A risk is acceptable to a specific organization if it has been reduced to a level that it can tolerate given its obligations, its policies, and its basic purpose.
|
An audit is a systematic evidence gathering process. Audits must be independent and evidence must be evaluated objectively to determine how well audit criteria are being met. There are three types of audits: first-party, second-party, and third-party. First-party audits are internal audits while second-party and third-party audits are external audits.

Organizations use first-party audits to audit themselves. First-party audits are used to provide input for management review and for other internal purposes. They're also used to declare that an organization meets specified requirements (this is called a self-declaration).

Second-party audits are external audits. They’re usually done by customers or by others on their behalf. However, they can also be done by regulators or any other external party that has an interest in an organization. Third-party audits are external audits as well. However, they’re performed by independent organizations such as registrars (certification bodies) or regulators.

ISO also distinguishes between combined audits and joint audits. When two or more management systems of different disciplines are audited together at the same time, it's called a combined audit; and when two or more auditing organizations cooperate to audit a single auditee organization, it's called a joint audit.
|
Competence means being able to apply knowledge and skill to achieve intended results. Being competent means having the knowledge and skill that you need and knowing how to apply it. Being competent means that you’re qualified to do the job.
|
Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements, and a requirement is a need, expectation, or obligation. There are many types of requirements, including customer requirements, quality requirements, quality management requirements, management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.
|
When organizations engage in consultation it means that they seek and receive the views and opinions of others before making decisions. In the context of OH&S, organizations often consult managers, workers, health and safety committees, and workers' representatives before they make decisions that could affect the health & safety of these groups.

Consultation is not the same as participation. While consultation means receiving the views and opinions of others before decisions are made, participation means getting people involved in the actual decision making process itself.
|
An organization’s context is its business environment. It includes all of the internal and external factors and conditions that affect its products and services, have an influence on its OHSMS, and are relevant to its purpose and strategic direction.

An organization’s external context includes all of the needs and expectations of interested parties, as well as its social, cultural, legal, technological, regulatory, and competitive environment. An organization’s internal context includes its values, culture, knowledge, and performance.
|
Continual improvement is a set of recurring activities that are carried out in order to enhance OH&S performance. Continual improvements can be achieved by carrying out internal audits, self-assessments, and management reviews. Continual improvements can also be realized by collecting data, analyzing information, setting objectives, and taking corrective actions.
|
A contractor is an organization that provides services to another organization in accordance with an agreed set of terms, conditions, and specifications.
|
Corrective actions are steps that are taken to eliminate the causes of existing nonconformities in order to prevent recurrence. The corrective action process tries to make sure that existing nonconformities and incidents don’t happen again.
|
The term documented information refers to information that must be controlled and maintained and its supporting medium. Documented information can be in any format and on any medium and can come from any source.

Documented information includes information about the management system and related processes. It also includes all the information that organizations need to operate and all the information that they use to document the results that they achieve (aka records).
|
Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are actually carried out, and planned results are effective if these results are actually achieved.
|
A hazard is any situation, substance, activity, or event that could potentially cause human injury or ill health.

Hazardous situations can cause injury or ill health. Examples of potentially hazardous situations include slippery or uneven walking surfaces, cramped working conditions, badly ventilated areas, high altitudes, noisy locations, poorly lit areas, and confined spaces.

Hazardous substances can cause injury or ill health. Examples of potentially hazardous substances include corrosive and toxic chemicals, flammable and explosive materials, dangerous gases and liquids, radioactive substances, particulates, poisons, bacteria, and viruses.

Hazardous activities can cause injury or ill health. Examples of potentially hazardous activities include dangerous tasks, unnatural movements and postures, heavy lifting, repetitive work, interpersonal conflicts, bullying, and intimidation.

Hazardous events can cause injury or ill health. Examples of potentially hazardous events include explosions, implosions, collisions, vibrations, fires, leaks, releases, chemical reactions, electric shocks, falling objects, loud noises, structural breakdowns, software failures, equipment malfunctions, and unscheduled shutdowns.

