ISO 45001:2018 Simplified. (Clause 8 Operation)

There are six (6) implementable clauses within the ISO 45001:2018 Occupational Health and Safety Management Standard.

Within this series of posts over the next six weeks we will discuss the requirements of all six clauses and the correct interpretation thereof.

Clause 8: Operation

This clause is significantly enhanced from OHSAS 18001. Not only does it remove the “option” of using the hierarchy of controls, instead making its use a specific requirement, it introduces new sub-clauses on procurement and change.

Organizations will need to plan how to implement change in a manner that does not introduce new (i.e., unforeseen) hazards or increase the OH&S risks, while also identifying the opportunities for improving OH&S performance that the change may enable. The new sub-clause on procurement provides recognition that the risks related to the supply chain are most effectively managed when they are taken into account at the very first stages of procurement—pre-tender and tender.

With ISO 45001, organizations have to establish procurement processes that conform to the OH&S MS, including defining OH&S criteria for the selection of contractors. New within this section is outsourcing. A responsible organization will establish control of those outsourced functions to achieve the intended outcomes of the OH&S MS. Controls can include things such as procurement and contractual requirements, training, and inspections.

Clause 8.1: Operational Planning and Control

Clause 8.1.1: General

Once it has gained an understanding of its OH&S hazards, the organisation should implement the operational controls that are necessary to manage the associated risks and comply with applicable OH&S legal requirements.

Operational planning and control of the processes are established and implemented to enhance occupational health and safety, by eliminating hazards or, if not practicable, by reducing the OH&S risks to levels as low as reasonably practicable for all relevant operational areas and activities.

The organisation can plan, implement and control its operational processes by establishing operating criteria and control the processes in accordance with these operating criteria. The operational controls selected should be maintained and evaluated periodically for their continuing effectiveness.

Examples of operational control of processes include:

  • Use of procedures, work instructions, process maps and systems of work;
  • Monitoring key characteristics and stipulated operating criteria;
  • Ensuring the competence of workers;
  • Establishing preventive or predictive maintenance and inspection programmes;
  • Developing specifications for the procurement of goods and services;
  • Applying controls related to contractors and other visitors to the workplace;
  • Ensuring compliance with legal and other requirements or manufacturers’ instructions for equipment;
  • Applying engineering and administrative controls;
  • Adapting work to workers by defining or re-defining how the work is organised, processes and working environments or by adopting an ergonomic approach when designing new, or modifying workplaces, equipment, etc.

When planning and developing operational controls, priority should be given to controls with higher reliability in preventing work-related injury and ill health.

Examples of processes needed include, but are not limited to those for:

  • Consultation and participation of workers;
  • Hazard identification and risk and opportunity assessment;
  • Determination of, and compliance with, legal and other requirements;
  • Planning, implementing and maintaining OH&S objectives;
  • Training;
  • Communication;
  • Control of documented information;
  • Management of change;
  • Procurement;
  • Contractor management;
  • Outsourcing;
  • Emergency preparedness and response;
  • Monitoring, measurement, analysis and performance evaluation;
  • Internal audits;
  • Management review;
  • Incident investigation;
  • Nonconformity and corrective action.

The organisation must co-ordinate the relevant parts of its OH&S management system with those of any other organisations with which it shares its workplace.

The organisation needs to maintain and retain documented information to the extent necessary to have confidence that the processes will be carried out as planned.

Clause 8.1.2: Eliminating Hazards and Reducing OH&S Risks

The organisation should apply the hierarchy of control measures for the elimination of hazards and the reduction of OH&S risks. The hierarchy of controls provides a structured approach to eliminating hazards and reducing or controlling OH&S risks. This approach involves prioritising control actions in a sequential manner. Each control is considered less effective than the one above it. It is customary to combine several controls in order to effectively reduce the OH&S risks to a level that is as low as reasonably practicable.

When deciding what is reasonably practicable, best practices and technological options should be considered, in addition to financial, operational and business requirements.

