ISO 45001:2018

Occupational Health and Safety Management Systems

What is ISO 45001:2018?

As per ILO, more than 7 600 people die daily due to work-related accidents or diseases.

ISO 45001 is an internationally agreed-upon standard, in simple words, a set of international best practices aimed to reduce occupational injuries and diseases, thereby helping both the employers and the economy at the national level due to losses from early retirements, staff absences, and increased insurance premiums.

Which businesses or organizations is ISO 45001 most suitable for?

The simple answer is ALL organizations.

The standard is applicable regardless of the size, type, and nature of products and/or services, so it can be an SME, a global conglomerate, an NGO, a charity, an academic institution, or a government organization.

The cost of poor health and safety standards in the workplace

The absence of effective OHS management systems will lead to an increase in the accidents and ill-health of the workers, resulting in indirect costs such as those arising from:

  • Lost and/or delayed production
  • Time spent in investigations
  • Damage to plant and equipment
  • Cleanup activities
  • Absences as a result of accident or ill-health
  • Recruitment and training of replacement staff and labour
  • Action by the regulatory authorities
  • The civil claim by the injured parties
  • The rise in insurance premiums

There are also indirect costs related to

  • Poor staff morale leading to unrest and high turnover rate
  • Damage to the image and reputation of the organization, which can result in a loss of orders

To which this standard contributes

ISO 45001:2018


Something with the potential to cause harm (e.g. a substance, a part of a machine, a method of work, a form of energy, or a situation).


Includes death, injury, physical or mental ill health, damage to property or the environment, loss of production or any combination of the above.


An unplanned and undesired event that results in harm.


An unplanned and undesired event that could have resulted in harm, often called a “near miss”.


A measure of the likelihood that the harm from a particular hazard will occur, as well as taking into account the possible severity of the harm.

Risk is expressed as

Risk = likelihood of occurrence × severity of a hazard


A state in which there is exposure to a hazard; the opposite of safety; often used in terms such as dangerous condition, danger area, danger zone, etc.


A state in which exposure to hazards has been adequately controlled; the opposite of dangerous e.g. safe plant, safe system of work, etc.

Risk management

The process of hazard identification, risk assessment, risk evaluation, determination of controls and their implementation, monitoring and review.

Risk assessment

Obtaining the risk score by multiplying probability rating with risk rating.

Risk evaluation

Obtaining risk rating through comparison of risk score with the risk criteria e.g. low, medium, high.

Acceptable risk

A risk that has been reduced to a level that we are prepared to accept with respect to our legal obligations, OHS policy and objectives.

Context of an organization

  • external and internal issues pertaining to the strategic direction of an organization;
  • relevant interested parties and their needs and expectations.

Note: The external and internal issues can be used as input for determining relevant interested parties and their needs and expectations. This information in turn is used as input to the risks and opportunities.

Review of external and internal issues

External and internal issues can change over time, therefore, this information should be monitored regularly by reviewing e.g. in quarterly management review meetings.

Moreover, the interested parties and their relevant requirements can vary among different products and services and can change due to unforeseen circumstances or intentional reactions to markets.

Therefore, the organization should have robust systems in place to monitor and review the relevant requirements of its interested parties.

Monitoring and reviewing can be accomplished by using the organizational processes related to customer requirements; and design and development of products and services.

Sources of information

Information about external and internal issues can be found from many sources, such as through internally documented information including minutes of meetings, in the local and international media, websites, professional and technical publications, conferences, through interaction with customers and regulators, and other stakeholders.

Tools used for determining external and internal issues

The tools that can be used include

  • Brainstorming;
  • Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis;
  • Political, Economic, Social, Technological, Legal, Environmental (PESTLE) analysis; and
  • Asking “what if” questions.

Examples of external issues

Factor | Issues
supply chain | Relationships with external providers e.g. contractors and suppliers
cultural and social | unemployment rates at local level, how safety is perceived, education levels, public holidays and working days
political | political stability, public investments, infrastructure and its quality, trade agreements at the international level
technological | updates in technology; materials and equipment
statutory and regulatory requirements | Regulations pertaining to the workforce, work environment, and licenses/approvals
other | Location of operations, and changes to any of the above

Examples of internal issues

Factor | Issues
Resource needs | Financial capital, numbers and capabilities of workers, technologies
Human resources | organizational knowledge, competence of persons, safety culture, relationships with unions
Governance of the organization | The way the organization is managed e.g. organizational hierarchy, rules and procedures for decision-making, and its business objectives
other | size and nature of work (what it does or makes), the overall performance of the organization

Examples of relevant interested parties

These include

  • workers at all levels
  • customers
  • legal and regulatory authorities
  • Parent organizations
  • external providers including suppliers, contractors, and sub-contractors
  • workers’ organizations e.g. trade unions
  • owners, shareholders, clients, visitors
  • insurers
  • the local community
  • the general public and
  • the media

Methods to understand the needs and expectations of relevant interested parties

Examples include reviewing tender documents or orders received, reviewing statutory and regulatory requirements with legal compliance departments, lobbying and networking, participating in events arranged by the relevant associations, benchmarking, market surveillance, reviewing supply chain relationships, and conducting customer and/or user surveys.

Examples of relevant interested party requirements

These include customer requirements regarding safety, contracts (which have been entered into with customers or external providers), industry codes and standards, agreements with community groups or non-governmental organizations, legal requirements for the product or service provided, memoranda of understanding, permits, licenses or other forms of authorization, orders issued by regulatory agencies, treaties, conventions and protocols, agreements with public authorities, voluntary principles or codes of practice, voluntary labeling or environmental commitments, and policies for employees.