Hazards can also be classified as follows:
- Chemical hazards
- Biological hazards
- Thermal hazards
- Electrical hazards
- Structural hazards
- Acoustical hazards
- Mechanical hazards
- Radiological hazards
- Psychological hazards
|
Hazard identification is a process that involves recognizing that an OH&S hazard exists and then describing its characteristics.
|
An injury or ill health is an adverse effect on someone's physical, mental, or cognitive condition. Adverse effects include disease, illness, and death.
|
An incident is a work-related occurrence or event during which injury, ill health, or fatality actually occurs, or injury, ill health, or fatality could have occurred.

An accident is a type of incident. It is a work-related event during which injury, ill health, or fatality actually occurs.

A close call, near miss, or near hit is also a type of incident. It is a work-related event during which injury, ill health, or fatality could have occurred, but didn’t actually occur.
|
An interested party is anyone who can affect, be affected by, or believe that they are affected by a decision or activity. An interested party is a person, group, or organization that has an interest or a stake in a decision or activity.
|
In the context of this ISO 45001 2018 standard, a requirement is an OHSMS need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties.

Legal requirements are compulsory. Organizations must comply with them. Other requirements may be compulsory or voluntary; organizations may be forced to comply with them or they may choose to comply with them.
|
A management system is a set of interrelated or interacting elements that organizations use to formulate policies and objectives and to establish the processes that are needed to ensure that policies are followed and objectives are achieved. These elements include structures, programs, procedures, practices, plans, rules, roles, responsibilities, relationships, contracts, agreements, documents, records, methods, tools, techniques, technologies, and resources.

There are many types of management systems. Some of these include quality management systems, environmental management systems, financial management systems, information security management systems, business continuity management systems, emergency management systems, disaster management systems, food safety management systems, risk management systems, and, of course, occupational health and safety management systems.

The scope or focus of a management system could be restricted to a specific function or section of an organization or it could include the entire organization. It could even include a function that cuts across several organizations.
|
Measurement is a process that is used to determine a value. In most cases this value will be a quantity.
|
To monitor means to determine the status of an activity, process, or system at different stages or at different times. In order to determine status, you need to supervise and to continually check and critically observe the activity, process, or system that is being monitored.
|
Nonconformity is a nonfulfillment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.
|
An objective is a result you intend to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. Objectives may also be referred to as targets, aims, goals, or intended outcomes.

OH&S objectives are generally based on or derived from an organization’s OH&S policy and must be consistent with it.
|
An OHSMS is either a standalone management system or one part of a larger management system. It is a set of interrelated or interacting elements that organizations use to implement their OH&S policies, to achieve their OH&S objectives, and to manage their OH&S processes. These elements include structures, programs, procedures, practices, plans, rules, roles, regulations, responsibilities, relationships, contracts, agreements, documents, records, methods, tools, techniques, technologies, and resources.
|
OH&S objectives are specific OH&S results that organizations set for themselves and wish to achieve. Your organization’s OH&S objectives should be both measurable and consistent with its OH&S policy.
|
An OH&S opportunity is a circumstance or a set of circumstances that could lead to the improvement of OH&S performance.
|
OH&S performance is all about results and effectiveness. Whenever organizations prevent injury and ill health and provide safe and healthy workplaces, they are achieving good results and being effective.
|
An occupational health and safety (OH&S) policy statement should express top management's commitment to the prevention of work-related injury and ill-health and to the provision of a safe and healthy workplace. It should also make a commitment to the implementation, maintenance, and improvement of the occupational health & safety management system (OHSMS). And it should allow workers to set OH&S objectives and it should encourage action.
|
ISO 45001 defines OH&S risk as the “combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury or ill health that can be caused by the event(s) or exposure(s).”

