ISO 45001:2018 - Occupational Health and Safety Management Systems: Step by step implementation guide Part-07
Internal Audits and Management Reviews
Internal Audit Process
in ISO 45001
, outlines the execution of internal audits
by management in organizations. The internal audit must meet the criteria of the OHSMS
and the results (outputs) must be made presentable to top management and relevant personnel.
The internal audit plan must be well-scheduled and developed, with a thorough understanding of the OHSMS scope. The plan should be developed on the basis of risk assessments and former audit reporting.
The internal audit should be conducted more vigilantly than in the comparable standards of ISO 9001 (quality management system) and ISO 14001 (environmental management system).
The justification for conducting serious internal audits is simple: Nonproductive internal audits in an OH&S system, can threaten the health and safety of an organization’s workforce.
Question: How can it be ensured that an internal audit is as effective as it should be and that the consequent actions, safeguard the health and safety of the workforce?
Internal audit programme (Clause 9.2.1): Top management or their delegated personnel must perform the following:
(a) Plan, develop, apply and carry out an audit programme, that accounts for rate of occurrence, techniques, responsibilities, consultation, planning needs and reporting. It must also take into account the significance of processes and the results of former audits.
(b) Outline the criteria of the audit and its scope.
(c) Choose auditors and perform audits to ensure objectivity and non-bias in the audit process.
(d) Make sure the results of audits are presented to: the relevant managers, employees, and other interested parties.
(e) Take measures to remove any non-conformities and "continually improve health and safety performance".
(f) As always, produce documentation as proof of the audit and results.
NOTE: Management should conduct internal audits at consistent intervals, as part of their management review.
The internal audit should be performed at “scheduled intervals,” or additionally, if it is seen as helpful to the ISO 45001 system.
WHO?: The standard states that the choice of the auditor should ensure “impartiality and neutrality.” Also, the auditor must have knowledge, work experience, recognized training and be familiar with health and safety policies, objectives and performance. Managements should receive external advice from professionals, for their internal audits. This shows that the internal audit is a critical process.
HOW?: The internal auditor must have all the relevant information available, as part of the “input” of the auditing process, i.e. risk assessment, data and outcomes, health and safety performance results, stakeholder inputs and health and safety objectives. The auditor must also have full access to all of the information and people relevant to the performance of OH&S in the organization.
It is helpful, in terms of the continual improvement of the organization's OHSMS, when the auditor makes sound recommendations, based on the audit's findings and results.
In this manner, management will have a more objective framework to work with. Also, the internal audit fulfills the direct requirements and scope of the standard.
The ISO 45001 standard
), necessitates the review of the organization's OHSMS appropriateness and suitability, to be carried out by top management at scheduled intervals. Management review
enables an organization to systematically analyze and gauge the performance of its OHSMS
, to determine if it continues to be:
APPROPRIATE - processes, values and business systems
SATISFACTORY - is the management system applied properly?
USEFUL - does the management system achieve its intended results?
Management reviews should be completed on a regular basis, for example: quarterly, bi-annually or annually. Fractional management reviews of an organization's OHSMS, can be performed at more regular intervals, if needed.
A management review should include the following:
• The status of actions taken following previous management review(s)
• Internal and external issues that influence the OHSMS, for example risks and opportunities, the requirements and expectations of interested parties, legal and other requirements.
• Sufficient dialogue with internal and external interested parties
• An analysis of the resources needed for achieving an effective OHSMS
• Prospects for continuous improvement
Reviews should include information on the organization’s OH&S performance, including developments in the following:
1. The attainment of OH&S objectives
2. Incidents, accidents, nonconformities and corrective actions
3. Measurement and monitoring
4. The assessment of compliance with legal and other requirements
5. Internal and external audits
6. Participation, discussion and consultation with employees
7. Risks, prospects and opportunities
Decisions taken following a management review, should relate to:
1. The ongoing sufficiency, rationality and effectiveness of the OHSMS, with regard to the achievement of its intended results.
