See the latest EHS federal and state regulatory updates due to COVID-19

The ISO 45001:2018 Occupational Health and Safety Management System (OHS MS) standard was published in March 2018, as part of a broader effort by the International Organization for Standardization (ISO) to update and align all of the specification standards for the management of Environmental, Energy, Health and Safety, and Quality (EEHSQ). The objective of this effort was to implement an international OHS MS standard to replace the OHSAS 18001 standard. It included making structural changes in accordance with a model that is affecting all new ISO standards, Annex SL, as well as addressing broader national and international OHS elements and ensuring adherence to the basic principles of OHSAS 18001. The timeframe for transition to the ISO 45001 standard is three years from its date of issuance.

This article is part of a series of articles addressing the new OH&S Management System Standard (Article 1: EQ Spring 2018: OH&S Management System Standard Overview and Key Changes; and Article 2: December 5, 2018: Role of Effective Governance) and discusses Operational Planning and Control, which specifically considers Management of Change and Procurement. We plan to publish future articles on risk and opportunity, OHS objectives, communication, and needs and expectations of interested parties.

Structure of the New OHS MS Standard

The ISO 45001 standard involves a new organizational structure that is being implemented for all ISO management system standards, Annex SL. The revised versions of the ISO 14001 and ISO 9001 standards and the new ISO 45001 standard are organized in accordance with this new structure. A Plan-Do-Check-Act model is retained for all management system standards, with the clauses designed to better facilitate implementation of integrated management systems. This new high-level structure is illustrated in Table 1.

Table 1. ISO 45001:2018 OHS MS Standard Structure
1. Scope6. Planning
2. Normative References7. Support
3. Terms and Definitions8. Operation
4. Context of the Organization9. Performance Evaluation
5. Leadership & Worker Participation10. Improvement

A brief overview of the new Annex SL elements and how they are incorporated into the ISO 45001:2018 standard is provided below.

  • Context of the Organization - Understand organizational context and OHS MS scope, with an emphasis on needs/expectations of workers and other interested parties.
  • Leadership - Ensure management commitment, policy, roles/responsibilities and authorities, and worker participation, with an emphasis on responsibility and accountability among top management.
  • Planning - Identify hazards and risks, legal and other obligations, and develop risk/opportunity actions and target setting, with an emphasis on tangible outcomes and results.
  • Support - Consider resources, competence, awareness, communications, and documented information, with an increased emphasis on improving external outreach.
  • Operation - Conduct operational planning/control and emergency preparedness/response, with an increased emphasis on management of change and procurement.
  • Performance Evaluation - Monitor and measure performance, new requirements for analysis and evaluation, as well as internal audit and management review.
  • Improvement - Identify nonconformance/corrective actions and reiterate the requirement for continual improvement.

Focus on Operational Control

Operational control provides the mechanism to establish and implement processes needed to enhance OHS management, either by eliminating hazards or reducing OHS risks to levels as low as reasonably practical. While there are numerous examples of how this may be accomplished, the new standard further emphasizes the OHS hierarchy of controls, which provides a systematic approach to enhance OHS, eliminate hazards, and reduce or control OHS risks.

EQ Spring 2019 ISO article Fig 1 Hierarchy of ControlsFigure 1 illustrates this hierarchy of controls, which is based on eliminating hazards wherever possible and, where not possible, managing hazards preferentially as high on the hierarchy as possible. While use of personal protective equipment is standard for all operations, removing the hazard or isolating workers from the hazard, even determining safer ways to perform a task, is preferred. This construct provides an excellent lead in to the topic of management of change.

Management of Change

A management of change (MoC) process enhances OHS at work by proactively managing the introduction of new hazards and OHS risks into the work environment. While cited in two clauses in the OHSAS 18001 standard, MoC occupies its own distinct clause in the ISO 45001 standard. To better understand its importance, consider MoC in a broader business context.

Businesses are constantly changing based on internal and external factors, with several of these factors illustrated in Figure 2.