ISO 45001 accepts the more traditional definition of risk and rejects the newer ISO 31000 definition (discussed below) when it defines OH&S risk. The more traditional definition of risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high risk event would have a high likelihood of occurring and have a severe impact if it actually occurred.
|
An organization can be a single person or a group that achieves its objectives by using its own functions, responsibilities, authorities, and relationships. It can be a company, corporation, enterprise, firm, partnership, charity, association, or institution and can be either incorporated or unincorporated and be either privately or publicly owned. It can also be an operating unit that is part of a larger entity.
|
When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process normally done in-house. While an outsourced organization is beyond the scope of your QMS, the outsourced process or function itself falls within your scope.
|
When people are involved in decision making, it's called participation. Workers, workers' representatives, and health and safety committees are often asked to participate in organizational decision making.

Participation is not the same as consultation. While consultation means receiving the views and opinions of others before decisions are made, participation means getting people involved in the actual decision making process itself.
|
According to ISO, the term performance refers to a measurable result. It refers to the measurable results that activities, processes, products, services, systems and organizations are able to achieve. Whenever they perform well it means that acceptable results are being achieved, and whenever they perform poorly, unacceptable results are achieved.
|
A policy is a general commitment, direction, or intention and is formally stated by top management. A quality policy statement should express top management's commitment to the implementation and improvement of its quality management system and should allow managers to set quality objectives.
|
A procedure is a way of carrying out a process or an activity. Procedures may or may not be documented.
|
A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs. Processes are interconnected because the output from one process often becomes the input for another process.

While processes usually transform inputs into outputs, this is not always the case. Sometimes inputs become outputs without transformation.

Organizational processes should be planned and carried out under controlled conditions. An effective process is one that realizes planned activities and achieves planned results.
|
A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document, for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary.

There are many types of requirements. Some of these include customer requirements, quality requirements, quality management requirements, management requirements, product requirements, service requirements, contractual requirements, statutory requirements, and regulatory requirements.
|
According to ISO 45001, “risk is the effect of uncertainty”. This cryptic definition is based on a similar definition of risk found in the ISO 31000 risk management standard. According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Both definitions are essentially the same. The following will explain what this definition means.

ISO 31000 recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there’s always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both.

The traditional definition of risk combines three elements: it starts with a potential event and then combines its probability with its potential severity. A high risk event would have a high likelihood of occurring and a severe impact if it actually occurred.

While ISO 31000 defines risk in a new and unusual way, the old and the new definitions are largely compatible. Both definitions talk about the same phenomena but from two different perspectives. ISO thinks of risk in goal-oriented terms while the traditional definition thinks of risk in event-oriented terms. These two definitions can and do co-exist. They’re two different ways of talking about the same phenomena.

ISO provides a conceptual definition of risk while the traditional formulation operationalizes this general definition: it explains how to quantify risk. It argues that the amount or level of risk can be calculated by combining probability and severity.

ISO 45001 actually rejects this ISO 31000 definition of risk when it defines OH&S risk. Instead of accepting the ISO 31000 definition, ISO 45001 defines OH&S risk as the “combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury or ill health that can be caused by the event(s) or exposure(s).”
|
Risk assessment is a process that is made up of three separate processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that exist. Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
|
Risk criteria are terms of reference and are used to evaluate the significance or importance of your organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization’s values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.
|
The term top management normally refers to the people at the top of an organization. It refers to the people who provide resources and delegate authority and who coordinate, direct, and control organizations. However, if the scope of a management system covers only part of an organization, then the term top management refers, instead, to the people who direct and control that part of the organization.
|
The term worker is defined as anyone who performs work or work-related activities that are under an organization's control. Workers include both managers and nonmanagers and include both employees and non-employees (i.e., contractors, agency workers, and external product and service providers). They could be permanent or part-time, regular or temporary, and paid or unpaid; all of these people are defined as workers.
|
A workplace is a place where an organization’s work is performed. A place is an organization’s workplace only if it is under its control, at least to some extent. How much responsibility an organization has over OH&S depends on how much control it has over its workplace.
|