Sr # | Interested party | Needs and expectations
1 | employees | provision of an excellent work environment; continually engage with them through competent supervision in order to help them identify and tap into their hidden strengths; mentoring so that the gaps are identified and issues resolved timely
2 | regulators | compliance with health and safety laws as otherwise occupational health and safety of workers will be compromised and the organization itself can be at risk as the law-breaking leads to prosecution and closing out of the business
3 | supply chain e.g. contractors | All the contractual commitments fulfilled
4 | Shareholders e.g. owners | High return on investment e.g. money invested should result in an effective management system
5 | local community | There should be no risk to their health and safety
6 | top management | the company must remain compliant at all times and maintain its reputation; retain a competent workforce through a positive safety culture


Consultation shall take place at every stage of the process for risk management in order to foster co-operation and develop partnerships among management, staff, contractors and other stakeholders.

Prior to undertaking any risk assessment, depending on the complexity of the process or task, the relevant staff who carry out the task or are involved in the process should be consulted on how the task is undertaken to gain an understanding of the hazards involved. This in turn will help identify and implement measures to control risk without complicating the processes. The following should be consulted on the risk management process

  • workers;
  • supervisors;
  • safety and health officers/representatives;
  • safety and health committee;
  • contractors/sub-contractors; and
  • other relevant stakeholders.

Consultation is beneficial throughout the risk management process in many ways

  • it brings together different areas of expertise and those who have day-to-day experience can provide valuable input;
  • this allows ownership by workers;
  • this increases the chances that workers commit to implementing control measures, as they will understand why these are being imposed;
  • this increases the morale of the workers;
  • this will help reduce the turnover rate, as staff feel they are being listened to and involved;
  • this improves communication, trust, and teamwork;
  • this improves productivity due to better decision-making; and
  • this contributes to developing a positive safety culture.

When to Undertake a Risk Assessment

Risk assessment is an ongoing process and should be conducted as and when required, as follows

  • at regular or scheduled intervals
  • when planning or making a change to hierarchy, a procedure, process or practice;
  • external factors e.g. emerging occupational health issues;
  • when introducing new plant, equipment, substances and materials;
  • after an incident happens including a near miss and dangerous occurrence;
  • major changes in staff or introduction of new workers;
  • when there is a change in the legislation; and
  • at the start of high-risk activities e.g. presence of a high level of risk associated with a specific work activity e.g. confined space entry.

Procedure for the Risk Assessment

Note that there is no single methodology for hazard identification and risk assessment that will fit all OHS situations. An appropriate methodology ranging from simple assessment to complex quantitative analysis can be used on a case-by-case basis. However, the approach selected should be appropriate to scope, nature and size, and meet the needs in terms of detail, complexity, time, cost and availability of reliable data.

Step One – Identify the Hazards

Hazard identification is about identifying substances, sources, situations, acts, or a combination of these, with a potential for harm in terms of injury or ill health and damage to property. The following should be considered for hazard identification

  • OHS legal and other requirements that prescribe how hazards must be identified;
  • incident record including ill health;
  • previous audit reports;
  • best practices e.g. typical hazards and incident reports in similar organizations;
  • input from staff and views of other interested parties, both voluntary and as a result of consultation; and
  • information on processes and facilities including workplace layout, traffic plans, site plans, process flowcharts, operation and maintenance manuals, hazardous materials inventories, equipment specifications, product specifications, material safety data sheets, monitoring data, occupational exposure and health assessments.

Different classes of hazards, such as physical, chemical, biological, psychosocial, etc. are considered.

The human factors that are considered include

  • the nature of the job;
  • the environment e.g. heat, light, dust, and noise;
  • human behavior e.g. fatigue;
  • psychological capabilities e.g. cognition, attention.

Both routine and non-routine activities and situations such as periodic, occasional, or emergencies are considered. The non-routine activities and situations include

  • cleaning, maintenance, refurbishment, start-ups/shut-downs;
  • field trips and international travel;
  • extreme weather conditions;
  • temporary arrangements;
  • emergency situations.

The hazard identification techniques that are employed include

  • benchmarking;
  • site tour;
  • checklist;
  • interview;
  • incident review;
  • monitoring data e.g. exposures to chemical and physical agents;
  • judgments based on experience;
  • flow charts review;
  • brainstorming;
  • systems analysis;
  • scenario analysis;
  • systems engineering techniques.

Manufacturers’ instructions or data sheets can also help to identify hazards and put risks into their true perspective.

The tool to be used depends on the nature of the activities under review, the types of risks involved, and the purpose of the risk assessment. The following table summarizes the hazard identification tools and techniques.


OHS Hazard | Type of Hazard | Tools
slip and trips, electricity, noise, dust, temperature extremes, fire, explosion, portable tools, machinery, pressure systems, compressed gases, working at height, confined areas, vehicles, work with animals, lone working, late working, irregular or unusual activities e.g. maintenance. | physical | site tour; inspection; feedback from the worker, contractors, visitors
water contamination, chemical fumes, storage and handling of hazardous materials | chemical |
foul smell, stagnant air, biological wastes, bacterial colonies, fungus, pollen, stagnant water, infestations, unclean urinals, etc. | biological |
long working hours, fatigue, anxiety, poor/limited communication or coordination, distractions due to noise, lack of amenities, sexual harassment, bullying, etc. | psychosocial | interviews and employee feedback, monitoring excessive hours worked, sickness records, and complaints.

