.1 General
1767
Monitoring, measurement, analysis and evaluation should be appropriate to the size and nature of the
1768
organization and to its OH&S performance.
1769
Monitoring and measuring results are used by an organization during its evaluations of OH&S
1770
performance.
1771
a) Examples of what could be monitored and measured to meet the requirements of this International
1772
Standard can include, but are not limited to:
1773
1) progress on meeting policy commitments, achieving objectives, and continual improvement;
1774
2) occupational health complaints, health surveillance of workers and work environment
1775
monitoring;
1776
3) work related incidents, injuries and ill health, and complaints, including trends;
1777
4) the effectiveness of operational controls and emergency exercises, or to evaluate the need to
1778
modify or introduce new controls (see 8.1);
1779
5) proactive and reactive actions affecting the organization’s OH&S performance;
1780
6) performance of the OH&S management system;
1781
7) competence (7.2);
© ISO 2016 – All rights reserved 45
b) Examples of what could be monitored and measured to evaluate the fulfilment of legal requirements
1783
can include, but are not limited to:
1784
1) identified legal requirements ( have all applicable legal requirements been determined, and are
1785
the organization’s records of them kept up-to-date);
1786
2) the status of identified gaps in compliance;
1787
c) Examples of what could be monitored and measured to evaluate the fulfilment of other requirements
1788
can include, but are not limited to:
1789
1) union-employer agreements;
1790
2) standards and codes;
1791
3) corporate and other policies, rules and regulations;
1792
4) insurance requirements;
1793
d) Criteria are what the organization should compare its performance against:
1794
1) Examples are benchmarks against:
1795
i) other organizations;
1796
ii) standards and codes;
1797
iii) the organization’s own codes and objectives;
1798
2) The organization should use the criteria to set its internal objectives for monitoring and
1799
measurement;
1800
3) To measure criteria, indicators are typically used, for example:
1801
i) If the criterion is a comparison of incidents, the organization may choose to look at frequency,
1802
type, severity, or number of incidents; then the indicator could be the determined rate within
1803
each one of these criteria;
1804
ii) If the criterion is a comparison of completions of corrective actions, then the indicator could
1805
be the percentage completed on time.
1806
Methods include:
1807
— Monitoring can involve continual checking, supervising, critically observing or determining the
1808
status in order to identify change from the performance level required or expected. Monitoring can
1809
be applied to the OH&S management system, to processes or to controls. Examples include the use of
1810
interviews, reviews of documented information and observations of work being performed;
1811
— Measurement generally involves the assignment of numbers to objects or events. It is the basis for
1812
quantitative data and is generally associated with the evaluation of safety programmes and health
1813
surveillance. Examples include the use of calibrated or verified equipment to measure exposure to a
1814
hazardous substance or the counting of the required safe distance from a hazard;
© ISO 2016 – All rights reserved 46
— Analysis is the process of examining data to reveal relationships, patterns and trends. This can mean
1816
the use of statistical operations, including information from other similar organizations, to help draw
1817
conclusions from the data. This process is most often associated with measurement activities;
1818
— Evaluation is an activity undertaken to determine the suitability, adequacy and effectiveness of the
1819
subject matter to achieve the established objectives of the OH&S management system. This activity
1820
is most often associated with monitoring activities.
1821
Occupational health complaints, health surveillance of workers and work environment monitoring are
1822
important elements. Where this is appropriate, suitable medical monitoring or follow-up of workers can
1823
be required. This can assist in the early detection of signs and symptoms of harm to health and to assess
1824
the effectiveness of prevention and control measures.
1825
The frequency of monitoring and measurement should be appropriate to the size and nature of the
1826
organization and its OH&S performance, and to changes in OH&S risk.
1827
The organization should ensure that frequencies of monitoring and measurement are in alignment with
1828
analysis and evaluation of its OH&S risks, risks, OH&S opportunities, and opportunities.
1829
A.9.1.2 Evaluation of compliance with legal requirements and other requirements
1830
The organization should prioritize its actions based on the identified compliance gaps.
1831
A.9.2
Internal audit
1832
A.9.2.1 Internal audit objectives
1833
An organization’s own requirements for its OH&S management system audits may be additional to those
1834
required by this International standard.
1835
Internal audit objectives can be based on:
1836
a) an organization’s own policies, requirements and top management’s OH&S priorities;
1837
b) standards;
1838
c) results of both OH&S risk and risk assessments ;
1839
d) results of previous audits, including contractor audits;
1840
e) incidents, corrective actions and nonconformities;
1841
f) worker participation;
1842
g) needs and expectations of interested parties;
1843
h) level of maturity of the management system;
1844
i) performance evaluation results.
© ISO 2016 – All rights reserved 47 A.9.2.2 Internal audit process
1846
When planning its internal audits the organization should take into consideration the importance of the
1847
processes concerned to the OH&S management system. This can include items such as the impact the
1848
processes have on risk assessment outcomes.
1849
The extent of the audit programme should be based on the size and nature of the organization, as well as
1850
the complexity and level of maturity of the OH&S management system.
1851
Small and medium enterprises (SMEs) can establish objectivity and impartiality of the internal auditor
1852
by creating processes that separate their role as an internal auditor from their normal assigned duties.
1853
SMEs can also use external organizations in this role.
1854
A.9.3
Management review
1855
Clarifying the terms used in relation to management review:
1856
a) Suitability: The extent to which the management system fits and is right for the organization ‘s
1857
purpose, operations, culture and business systems;
1858
b) Adequacy: The extent to which the management system is sufficient in meeting the applicable
1859
requirements;
1860
c) Effectiveness: The extent to which planned activities are realised and planned results achieved.
