How to structure ISO 45001 documentation
Many people consider documentation to be the hardest step in the process of implementing a management system such as ISO 45001 (the international standard for Occupational Health and Safety Management Systems). The good news is that even though preparing documentation can be demanding and time-consuming, it isn’t the hardest part, because it can be done in a fairly straightforward way by using a structured approach. At the same time, it can also be said that the bad news is that after you’re done sweating over the documentation, the harder steps await. But that is a story for another day. This article will focus on the good news.
Two types of documents
The standard is based on the Plan-Do-Check-Act model, and the clauses are broadly arranged to fit into one or more of those four sections. Read this article: The importance of the Plan-Do-Check-Act cycle in OHSAS 18001 to learn more about the importance of Plan-Do-Check-Act cycle.
There are two types of documentation.
Firstly, there is, in the language of the standard, the “documented information” that is to be “maintained.” This means ordinary documents that are subject to review, revision, and update. They are mostly, but not exclusively, found in the Plan clauses of the standard (clauses 4, 5, and 6). Examples are the policy statement, responsibilities & authorities, OH&S objectives, and registers of risks, opportunities, legal and other requirements.
Secondly, there is documented information that is to be “retained.” These are records providing evidence of activities performed. They record the actions that are planned and carried out and their results. Predictably, most of these are generated under the Check and Act sections, that is, clauses 9 (Performance evaluation) and 10 (Improvement), but also in the Do section: clauses 7 (Support) and 8 (Operation).
Two categories of documents
The documentation (whether ordinary documents or records) itself falls into two categories: that which is required by the standard, and that which the organization itself determines to be necessary for effective operation (Clause 7.5.1 Documented information, General). Most of the latter will be at the operational level, consisting of standard operating procedures, work instructions, etc. This would be the Do section of the standard, i.e., clause 8 (Operation) and some of clause 7 (Support).
Structure of the documentation
The documentation can be said to exist on four levels, as shown in the diagram below:
Figure: Typical structure of documented information
Level 1 documentation presents policy information communicated by top management to provide the basis of the Occupational Health and Safety Management System. It must be aligned with the strategic direction of the organization. In terms of volume, this level has the least amount of content, but can be said to be the most important. It is the parent of the system, because all other documented information arises from the commitments made therein. Level 1 documentation will make references to level 2 documentation, where further detail will be found.
Level 2 provides the detail of the OH&S risks and opportunities faced by the organization (encompassing those arising from OH&S hazards, from issues other than OH&S hazards, and from legal and other requirements). More importantly, level 2 documentation will include what actions are to be taken to eliminate or mitigate the risks and leverage the opportunities. This includes action plans incorporated into the day-to-day business processes as operating criteria or as OH&S objectives. In addition, for the potential OH&S emergencies identified, an emergency plan must be documented, detailing the actions to be taken in the event of each specific emergency.
The action plans are intended to be implemented at the different functions and levels where they apply, in order to maintain and improve the system. This information can thus be structured such that different departments are issued with the documentation that is appropriate to their functions. This is more likely in large organizations with numerous and/or complex processes. However, because all processes are interdependent, it is important to ensure that this does not result in disjointed documentation and activities. Controls should be applied seamlessly across process and functional interfaces. The hazards, risks, opportunities, objectives, and legal and other requirements are typically captured in a series of cross-referenced registers, or they can even be compiled into a single document, especially in smaller organizations with fewer or less-complex processes.
Level 3 will consist of detailed work instructions where they are determined to be necessary. These will be referenced from level 2 documentation and will apply to specific operations where their necessity is determined by factors such as level of risk, complexity, competence, or legal obligation. Once again, it is important to incorporate these actions into the organization’s normal business processes.
Level 4 documentation consists of the records generated as outputs of the planned actions discussed above. Most of these result from the various performance evaluation processes that are undertaken to monitor the system’s performance, such as monitoring and measurement of operational controls, compliance with legal and other requirements, achievement of OH&S objectives, and internal audits, as well as records of incidents, nonconformities, and actions taken.
And, finally, closing the loop
The level 4 records are essential inputs into the management review process, which is itself a performance evaluation process done by top management. During the management review, top management examine the performance of the various parts of the system, and review any pertinent changes, especially in the organization’s context. The output will be an action plan aimed primarily at improving the effectiveness of the OH&S system in achieving its intended outcomes. This action plan, plus evidence of its implementation, provide the final and most important sign of committed top management, and a system that is worth its salt.
Use this free whitepaper: Checklist of Mandatory Documentation Required by ISO 45001 to find out exactly which documents and records are mandatory, and which are optional.