Step Two – Identify Who Might be Harmed and How

The following are considered

  • all those having access to the workplace including employees, customers, visitors, contractors, and delivery personnel;
  • persons who may have additional difficulties, such as new or expectant mothers, people with special needs, and young or inexperienced workers;
  • end users of products and services;
  • hazards pertaining to the use of products and services provided by third parties;
  • who might be harmed and how, as this will help to determine control measures during risk assessment;

Step Three – Evaluate and Select Additional Control Measures

Risk evaluation is about developing an understanding of the risk. It provides insight into deciding whether risks need to be controlled and the most appropriate and cost-effective risk treatment strategies.

The level of risk is calculated by multiplying the rating for both consequence and probability as follows

Risk = consequence score × likelihood score

The criteria for probability rating, consequence rating and risk rating are presented in the following tables.

Statistical analysis and calculations can be used for the estimation of consequences and likelihood. Where no reliable or relevant past data is available, subjective estimates may be made reflecting the degree of belief that a particular event will occur.

When analyzing consequences and likelihood, the most pertinent sources of information and techniques shall be used.

Sources of information include

  • past records;
  • practice and relevant experience;
  • relevant published literature;
  • economic, engineering or other model;
  • specialist and expert judgment.

Techniques include

  • structured interview of experts;
  • use of a multi-disciplinary group of experts;
  • evaluation using a questionnaire; and
  • use of models and simulations.

Where appropriate, the confidence placed on estimates of levels of risk shall be included and the assumptions made shall be clearly stated.

Factors for evaluation such as those listed below will help in the assessment of relative consequence

  • health effect e.g. long/short term effects, degree of injury and illness, disability and fatality;
  • damage to assets e.g. plant, premises.

The inputs to the risk assessment process include the following

  • control measures in place, for example, ventilation, guarding, PPE, etc.
  • human capabilities, behavior, and competence – those who normally and/or occasionally carry out hazardous tasks
  • permit-to-work procedures;
  • monitoring data e.g. incident and ill health, toxicological data, epidemiological data;
  • tasks being carried out, their duration, frequency and location;
  • failure of plant and machinery components and safety devices, or their degradation;
  • size, shape, surface character, and weight of materials to be handled; distances and heights to which materials have to be moved and raised;
  • manufacturers’ instructions for the operation and maintenance of equipment and machinery; the availability and use of control measures –
  • abnormal conditions including interruption of electricity and water, or other process failures
  • emergency procedures in regard to various aspects including access to; and adequacy of; emergency equipment, escape routes, communication facilities, and support personnel, etc.
  • any existing assessments
  • the potential for a failure to cascade associated failures or disable control measures
  • the adequacy, accuracy, and reliability of the data available for risk assessment
  • any legal or other requirements in regard to risk assessment

Step Four – Implement the Selected Control Measures

After categorizing the risk as low, medium or high, corrective action is planned in order to manage the hazard at an acceptable level or at a level that is ‘as low as reasonably practicable (ALARP)’. For hazards with low risk, action is not required.

Where risks are already controlled, the effectiveness of the controls is monitored to decide whether they are sufficient or not.

Where the risk is assessed to be medium or high, additional control measures are always considered and implemented for which the following hierarchy is applicable

  • elimination of the hazard, where possible;
  • substitution e.g. use of less hazardous substances;
  • engineering e.g. isolation, exhaust ventilation;
  • administrative e.g. standard operating procedure, frequent work breaks, job rotation, housekeeping;
  • personal protective equipment (PPE), however, this option should be used as a last resort only.

In the process of selection of controls, the following should be considered

  • legal requirements;
  • international standards
  • guidelines;
  • OSH policy;
  • availability of resources;
  • costs and benefits; and
  • the status of scientific and technical knowledge.

Demonstrating ALARP requires considering various options to reduce risk to a level beyond which the cost and/or effort of further reduction would be out of proportion.

When the mitigation measures are identified, an action plan shall be formulated as follows

  • proposed actions;
  • responsibilities;
  • training needs for the relevant parties;
  • the time frame for completion of actions;
  • performance measures; and
  • reporting and monitoring requirements e.g. review for effective closeout of the action plan.

Any relevant work procedures should also be updated pertaining to the new control measures and relevant persons should be informed about the control measures being implemented; particularly the reasons for changes.

Adequate supervision shall verify that the new control measures are being implemented and used correctly.

Step Five – Monitor and Review

Factors that may affect the likelihood and consequences of an outcome may change, as may the factors that affect the suitability or cost of the mitigation options. It is therefore necessary to repeat the risk management cycle regularly e.g. bi-annually.

Other factors that may necessitate more frequent review are

  • changes in legal and regulatory requirements;
  • identification of new hazards, results of monitoring, the outcome of incident investigation, results of audits, emergency(ies), mock drills reports;
  • significant changes to processes, products and services;
  • best practices e.g. learning in similar organizations;
  • external factors such as emerging occupational health issues;
  • advancement in regard to the control and monitoring technologies;
  • assessment of OHS opportunities and other opportunities to the OHS management system.

Examples of Opportunities

The opportunities to improve OHS performance include

  • considering hazards and risks when planning and designing a new facility, buying equipment and introducing a new process and other planned changes;
  • managing monotonous work e.g. by rotating workers to other activities; and
  • using technology to improve OHS performance e.g. automating high-risk activities.

The opportunities to improve the OHS management system can include

  • more visible support from top management e.g. highlighting OHS performance in strategic business plans;
  • improving culture pertaining to safety and training;
  • enhancing the process for incident investigation;
  • enhanced worker participation in OHS-related decision-making; and
  • collaborating with other organizations in forums, which focus on OHS.

