from an external provider. Development of control documents based on manufacturers' recommendations.
The purchase of goods and services is a requirement for any business to function. The standard requires the organization to put controls in place to ensure that purchased goods and services do not introduce hazards or expose workers, including contractors, to harm.
PROCUREMENT
A robust procurement process is essential to control product and service inputs into an organization. Inputs may include raw materials for products, equipment including machinery, consumables such as cleaning products, and workers conducting maintenance under a service agreement. The organization is required to develop a process that includes an assessment of the safety impact of products and services prior to purchase. This may include obtaining product or material safety data from an external provider or conducting a risk assessment. A joint risk assessment with the external provider may be appropriate for activities such as the purchase and installation of machinery; the assessment would identify potential hazards and suitable control measures to protect both the organization's workers and contractors. Within the process, consider the delivery of products to ensure they are inspected against specified requirements prior to release. Consideration must also be given to ensuring that products and services are legally compliant. This may be done through the assessment of material safety data sheets, declarations of conformity or business registration with trade associations. Personnel responsible for procurement must ensure they use competent workers to assist with assessments and to communicate safety information relating to the product or service. Health and safety information may include material safety data sheets, training, competence requirements and instructions for use.
CONTRACTORS AND OUTSOURCING
Many businesses use the services of contractors (external providers) to fill gaps in processes and to complete tasks requiring specialist knowledge. The standard requires the organization to conduct an assessment of those contractors, including due diligence competency checks. The organization may consider the use of contractor selection criteria to ensure the services offered are within the scope of the task. The organization must be satisfied that there is a process to protect contractors (who are workers under the standard) and other workers who may be exposed to hazards arising from the contractors' activities. During the procurement process, written agreements may be established between the organization and the contractor specifying the organization's rules. This may be supported by risk assessments and method statements prepared by both parties, with the results communicated to each other. It is key that the necessary checks have been made to ensure contractors are competent; in some circumstances this may require confirmation of compliance with legal requirements, for example certification to work on electrical switchgear or on a gas boiler. Once the procurement process has been completed, it is good practice to support site activities with an induction programme. This gives contractor workers an understanding of the rules, including any site-specific requirements such as site hazards, authorized areas, near miss reporting processes, safe walking routes, emergency action plans, supervision and required permits to work.
DOCUMENTED INFORMATION
The standard requires the organization to maintain documented information relating to the procurement of products and services including contractor arrangements. Below is a list of examples of documented information considered for retention:
Risk assessment and method statements between the organization and contractor
Material safety data sheets
Email exchanges relating to safety aspects
Certificates of conformity – Harnesses, guarding, emergency stops, PPE
Contractor permits and licenses
Completed external provider questionnaires
Worker training records
EMERGENCY PREPAREDNESS AND RESPONSE
Planning for unexpected events is a good all-round organizational discipline. The risk assessment process, which for ISO 45001 is the identification of hazards, may have highlighted potential emergency situations with possible catastrophic consequences. It is therefore necessary to put control measures in place to mitigate these potential events. Once emergency situations have been identified, which may involve workers at every level of the organization, a plan needs to be formulated and tested. Check that emergency preparedness and response have been tested within the internal audit plan. Testing emergency response plans is critical to raise awareness of potential events and to ensure that control measures function, including supervision, individual responsibilities, suitability of training and communication. Below are some examples of when emergency plans will be required:
Event | Recommendation |
---|---|
Provision of first aid | Testing of first aid response, consider shift patterns, availability of equipment and competent staff etc. |
Evacuation drill | Method of raising the alarm, contacting the emergency services, accountability of workers, staged evacuation, changes in building layout etc. |
Bomb threat | Controlled method of raising the alarm, what to do with workers (stay put or evacuate to a safe area), keeping away from windows. |
Chemical spillage | Raising the alarm, evacuation, containment, availability of Material Safety Data Sheets. |
Once the plan has been tested it is important to provide workers with feedback to learn from experience. Again, there is a requirement to have suitable information and records as documented information.
Performance evaluation is a constructive process that aims to improve an organization’s operation and is crucial to the ‘Plan, Do, Check and Act’ model prescribed by ISO 45001. These processes should help achieve and support organizational strategy and goals.
MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION
An organization should check, review, inspect and observe its planned activities to ensure they are occurring as intended. An organization must make sure it has determined the appropriate processes so that it can evaluate how well it is performing against its risks and opportunities. Monitoring generally refers to processes that check whether something is occurring as intended or planned. The tables below provide examples of monitoring and specific control measures:
Event | Local Exhaust Ventilation System (LEV) |
---|---|
Monitoring | Appointed person to weekly inspect airflow of an LEV system to safely remove fumes from a process. |
Measurement | Use of a calibrated meter to check the airflow at two inspection locations of the system according to a specified Work Instruction. (Employee is trained and competent to use the equipment). |
Analysis | Review of recorded data to determine the airflow efficiency of the system and confirm that workers are protected. This may include trend analysis. Results are compared against the manufacturer's specifications and regulatory requirements. |
Evaluation | The trend analysis indicates a reduction in airflow therefore maintenance is triggered to isolate and inspect the LEV system. |
Event | Safe Walking Routes |
---|---|
Monitoring | Appointed person daily site inspection of safe walking routes to ensure they are in a condition to prevent slips, trips and falls. |
Measurement | Visual inspection to ensure there are no obstructions outside of defined safe walking routes. (Usually measurement is associated with measurement equipment to obtain data). |
Analysis | Examination of results from inspections. In this case there may be a trend of equipment repeatedly left in the same location of a Safe Walking Route. |
Evaluation | Determination of root cause of why equipment is repeatedly left in the safe walking route. Resulting in allocation of designated safe place for equipment away from the safe walking route. |
Any equipment used to determine the measurement ‘indicator’ should be calibrated and maintained so that a high degree of confidence is gained in the credibility of data. The standard also requires the organization to implement a process to evaluate legal and other compliance including:
The frequency and method of evaluation
The actions to be taken if the evaluation shows they are needed, and how those actions will be implemented
Maintain knowledge and understanding of its compliance status
Retain documented information to support the evaluation of legal and other requirements
In practice you may consider keeping a list of compliance obligations in a spreadsheet, as outlined under section 6 of this document. Periodically this process should be audited within the internal audit programme to ensure all compliance obligations have been fulfilled. Audit results, including compliance status, should be communicated to senior leadership within the organization so that any outstanding or pending requirements can be actioned by the leadership team. This ensures compliance with obligations and a reduction in risk, including the risk of prosecution.
INTERNAL AUDIT
An internal audit is a systematic method to check organizational processes and requirements, as well as those detailed in the ISO 45001 standard. This will ensure the processes in place are effective and the procedures are being adhered to. The internal audit programme will aid the organization to achieve the OH&S objectives and targets. It helps:
Monitor compliance to policy and objectives
Provide evidence that all necessary checks are carried out
Ensure all current legislative and other requirements are met
Assess the effectiveness of risk management
Engage workers, leading to a positive safety culture
Identify improvement using ‘fresh eyes’ to review a process
Aid continual improvement
Internal audits must be conducted by competent staff with a degree of impartiality to the area being audited. A risk-based approach can be applied to the areas being audited, with increased focus on higher-risk activities. Internal audits must be planned with the expectation that each process is audited at regular intervals. In addition to planned audits, unplanned audits may be conducted in reaction to problematic areas, near miss reports or incident data, with a focus on accident prevention. It is beneficial to communicate audit results to applicable interested parties, including workers, and to set realistic completion timescales for identified ‘opportunities for improvement’ or ‘non-conformities’. Top Management must be aware of deficiencies within the system to ensure the necessary resources can be allocated to mitigate the findings. Audit results are reviewed as part of the management review process.
MANAGEMENT REVIEW
Management Review is an essential element of the Occupational Health and Safety Management System. The aim of the review is for Top Management to assess the performance of the management system to ensure it has been effective and suitable for the needs of the business, ultimately preventing injury or harm to workers. The management review is also a planned activity to review objectives, including compliance, and to set new objectives. Management review meetings are usually conducted annually; however, many organizations conduct management reviews every six months or quarterly to track the performance of the system. If more frequent meetings are conducted, the meeting agenda is often reduced, with the full agenda covered annually. The table below provides an overview of the prescribed management review agenda requirements:
9.3 Standard reference | Summary of requirement for Management Review agenda/clause reference point |
---|---|
a) | Provide a summary of the status of actions from the output of the previous management review. This will include completed or incomplete tasks and justifications for their status. This information can be pre-prepared for the meeting. |
b1) | Explain any changes to internal and external issues relevant to the context of the organization to ensure the needs and expectations of interested parties including workers are fulfilled. |
b2) | In addition to B1 note any changes or pending changes to legal and other requirements and actions to address compliance obligations. |
b3) | If there are any differences or changes to organizational risk and opportunities, they should be noted and explained and discussed in the section below. |
c) | Review whether compliance to OH&S policy and objectives have been achieved. It is good practice to place objectives within a table, align key performance indicators to achieve them and comments if they have or have not been achieved. This will also indicate compliance status of continual improvement. |
d1) | Discuss any incidents or non-conformities which have occurred since the last review period including trends. Are there any trends and what actions have been taken to prevent re-occurrence? |
d2) | Determine if monitoring and measuring has been effective in meeting expectations within the organization. If evidence suggests it has not been effective Top Management can influence improvement. |
d3) | Discuss the status of compliance to legal and other requirements. This may include evidence to support compliance including the methods of determination and sources of information. Discuss any pending legal and other requirements. |
d4) | Discuss results of internal audits and actions that have been taken to resolve any non-conformities. Discuss areas of improvement and areas which are performing well. |
d5) | Overview of consultation of workers. This may be feedback from safety committee meetings and actions to address risk and opportunities. Other processes to ensure workers are safe including contractor arrangements. |
d6) | Discuss risk and opportunities including performance of hazard identification and opportunities to mitigate harm to workers. The organization may wish to review significant findings of risk assessments. |
e) | With consideration of the information discussed in previous sections are there enough resources to maintain and continuously improve the management system. This could be human or financial. Top Management are key to influence improvement in this area. |
f) | Discuss communications with interested parties, this may include regulatory authorities or external providers who are providing materials which have an impact on safety. |
g) | General discussion with the provision of information how the OH&S management system is performing and how can it continually improve in the future. |
On completion of the management review meeting the organization must decide with senior leadership and support, what is needed to continuously improve OH&S and satisfy the standard. The following points outline the Management Review Meeting output requirements:
Provide an overall conclusion on the continuing suitability, adequacy and effectiveness of the OH&S management system in achieving its intended outcomes
Identify continual improvement opportunities
Identify any required changes to the OH&S management system
Identify required resources
Identify any actions needed
Identify any integration improvements with other business processes. This may be further harmonization with ISO 9001 or ISO 14001 management systems
Any implications to the strategic direction of the business. This is a broad scope requirement to capture any topic to improve the OH&S management system
The organization is required to retain the meeting minutes as documented information. This information must be communicated to the relevant interested parties and, where applicable, to worker representatives. It is good practice to transfer management review objectives into a separate document with identified key performance indicators, expected completion timescales and delegated responsibilities. These objectives may be communicated via the organization's email or placed on notice boards.
Improvement opportunities arise from the results discussed in section 9 Management Review, including the analysis and evaluation of OH&S performance, internal auditing and feedback from worker engagement, together with:
Non-conformity and corrective action
Incident investigation and corrective action
Accident investigation and corrective action
Compliance obligations including output from the introduction of new regulation
Several different methods of capturing improvement opportunities may be designed into the system based on the structure, activities and risks within the business discussed in sections 4 and 6. The chosen methods must consider the following:
Means of reporting including incidents to the right groups of workers and interested parties
The timescale of reporting
How the information is going to be recorded as documented information for example near miss report cards, accident reports, defect reports, reports to senior leadership
Involving workers in investigations to determine root causes
A structured system to prevent reoccurrence
Hierarchy of control measures to reduce risk as far as is reasonably practicable
Assessment of OH&S risks prior to the introduction of a corrective action to prevent the introduction of new hazards
Training and competence for workers and interested parties on the means of reporting OH&S hazards, incidents and opportunities for improvement
INCIDENT
Unlike the ISO 9001 Quality and ISO 14001 Environmental management systems, ISO 45001 introduces ‘incident’ alongside non-conformity and corrective action. Clause 3 ‘Terms and definitions’ of the standard sets the parameters within which ‘incident’ is interpreted and reported: an occurrence arising out of, or in the course of, work that could or does result in injury and ill health. An incident in which no injury or ill health actually occurs is commonly referred to as a ‘near miss’, ‘near hit’ or ‘close call’. The organization must therefore implement a reporting system that captures events which have not necessarily been foreseen within the processes of the management system. When a near miss is reported, the findings of the investigation may be recorded in a non-conformance report. A basic example of the process from reporting an incident through non-conformance and corrective action to continual improvement:
Incident
Near miss report card
Corrective Action
Investigation
Risk-based thinking solution
Communication
Review
Management Review
Top tips to get the most out of your health and safety management system:
To have an effective OH&S management system the organization must have commitment from ‘Top Management’ to implement and continually improve
Develop the management system as a tool to protect workers and business interests and not just to satisfy the standard
Use ‘context’ to understand how the organization can internally and externally impact on OH&S including workers
Inform interested parties and workers of their objectives when implementing the standard to gain ‘buy in’ and generate a positive safety culture
When designing processes ensure that they are relevant to the environment they are intended to be used. In other words, do not overcomplicate the system
Build the requirements of the standard into existing processes and control – OHS is not an add-on
Consider integrating this standard into existing management systems such as ISO 9001 Quality and ISO 14001 Environmental. This will help embed OH&S into the thinking of both Top Management and Workers leading to a safe workplace
Published on: 28/02/2012
Latest update: 20/09/2022
Workers should be protected from occupational risks they could be exposed to. This could be achieved through a risk management process, which involves risk analysis, risk assessment and risk prevention and control practices. In order to carry out an effective risk management process, it is necessary to have a clear understanding of the legal context, concepts, risk analysis, assessment and prevention and control processes and the role played by all involved. It is also desirable to base risk management on solid and tested methodologies.
Employers have to take the necessary measures for the safety and health protection of workers, including the prevention of occupational risks. This is a basic legal obligation in all EU Member States. It is stated in the Council Directive of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive 89/391/EEC [1] ), which Member States have transposed into national law. It should be noted that Member States can introduce more rigorous provisions to protect their workers.
To prevent occupational accidents and ill health, employers must carry out a risk assessment, decide on prevention measures and, if necessary, on the use of personal protective equipment. It is recommended to review the risk assessment on a regular basis and in particular each time a change occurs at the workplace, e.g. the use of new work equipment or chemicals, changes in the work processes or modifications to the work organisation.
Risk assessment is not only a legal duty but also good for business. Avoiding and reducing risks reduces work-related accidents and health problems, leading to cost benefits and improved productivity. Risk assessment is a dynamic process that allows companies and organisations to put in place a proactive policy for managing occupational risks. Risk assessment therefore constitutes the basis for implementing appropriate preventive measures and, according to the Directive, must be the starting point of any Occupational Safety and Health (OSH) management system. An OSH management system should be integrated into the company's management system and allows a systematic approach to OSH to be developed [2] . Risk assessment is one step in the OSH risk management process.
Basic concepts in risk management are the definitions of hazard and risk.
Hazard: source or situation with a potential to cause injury and ill-health i.e. an adverse effect on the physical, mental or cognitive condition of a person [2] . Examples of physical hazardous sources or situations can be working on a ladder, handling chemicals or walking on a wet floor. Examples of psychosocial hazardous sources or situations are job content, job insecurity, isolation, bullying or harassment.
Risk: effect of uncertainty. Occupational health and safety risk: combination of the likelihood of occurrence of a work-related hazardous event or exposure(s) and the severity of injury and ill health that can be caused by the event or exposures [2] .
A psychosocial risk is defined as a combination of the likelihood of occurrence of exposure to work-related hazard(s) of a psychosocial nature and the severity of injury and ill-health that can be caused by these hazards [3] . Hazards of a psychosocial nature include aspects of work organisation, social factors at work, work environment, equipment and hazardous tasks.
Risk assessment can be defined as the process of evaluating the risk to the health and safety of workers while at work arising from the circumstances of the occurrence of a hazard at the workplace [4] . This definition stems from the guide elaborated by the EU Commission to provide practical assistance for the implementation of the risk assessment requirements of the Framework Directive. However, it should be noted that the concept of risk assessment is not only used within the context of OSH; it can also relate to financial, environmental, socio-economic, technical and other aspects. A general framework for the risk assessment process is provided in the standard ISO 31000, which describes risk assessment as the overall process of (1) risk identification, (2) risk analysis and (3) risk evaluation.
Following the PDCA (Plan-Do-Check-Act) methodology, risk management is a systematic process that includes the examination of all characteristics of the work system in which the worker operates, namely the workplace, the equipment/machines, materials, work methods/practices and work environment. The aim of risk management is to identify what could go wrong, i.e. to find what can cause injury or harm to workers, to decide on measures to prevent injuries and ill-health, and to implement those measures.
It is important that employers know where the risks are in their organisations and prevent or keep them under control to avoid putting employees, customers and the organisation itself at risk. The main goal of risk management is to eliminate or at least to reduce the risks according to the ALARP (as low as reasonably practicable) principle. A key aspect in risk management is that it should be carried out with an active participation/involvement of the entire workforce. Carrying out risk management requires a step-by-step approach.
The preparation of the risk management process involves several activities, namely:
Several means can be used to support these activities. For instance:
As referred, according to EU legislation employers are responsible for performing risk assessment regarding safety and health at work. Therefore, the overall responsibility for identifying, assessing and preventing risks at the workplace lies with the employer, who must guarantee that the occupational safety and health (OSH) risk management activities are properly executed.
The employer can delegate this function (not the responsibility) to occupational health and safety specialists and occupational physicians. The specialists may be part of the company staff (internal services) or be contracted outside (external services).
The participation of workers in the process of risk management in the field of safety and health at work is of fundamental importance, as workers have the best knowledge of their tasks and the associated risks. Participation also improves acceptance of the measures and facilitates their application in practice.
The risk analysis activities involve:
Risk assessment is the process of evaluation of the risks arising from a hazard, taking into account the adequacy of any existing controls. Several methods to perform risk assessment are available ranging from expert to participatory methodologies and from simple to complex methods. Which method for assessing risks is applied will depend on the nature of the workplace, the type of the tasks and work processes, and the technical complexity [4] . An overview and some guidance on risk assessment techniques can be found in IEC/ISO Standard 31010:2019 Risk management - Risk assessment techniques https://www.iso.org/standard/72140.html . Risk assessment involves evaluating, ranking, and classifying risks.
Risk evaluation involves the determination of a quantitative or qualitative value for the risk. Quantitative risk evaluation requires calculation of the two components of the risk: the probability that the hazardous event will occur, and the severity of the potential consequences. This approach is seldom applied in practice.
Qualitative risk evaluation is more common and usually adopts a methodology based on a matrix. A risk assessment matrix consists of a two-dimensional grid with categories of harmful effects on one axis and categories of probability or likelihood on the other axis. The cells within the grid are used to indicate risk [6] . An example is shown in table 1.
Based on the risk values obtained during the risk evaluation phase, risks should be sorted and ranked according to their severity.
A decision on whether or not a risk is acceptable results from the comparison of the obtained risk value with acceptability criteria based on legal requirements, the principles of the hierarchy of prevention, standards, recommendations, evidence-based information on risks, adaptation to innovation, etc.
It should be highlighted that a particularly careful assessment of individual risk exposure should be performed for workers in special groups (for example, vulnerable groups such as new or inexperienced workers), and for those most directly involved in the highest-risk activities (i.e. the most exposed group of workers) [8] .
This risk classification is the baseline for selecting actions to be implemented and when defining the timescale, i.e. the urgency of the implementation of the corrective measures. As an example, table 1 includes a simple risk categorisation in 3 broad categories indicating a priority ranking for actions.
To have a consistent base for all risk assessments the company should first establish the acceptability criteria. This should involve consultation with workers representatives and other stakeholders and should take account of legislation and regulatory agency guidance, where applicable [8] .
At this stage actions are identified and implemented to avoid or reduce risks, with the protection of workers' health and safety in mind, together with their monitoring over time. The measures implemented should be the ones that best protect everyone exposed to the risk. However, it is important not to forget that additional or different measures may be required to protect workers belonging to special groups, namely workers with special needs (such as pregnant women, young workers, ageing workers and workers with disabilities) and maintenance workers, cleaners, contractors and visitors.
It is very important to take account of the number of individuals exposed to the risk when setting priorities and the timeline for the implementation of prevention and control measures. The risk prevention and control strategy includes the design, planning and implementing of adequate measures, as well as training and informing workers.
The first step is the design of measures to eliminate risks. Risks that cannot be avoided or eliminated should be reduced to an acceptable level, i.e. the residual risk shall be minimised according to the ALARP (as low as reasonably practicable) principle. This means employers must perform a cost-benefit analysis balancing the cost (including money, time, trouble and effort) of reducing a risk further against the degree of risk [9] . It should be demonstrated that the cost involved in reducing the risk further would be grossly disproportionate to the benefit gained. The residual risk should be controlled.
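The matrix evaluation, three-band classification, prioritisation by exposure and residual-risk acceptability check described in the preceding paragraphs can be carried out on a small risk register as follows. This is an added example, not the page's table 1 or any tool the page describes: the 1-5 ordinal scales, the band thresholds and action timescales, the acceptability criterion and the sample hazards are all assumptions chosen for illustration.

```python
"""Qualitative risk matrix: scoring, classification, prioritisation and
residual-risk (ALARP) check over a risk register.

Added example. The scale values, thresholds, timescales and the sample
register are assumptions; the page's own table 1 is not reproduced here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Ordinal scales for the two matrix axes (assumed 1..5). A cell value is
# likelihood x severity, the usual way a two-axis matrix is read.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Three broad categories with an action timescale (assumed thresholds/days).
CATEGORIES: List[Tuple[int, str, int]] = [
    (15, "high", 0),      # stop the activity, act immediately
    (6, "medium", 30),    # planned corrective action within the timescale
    (1, "low", 365),      # tolerable, review at the next periodic assessment
]

# Acceptability criterion agreed with worker representatives (assumed):
# a residual risk is acceptable only if it sits in the low band.
ACCEPTABLE_MAX_SCORE = 5


@dataclass
class Control:
    name: str
    likelihood: str   # rating once this control is in place
    severity: str


@dataclass
class Hazard:
    ref: str
    description: str
    likelihood: str
    severity: str
    exposed: int      # number of workers exposed to the hazard
    # Controls in the order they are applied; the last one gives the
    # rating with all listed controls in place.
    controls: List[Control] = field(default_factory=list)


def score(likelihood: str, severity: str) -> int:
    """Matrix cell value; a rating off the scale raises KeyError rather than
    silently scoring zero."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def category(s: int) -> Tuple[str, int]:
    """Map a score to (band, days within which action is expected)."""
    for floor, name, days in CATEGORIES:
        if s >= floor:
            return name, days
    raise ValueError(f"score {s} is outside the matrix")


def residual_score(h: Hazard) -> int:
    """Score after the listed controls; equals the initial score if none."""
    if not h.controls:
        return score(h.likelihood, h.severity)
    last = h.controls[-1]
    return score(last.likelihood, last.severity)


def evaluate(h: Hazard) -> Dict[str, object]:
    initial = score(h.likelihood, h.severity)
    band, days = category(initial)
    res = residual_score(h)
    return {
        "ref": h.ref,
        "initial": initial,
        "category": band,
        "act_within_days": days,
        "exposed": h.exposed,
        "residual": res,
        # Not acceptable means: reduce further, or document why further
        # reduction would be grossly disproportionate (ALARP justification).
        "acceptable": res <= ACCEPTABLE_MAX_SCORE,
    }


def prioritise(register: List[Hazard]) -> List[Dict[str, object]]:
    """Rank the register: highest initial score first, and on equal scores
    the hazard with more exposed workers first (the page's exposure rule)."""
    rows = [evaluate(h) for h in register]
    return sorted(rows, key=lambda r: (-int(r["initial"]), -int(r["exposed"])))


def not_yet_acceptable(register: List[Hazard]) -> List[str]:
    """References of hazards whose residual risk still fails the criterion."""
    return [str(r["ref"]) for r in prioritise(register) if not r["acceptable"]]


# Constructed sample register (assumed ratings, not real survey data).
SAMPLE_REGISTER = [
    Hazard("H1", "Working from a ladder at height", "likely", "major", 4,
           [Control("Mobile elevating work platform with guardrails", "unlikely", "moderate")]),
    Hazard("H2", "Wet floor in the loading bay", "possible", "minor", 40,
           [Control("Non-slip flooring and cleaning schedule", "unlikely", "minor")]),
    Hazard("H3", "Handling a solvent-based cleaner", "possible", "major", 8,
           [Control("Substitute a water-based product", "unlikely", "moderate"),
            Control("Local exhaust ventilation at the bench", "rare", "moderate")]),
    Hazard("H4", "Lone working in the remote store", "unlikely", "moderate", 3,
           [Control("Hourly check-in procedure", "rare", "moderate")]),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(row)
    print("still above acceptability criterion:", not_yet_acceptable(SAMPLE_REGISTER))
```

Running the module prints the register in priority order and then the references whose residual risk still fails the acceptability criterion; for the constructed register that is H1, whose platform control brings it to the medium band but not into the acceptable band, so it needs either a further measure from the hierarchy or a documented ALARP justification.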
The measures to be implemented should be based on up-to-date technical and/or organisational knowledge and good practice, using the following hierarchy [10] [11] :
Prevention measures
Protection measures
Mitigation measures
The aim of implementation of prevention measures is to reduce the likelihood of injuries or ill-health. Several examples, also in hierarchical order, that can be used to achieve this objective are:
a) Using engineering or technical measures to act directly on the risk source, in order to
These measures are more efficient and economical when accomplished during the workplace design phase.
b) Using organisational or administrative measures for changing of behaviours and attitudes and promote a safety culture :
Implementation of Protection measures should consider, first, collective measures and then individual measures. Several examples of measures (sorted by priority) that can be used to achieve this objective are:
a) Collective Protection measures:
b) Individual Protection - use of Personal Protective Equipment (PPE) to protect the worker from the residual risk. The worker should participate in the selection of PPE and should be trained in its use.
When, despite prevention and protection measures, an incident, injury or case of ill-health occurs, the company needs to be prepared (emergency preparedness) by implementing mitigation measures. The aim of mitigation measures is to reduce the severity of any damage to facilities and harm to employees and the public. Examples of such measures are emergency plans, evacuation planning, warning systems (alarms, flashing lights), testing of emergency procedures, exercises and drills, fire-extinguishing systems, and a return-to-work plan.
Managers must know the risks their workers are exposed to, and workers must know the risks they are exposed to. Providing information and training courses to workers is a legal requirement in the EU.
The risk management process should be reviewed and updated regularly, for instance every year, to ensure that the prevention measures implemented are adequate and effective. Additional measures might be necessary if the improvements do not show the expected results. Regular review is also highly recommended because workplaces are dynamic: changes in equipment, machines, substances or work procedures can introduce new hazards. Another reason is that new knowledge regarding risks can emerge, either leading to the need for an intervention or offering new ways of avoiding or controlling the risk. The review of the risk management process should consider a variety of types of information and draw them from a number of relevant perspectives (e.g. staff, management, stakeholders).
In the EU it is a legal obligation that employers assess the risks to safety and health at work, including those facing groups of workers exposed to particular risks (Framework Directive 89/391/EEC), and document the process. The documentation should provide an overview of the identified hazards, the respective risks and the measures subsequently implemented.
The risk management process plays a central role for any organization in ensuring occupational health and safety and preventing workplace injuries and ill-health. But companies, especially smaller ones, sometimes lack the expertise and the resources to carry out risk assessments. The need for a simple, clear and cost-effective way to ensure compliance with the legislation and to foster a positive safety and health culture has led to the development and use of web-based tools. To assist Member States, EU-OSHA has created the OiRA tool, a web-based platform that enables the creation of sectoral risk assessment tools in any language in an easy and standardised way. The OiRA tool generator is provided free of charge to sectoral social partners and national authorities at EU and national level. All the OiRA tools are available at https://oiraproject.eu/en and can be used by workplaces to carry out risk assessments.
[1] Directive 89/391/EEC of 12 June 1989 on the introduction of measures to encourage improvements in the safety and health of workers at work (Framework Directive). Available at: https://osha.europa.eu/en/legislation/directives/the-osh-framework-directive/1
[2] ISO 45001:2018 Occupational health and safety management systems — Requirements with guidance for use
[3] ISO 45003:2021 Occupational health and safety management - Psychological health and safety at work - Guidelines for managing psychosocial risks
[4] EC - European Commission, Guidance on Risk Assessment at Work, Luxembourg, 1996. Available at: http://osha.europa.eu/en/topics/riskassessment/guidance.pdf
[5] Nunes, I. L., 'Risk Analysis for Work Accidents based on a Fuzzy Logics Model', 5th International Conference of Working on Safety - On the road to vision zero? Roros. Norway, 2010.
[6] Jensen RC, Bird RL, Nichols BW. Risk Assessment Matrices for Workplace Hazards: Design for Usability. Int J Environ Res Public Health. 2022 Feb 27;19(5):2763. Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8910355/
[7] BAuA. Schritt 3: Gefährdungen beurteilen. Available at: https://www.baua.de/DE/Themen/Arbeitsgestaltung-im-Betrieb/Gefaehrdungsbeurteilung/Grundlagenwissen/Prozessschritte-der-Gefaehrdungsbeurteilung/Autorenbeitraege/Schritt3.html
[8] BSI - British Standard Institutions, Occupational health and safety management systems — Guide, BS 8800, 2004.
[9] HSE - Health and Safety Executive, Principles and guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably practicable, 2011. Available at: http://www.hse.gov.uk/risk/theory/alarp1.htm#P14_1686
[10] NSW - New South Wales Government, Six steps to Occupational Health and Safety. Available at: http://www.une.edu.au/od/files/OHSSixsteps.pdf
[11] Harms-Ringdahl, L., Safety Analysis: Principles and Practice in Occupational Safety, Taylor & Francis, 2001.
EU-OSHA - European Agency for Safety and Health at Work, Risk assessment essentials. Available at: https://osha.europa.eu/en/publications/risk-assessment-essentials/view
EU-OSHA - European Agency for Safety and Health at Work, Management Leadership in Occupational Safety and Health – a practical guide. Available at: https://osha.europa.eu/en/publications/management-leadership-occupational-safety-and-health-practical-guide
EU Commission, Health and safety at work is everybody’s business. Available at: https://op.europa.eu/en/publication-detail/-/publication/cbe4dbb7-ffdc-11e6-8a35-01aa75ed71a1/language-en/format-PDF/source-85839760
ILO - International Labour Organisation, How can occupational safety and health be managed? Available at: https://www.ilo.org/global/topics/labour-administration-inspection/resources-library/publications/guide-for-labour-inspectors/how-can-osh-be-managed/lang--en/index.htm
IEC/ISO 31010:2019 Risk management - Risk assessment techniques. Available at: https://www.iso.org/standard/72140.html
ISO/TR 14121-2:2012 Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods https://www.iso.org/standard/57180.html
Aditya Jain
Karla Van den Broek
Isabel Nunes
What is monitoring, measurement, analysis and evaluation for ISO 45001?
Health and safety performance monitoring, measurement, analysis and evaluation is conducted through the collection of safety data and safety information from a variety of sources typically available to your organization.
Data availability to support informed decision-making is one of the most important aspects of the OH&S Management System. Using this data for safety performance monitoring and measurement is an essential activity that generates the information necessary for safety risk decision-making.
Active monitoring, workplace inspections, statutory inspections, reactive monitoring, analysing & evaluating performance data, 9.1.2 evaluation of compliance.
Verifying safety performance and validating the effectiveness of safety risk controls requires a combination of internal audits, workplace inspections and the establishment and monitoring of safety performance indicators (SPIs).
Assessing the effectiveness of the safety risk controls is important as their application does not always achieve the results intended. This will help identify whether the right safety risk control was selected and may result in the application of a different safety risk control strategy.
For small organizations, the low volume of data may mean that it is more difficult to identify trends or changes in the safety performance. This may require meetings to raise and discuss safety issues with appropriate expertise. This may be more qualitative than quantitative but will help identify hazards and risks for the organization.
Collaborating with other businesses or industry associations can be helpful, since these may have data that your organization does not have. For example, smaller businesses can exchange with similar organizations/operations to share safety risk information and identify safety performance trends. Organizations should adequately analyse and process their internal data even though it may be limited.
For businesses with many interactions and interfaces they will need to consider how they gather safety data and safety information from multiple organizations. This may result in large volumes of data being collected to be collated and analysed later. These organizations should utilize an appropriate method of managing such data.
9.1.1 General - monitoring and measurement
The organization has to determine what it needs to monitor and measure. This includes the determination of the criteria against which the health and safety performance will be evaluated including appropriate indicators.
Performance measurement is an essential part of the safety and health management system.
Key purposes of performance measurement are to:
Periodically review the monitoring and measurement process to ensure that it remains suitable and effective, and leads to continual improvement of the health and safety management system.
Safety monitoring should be recorded on the relevant templates and be analysed and discussed at health and safety committee meetings, in order to identify any underlying themes or trends which may not be apparent when looking at events in isolation.
Priorities should be established for necessary remedial action to ensure that safety issues are dealt with and completed within a reasonable time.
It is often necessary to use both active and reactive monitoring data to determine whether objectives are achieved. An organization’s performance monitoring system should incorporate both active and reactive monitoring. Two types of monitoring are required:
No single measure will suitably convey the desired levels of performance, therefore, a mixed model of active (leading) and reactive (lagging) safety measures is necessary to fully define it. Active monitoring should be used to check compliance with the organization’s safety and health activities, for example to confirm that recently appointed staff have attended an induction course.
Reactive monitoring should be used to investigate, analyse, and record health and safety management system failures, including incidents, near misses, and ill-health cases.
The following are examples of methods that can be used to measure safety and health performance:
Active safety monitoring should be carried out which includes a review of the health and safety policy; action plans; routine inspections and checks to ensure that preventative and protective measures are in place and effective.
Active monitoring will reveal whether the health and safety management system is functioning correctly.
Typical active measures include:
Every organization should collect information to investigate the causes of substandard performance or conditions adequately. Documented procedures for carrying out these activities on a regular basis for key operations should be established and maintained.
The active monitoring system should include:
Active monitoring should be proportional to the hazard profile of the organization and should concentrate on areas likely to produce the greatest benefit and lead to the greatest control of risk.
Key risk control systems and related workplace precautions should therefore be monitored in more detail or more often (or both) than low-risk systems or management arrangements.
A workplace inspection is a regularly scheduled inspection of work areas, using a checklist to assist with the monitoring and identification of hazards. A system for inspecting workplace precautions is important in any active monitoring program.
It can form part of the arrangements for the preventative maintenance of plant and equipment, which may also be covered by legal requirements. Equipment in this category includes pressure vessels, lifts, cranes, chains, ropes, lifting tackle, scaffolds, trench supports, and local exhaust ventilation.
The aim of workplace health and safety inspections is to prevent work related accidents and ill health by identifying new hazards; and checking that preventative and protective control measures are implemented and effective.
Regular site workplace inspections will enable your organization to:
Health and safety representatives should assist Managers by helping to carry out routine inspections of their work areas and reporting the findings. They should also provide assistance, and be included in the investigation of accidents, near miss incidents, potential hazards and complaints by an employee relating to health, safety and welfare at work.
Managers and Supervisors are responsible for carrying out monthly routine inspections of their work area. The results of monthly inspections will be monitored by the Department Head in order to improve health and safety performance. Therefore, all inspections should be recorded on a checklist and a copy provided to the Department Head.
The personnel undertaking workplace health and safety inspections should already be familiar with the workplace activity, premises, equipment, personnel and procedures pertaining to their area of responsibility and should draw on this knowledge when planning the inspection taking into consideration:
Workplace inspections need to take account of premises, plant, housekeeping, procedures, activities and substances. Inspections should include other workplace precautions, such as those covering the use of premises, other places of work, and systems of work.
The workplace inspection should identify remedial actions necessary, by determining the extent to which procedures and controls are being complied with, as well as the condition of plant, equipment, and premises etc.
When conducting a workplace inspection, particular attention should be given to the existence and maintenance of suitable engineering controls (rather than reliance on the use of personal protective equipment (PPE)); the arrangements to deal with emergencies; the availability of adequate current information; and, if necessary, warnings regarding the nature of the plant/substance hazards concerned (e.g., where and how work activities are being carried out and the potentially exposed population).
Records should be maintained of any workplace health and safety inspections undertaken (copied to the appropriate Health and Safety Representatives) including any inspection notes and checklists raised, as well as any formal post inspection reports and action plans produced; these should be retained for a period of at least three years.
Workplace inspections should be carried out as determined by the level of risk to the area and work practices. The following offers a guide to the frequency; however, an assessment of each individual area needs to occur to determine the frequency.
A suitable program should take all risks into account but should be properly targeted. For example, low risks might be dealt with by general inspections every month or two, covering a wide range of workplace precautions such as the condition of premises, floors, passages, stairs, lighting, welfare facilities, and first aid.
Higher risks need more frequent and detailed inspections, perhaps weekly or even, in extreme cases, daily, or before use. An example of a pre-use check would be the operation of mobile plant. The inspection program should satisfy any specific legal requirements and reflect risk priorities.
Suitable schedules and performance standards for the frequency and content of inspection can help. The schedules can be supplemented with inspection forms or checklists, both to ensure consistency in approach and to provide records for follow-up action.
Inspections should be carried out by people who have the necessary skills and training to identify the relevant hazards and risks and who can assess the conditions found.
A properly thought-out approach to inspection will include:
For best results a manager and at least one other worker should be involved in the workplace inspections.
Particular note should be taken of the following:
If a hazard or a nonconformity is identified a corrective action must be identified. All corrective actions must have a person or persons allocated responsibility with time frames and priority. Priority should be determined by the level of risk posed by the hazard.
There are a number of specific legal requirements which require statutory examinations and inspections to be completed. This includes the requirement within COSHH 2002 Regulation 9 to thoroughly examine equipment such as local exhaust ventilation at least every 14 months.
Other requirements are in place for the inspection and certification of work equipment such as lifting equipment under LOLER 1998 Regulation 9 on an annual basis. The definition of lifting equipment includes any equipment used at work for lifting or lowering loads, including accessories used for anchoring, fixing or supporting it. It is now referred to as a Thorough Examination, which includes a PUWER 1998 Regulation 6 inspection as well.
PUWER 1998 requires employers to ensure all work equipment is safe for use, maintained in a safe condition and inspected to ensure it is correctly installed and does not subsequently deteriorate. Work equipment is any machinery, appliance, apparatus, tool or installation for use at work.
The PSSR 2000 Regulations apply to owners and users of pressure systems containing a relevant fluid including steam, gases under pressure and any fluid kept artificially under pressure which when released to atmosphere becomes a gas.
There is a legal requirement for Thorough Examination of pressure vessels that contain steam, compressed air and refrigerants. Pressure systems require to be inspected in accordance with a Written Scheme of Examination.
If the statutory inspection for any equipment has not been completed before the expiry date, which is shown next to the equipment description on the equipment rating label and/or certificate, that equipment must not be used until statutory testing has been completed. As the equipment no longer complies with legislation, it must be made safe by disabling it at the earliest opportunity.
Employees may be asked or targeted with a questionnaire to rate their knowledge or attitude towards health and safety. This allows the measurement of the health and safety culture of the organization. Ask staff to explain the controls in place for their work and how they have been trained to implement these controls.
This method can be used in conjunction with other methods as the responses can be used to verify a number of aspects of the safety management system e.g., training records, risk assessments etc.
Monitoring worker health can be considered an active monitoring measure, as carrying out measurements of parameters such as hearing (through audiometry) can provide a measure of effectiveness of controls.
Health monitoring processes should systematically detect and assess any adverse effects of work on the health status of workers as it relates to their duties.
It is delivered through real time monitoring of exposure levels, medical assessment and biological monitoring of workers (e.g., blood/urine tests for checking chemical exposure).
This involves walking around the workplace on a set route and counting the number of hazards present on a regular basis. This allows you to acquire a picture on how that area/local manager is dealing with the H&S issues.
If the number of hazards is constantly rising then issues, once identified, are obviously not being dealt with.
Ad hoc visits to selected parts or the entire facility. Especially effective if carried out by senior departmental managers as this demonstrates their commitment to safety. The visit can provide staff with the opportunity to raise safety issues with senior staff. It is vital that concerns are documented and the actions taken are communicated to the individuals or groups who raised the issue(s).
An informal method of identifying potential problems. The results however will just be a 'snapshot' of current practices. This method can be used to identify hazards not previously considered or recently introduced. It can also be used to identify trends if records are kept. For example, observing the same hazard at different locations in the department or in the same location at different times.
These are identical to safety tours but only identify one specific type of hazard, e.g., electrical/chemical etc. Sampling implies an inspection that is limited either to certain areas of the workplace or to certain aspects of workplace activity.
Examination of risk assessments or codes of practice and comparing the requirements set with observed practices. This is a method of identifying whether risk control measures are being used in accordance with approved documentation.
An inspection is completed with the focus on observing unsafe actions rather than hazards associated with plant and premises.
If certain instruments are required for measuring and monitoring performance, the organization must institute and maintain procedures for calibrating and servicing the instruments. It must retain verification of these calibration and servicing activities.
Measuring instruments might include devices used to detect the presence of harmful gases, radiation, excessive noise or extreme temperatures. Ensure all relevant equipment is on an appropriate monitoring and calibration schedule .
Monitor and analyze reported incidents continuously for incident location, time or period, work process involved, type of hazard, direct and root-causes, etc., to spot trends and identify root-causes of groups of incidents.
Based on the trend analysis, the need to review or reassess any safety measure should be evaluated, documented and acted upon accordingly.
Reactive safety monitoring relies on taking action after incidents have been reported to prevent the recurrence of similar events. Reactive safety monitoring should be triggered after events such as: injuries and cases of ill health; losses such as damage to property or equipment; incidents with the potential to cause injury, ill health or loss; hazards; and weaknesses or omissions in the safety management system.
Typical reactive measures include:
A variety of safety related statistics can be used to assist in the monitoring and measuring of safety standards. Some measures may be used in-house such as the number of accidents causing injury, near misses, incidents or RIDDOR accidents.
These may be broken down further to give details of the type of accidents, their cause, the type of injury involved, the time of day or the grade/job of the person involved. This can be part of the organization’s monitoring arrangements for safety. The results of monitoring will be fed back into the safety management system in order to ensure continual improvement.
A system of internal reporting of all incidents (which includes ill-health cases) and incidents of non-compliance with the health and safety management system should be set up so that the experience gained may be used to improve the health and safety management system.
The organization should encourage an open and positive approach to reporting and follow-up and should also put in place a system of ensuring that reporting requirements are met.
The organization should establish procedures for investigating incidents to identify their causes (see 10.2), including possible deficiencies in the health and safety management system.
Those responsible for investigating accidents, and incidents should be identified and the investigation should include plans for corrective action, which incorporate measures for:
The organization should implement and record any changes in documented procedures resulting from corrective action.
Monitoring, measurement, analysis and evaluation of OH&S metrics must take into account the business context, relevant third parties, the policy, risks, opportunities and objectives.
Ensure that performance monitoring and measurement results are retained as documented information.
After it is determined what will be monitored and measured, statistical techniques should be applied to interpret the resulting safety data to help your organization understand levels of safety performance and effectiveness.
Data can be collected and reported about a number of different unwanted events such as:
Statistical techniques assist in identifying, analyzing, interpreting the monitoring and measuring safety data that is collected and reported about a number of different parameters in the previous sections.
This data must be analysed and evaluated to see if there are any:
Trends – consistent increases/decreases in the number of and types of events over a period of time
Patterns – collections or hot-spots of certain types of events
This analysis usually involves converting the raw data (i.e., the actual numbers) into an incident rate so that more meaningful comparisons can be made.
Data on these indicators should be collected and analysed by the Health & Safety Department to ascertain any patterns or trends, and is converted into an incident rate – based on the hours worked - so that meaningful comparisons can be made from period to period.
For the analysis of nonconformities and incidents, appropriate statistical and non-statistical techniques are applied.
In addition to the analysis within the data sources, there is also analysis across the data sources to determine the extent and significance of the nonconformity or incident. The linkage of data from different data sources is referred to as ‘horizontal analysis’.
Access to current relevant legislation, standards, codes of practice, agreements and guidelines is primarily available through electronic media via http://www.legislation.gov.uk and other external internet sites. Where electronic information is inaccessible, relevant legislative material should be maintained in hardcopy format and controlled accordingly.
A legislative compliance review should assess, at desktop level, the organization's health and safety policies, guidelines or procedures that comprise its OH&S management system against any applicable legislation, industry codes of practice or standards.
Legislative compliance reviews should also be conducted when OH&S management system documentation is due for review or due to external changes, e.g., changes or introduction of legislation, codes of practice or national standards.
The compliance review should include identifying and referencing legislative requirements related to the health and safety policy, guideline or procedure and incorporating these needs into existing processes. The revised health and safety policy, guidelines or procedures as a result of the legislative compliance review must be communicated.
The Certification Auditor’s role is not to verify the result of the compliance audit, but to assess the effectiveness of the audit process and taken actions. An understanding of compliance status must be demonstrated. Therefore, your organization must have the means (inspections, tests, audits) that are frequent and robust enough to ensure that knowledge and understanding of compliance status is maintained.
The purpose of this procedure is to establish and define the roles and responsibilities for detailed health and safety monitoring, measurement, analysis and performance evaluation. The process includes the recording and tracking of progress against identified actions and targets, which provide the mechanism for safety assurance that ensures our safety processes and systems are able to effectively manage our safety risks. Where assurance cannot be given, it provides an opportunity for prompt intervention and action planning.
PRETESH BISWAS
Your Partner in ISO Standard compliance
1.0 Purpose:
To establish, implement & maintain a documented procedure for ongoing identification of the hazards, assessment of risks, and determination of necessary control measures.
2.0 Scope:
Applicable to the activities, processes, products and services covered under the scope of the EHS Management System at XXX.
3.0 Responsibility:
EHS MR & CFT Members.
4.0 Definitions:
4.1 Hazard – source or situation with a potential for harm in terms of human injury or ill health, or a combination of these.
4.2 Risk – the combination of the likelihood and consequence(s) of a specified hazardous event occurring.
4.3 Normal – A condition/situation which occurs whenever the activity/service is carried out according to the planned arrangements. This may happen during routine activity. Note: Planned arrangements are defined in the control plans, process sheets, work instructions, do’s and don’ts, etc. E.g.: noise generation during machining operations.
4.4 Abnormal – A condition/situation which occurs due to deviation from planned arrangements. This may happen during a non-routine activity. E.g.: finger entrapment between tools in a machining operation, or potential risk of electrocution due to a short circuit while carrying out electrical maintenance.
4.5 Emergency – An undesirable situation resulting from unforeseen and uncontrollable events, leading or having the potential to lead to intolerable consequences. E.g.: fire in the FO storage area.
4.6 Routine – Daily activities/ Services carried out in the plant.
4.7 Non-routine – Occasional activities/services carried out in the plant. These are generally support activities such as A/C maintenance, hydrostatic testing of pressure vessels, etc.
4.8 Visitor – Any person visiting the company who is not involved in carrying out any of the routine or non-routine activities. E.g.: suppliers, vendors, consultants, auditors, neighbours and the legal authorities.
4.9 Risk assessment – Overall process of estimating the magnitude of risk and deciding whether the risk is tolerable or not.
4.10 Acceptable risk – Risk that has been reduced to a level that can be tolerated by the organization having regard to its legal obligations and its own OH&S policy.
4.11 Site – A work area, the organizational unit that falls under the scope of the XXX EHSMS and within which an EHSMS is being implemented.
This procedure is designed for the identification of hazards, the assessment of risks and the definition of the necessary applicable control methods. In defining it, the organization has taken into account the complexity of its operations, the suitability of the risk assessment methodologies, workplace conditions and expert guidance.
The risk assessment process is based on the following steps:
6.1 Hazard identification:
6.1.1 Responsibility: CFT
6.1.2 Activity
The OHS risks shall be identified through Cross Functional Team (CFT) and the following points shall be considered:
Note: All these considerations shall apply to normal/abnormal/emergency conditions in which a risk may be present.
6.2.1 Responsibility: CFT
6.2.2 Activity
Note: Identification of risks based on other factors such as accidents, incidents, and reports of planned inspections/task observation/critical task analysis/safety audit/internal and external audits shall also be done.
6.3.1 Responsibility: CFT and EHS MR
6.3.2 Activity
Evaluate the risks for the loss exposures identified through the above means in the HIRA by giving severity and probability ratings, which shall be recorded in the HIRA format to arrive at a Risk Level for each loss exposure/risk identified. Follow the HIRA methodology covered in the relevant work instruction.
The planning committee shall ensure that the OH&S risks and the determined controls are taken into account. Using the following severity scale, the EHS CFT rates each hazard considered in the HIRA and ranks it for severity.
| Severity | Description |
| --- | --- |
| Discomfort | Person feels discomfort |
| First aid | First aid is required |
| Absence less than 3 days | Minor injury / health problem leading to hospitalization |
| Absence more than 3 days (hospitalization) | Major injury / health problem leading to hospitalization |
| Catastrophic | Permanent disability (PD) or death |
Probability due to injury, first aid, incident/accident, exposure of chemical, etc. it comes to the rating scale, the CFT should consider normal operating conditions, abnormal conditions (i.e. shut down & startup) as well as the risk associated with reasonably foreseeable or emergency situations .
Probability scale:
Improbable | The accident will never happen
Remote / Rare | The accident will happen with warning
Likely with warning | The accident will happen with warning
Likely without warning | The accident will happen without warning
Probable / Certain | Very risky situation; an accident or health problem will definitely happen
Risk level (severity x probability):
0 to 4 | Insignificant
5 to 8 | Tolerable
9 to 12 | Moderate
13 to 16 | Significant
17 to 25 | Intolerable
Establish the Level of Significance
The level of significance can be determined using the following formula and criteria:
Significant Risk Level (RL): the highest possible rating is 25, and a rating above 12 is the criterion for significance. An RL rating above 12 is considered a significant risk.
► A rating of 5 on the Severity and/or Probability scale is considered a significant aspect.
► Injury, first aid, ill health and legal requirements are considered significant aspects regardless of their score rating.
The CFT shall review the HIRA and make the corresponding changes half-yearly, or as and when needed, to determine other aspects that can still be considered in setting objectives, programs and operational controls, and to re-rate previously identified significant risks.
Records:
S. No. | Record | Document No.
1 | HIRA Register | EHS-RG-03
2 | Legal Register | EHS-RG-01
3 | List of Significant Risk | EHS-ML-13
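The scoring and significance rules of the procedure above, worked through as an added example. This is not the procedure's own HIRA format or tooling: the 1 to 5 numbers attached to the severity and probability descriptors are an assumption (the page names the descriptors but not their ratings), the risk-level bands and the three significance rules are taken from the text, and the sample HIRA lines are constructed. The last function builds the "List of Significant Risk" that the records table refers to.

```python
from dataclasses import dataclass

# Assumed 1..5 ratings for the page's severity descriptors (the page lists
# the descriptors but not their numbers; 1 = least severe).
SEVERITY = {
    "Discomfort": 1,
    "First aid": 2,
    "Absence less than 3 days": 3,
    "Absence more than 3 days": 4,
    "Catastrophic": 5,
}
# Assumed 1..5 ratings for the probability descriptors.
PROBABILITY = {
    "Improbable": 1,
    "Remote / Rare": 2,
    "Likely with warning": 3,
    "Likely without warning": 4,
    "Probable / Certain": 5,
}
# Risk level bands exactly as given in the procedure (RL = severity x probability).
BANDS = (
    (0, 4, "Insignificant"),
    (5, 8, "Tolerable"),
    (9, 12, "Moderate"),
    (13, 16, "Significant"),
    (17, 25, "Intolerable"),
)
SIGNIFICANCE_THRESHOLD = 12  # an RL above 12 is a significant risk
# Loss exposures the procedure treats as significant regardless of score.
ALWAYS_SIGNIFICANT = {"injury", "first aid", "ill health", "legal requirement"}


@dataclass(frozen=True)
class HiraEntry:
    activity: str
    hazard: str
    severity: str       # key of SEVERITY
    probability: str    # key of PROBABILITY
    loss_exposure: str  # e.g. "injury", "ill health", "property damage"


@dataclass(frozen=True)
class HiraResult:
    risk_level: int
    band: str
    significant: bool
    reason: str


def band_for(risk_level: int) -> str:
    """Map a risk level to its band on the 0-25 matrix."""
    for low, high, name in BANDS:
        if low <= risk_level <= high:
            return name
    raise ValueError(f"risk level {risk_level} is outside the 0-25 matrix")


def evaluate(entry: HiraEntry) -> HiraResult:
    """Score one HIRA line and apply the significance rules in order:
    RL above 12, then a 5 on either scale, then the always-significant exposures."""
    s = SEVERITY[entry.severity]
    p = PROBABILITY[entry.probability]
    rl = s * p
    band = band_for(rl)
    if rl > SIGNIFICANCE_THRESHOLD:
        return HiraResult(rl, band, True, "risk level above 12")
    if s == 5 or p == 5:
        return HiraResult(rl, band, True, "severity or probability rated 5")
    if entry.loss_exposure.lower() in ALWAYS_SIGNIFICANT:
        return HiraResult(rl, band, True,
                          f"{entry.loss_exposure} is significant regardless of score")
    return HiraResult(rl, band, False, "below significance criteria")


def significant_risk_list(entries):
    """Build the List of Significant Risk (highest RL first) from HIRA entries."""
    rows = [(e, evaluate(e)) for e in entries]
    sig = [(e.activity, e.hazard, r.risk_level, r.band, r.reason)
           for e, r in rows if r.significant]
    return sorted(sig, key=lambda row: row[2], reverse=True)


def constructed_register():
    # Constructed sample HIRA lines; not taken from the page.
    return [
        HiraEntry("Warehouse", "Forklift traffic near pedestrians",
                  "Catastrophic", "Remote / Rare", "injury"),
        HiraEntry("Press shop", "Noise above exposure limit",
                  "Absence less than 3 days", "Likely with warning", "ill health"),
        HiraEntry("Office", "Glare on monitors",
                  "Discomfort", "Likely with warning", "discomfort"),
        HiraEntry("Maintenance", "Unguarded rotating shaft",
                  "Absence more than 3 days", "Likely without warning", "injury"),
        HiraEntry("Yard", "Spill to surface drain",
                  "First aid", "Improbable", "environmental"),
    ]


if __name__ == "__main__":
    for row in significant_risk_list(constructed_register()):
        print(row)
```

Note how the forklift line scores only 10 (Moderate) yet lands on the significant list because its severity is rated 5, and the noise line (9, Moderate) does so because ill health is always significant; the override rules, not the band alone, decide what goes into the list.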
Pretesh Biswas has a wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provides a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that it can be customized to your management system and activities and delivered at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is an ex-certification body lead auditor now working as a consultancy auditor. He has performed hundreds of audits in several industry sectors. As a consultancy auditor, he does not just report findings, but provides a value-added service in recommending appropriate solutions. Experience. Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001, 14001, 27001, 20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, forging, electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies and components, batteries, computer hardware and software, printing, placement and security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS RAB-approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans.
Auditing: He has conducted over 100 third-party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education and professional certification: Pretesh Biswas has held IRCA certified Lead Auditor status for ISO 9001, 14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and an MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he worked in several portfolios such as marketing, operations, production, quality and customer care. He is also a certified Six Sigma Black Belt.
A common characteristic of organizations successful in improving workplace ergonomics is that ergonomics is managed as a process -- one that systematically identifies and effectively reduces the level of employee exposure to the risk factors known to cause musculoskeletal disorders (MSDs).
Typically, ergonomics improvement processes are based on a continuous improvement model such as the quality (ISO 9001), environmental (ISO 14001) or safety (OHSAS 18001 or ANSI Z10) models. Each of these management system models provides a common and familiar set of steps for managing environmental and safety risk, including MSD risks. The ISO 45001 Safety Management System standard provides a new, and soon to be common, model that can be used as an effective system for managing ergonomics.
MSD injuries continue to be a major loss in today's workplace. Fortunately, what causes MSDs is well known. The three primary risk factors are awkward posture, high force and exposure time (either long duration or high repetition).
Exposure to a combination of two or all three of these risk factors increases the chance of developing discomfort, pain and/or an MSD. The threshold for each risk factor varies by body part. Large joint structures, like the shoulder and knee, have a higher tolerance for each risk factor than smaller joints. Results of epidemiologic studies have been used to develop valid, quantitative MSD risk assessment methods. In turn, these assessment methods enable safety professionals and engineers to calculate the level of risk based on the exposure to combined MSD risk factors. Applying this information to the dose-response relationship of MSD risk factors is a key measure in a continuous improvement process.
The programs and processes used to reduce MSDs vary widely among practitioners. In the 1990s, both OSHA and NIOSH promoted the implementation of an ergonomics program that included key elements and activities but did not include a specific sequence or prescribed process. The advent of total quality management (TQM) and EHS management systems launched the approach of managing safety (and ergonomics) risk as an ongoing process versus an episodic program, which leads us to management systems, specifically ISO 45001.
A safety management system provides a structured approach that enables an organization to control its occupational health and safety risks and improve performance. All safety management systems evolved from the quality management system (ISO 9001), which in turn was based on the Shewhart Cycle of continuous improvement (Plan-Do-Check-Act).
"To improve performance, you need to improve the system rather than focus on the individuals" -- W. Edwards Deming
ISO 45001 is an international safety management system standard. It is the product of a project committee, representing 58 countries, to establish a common, global safety management system that is consistent in steps and language with the current environmental and quality management system. The final standard was published on March 15, 2018.
ISO 45001 can also be a model on which to structure an ergonomics improvement process. This could be a standalone improvement process or an element of an organization's complete safety management system. The content of ISO 45001 aligns closely with the four steps of the Shewhart Cycle (Table 1).
So, we have the concept of a management system at a high level, but what does it look like to manage an ergonomics process as a management system?
Safety management systems focus on reducing the risk of occupational injuries, illnesses and fatalities. This means that to improve workplace ergonomics, one must control the cause of MSDs.
"Manage the cause, not the results" -- W. Edwards Deming
Using the proposed content of ISO 45001 (Table 1) as a systematic process, we present the key elements and activities in an ergonomics management system.
Leadership, Worker Participation, and Consultation
Whether managing business performance, safety or MSD reduction, an organization's performance will not improve without leadership commitment, support and sponsorship from those at the very top. Top leaders must demonstrate commitment and hold individuals accountable for their roles in the ergonomics improvement process.
Policy is a clear statement of the common direction and belief set by leadership. It establishes "true north," the common goal that aligns all people and activities involved in improvement. Establishing a risk reduction-based goal will focus your organization on systematically identifying and reducing MSD risks proactively. This is the foundation of an effective ergonomics improvement process; it keeps people on track and focused, and allows you to hold individuals accountable for their involvement and results.
Next, establish organizational roles, responsibilities, accountabilities and authorities. This means defining the distinct roles and responsibilities of people involved in the ergonomics process, and empowering them. These roles typically include a sponsor (top manager), ergonomics process lead, subject matter experts (ergonomics team members, safety committee members, ergonomists), engineers and maintenance, managers and supervisors, employees, medical staff, and safety staff. Well-defined roles and responsibilities should be used to hold individuals accountable for their involvement and results, and become the learning objective from which to design or specify training in ergonomics.
Employee participation, consultation, and representation in any process or project are critical for ensuring that workplace changes are made and improvements sustained. This is true for line employees (it is their workplace) and for engineers and maintenance personnel who are key in designing new, and modifying existing, workplaces and tools to reduce risk.
In this step, identify where action to address risk opportunities is needed. Valid quantitative MSD risk assessment tools enable subject matter experts to conduct exposure assessments and determine if exposure in a task is above or below the established threshold. They can then quickly and accurately determine the level of exposure to MSD risk factors by body part and job task; this makes it possible to combine results into a risk map across multiple workplaces.
Many risk assessment tools measure exposure for a single body joint. In addition, a few whole-body assessment tools combine all exposures into a single risk score that reflects exposure for the entire body. An example is the risk priority score (RPS) in Figure 2, which combines exposures of different body parts with the total time spent performing a task. The RPS reflects the cumulative exposure in the task for use in prioritizing and selecting tasks to address.
Based on assessment findings, (Table 1) establish objectives and plans to reduce risk. Identify those tasks and workstations with exposure exceeding the threshold for MSD risk (Table 2). Combined into a risk map, this allows leaders to prioritize, select, and plan workplace changes. Plans should not be based solely on risk level, but balanced with ease of change, number of people benefitting from the improvement, product life-cycle status, trends in production volumes, productivity and quality improvements, and leveraging scheduled maintenance time and equipment change opportunities.
Well-defined resources, including people, their time and funding, are necessary (Figure 3). In addition to understanding their responsibilities, individuals need to know the amount of time allotted for them to support the ergonomics process. Also determine the funding available for improvements; lack of this information has been identified as a challenge for many.
To ensure that people are successful in supporting the ergonomics improvement process, they must be prepared with the skills, knowledge, ability and competence to meet their defined responsibilities. Competence is achieved through training. The learning objectives of any training should be based on the responsibilities.
Awareness, information and communication of an ergonomics improvement process occurs at a couple of levels and times. When preparing to launch a site process, communicate the goal, metrics to track, who is responsible for certain elements of the process and the planned timeline for implementation. After the process has been launched and established, all employees should receive regular communication of progress to the risk-reduction goals, and be made aware of specific case studies illustrating risk reduction.
Operational planning and control means changing the workplace to reduce the level of exposure to MSD risk factors. The "ergonomics" of a workplace will not improve without changing the workplace and design of the work performed. Within the hierarchy of controls, most ergonomics improvements fall under the first and most effective type of control, engineering controls. The effectiveness of engineering controls was validated by Goggins et al. (2008) when they found that the cost effectiveness of several MSD control methods was highest when the level of exposure was eliminated or reduced through engineering changes to the workplace.
Managing change involves leveraging opportunities during equipment changes and service, and when bringing in new equipment and processes to improve ergonomics. In other words, include ergonomics in prevention through design. The cost to include ergonomics design criteria when specifying, and selecting new equipment, tools, furniture, and layout is significantly less than the cost to retrofit equipment in place. The purchasing process should be leveraged as a gatekeeper to ensure that only properly designed, low-MSD-risk equipment is introduced.
Since MSDs result from chronic exposures, the emergency preparedness and response section of ISO 45001 seems out of place. However, this portion of the ergonomics improvement process ensures that there is a system in place to manage MSD injuries when they do occur.
Performance Evaluation
Performance evaluation occurs at three levels: at individual workstations, across the organization and in response to MSD injuries.
To monitor, measure and evaluate ergonomics improvements at each workstation, conduct a follow-up MSD risk assessment using the same quantitative risk assessment method that was used for initial assessment (Figure 4). Compare the "before" risk score with the "after" risk score to verify that the exposure to MSD risk was reduced to an acceptable level, and is being maintained.
In addition to verifying the effectiveness of ergonomics improvements, follow-up assessments enable you to measure the amount of risk reduction resulting from a specific control.
The second level of performance evaluation is an internal audit of the site or company ergonomics process. A systematic review of the policy, goals, responsibilities and plans established in the planning steps identifies how well plans and goals are met. The results of the internal audit should be communicated through a management review.
Improvement
Checking for risk reduction resulting from workstation improvements and audits will generate a list of incidents, nonconformity and corrective action. Incidents refer to the investigation of suspected MSD injuries. A best practice for injury root cause analysis is to begin the investigation of MSD injuries with a quantitative risk assessment. This helps to focus the investigation on factors known to cause MSDs and helps to maintain a data-driven, repeatable process. Include the same valid MSD risk assessment tools used during Planning.
Every management system includes an element to ensure that non-conformity is addressed and corrective actions are taken and completed. Non-conformance may indicate equipment and tools not designed to established design criteria, risk exposure at a task exceeds the acceptable level, improvement goals and metrics are not being met, or a site ergonomics process is falling short of company standards. In each case, tracking non-conformance, ensuring action and holding individuals accountable for corrective action are essential for success.
Continual Improvement
This is the final step to sustain the ergonomics improvement process over time -- through staffing and management changes, expense controls and market fluctuations -- and to learn from and adjust the process to fit future needs, resources and priorities.
Best practices for sustaining the ergonomics improvement process described in this article include the following: Ensure that adequate controls and actions are in place (and supported by top management) to reduce MSD risk factors to the lowest level achievable. Apply effective risk-reduction controls at other similar tasks and workstations. Provide necessary resources to continually find and reduce MSD risks. Regularly review and track the status of the ergonomics process and plans within the normal business tracking process. Involve all levels of the organization in identifying and addressing MSD risks in daily operations.
And finally, manage MSD risks and ergonomics as a process that follows a common or familiar set of steps. ISO 45001 uses terminology and structure, like quality and environmental management systems, to enable you to do just that within your organization and across your enterprise.
Deming, W.E. (1982). Out of the Crisis. Massachusetts Institute of Technology. Center for Advanced Educational Services, Cambridge, Mass.
Goggins, R., Spielholz, P., & Nothstein, G. (2008). Estimating the effectiveness of ergonomics interventions through case studies: implications for predictive cost-benefit analysis. Journal of Safety Research, 39(3), 339-344.
Humantech, Inc. (2014). Summary of Benchmarking Study Results: Cost and Return on Investment of Ergonomics Programs. Retrieved March 3, 2018, from https://www.humantech.com/resources/whitepapers/
International Organization for Standardization (ISO). (2015). Draft International Standard ISO/DIS 45001. Occupational Health and Safety Management Systems: Requirements with Guidance for Use.
Humantech, Inc. (2011). Summary of Benchmarking Study Results: Elements of Effective Ergonomics Program Management. Retrieved March 3, 2018, from https://www.humantech.com/resources/whitepapers/
U.S. Department of Health and Human Services, Public Health Services, Centers for Disease Control and Prevention, National Institute for Occupational Safety and Health (1997). Musculoskeletal Disorders and Workplace Factors, A Critical Review of Epidemiologic Evidence for Work-Related Musculoskeletal Disorders of the Neck, Upper Extremity, and Low Back. Cincinnati: NIOSH.
Walt Rostykus, CSP, CPE, CIH, FAIHA is a principal consultant with Humantech Inc., a provider of workplace improvement and ergonomics solutions.
Rick Barker, CPE is a senior technical ergonomics manager with VelocityEHS | Humantech, a provider of cloud-based environment, health, safety (EHS) and sustainability solutions.
Speaker 1: What is information security risk? Information security risk is simply a combination of the impact that could result from a threat compromising one of your important information assets and the likelihood of this happening. Risk management in ISO 27001. ISO 27001 requires that you implement a risk management system to help you manage the security of your important information assets. The backbone of this is formed from the need to develop and implement an appropriate and effective information security risk management methodology. ISO 27001 risk management. You should develop and implement a risk management methodology which allows you to identify your important information assets and to determine why they need protecting. It is important to note here that when information security is mentioned people immediately start thinking about confidentiality aspects but the availability and integrity aspects also need to be taken into consideration as these are important components of information security. Once this has been achieved your methodology needs to be able to identify the likelihood of something going wrong and what can be done to mitigate this risk. In a nutshell it enables you to quantify the impact and the likelihood elements of information security risk and then go on to do something about it. ISO 27001 risk management framework. There are several discrete stages of an ISO 27001 risk management methodology. First of all it is important to understand the information security context of your organisation. Once this has been achieved you can perform a risk assessment which includes the need to identify your risks, analyse them and evaluate them. You then need to determine a suitable treatment for the risks you have assessed and then implement that treatment. It is vitally important that you do not see this as a one-off exercise. Your risk management methodology should be designed to be iterative. 
This enables you to not only review the status of risks you have previously identified taking into consideration any potential changes in context but it also enables you to identify new risks. The high-level stages of a risk management methodology as described above should be thought of as a framework that enables risk management to be embedded within key processes throughout your organisation so that any identified risks are comparable. ISO 27001 risk management context. The first stage of your risk management methodology needs to identify what is important to you or your organisation from an information security point of view. ISO 27001 requires you to determine the context of your organisation, part of which means that you need to be able to identify the information security related issues that you face along with who the internal and external interested parties are and what their needs and expectations are. It is important to also understand what your risk appetite is at this stage as we will need this information later. Once you have done this you are able to determine what is important about the different information assets under your control. ISO 27001 risk management. What is risk appetite? Risk appetite is simply the amount and type of risk you are willing to accept or retain in order to allow business operations to proceed. This is important because too much security can sometimes compromise your operational viability whereas too little will reduce the confidence of your stakeholders. Some types of organisations are willing to accept more risk than others. For example a hedge fund manager is likely to take more risk in order to make greater profits over a short space of time whereas a pension fund manager generally prefers a less risky steady growth approach. ISO 27001 risk assessment methodology. Risk identification. Once you have determined the context you can go ahead and conduct a risk assessment. 
The first part of a risk assessment is to identify the risks that you face. This can be broken down into three elements. The first element is to identify your information assets. An information asset is any information that has value to you. There are several different ways to calculate the value of an asset but it is important that you not only consider the confidentiality needs of the information but also the integrity and availability requirements. The second element of risk identification is threat analysis. You need to have a process which enables you to identify all of the threats which are applicable to the assets you have identified. If a particular threat is applicable then it is also a good idea to think about how probable it is that the threat will materialise. For example if you use Windows-based computer systems which are connected somehow to the internet the probability of them being affected by a virus is probably very high if you do nothing to stop it. Whereas if you are using an Apple Mac which is never connected to the internet the probability is very low. The third element of risk identification is the need to determine if there are any vulnerabilities that would allow a threat that you have identified to cause an impact on your asset. To carry on with the example we have just used if you have an antivirus system installed and running on your internet connected Windows computers you are less vulnerable to this particular threat than if you didn't. ISO 27001 risk assessment methodology. Risk analysis. One of the useful aspects of the output from an effective risk assessment is the ability to prioritise your risks. This is important as you may not have sufficient resources to fully mitigate every risk that you identify. This means that it is important to somehow quantify your risks. To do this we need to know two things. First how much of an impact would be felt if a compromise occurred and second what is the likelihood of that threat occurring.
One good idea is to use a set of scales to record values in these areas. For example using a scale of one to five we could say how impactful it would be if the confidentiality of an asset were breached. Clearly breaches of confidentiality would cause a greater impact for some assets for example HR records than others like the staff canteen menu. A second one to five scale could be used to determine the likelihood of a breach occurring and we would take into consideration the threat and vulnerability information we spoke about earlier in order to do this. ISO 27001 risk assessment methodology. Risk evaluation. Risk evaluation is a relatively simple process as it requires you to identify whether or not the risk that you have identified is above or below appetite. To do this the first thing we need to do is calculate the value of the risk which simply means multiplying the impact and likelihood values together. We have a range of possible values which result from multiplying the two one to five scales together. The appetite is stated within the methodology as a particular value on the five by five matrix. If a particular risk is above this value then it is above appetite which means that it can then be flagged for treatment. Anything below appetite can be accepted and monitored for change. ISO 27001 risk treatment methodology. Your risk management methodology needs to include a methodology for determining the most appropriate treatment for the risks that you have identified. There are four possible treatments to choose from. These are accept, reduce, transfer and avoid. You may come across different terms used for these such as tolerate, treat, transfer and terminate. This example is known as the four Ts however they take the same approach. ISO 27001 risk treatment methodology accept or tolerate. One of the four treatments provides you with the ability to accept risk. 
We have already seen that this is possible as it is likely that you will simply accept risks that are below appetite. However you can also make an informed decision to accept risks in certain circumstances such as where there is a legal requirement preventing you from taking the desired action or you have insufficient resources to do so. These cases should be few and far between though and should always be approved by appropriate management and regularly reviewed. ISO 27001 risk treatment methodology reduce or treat. The second treatment option is to reduce or treat the risk. This is done through the implementation of controls. ISO 27001 provides you with a list of 114 best practice controls that can be used to mitigate the risks that you have identified. These can be used in combination in order to increase their effectiveness and of course you can also add controls of your own that do not appear in ISO 27001. ISO 27001 risk treatment methodology transfer. The third risk treatment option is to transfer the risk. The transfer option involves the use of third parties to help you mitigate your risks. You could do this for example by offloading some of the financial impact of something going wrong by taking out an insurance policy. Another way of doing this is to outsource the responsibility for implementing and operating technical controls to a third party such as an IT managed service provider. It is important to note here that although responsibility for financial impact or the management of operational controls can be transferred to a third party, the accountability associated with the risk cannot. In other words you will still be held accountable by your stakeholders if something goes wrong. ISO 27001 risk treatment methodology avoid or terminate. The fourth risk treatment option is to simply avoid the risk. As we have discussed before there are three component parts to risk. 
The impact felt by the organisation following a breach of confidentiality, integrity or availability of an information asset, a threat that could cause this impact, and a vulnerability that would allow it to do so. It is possible to avoid a risk completely by eliminating one or more of these three elements. However, it is unlikely that we would be able to remove all threats or all vulnerabilities, which leaves only one viable option: to remove the impact. This is done by removing the asset or stopping the processes associated with the identified risk. For example, to avoid the risks associated with taking credit card payments, remove that process and deal only in cash. There are obvious issues with this approach, as it is unlikely to be looked upon favourably by your stakeholders, especially if the process is revenue generating. This is why this particular risk treatment option is rarely used.

ISO 27001 risk treatment methodology: controls
The most common option chosen to treat risks (other than, in more mature ISMSs, accepting them) is to reduce the risk. This is done by implementing controls, or improving existing ones, to address the risk. There are three main operational types of control: administrative (people-based) controls, technical (logical) controls and physical (environmental) controls. Within these three operational types there are several tactical uses of controls, such as controls designed to prevent a threat from materialising, controls designed to deter people from carrying out an undesired action, controls that detect whether a threat has materialised, and controls that enable you to recover from a situation after the threat has been dealt with, among others. Operational types and tactical uses are not mutually exclusive and can, and should, be combined where possible to provide greater depth of security.

ISO 27001 risk management: monitor and review
It is important to ensure that any actions you take to address the risks you have identified are monitored and reviewed to confirm that they have the desired effect. The monitor and review process should also include a review of context before the risk assessment is re-performed. This allows you to identify and take into consideration any changes that have happened, either internally within your organisation or externally, such as changes in legislation or changes to the threat environment. You are then able to identify whether previously identified risks are getting worse or, hopefully, better, and to identify any new risks.

ISO 27001 risk assessment frequency
Risk management, and therefore risk assessment, is an iterative process. Each iteration should take into consideration lessons learned from the previous iteration and any internal or external changes, enabling continual improvement. There is no hard and fast rule on the frequency of risk assessment, but URM recommends that it is no less than annual. This does not necessarily mean that you should set aside a certain amount of time at a certain point in the year to conduct a risk assessment, although you can do this if you wish. It means that each time 12 months have elapsed you should aim to have completed the next iteration. So you could spread the workload over the 12 month period by performing smaller risk assessments on a subset of areas at more frequent intervals, if this is more manageable.

ISO 27001 risk management governance
Throughout the risk management process you need to ensure that you communicate effectively with any interested parties. It may be useful to put together a RACI to help with this, as all the way through the process different people will need to be held responsible, some will need to be held accountable, some will need to be consulted in order to identify all of the pertinent information needed to perform an effective risk assessment, and some, for example the management team, will need to be informed through effective reporting of your risk status.

ISO 27001 risk management policy and process
As with all key processes associated with an effective ISMS, it is a good idea to implement a risk management policy. This enables you to set out the risk management and risk assessment criteria, the risk appetite and the roles and responsibilities in a document that everyone is required to implement throughout the business. This should of course be underpinned by the risk management methodology and any required documented processes to enable risk management to be embedded throughout the organisation.

So how can URM help? URM can offer a range of information risk management consultancy and training services, most notably our accredited five-day practitioner certificate in information risk management training course. In addition, URM has also developed an information risk management module, Abriska 27001, specifically to meet the risk assessment requirements of ISO 27001. For more information, email us or give us a call.
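As an added example (not code from the article or from URM's product), the following Python register puts the treatment and review ideas above into working form: each control is tagged with an operational type and a tactical use, the residual risk value is compared with the risk appetite, gaps in defence in depth are listed, and areas whose previous iteration is more than 12 months old are flagged. The 1 to 5 scales, the impact multiplied by likelihood scoring, the control effects and all sample data are constructed assumptions.

```python
"""Added example, not code from the article or from URM's product: a minimal
ISO 27001-style risk register that scores each risk, applies reduction controls
classified by operational type and tactical use, evaluates the residual value
against the risk appetite and flags areas whose next assessment iteration is
due. The 1-5 scales, impact x likelihood scoring and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

class OpType(Enum):  # the three operational types of control from the article
    ADMINISTRATIVE = "administrative"  # people-based
    TECHNICAL = "technical"            # logical
    PHYSICAL = "physical"              # environmental

class Tactic(Enum):  # four of the tactical uses named in the article
    PREVENT = "prevent"
    DETER = "deter"
    DETECT = "detect"
    RECOVER = "recover"

@dataclass
class Control:
    name: str
    op_type: OpType
    tactic: Tactic
    likelihood_reduction: int = 0  # points removed from likelihood (assumed scale)
    impact_reduction: int = 0      # points removed from impact (assumed scale)

@dataclass
class Risk:
    asset: str          # information asset whose C/I/A breach causes the impact
    threat: str         # what could cause that impact
    vulnerability: str  # what would allow the threat to do so
    impact: int         # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    treatment: str = "reduce"  # reduce | accept | avoid
    controls: list = field(default_factory=list)

def risk_value(impact: int, likelihood: int) -> int:
    """Assumed scoring: risk value is impact multiplied by likelihood."""
    return impact * likelihood

def residual_value(risk: Risk) -> int:
    """Risk value after treatment. Avoidance removes the asset or process and
    with it the impact, so the risk disappears; reduction subtracts each
    control's effect, never taking a scale below 1; acceptance changes nothing."""
    if risk.treatment == "avoid":
        return 0
    impact = risk.impact - sum(c.impact_reduction for c in risk.controls)
    likelihood = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    return risk_value(max(1, impact), max(1, likelihood))

def evaluate(risk: Risk, appetite: int) -> str:
    """Risk evaluation: is the residual value above or within appetite?"""
    return "above appetite" if residual_value(risk) > appetite else "within appetite"

def coverage_gaps(risk: Risk) -> dict:
    """Operational types and tactical uses not represented among the risk's
    controls; the article says to combine them for greater depth of security."""
    used_types = {c.op_type for c in risk.controls}
    used_tactics = {c.tactic for c in risk.controls}
    return {"op_types": sorted(t.value for t in OpType if t not in used_types),
            "tactics": sorted(t.value for t in Tactic if t not in used_tactics)}

def iterations_due(last_assessed: dict, today: date,
                   max_interval: timedelta = timedelta(days=365)) -> list:
    """Areas whose previous assessment iteration is older than the maximum
    interval (URM's recommendation: no less than annual). Assessing a subset
    of areas at a time lets the workload spread across the year."""
    return sorted(area for area, when in last_assessed.items()
                  if today - when > max_interval)

# Constructed sample register: two risks, an appetite of 6 and the date of each
# area's last assessment iteration.
APPETITE = 6
RISKS = [
    Risk("Cardholder data", "Card data theft by external attacker",
         "Unpatched payment server", impact=5, likelihood=4, controls=[
             Control("Patch management", OpType.TECHNICAL, Tactic.PREVENT, 2, 0),
             Control("Awareness training", OpType.ADMINISTRATIVE, Tactic.PREVENT, 1, 0),
             Control("Intrusion detection", OpType.TECHNICAL, Tactic.DETECT, 0, 1),
             Control("Tested backups", OpType.TECHNICAL, Tactic.RECOVER, 0, 1)]),
    Risk("Server room hardware", "Theft of equipment", "Door left propped open",
         impact=4, likelihood=3, controls=[
             Control("CCTV warning signage", OpType.PHYSICAL, Tactic.DETER, 1, 0)]),
]
LAST_ASSESSED = {"Payments": date(2023, 5, 15), "Facilities": date(2024, 1, 10)}

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.asset}: inherent {risk_value(r.impact, r.likelihood)}, residual "
              f"{residual_value(r)} -> {evaluate(r, APPETITE)}; gaps {coverage_gaps(r)}")
    print("Assessment iterations due:", iterations_due(LAST_ASSESSED, date(2024, 6, 1)))
```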
With the release of ISO 45001:2018, there are new requirements for assessing risks and opportunities in the Occupational Health & Safety Management System (OH&SMS). So, how does this differ from the previous requirements for assessing hazards and risks in OHSAS 18001, and are these requirements still in the standard? In short, these requirements in ISO 45001 cover two different types of risk for the individual processes and for the overall OH&SMS, and both assessments are needed for a good OH&SMS.
The previously existing requirements in the OHSAS 18001:2007 standard were quite simply written, even though the task was rather large. In brief, for all of your activities, processes and work areas, you must identify what hazards exist for the occupational health and safety of all involved (including contractors and visitors). Once these hazards were identified, you would then identify what risks exist for the hazards and what controls you needed to put in place to mitigate the risks present.
For example, if you had a large machine, you might identify that there is a pinch point hazard when the machine was running. The risk of this pinch point could be injury to any worker, contractor or visitor who put their hand in the way of the machine while it was running. To mitigate this risk, you could put a guard in place to prevent hands from entering the pinch point and have a lock-out/tag-out procedure to ensure that the machine could not run without the guard in place during maintenance.
The requirements to assess risks of the processes are still part of the planning for the OH&SMS. Controlling the risk from your processes is an important part of ensuring the health and safety of people within your facilities. As the backbone of the OH&SMS, this assessment of the hazards and risks posed by the organization’s activities is still a critical part of what is needed to improve occupational health & safety performance.
For a better understanding of hazards and risks in the OH&SMS, see these articles: How to identify and classify OH&S hazards and How to perform risk assessment in OHSAS 18001.
Along with the above requirements, there are new conditions for assessing the risks and opportunities of the overall Occupational Health & Safety Management System. These new requirements come from the standard ISO format for all management systems, called Annex SL. This format includes the assessment of the context of the organization with respect to the purpose of the management system, including the internal and external issues that affect it. The next step in the standard is to identify all of the interested parties for your management system, and what their needs and expectations are.
Finally, taking these issues, interested parties and expectations into account, the company must assess what risks and opportunities exist for the company with respect to the management system. For the OH&SMS this means the risks and opportunities that could affect the company’s ability to enhance OH&S performance, fulfill compliance obligations and achieve OH&S objectives. Many companies have a strategic planning function which addresses these requirements of the standard. If you have more than one management system in place (such as a quality management system or environmental management system), this same process can be used for all of them.
For instance, as part of your ongoing assessment of legal requirements, you may have learned that there is an upcoming change in the law that will make it illegal to use a certain cancer-causing chemical that is needed for creating your product. As this is the case, you have an opportunity to make changes to your product that allow you to find a replacement chemical that is less hazardous to the occupational health & safety of your workforce. There is also a risk that the replacement chemical is actually more hazardous to the people who need to use it. It is these risks and opportunities that you will need to address.
Likewise, if you identify that a company is introducing a new type of machine guard that will make it much easier to prevent accidents, you may start investigating how this could be incorporated into your machinery ahead of the government approval for the product. You would not install the new guard yet, but instead start the process so that it could be implemented more quickly once the approval for the guard was granted.
Any company that has implemented an Occupational Health & Safety Management System knows that the assessment of risk, and the management of the controls to address risk, is critical for managing occupational health & safety. Assessment of risks and determining what needs to be done about them has always been a part of the OH&SMS, and this has not changed. The only real change is to include an additional focus for the important task of risk assessment, and the assessment of opportunities that can be pursued to benefit your company, which can help you with OH&S improvement.
For a better understanding of where risks and opportunities fit into the implementation process, see this Diagram of ISO 45001 Implementation Process.
ISO 18128:2024 Information and documentation — Records risks — Risk assessment for records management, developed by Working Group 19 (WG 19), addresses the need for a structured approach to assessing risks related to records management. This International Standard offers organizations a comprehensive framework for identifying, analyzing, and evaluating risks associated with records, ensuring that records continue to meet business, legal, and regulatory requirements throughout their lifecycle.
ISO 18128 provides practical methods for conducting effective risk assessments within records management systems. It guides organizations in identifying potential risks, evaluating their impact, and prioritizing actions to safeguard their information assets. This framework is designed to enhance the way organizations manage their records, making it easier to address the unique risks posed by increasingly complex regulatory and business environments.
The standard’s approach to risk assessment for records management includes several critical features:
Risk Identification: The standard guides organizations through the process of identifying risks, focusing on records and the systems, processes, and controls that manage them. It encourages documentation of potential risks and vulnerabilities that could impact the integrity, accessibility, or security of records.
Risk Analysis: Once risks are identified, the standard offers techniques for analyzing them. This includes evaluating the likelihood and potential impact of each risk, which helps organizations prioritize actions based on their operational and regulatory context.
Risk Evaluation: The standard provides guidelines for evaluating the identified risks, assisting organizations in determining which risks are most significant and need immediate attention. By understanding the risk landscape, organizations can better align their records management practices with business objectives and legal obligations.
One of the key strengths of this ISO standard is its versatility. Whether an organization is small or large, in the public or private sector, the framework can be adapted to meet specific needs. It recognizes the diverse nature of organizational structures, regulatory environments, and business activities, offering a flexible approach that can be tailored accordingly.
The standard also acknowledges the complexity of modern business environments, including factors like outsourcing, partnerships, and intricate supply chains. By doing so, it provides a more holistic view of risk management that goes beyond internal operations to include external influences.
A critical element of the risk assessment process outlined by the standard is defining the organization's boundaries. This involves determining the scope of the assessment, which ensures that all relevant aspects of records management are taken into account. Understanding the scope helps organizations focus their risk assessments more effectively and allocate resources where they are most needed.
It is important to note that while this standard provides a detailed framework for identifying and evaluating risks, it does not directly address how to mitigate those risks. Risk mitigation strategies vary widely across organizations and industries, depending on their unique requirements and operational contexts. Instead, the standard serves as a foundational tool for understanding risks, enabling organizations to develop their mitigation plans based on the identified risks and organizational priorities.
This standard is valuable not only to records management professionals but also to auditors, compliance officers, risk managers, and any individuals responsible for managing or overseeing information systems. It provides a unified approach that enhances the ability to assess risks and supports better decision-making across departments.
The release of this ISO standard marks an important advancement in the field of records management. Offering a structured approach to risk assessment, it empowers organizations to proactively manage risks related to their records. Whether an organization is facing regulatory scrutiny or seeking to optimize internal processes, this standard provides essential guidelines that can be applied to protect and preserve the integrity of records.
By adopting this risk-based approach to records management, organizations can ensure that their records continue to serve their business needs while remaining compliant with legal and regulatory obligations. This new ISO standard is poised to become a critical tool in the records management landscape, offering practical guidance for organizations across various sectors.