If new or improved controls are required, their selection should be in accordance with the hierarchy of controls whereby priority is given to the elimination of hazards, where practicable, followed by risk reduction (either by reducing the likelihood of occurrence or potential severity of injury or harm), with the adoption of PPE as the last resort.

The following examples illustrate the application of the hierarchy of controls.

Elimination: removing the hazard; discontinuing the use of hazardous chemicals, applying ergonomic approaches when planning new workplaces such as the use of mechanised instead of manual packaging; eliminating monotonous work practices; removing fork-lift trucks from an area.

Substitution: replacing the hazardous with the less hazardous, such as replacing solvent-based paint with water-based paint, changing slippery floor tiles, or lowering voltage, pressure or temperature requirements for equipment.

Engineering controls/work reorganisation: isolating people from hazard; implementing collective protective measures (e.g. isolation, machine guarding, ventilation systems); addressing mechanical handling; reducing noise; protecting against falls from height by using guard rails; reorganising work to avoid lone working, unhealthy work hours, workload; reducing the effect of monotonous work by rotating workers.

Administrative controls including training: conducting periodic safety equipment inspections; conducting training to prevent bullying and harassment; managing health and safety co-ordination with subcontractors’ activities; conducting induction training; providing instruction on how to report incidents and nonconformities; changing the work patterns (e.g. shifts) of workers; managing a health or medical surveillance programme for workers who have been identified as at risk (related to hearing, hand-arm vibration, respiratory disorders, etc.); giving appropriate instructions to workers (e.g. entry control processes, emergency); safety signs.

Personal protective equipment (PPE): providing adequate PPE, including clothing and instructions for PPE utilisation and maintenance (e.g. safety shoes, safety glasses, hearing protection, gloves).

In applying the hierarchy of controls consideration should be given to the relative costs, risk-reduction benefits and reliability of the available options.

Clause 8.1.3: Management of Change

The organisation is required to establish a process for the implementation and control of planned temporary and permanent changes that influence its OH&S performance such as:

  • New products, processes or services;
  • Changes to work locations, working conditions, processes, procedures, equipment, or the company’s organisational structure;
  • Changes to applicable legal and other requirements;
  • Changes in knowledge or information concerning hazards and associated risks;
  • Developments in knowledge and technology.

The company is required to control both temporary and permanent changes, to review the consequences of unintended changes and, where applicable, to take action to mitigate any adverse effects that might arise as a result of the occurrence of change.

The overall purpose of the management of change process is to minimise the introduction of new hazards and risks into the workplace as a result of changes in:

  • Technology
  • Plant and equipment
  • Facilities
  • Work practices and procedures
  • Design specifications
  • Raw materials
  • Company personnel
  • Standards or regulations

Depending on the nature of any anticipated change, the company must use a suitable methodology for assessing the risks and the opportunities that might arise as a result of the change.

The company must ensure that new, unforeseen hazards are not introduced, or the risk profile increased as a result of the introduction of the change. Where the company decides to implement the change, it must ensure that all affected employees are properly informed and are competent to cope with the change.

The management of change process should include consideration of the following questions to ensure that any new or changed risks are acceptable:

  • Have new hazards been created?
  • What are the risks associated with the new hazards?
  • Have the risks from other hazards changed?
  • Could the changes adversely affect existing risk controls?
  • Have the most appropriate controls been chosen, bearing in mind usability, acceptability and both the immediate and long-term costs?

Clause 8.1.4: Procurement

Clause General

The organisation must establish, implement and maintain a process to control the procurement of products and services in order to ensure their conformity to its OH&S management system.

Procurement processes should be used to control potential hazards and reduce OH&S risks associated with the purchase and introduction of products, hazardous chemicals, raw materials, equipment and ancillary services into the workplace. The process should also address the need for consultation and communication on the procurement process with interested parties such as workers, contractors and visitors.