Additional Guidance

Each organization should choose an appropriate way to assess risks, taking into account its own context. The methods selected should balance the level of risk against the detail, complexity, cost, time, and availability of reliable data.

Workers involved in the day-to-day activities should participate in the assessment of risks so that a full understanding is gained.

Consequences of both short-term and long-term exposure should be considered and how risks can increase by other factors e.g. exposure to fumes in a well-ventilated space can present a much lower risk than the same exposure in a confined space, but the level of risk can be increased by additional factors such as extreme temperature or prolonged exposure.

Appropriate methods and criteria for risk assessment should be considered for various types of hazards e.g. assessment of stress is different from exposure to chemicals.

If an assessment method uses descriptions for assessment of severity or likelihood of harm, they should be clearly defined i.e. clear definitions of terms such as likely/unlikely, minor/major/catastrophic are needed to ensure that people interpret them in the same way.

The organization should also consider risks that are not directly related to the occupational health and safety of people but pertain to the OHS management system itself e.g.

  • failure to address the needs and expectations of the interested parties;
  • inadequate planning or allocation of resources;
  • an ineffective audit program;
  • poor succession planning in regard to the key roles; and
  • poor engagement by top management.

Table 1: Consequence Rating

Area | Insignificant Consequences (Score = 1) | Minor Consequences (Score = 2) | Moderate Consequences (Score = 3) | Major Consequences (Score = 4) | Catastrophic Consequences (Score = 5)
Human health and safety | Minor injuries, which may require self-administered first aid. Injured personnel can continue to perform normal duties. | Injuries requiring on-site treatment by medical practitioner. Personnel unable to continue to perform duties. | Serious injuries requiring off-site treatment by medical practitioner, or immediate evacuation to hospital. Potential long-term or permanently disabling effects. | Single fatality. | Multiple fatalities.
Production loss | Incident without causing production loss. | Production loss or delay of up to one week. | Production loss or delay of one week to one month. | Production loss or delay for > a month. | Loss of license to operate or ability to produce indefinitely.
Financial loss | Compensation, fines, cost to repair, plant damage of < $5K | Compensation, fines, cost to repair, plant damage of $5K – $50K | Compensation, fines, cost to repair, plant damage of $50K – $500K | Compensation, fines, cost to repair, plant damage of $500K – $10M. | Compensation, fines, cost to repair, plant damage > $10M.

Table 2: Probability Rating


Frequency | Probability
Occurs frequently |
Occurs several times per year |
Has occurred more than once |
Has occurred |
Never occurred |


Table 3: Risk Rating

Rows: probability (From Table 2). Columns: consequence (From Table 1). Each cell is the probability score multiplied by the consequence score.

Probability | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Rare (1) | 1 | 2 | 3 | 4 | 5
Possible (2) | 2 | 4 | 6 | 8 | 10
Likely (3) | 3 | 6 | 9 | 12 | 15
Often (4) | 4 | 8 | 12 | 16 | 20
Frequent (5) | 5 | 10 | 15 | 20 | 25

Risk score | Risk rating | Action
15 – 25 | Extreme Risk | Activity should not proceed in its current form.
8 – 12 | High Risk | Activity should be modified to include remedial planning and action and be subject to detailed OSH assessment.
4 – 6 | Moderate Risk | Activity can operate subject to management and/or modification.
1 – 3 | Low Risk | No immediate action is required, unless escalation of risk is possible.

Examples of OHS Objectives and Targets

Serial # | Description of objectives and targets
1 | Develop and implement a management system with an emphasis on occupational health
2 | Reduce manual lifting operations by 50 % by introducing equipment to assist workers with heavy lifting, to prevent back injuries
3 | Make provision for social activities and achieve a 50 % uptake
4 | Achieve a 50 % increase in the participation of workers in health improvement discussions

The following should be considered when establishing OHS objectives, setting targets and planning actions to achieve them. They should be

  • developed in functions and at levels, as appropriate;
  • reviewed and approved;
  • SMART: specific, measurable, achievable, relevant and time-bound;
  • established in consultation with the process owners and other relevant staff;
  • review frequency defined and records of review maintained; and
  • communicated to relevant staff.

These shall

  • be consistent with OHS policy;
  • take into account the applicable requirements e.g. legal and contractual;
  • take into account the results of the assessment of risks and opportunities; and
  • take into account the results of consultation with workers and/or their representatives.

These should not be confused with the KPIs e.g. lost time injuries, total reported case frequency (TRCF), lost time injury severity rate (LTISR), lost time injury frequency rate (LTIFR), # of near misses and first aid cases.

These should not be vague, nor should they be confused with tasks that are required to be performed as a matter of routine, e.g.

  • review policies and procedures in line with the legal requirements;
  • increase OHS trainings by 50 %;
  • timely execution of internal audits and management review meetings; and
  • increase in “compliance by the suppliers”.

The objectives should be set in such a way that aims to enhance the efficiency and effectiveness of the management systems as well as improve the OHS performance.

Benefits of Participation and Consultation  

Consultation is a two-way process, allowing staff to raise concerns and influence decisions on the management of safety and health. Staff are often the best people to understand the risks in the workplace, and involving them in making decisions shows them that you take their safety and health seriously.

Participation is about joint decision making e.g. joint risk assessment and agreeing on actions, establishing OHS policy and objectives.

Involving workers is a key requirement for the effectiveness of OHS management systems as it enables the organization to make informed decisions.