2. Areas for continual improvement.
3. Requirements for modifications to the system.
4. Additional resources required.
5. Other actions required.
6. Opportunities to integrate the OHSMS further/differently with business processes, e.g. quality, the environment, continuity etc.
7. Impacts on the strategic direction of the organization
Continuous Improvement Steps
Management must identify (Clause 10) opportunities for improvement and apply mandatory actions to attain the intended results of its OHSMS.
Management must develop (Clause 10.2), apply and carry out processes, together with investigations, reports and measures, to identify and manage OH&S-related incidents and nonconformities. When an incident or a nonconformity exists, management must:
• Respond in time
• Take measures to manage and correct it
• Manage any consequences
The involvement of employees and the participation of other interested parties must be assessed. This is a requirement for corrective action, in order to eradicate the root causes of the nonconformity or incident and to ensure it does not occur elsewhere. This is achieved through the following:
• Analyzing the reasons for the nonconformity or incident
• Review/update existing assessments of OH&S risks (see 6.1)
• Identify and apply any actions required, involving a hierarchy of controls
• Analyze any new potential health and safety risks or modified hazards
Management must retain documentation as proof of:
A. Nonconformities or incidents following measures taken
B. The outcomes of measures and corrective actions
C. Communication with the relevant employees, employee representatives, or other interested parties
It is important that a 'root cause analysis' is performed following a nonconformity or incident, in order to avoid its recurrence.
Examples of nonconformities and OH&S-related incidents:
INCIDENTS: Near misses, injuries, poor health, impacts to property or equipment that could result in health and safety risks, body, skin, bone damage, hearing loss, eye-sight loss, asbestosis.
NON-CONFORMITIES: Safety equipment not working properly, inability to comply to legal requirements, safety processes or guidelines not being followed; contractors working in a hazardous way on-site.
When a nonconformity or incident occurs, the organization must respond in a timely way. The assessment of the requirement for corrective action(s), should be agreed with the relevant employees and interested parties.
The goal of an incident-investigation is to identify what occurred, why it occurred and what can be done to avoid it occurring again.
Professional investigators must account, not only for immediate causes, they must also focus on root causes and the corrective measures that need to be taken.
All incidents have causes. These can involve a cluster of factors, together with human behavior, activities, processes and equipment.
Investigations should highlight gaps that require improvement. The extent of the investigation, is proportional on the extent of the OH&S-related incident and its impact.
The incident should be documented and presented internally and externally, were appropriate, to regulatory bodies.
Who investigates? The investigation of incidents and nonconformities should be performed by a party/parties who are not reliant on the activities being analyzed and should include an employee representative.
Organizations are responsible for corrective actions concerning the management of change and the hierarchy of controls. They are also responsible for making modifications to the OHSMS by:
A. Updating process maps
B. Revising procedures
C. Updating the risk register
Instances of corrective actions involving a hierarchy of controls:
• Eradicate hazards
• Use less dangerous materials
• Re-engineer or change machinery and tools
• Modify the rate of using equipment
• Enforcing the use of personal protective equipment (PPE)
Failures and Timing
The emphasis of root cause analysis is aversion. Root cause analysis recognizes numerous contributory factors, including the following:
• Lack of communication
• Equipment failure
• Gaps in signage/notices/warnings/documentation
While root cause analysis is being carried out, an organization may have to perform immediate short term actions, in order to avoid recurrence of an incident or nonconformity.
This can be a component of the implemented corrective action. Root cause analysis and the reporting of incidents without delay, can assist with the permanent removal of hazards.
The concept of continuous improvement
is referenced in other management systems (Annex SL
), for example: ISO 14001
, ISO 9001
as well as in the ISO 45001:2018 standard
Measures an organization can take to implement 'continuous improvement' in their OHSMS include:
• Enhancing a culture that supports OH&S
• Encourage the participation of employees (recognition and application)
• Use up-to-date training, practices, technology and equipment
• Promote good working practices
• Accept proposals and advice from interested parties
• Acquire the latest knowledge of occupational health and safety in the workplace
• Source better supplies and make better use of materials
• Promote worker competence
• Attain improved performance using minimal resources