New approach to ISO 45001 documentation

With the new release of ISO 45001, the internationally recognized standard that replaces OHSAS 18001, we now have a greater assurance of what the requirements for documented information will be. In the new Occupational Health & Safety Management System (OH&SMS), this requirements section is one of the common elements that you will see handled the same way in all of the ISO management system standards, including ISO 9001, ISO 14001, ISO 27001, and many others.

Here is what this change could mean to your OH&SMS.

What is happening to documents and records in the standard?

In the current revision of OHSAS 18001, which is the current standard for an OH&SMS, there are separate requirements for documents and records within the standard. Documents are controlled under clause 4.4.5, which requires rules for approval, review & update, changes, legibility, and relevancy of available documents for use in the processes. Records, on the other hand, are controlled by clause 4.5.4, which requires rules for records to be identifiable, properly stored, protected, retrievable, and disposed at the end of a specified retention period. If you currently have an OH&SMS in place and you are using the requirements of OHSAS 18001, then these are the rules that you will already have in place for your documents and records.

In the ISO 45001 standard, there is now a new term that replaced “documents and records.” These materials are now called “documented information.” This concept includes all documented procedures and records that are currently mentioned in OHSAS 18001. Throughout the standard, where OHSAS 18001 would say you need a documented procedure or record for a certain requirement, ISO 45001 states that you need to retain documented information for certain requirements. Also, within ISO 45001 clause 7.5 (Documented information), there are requirements that need to be in place for all documented information. These include creating, updating, and control of documented information. The required steps include:

  • Ensuring that the document or record is identified
  • Ensuring that the document or record is approved before use
  • Controlling the document or record to be available where it is needed
  • Adequately protecting the document or record from deterioration or unintentional change
  • Storage of documents and records, including retention & disposition

For more on OH&S documentation, see these articles: How to structure health & safety documentation according to OHSAS 18001, and Which criteria to apply when deciding about OHSAS 18001 documentation.

What does this really mean for you?

The requirements for what needs to be documented essentially remain unchanged. This means that you still need certain documented information to meet the standard, as well as other documented information that you decide is necessary for your management system. Looking at the actual requirements for what you need to do with documented information, the requirements are basically the same as the ones that have been there for documents and records. These requirements, in a nutshell, are:

  • Can you tell what the information is, and whether it is approved?
  • Is the right information where you need it, when you need it?
  • Do you adequately control the information and dispose of it properly when it is no longer needed?

So, have the requirements changed that much? The answer is no. In general, if you have a method to control your documented procedures and a process to control your records, there is really nothing to change as the requirements for control are really the same. In fact, many companies already had one procedure for control of both documents and records, and this is also acceptable with the new standard requirements.

There is also nothing in ISO 45001 that says you need to start using the term “documented information” in your company. If other terminology works for you, then keep using it; the certification auditors will need to follow the terms you use, and this would not be the first time. So, take a minute to go over your procedure, or procedures, and see that everything is covered (it probably is). If this works for you, there is no need to confuse your employees by changing it, but keep in mind that the term “documented information” now includes more than just the procedures and records that were encompassed before. If, however, you think that you could benefit from changing the way you do things, then this is a good time to make that change. You will likely be going through other updates and training as you implement ISO 45001 after it is released, so this improvement can be communicated easily.

Make the system work for you

As always, it is important to remember why you are implementing an OH&SMS in the first place. It is not to please the ISO, or even to satisfy the auditors; you have this management system to better control and improve your OH&SMS. Make sure that the processes you implement work for you to achieve this improvement goal, rather than just being there to satisfy the requirements of the standard. You want your OH&SMS to give you benefits, not to be a burden.

To find out more about what is currently required for documentation in ISO 45001, see this white paper: Checklist of Mandatory Documentation Required by ISO 45001.

Advisera Mark Hammar
Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.