A workforce that feels valued and involved in decision-making plays a big part in a high-performing workplace. Empowering your workforce, giving them the right skills, and getting them involved in making decisions shows them that you take their safety, health and well-being seriously. They not only raise concerns but offer solutions too. There can be an impact far beyond safety and health management if the workforce is not engaged in the OSH issues that affect them.

Regularly walking around the workplace, talking to workers and observing how things are done will help identify hazards. Conducting a survey of workers can provide valuable information about work-related health issues such as workplace bullying and stress, as well as muscular aches and pains that can signal potential hazards.


Non-managerial staff should be encouraged to participate in regard to

  • determination of the mechanisms for their consultation and participation;
  • identification of hazards and assessment of risks and opportunities;
  • determination of actions to eliminate hazards and reduce OHS risks;
  • determining competence requirements, training needs, and delivery and evaluation of training;
  • determining what needs to be communicated and how to communicate e.g. the best way to share specific information by considering issues such as language, literacy and learning disabilities;
  • determining control measures and their implementation and use; and
  • incident investigation, non-conformities and determining corrective actions.

To reduce barriers to participation, all staff should be informed and encouraged regarding their opportunities to participate and who their representatives on OHS matters are.

Managers at all levels should operate an ‘open door’ policy and encourage all staff, however junior, to raise both concerns about, and suggestions for improving OHS management systems.

Staff should be empowered, and expected, to intervene whenever they see unsafe behavior.


The employees should be consulted on anything in the workplace that can substantially affect their safety and health including

  • any change which may have a substantial effect on the workforce’s safety and health pertaining to new or revised procedures, types of work, equipment, premises, and ways of working e.g. new shift patterns;
  • OSH consequences of introducing new technology.

Employees and other relevant stakeholders should be consulted in OSH matters including but not limited to

  • establishing and reviewing OSH policy, and objectives and planning to achieve them;
  • determining the needs and expectations of interested parties;
  • assigning the roles, responsibilities and authorities, as applicable;
  • in determining how to fulfill legal requirements and other requirements;
  • determining applicable controls for outsourcing, procurement and contractors;
  • determining what needs to be monitored, measured and evaluated;
  • establishing an audit program;
  • continual improvement;
  • OSH incident investigation, risk assessment and emergency plans; and
  • structure of consultation committees and meetings.

The OSH Manager should provide feedback to explain decisions and respond to issues raised by staff. The appropriate method of responding (in writing or verbal), and the timeline for response, will depend on the nature and circumstances of the issue. The arrangements shall be agreed upon with staff in advance. Contractors and other external stakeholders shall be invited as needed.

Participation and Consultation Methods

There are a number of ways to consult with staff, each having advantages and disadvantages. These include

  • face to face, directly with individuals;
  • indirectly with staff; and
  • with staff representatives.

A range of methods should be used to suit the circumstances, e.g. the various ways to consult with staff face to face include

  • one-to-one discussions – effective if there is an opportunity to talk to staff regularly;
  • regular walkabouts/OSH tours – you get to meet staff face to face, and they get to share ideas and concerns. If management is regularly approachable, staff are more likely to open up about the risks, especially if the issues raised are addressed;
  • OSH as an agenda point on meetings – having OSH as a standing item on the agenda of routine team meetings, where staff views can be fed back, so there is always an opportunity for OSH issues to be picked up;
  • special workforce meetings – these can be best when you need to call the whole workforce together for their views and opinions. This could be in addition to regular team meetings. At large meetings, the exchange of views and ideas might not be as effective as in smaller gatherings where people may feel more comfortable sharing their views;
  • toolbox talks – arrange toolbox talks where you have short talks on specific OSH issues that show the relevance of a topic to particular jobs, for instance, a talk about manual handling for those doing jobs that involve lifting heavy goods. It allows you and your employees to explore the risks and think about ways to deal with them; and
  • working groups – set up work groups to tackle specific OSH issues and explore ways of making a difference. The staff involved in the group should be directly involved with the issues being looked at so they can really contribute to solutions.

There are also indirect ways to involve staff e.g.

  • intranet – convenient to post health and safety information as this can feature news and request the views of all your staff. Keep the information updated and draw attention to new material so people who do not regularly check it will know what is happening in their workplace. If some staff do not have access to the site, the quality and range of views given may be compromised;
  • staff surveys – these can be useful in consulting your workforce, although a lack of trust can undermine surveys and reduce the return rate. Consider the literacy or language skills of the employees to make sure they can answer questions they understand. You can get an external organisation to run the staff survey so your staff feel they can say what they really think;
  • staff suggestion schemes – these can be useful if they are regularly used and acted upon. However, they may not work if staff believe they will not make a difference, or because you and your staff have already developed a good working relationship without the need for a suggestion box; and
  • notice boards and newsletters – they can be useful for sharing information as part of the consultation process, particularly if used together with other methods as this increases the chance of getting your messages across.


Consultation is about seeking views of workers and considering them before making a decision; participation is about joint decision making e.g. joint risk assessment and agreeing on actions, establishing OHS policy and objectives.

Involving workers is a key requirement for the effectiveness of OHS management systems as it enables the organization to make informed decisions.

Those who are involved in day-to-day activities probably know more than anyone else about the risks and therefore can provide insight into potential problems.

Decisions made jointly with these workers are more likely to be effective. However, the organization does not need to involve every worker in every decision and act on every suggestion. Rather, the participation and consultation should be proportionate.

It is up to the organization to decide on the best ways of participation and consultation and on the need for formal mechanisms e.g. OSH committee, focused team meetings, workshops, worker surveys and suggestion schemes.