Once it is recognized that a change must occur, a mechanism is needed to ensure that the outcome of the anticipated change is in fact achieved. If there is no such mechanism, the effect or benefit of the change may not be fully realized. This is where MoC comes into play, and is particularly important from an OHS perspective.

EQ Spring 2019 ISO article Fig 2 Change factors for businessesThe standard requires establishment of processes for the implementation and control of planned temporary and permanent changes that may affect OHS performance. While not as all-encompassing as the numerous considerations in a business enterprise, the standard requires a systematic approach to managing changes that may have OHS consequences. The key requirements are illustrated in Figure 3. Additionally, the consequences of unintended changes should be addressed, taking action to mitigate any adverse effects.

Companies that struggle with addressing MoC differently between facilities may choose to establish a cross-cutting process to implement throughout the company. However, the development process for an enterprise approach may take considerable time, especially if the intent is to develop and implement a process that addresses multiple management systems.

Fortunately, MoC in an OHS context that has been in play for some time (e.g., it is a specific requirement of Process Safety Management), and there are many tools available to jump start development of such a process. Because MoC can crosscut several functions in an organization (e.g., maintenance, manufacturing, environment, OHS, quality), it is essential to assess the relevance to each function of any proposed change. In fact, having a multi-functional MoC process is a best practice. An effective MoC process should apply MoC commensurate with the potential risk, and thus screen out changes that represent low risk. Finally, an effective MoC process must address prompt closure of resulting action items. Lack of or delayed closure can present additional risks.


EQ Spring 2019 ISO article Fig 3 key requirements to managing change with OHS consequencesThe Operation clause of the new standard also addresses procurement, which is particularly important as companies acquire raw materials and products, procure services and technology, and may outsource processes. To the extent that a company exercises control or can influence contractors and outsourced processes, procurement is a critical component in an OHS MS. At a minimum, the standard requires that companies establish, implement, and maintain processes to control the procurement of products and services in order to ensure their conformity to the OHS management system.

From the perspective of contractors, the requirements are reflected in Figure 4. The OHS MS establishes the requirements and expectations for dealing with contractors. But managing contractors is not just a function of how they do their work at a company's site. Contractor performance must be addressed throughout the procurement lifecycle, from communicating specific requirements, to selecting contractors based on their competence and OHS performance, to managing their performance and providing feedback. This process also must be able to measure conformance with expectations-if these expectations are not met, there must be a mechanism to ensure continual improvement on the part of the company and the contractor. Not meeting expectations or failing to demonstrate continual improvement can lead to establishing corrective actions needed to continue the contracting relationship.

The clause also deals specifically with outsourcing, to ensure that outsourced functions and processes are controlled in accordance with requirements and to achieve intended outcomes. The type and degree of control to be applied to these functions and processes must be defined within the OHS MS. However, while the outsourcing process and requirements can be documented in the OHS MS, these activities can be more difficult to influence or control, particularly if the outsourced process is not performed in close proximity to the site implementing an OHS MS.

While managing contractors and outsourced processes can be a formidable task, several commercial solutions address supply chain risk management, including prequalification, supplier auditing, insurance monitoring, worker EQ Spring 2019 ISO article Fig 4 Procurement requirementsmanagement, performance analytics, and other aspects. Additionally, there are state- and industry-specific organizations devoted to ensuring that contractors are pre-registered and have proper training, drug testing, competence, etc. and meet other requirements to be cleared for use as contractors.


Operational planning and control is a critical cog in an OHS MS wheel, as it provides the mechanism to plan, implement, control, and maintain processes needed to meet requirements of the OHS management system. The OHS hierarchy of controls provides the framework for how best to manage hazards and risks. Management of Change provides a mechanism to anticipate and manage changes that may have associated OHS hazards and risks, both planned and unintended. Because contractors and outsourced processes operate under some level of company control or influence, they must be managed under the auspices of an OHS MS to ensure their safety, as well as that of the company's employees and its assets.

Trinity Consultants supports organizations in developing management systems and preparing for certification to EEHSQ-related ISO standards, including the new ISO 45001 standard. For assistance, please contact John Fillo at