The organisation should ensure that purchases are safe for use by workers by confirming that:

  • Equipment is supplied in accordance with a technical specification such as CE-marking and, where appropriate, is tested to ensure that it functions as intended;
  • Equipment is supplied in accordance with legal requirements;
  • Where appropriate, risk assessments are carried out in advance of the use of the equipment;
  • Installations are commissioned to ensure that they function as designed;
  • Materials are supplied in accordance with technical specifications;
  • Usage requirements, precautions or other protective measures are communicated and made available to workers, contractors and others who could be adversely affected.

Clause Contractors

The organisation must co-ordinate its procurement process with its contractors, in order to identify hazards and to assess and control the OH&S risks arising from:

  • Contractors’ activities and operations that impact or have the potential to impact the organisation;
  • The organisation’s activities and operations that impact or have the potential to impact contractors’ workers;
  • Contractors’ activities and operations that impact or have the potential to impact other interested parties in the workplace such as visitors or the public.

Contractor activities include the full gamut of services provided to organisations including maintenance, construction, facilities, security, cleaning, waste management and a number of other functions. Contracting activities can also encompass consultants, accountants, administrators and other specialist service providers.

The organisation must ensure that the requirements of its OH&S management system are met by contractors and their workers. The procurement process should define and apply occupational health and safety criteria in the selection of contractors, ideally in contract documents or service level agreements (SLAs).

How the organisation manages often diverse and complex relationships with contractors can vary, depending on the nature and extent of the service provided and the hazards and risks associated with it. When co-ordinating with contractors, the organisation should consider the reporting of hazards between itself and its contractors, controlling worker access to hazardous areas, and procedures to follow in emergencies.

The organisation should specify how the contractor will co-ordinate its activities with the organisation’s own OH&S management system processes (e.g. those used for lock-out tag-out, confined space entry, exposure assessment and process safety management, etc.) and for the reporting of incidents.

The organisation must verify that contractors are capable of performing their tasks before being allowed to proceed with their work, by, for example:

  • Reviewing the contractor’s OH&S management system documentation such as risk assessments, procedures/work instructions/method statements, OH&S manual/Safety Statement;
  • Confirming that the contractor’s OH&S performance records are satisfactory (review HSA/HSE prosecutions, notifiable accidents or dangerous occurrences, improvement or prohibition notices);
  • Assessing the contractor’s understanding of its OH&S legal and other obligations;
  • Determining that qualification, experience and competence criteria for workers are specified and have been met (e.g. through training);
  • Resources, equipment and work preparations are adequate and ready for the work to proceed;
  • Checking the contractor’s emergency and evacuation plans and procedures and level of preparedness in the event of an emergency;
  • Reviewing the contractor’s process for incident investigation, and reporting of non-conformities and corrective actions;
  • Assessing contractor OH&S consultation, communication and participation with and of its workforce and other relevant interested parties including the organisation.

Clause Outsourcing

Outsourcing (or sub-contracting) is the employment of an external organisation to perform one or more processes in the OHSMS. This can include system processes (e.g. internal auditing, etc.) as well as operational processes (e.g. welding, recruitment, component sterilisation, etc.).

Responsibility for conforming to the requirements of ISO 45001 is vested in the organisation, because the outsourced process remains part of the organisation’s OHSMS, including the necessary controls exerted on the outsourced process for OH&S purposes.

The organisation must establish appropriate controls both to ensure that the external provider understands what is required of it and to give itself assurance that these are being pursued in a responsible way.

The organisation must verify that its outsourcing arrangements are compliant with legal requirements and are consistent with achieving the intended outcomes of the OH&S management system.

The type and degree of control to be applied to outsourced functions and processes must be defined within the OH&S management system and should be based on criteria such as:

  • The ability of the external organisation to meet the organisation’s OH&S management system requirements;
  • The technical competence of the organisation to identify hazards, assess risks, determine appropriate controls and understand its obligations in relation to OH&S legislation;
  • The potential effect the outsourced processes may have on the organisation’s ability to achieve the intended outcomes of its OHSMS;
  • The extent to which the outsourced process or function is shared;
  • The capability of the organisation to achieve the necessary controls through the application of its procurement process;
  • Opportunities for improvement.

Controls can include contractual requirements, training, inspections and risk assessments.