Once mechanisms have been selected, it is then important that full top management support be given.

A small organization can include all workers in discussions and decision-making; for a larger organization, it can be more effective to consult with workers’ representatives.

The organization should take into account the specific issue being considered when choosing the best way to find out workers’ views and how much time and resources are to be devoted to consultation and participation. The relevant non-managerial workers should be asked directly about the best mechanism to address their concerns.

Competence includes the ability to spot hazards and assess risks as well as having the ability to perform tasks in a way that protects the health and safety of workers. The competence of persons shall typically comprise a mixture of education, training, skills and experience and can be demonstrated in different ways.

Formal education, e.g. a university degree, can be used to demonstrate that employees have acquired part, or all, of the knowledge required to carry out their work, but not necessarily that they are able to apply that knowledge. Other things, such as vocational training, can furnish the ability to apply knowledge and skills.

When the work is carried out by an external provider, additional controls should be placed such as specifying competence requirements in contracts or service level agreements or performing audits of the outsourced activities or functions.

Competence Evaluation Methods

The competency assessment can be as follows

  • reviewing resumes, records of academic qualifications e.g. degrees, and professional qualifications e.g. memberships and certifications;
  • evaluating previous experiences and training;
  • on-the-job observation of skills and techniques; and
  • interviewing i.e. asking questions in regard to the understanding of the relevant work.

When a person does not meet or no longer meets the competence requirements, actions shall be taken which include but are not limited to,

  • mentoring the employee;
  • provision of training and/or supervision;
  • simplifying work so that competence requirements are reduced without compromising the OHS performance;
  • re-assigning the work to someone with the necessary competence.

Professional OH Roles for Specialized Guidance 



Reference (For reading)

First Aider, Emergency Medical Technician
  • First aid treatment (limit to the scope and training level)
  • Ensure the emergency support services are pursued to ensure timely intervention by specialist services such as ambulance services or physician support for a chronic condition
Occupational hygienist
  • Identify, assess and control health hazards in the workplace
  • Advice on how chemical, physical and biological agents affect health
  • Control of health risks by assessing and resolving practical problems
  • Support on the short- and long-term effects on health arising from acute and chronic exposure to hazards
  • Understanding the relationship between people, equipment, design
  • System design to suit the worker
Occupational psychologist
  • Prevention of workplace stress through organizational design
  • Improving work-life balance
Occupational health nurse
  • Health risk assessment, advice on the management of health risks
  • Absence management including capability and workplace adjustments
  • Worker health assessment on fitness for work
  • Health surveillance
  • Health promotion and education
Occupational physician
  • Statutory medical surveillance
  • Medical examination certificates
  • Worker ill health diagnosis
  • Opinion on complicated cases of ill health and worker capability
  • Opinion on ill health retirement cases
  • Advice on OHS policy
  • Organizational health risk management
Occupational health technician
  • Qualified to level 4 certificate or diploma
  • The role includes health screening, health surveillance including respiratory tests, hearing tests, ECGs under supervision of a physician
Occupational physiotherapist
  • Return to work assessments
  • Health education and promotion
  • Workplace assessment
  • Ergonomics and job design
  • Rehabilitation plans
  • Delivery of training on manual handling
  • Musculoskeletal disorders clinical service
  • Talking therapies
  • Enhancing well being
Clinical/counselling psychologist
  • Treatment of workplace stress and mental ill health
  • Emotional problems
  • Mental health issues
  • Coping with bringing about change
  • Improving mental and emotional well being
Occupational therapist
  • Skilled in the analysis of practical consequences of ill health or disability
  • Advise employers on the needs of sick or disabled workers on return to work
  • Help overcome the effects of disability caused by illness, ageing or injury, so that the workers can carry out everyday tasks and occupation

Example Competence Requirements for Third-party OHS Consultant

Academic qualifications

  • BSc. engineering or equivalent
  • NEBOSH international diploma

Professional qualifications

  • graduate member of IOSH
  • IRCA certified lead auditor in ISO 45001:2018
  • registered in OSHAD as lead auditor and grade A practitioner


  • Total # of years ≥ 15
  • Sector-specific ≥ 5


  • communication – effective delivery and presentation;
  • the ability to involve and engage the learners throughout the delivery of the course.


Appropriate communication is key to achieving the necessary level of awareness.

Every worker should be made aware of the OHS management system as to what it is trying to achieve, how it affects them and how their own actions can affect it. This is achieved when workers fully understand their own responsibilities and authority to act, and how their actions contribute to the achievement of OHS objectives and the effectiveness of OHS management systems.

Workers are also made aware of the relevant hazards and related OHS risks that can impact them, including those that might not be related to their individual activities e.g. hazards arising from nearby activities.


The communications should be suitable for the audience in view of language, culture, literacy, and disability. For those working in shifts, remotely or on a part-time basis, the communication needs should be addressed appropriately.

The complexity of the organization should also be considered to make sure that the messages are communicated in an effective way across functions at different levels.

External communication is different from communicating internally and the extent of communication depends on OHS risks faced by interested parties such as

  • contractors;
  • visitors;
  • local community; and
  • emergency services.

Legal requirements including incident reporting should also be considered.

Methods such as onsite induction should be used to raise awareness about relevant hazards and risks, emergency rules and other precautions in addition to the “contracts” that are often used as the only means to communicate OHS performance requirements.

Along with the performance requirements, the consequences of nonconformity should also be communicated e.g. impact of an accident or the possibility of canceling a contract due to poor OHS performance.