1861
The management review topics listed in 9.3 a) to g) need not be addressed all at once; the organization
1862
should determine when and how the management review topics are addressed.
1863
Management reviews are a critical part of the continual improvement of the management system. The
1864
purpose of these reviews is for top management to undertake a strategic and critical evaluation of the
1865
performance of the management system, and to recommend improvements.
1866
This review should not be just a presentation of information, but should focus on assessing OH&S
1867
performance and identifying opportunities for continual improvement. It is up to the organization to
1868
determine appropriate measures for the effectiveness of the OH&S management system.
1869
Management reviews should include an evaluation of how well the OH&S management system is
1870
integrated with other business processes and the strategic direction of the organization. Management
1871
reviews can include information about, for example, suppliers and contractors, internal changes in the
1872
organization, and security concerns.
1873
Reviews can present information in a manner (for example a scorecard) that focuses on the management
1874
system elements most in need of the attention of top management. Reviews may be scheduled to coincide
1875
with other management reviews, or to meet other business or management system needs.
1876
The adequacy of resources in item 9.3 g) includes the training and competency of workers.
1877
A.10 Improvement
1878
A.10.1
Incident, nonconformity and corrective action
1879
Separate processes may exist for incident investigations and nonconformities depending on the
1880
organization's requirements.
© ISO 2016 – All rights reserved 48
Examples of incidents, nonconformities and corrective actions include but are not limited to:
1882
a) incidents: work related near-miss events, injuries and ill health, exposures to health hazards,
1883
occupational diseases, property and equipment damage where it can lead to OH&S risks, and vehicle
1884
accidents;
1885
b) nonconformities: protective equipment not functioning properly, failure to apply legal requirements,
1886
or prescribed procedures not being followed;
1887
c) corrective actions: (as indicated by the hierarchy of controls; see 8.1.2) elimination of hazards,
1888
substitution to safe materials, design or modification to equipment or tools, development of
1889
procedures, improving the competence of affected workers, changes in frequency of use, or use of
1890
personal protective equipment.
1891
Root cause analysis refers to the practice of exploring all the possible factors associated with an incident
1892
by asking what happened and why it happened, to provide the input for what can be done to prevent it
1893
from happening again.
1894
When determining the root cause of an incident or nonconformity, the organization should use methods
1895
appropriate to the nature of the incident or nonconformity being analysed. This analysis can identify
1896
multiple system failures including factors related to communication, competence, fatigue, equipment or
1897
procedures.
1898
Root cause analysis should be focused on prevention and not on blame or punishment.
1899
Actions, including corrective actions, (see 10.1d)) should be based on the nature of the incident or
1900
nonconformity and should be implemented in a timely manner.
1901
Reviewing the effectiveness of corrective actions (see 10.1e)) refers to the extent the implemented
1902
corrective actions adequately control the root cause(s).
1903
A.10.2 Continual improvement
1904
Continual improvement is a step by step approach to improve the OH&S management system over time.
1905
The objectives in 10.2.1 are intended as the minimum an organization needs to consider.
1906
The following is a list of clauses and subclauses in this International Standard which can provide inputs
1907
into continual improvement:
1908
a) Clause 4 ‘Context of the organization’;
1909
b) 5.4 ‘Participation, consultation and representation’;
1910
c) 6.1 ‘Actions to address risks and opportunities’;
1911
d) 6.2 ‘OH&S Objectives and plans to achieve them’ ;
1912
e) 7.4 ‘Information and communication’;
1913
f) 9.1 ‘Monitoring, measurement, analysis and evaluation’;
1914
g) 9.2 ‘Internal audit’;
1915
h) 9.3 ‘Management review’;
© ISO 2016 – All rights reserved 49
i) 10.1 Incident, nonconformity and corrective action.
1917
Additional examples of issues to identify opportunities include, but are not limited to:
1918
— new technology;
1919
— good practices, both internal and external to the organization’s;
1920
— suggestions and recommendations from interested parties;
1921
— new knowledge and understanding of health and safety related issues;
1922
— new or improved materials;
1923
— changes in worker capabilities or competence;
1924
— achieving improved performance with fewer resources (i.e. simplification, streamlining etc.).
© ISO 2016 – All rights reserved 50
Bibliography
1926[1] ISO 9001, Quality management systems — Requirements
1927
[2] ISO 14001, Environmental management systems — Requirements with guidance for use
1928
[3] ISO 19011, Guidelines for auditing management systems
1929
[4] ISO 31000, Risk management — Principles and guidelines
1930
[5] ISO 37500, Guidance on outsourcing
1931
[6] ISO 39001, Road traffic safety (RTS) management systems – Requirements with guidance for use
1932
[7] ISO Guide 73, Risk management — Vocabulary
1933
[8] ILO Guidelines on Occupational Safety and Health Management Systems (ILO-OSH 2001); International
1934
Labour Office, Geneva, http://www.ilo.org/safework/info/standards-and-instruments/lang--
1935
en/index.htm
1936
[9] ILO International Labour Standards (including those on occupational safety and health)
1937
http://www.ilo.org/normlex (click on "instruments", then "Conventions and Recommendations by 1938
subject") 1939
[10]OHSAS 18001 Occupational health ans safety management systems – Requirements; OHSAS Project
1940
Group; July 2007, 2nd ed., 34p.; London; ISBN 978 0 580 50802 8
1941
[11] OHSAS 18002 Occupational health and safety management systems – Guidelines for the
1942
implementation of OHSAS 18001:2007; OHSAS Project Group; Nov 2008, 2nd ed., 88p.; London; ISBN 978
1943
0 580 61674 7
1944 1945
© ISO 2016 – All rights reserved 51