Any update regarding OHS during the contractual period should be communicated promptly.

Further, when communicating with external providers, the following should be considered

  • the need to align their OHS policies and processes with those of ourselves and other contractors at the worksite;
  • previous OHS performance e.g. incidents;
  • the presence of other contractors at the worksite;
  • arrangements for the emergency;
  • need for consultation for high-risk tasks;
  • reporting a problem and taking corrective action;
  • process for incident reporting and investigation; and
  • arrangements for day-to-day communications.

Tools such as warning signs, videos or audio messages, and posters can be used for communicating to occasional visitors to the worksite e.g. delivery boys, customers, public.

In deciding what to communicate with such visitors, the following issues should be considered

  • specific OHS processes and practices e.g. wear a hardhat on construction sites, use hearing protection in noisy environments;
  • emergency evacuation arrangement and if there are planned drills during the time of visit; and
  • traffic controls.

Example Communication Matrix

| What to communicate | Frequency | Audience | Responsibility | Method | Associated records | Nature of information |
|---|---|---|---|---|---|---|
| Information relating to commitment by top management in regard to OH&S management system e.g. resources committed, programmes undertaken | As available | All workers | Management representative | Noticeboards, website, official e-mail | Miscellaneous | Public |
| Importance of conforming to the OH&S management system requirements | | All workers | Management representative | Awareness sessions | | |
| Responsibilities and authorities for relevant roles | Initially | All employees | HR manager | Email to management; induction to staff | Procedure and associated records | |
| | Upon revision | All employees | Management representative | Email | | |
| Project specific roles and responsibilities | New project | All concerned employees | Management representative | Email | Project HSE plan | |
| Information pertaining to ‘how workers can raise concerns and make suggestions’ e.g. feedback, complaint | As applicable | Internal and external interested parties | Management representative | Screensavers, website, email to selective external stakeholders | Feedback, the outcome of the complaint | Confidential |
| OHS policy | Initially; upon revision | Internal and external interested parties | Management representative | Noticeboards, conspicuous places e.g. reception, website, official e-mail | Latest approved copy of the policy | Internal |
| General OSH issues | As available | Internal and external interested parties | Management representative | Noticeboards, intranet | | |
| Legal updates | As available | Internal and external interested parties | Management representative | Noticeboards, intranet | | |
| Performance of OSH management system | Quarterly | Sector regulatory authority | Management representative | Online | Form E | |
| | Annually | Top management | | Email | Annual performance report | |
| Information related to the identification of hazards and their related risks | At the time of risk assessment | Those involved in the assessment of risks | Management representative | Official email | | Internal |
| Opportunities that the organization intends to pursue | At the time of assessment of opportunities | Those involved in the assessment of opportunities and development of pursuit plans | Management representative | Official email | | Internal |
| Information pertaining to operational controls | As applicable | All employees | Management representative | Noticeboards, official e-mail | | |
| Changes in the system | As applicable | All employees | Management representative, process owners | Official e-mail | RACI Matrix | Internal |
| Incident notification | Within 24 hours, if fatality | Sector regulatory authority | Management representative | Online (Al-Adaa) | Form G, G1, G2 | Internal |
| | Within 72 hours, for other serious incidents | | | | | |
| Incident investigation and reporting | Within 30 calendar days of the incident | CEO, client, sector regulatory authority, employees | Management representative | Email: CEO, client; Regulatory authority: Al-Adaa; Employees: Notice boards | Form G | Internal/External |
| OH&S objectives and planning | Initially; upon revision | CEO, process owners, relevant staff | Management representative | Noticeboards, awareness sessions, official e-mail | | Internal |
| Training calendar | Start of the year, upon revision | Process owner, relevant persons | Management representative | E-mail | Training calendar | Internal |
| Review meeting invitation and minutes | Within 3 working days of the meeting | Meeting participants, and others, as decided | Management representative | Email | Notification, meeting minutes | Confidential |
| Non-conformance | Within 05 working days of the last day of the onsite audit | CEO, Management representative, Auditees | Internal auditor | Email | Non-conformance report | Confidential |
| Third-party audit | Immediately, upon receipt | CEO, Auditees | Management representative | Email | Third-party audit report | Confidential |
| | Annually | Sector regulatory authority | Management representative | Online | Third-party audit report using Form F | Confidential |
Requirement outlined in

  • permits, licenses, no objection certificates
  • OSH plans and studies

The Extent of Documented Information

The extent of documented information is dependent upon various factors related to the organization’s context, such as its size, activities e.g., number of projects, geographical spread, types of products and services including relevant regulations, the complexity of processes, human resources including their competencies and languages spoken, and the potential impact on the business in the event of non-conformities.

The general guideline is that process owners should assess their own requirements by employing risk-based thinking and reviewing various forms of information including procedures, work instructions, information and communication systems, drawings, specifications, visual aids, progress reports, key performance indicators (KPIs), meeting minutes, representative samples, and verbal conversations.

Apart from the documented information mandated by the standard, other types of information may be necessary to effectively control the organizational processes, such as websites, computer software, apps, work instructions, manuals, forms, guides, regulations, and standards, to govern business operations.

For instance, a small bakery would require simpler and less extensive documented information compared to an automotive parts manufacturer that caters to highly specific customer requirements.

Control of Documented Information

The term “maintain documented information” refers to the periodic review and revision of information to ensure that it is up-to-date.

The term “retain documented information” signifies safeguarding it against any degradation or unauthorized alterations unless agreed-upon corrections are made.

Creating and Updating

The objective of this subclause is to ensure appropriate identification, format, media, review, and approval of documented information.
Documented information should include clear identification and description. Various methods can be employed for this purpose, such as utilizing titles, dates, authors, or document reference numbers (a combination of two or more of these can be used). The information can be presented in any medium, whether it is hard copy, electronic, or a combination of both.
Special consideration should be given when utilizing software, as not all users may have access to the same version. In certain cases, documentation may need to be provided in multiple languages due to cultural diversity. Proper authorization and defined methods are necessary for the review and approval of documented information, which may include login and password protocols.

Availability and Protection of Documented Information

Once the decision is made regarding the documented information, it should be made available at relevant points within the organization. Controlling documented information involves managing the media it is stored in, its distribution, availability, and protection against potential risks, such as data loss, confidentiality breaches, improper use, and unintended changes. Several approaches can be adopted for this purpose, including electronic systems with read-only access and specified permissions, password protection, or identification (ID) entry. The level of control may vary, with increased access restrictions for external parties. It is important to address information security issues and consider data backup measures.

Distribution, Access, Retrieval and Use, Storage and Preservation, Control of Changes, Retention, and Disposition

Different methods can be employed to control the distribution of documented information. Once a system for distribution and access is established, the organization should consider how the documented information will be stored, maintained, and disposed of. As the quality management system improves and matures over time, the documented information should become more streamlined and concise.
Provisions should be made for the maintenance, storage, and retrieval of historically documented information that may be required for subsequent use. Version control should also be implemented to ensure that only the most current documented information is used. The storage of obsolete information can be important, especially when it pertains to historical data needed for complaint investigations or organizational knowledge management purposes. The documented information should be stored in an appropriate medium to ensure its preservation and legibility.
The retention time for documented information should be determined based on legal requirements, contractual obligations, or the organization’s own needs, taking into account the lifespan of its products and services. When disposing of obsolete and unnecessary documented information, the organization should carefully manage sensitive data, such as personal or confidential information, to ensure proper control during the disposal process.
Documented information of external origin, such as drawings, sampling plans, standards, test methods, or calibration reports from customers or external providers, should be identified and controlled in line with other documented information.

Examples of Documented Information

Documented information related to occupational health includes

  • policies and processes addressing specific issues
  • evidence of risk and opportunity assessments
  • details of workers in occupational health and safety (OSH) roles
  • evidence of OSH competence
  • records of health surveillance, including check-ups, screening results, and workplace exposure
  • referrals to occupational health professional services
  • licenses and authorizations, such as those for radiation sources
  • information pertaining to trends, patterns, and clusters of ill health

The extent of documentation depends on the risks involved, the nature of the work, and the complexity of the organization. However, it is important to note that extensive paperwork alone does not contribute to effective OSH management. Instead, the documentation should be driven by what is necessary for effective OSH management.
The format of documented information can vary e.g. Excel spreadsheets, text messages on mobile phones, photographs, traditional logbooks, work instructions, or online instructional videos.
Maintaining documented information entails keeping it up to date through regular review and revision. Retaining documented information means ensuring its safety, such as using login and password protection when working electronically to prevent unauthorized changes.
When necessary, documented information should include clear descriptions and be easily identifiable, such as providing a title like “site rules” on a poster.
In terms of controlling documented information, it should be accessible to relevant workers across all functions and levels within the organization, as well as relevant external stakeholders. The same documented information can be presented in different formats for different users, but controls should be in place to ensure it is used as intended. For example, data should not be altered without permission, and confidentiality should be maintained for sensitive information.

The process for the management of contractors is as follows

Establishment of Project OSH Requirements

The tender and specification documents include the following OSH requirements:

  • A detailed and clear scope of work
  • A list of known key OSH hazards and risks associated with the project
  • Minimum OSH requirements regarding OSH resources
  1. legal compliance
  2. risk management
  3. OSH performance monitoring
  4. incident reporting
  5. OSH training and competency
  6. communication and consultation
  7. OSH inspection and auditing
  8. non-compliance and enforcement procedures

Contractor Evaluation for Selection

The management, preferably the OSH committee, should evaluate the documented information provided by contractors during the shortlisting process. The assessment should take into account the complexity of the scope of work and the level of risks involved. Preference should be given to contractors with an approved OSH management system, unless the scope or complexity of the project does not warrant a full OSH management system.

Contractual Agreement
The contract should include the following

  • OSH resources;
  • clearly defined and communicated OSH roles, responsibilities, and accountabilities for all stakeholders;
  • breakdown of work to be performed under the contract;
  • sufficiently detailed description of the complexity of the work, potential hazards, and level of risks involved in the work;
  • mechanisms or penalties for managing ongoing non-conformance to OSH requirements;
  • relevant project OSH documentation, such as site induction requirements, site safety plan, policies and procedures, permit systems; and
  • other OSH-related requirements, as necessary.

Coordination and Communication
Coordination is needed in regard to

  • planning of work activities and tasks between contractors
  • risk assessment of work activities and tasks
  • consultation and participation e.g. OSH committee meeting
  • employee welfare and transportation activities

Communication includes hazard alerts, site safety alerts, and notification, investigation and reporting of an incident.

Mobilization and Work in Progress
Reasonable measures should be taken to ensure

  • contractors perform work activities safely for employees and the community;
  • contractors apply OSH systems/practices suitable for the work being carried out; and
  • all employees of contractors and visitors undergo an OSH induction process.

Monitoring Performance 
This can include

  • OSH key performance indicators
  • regular site inspections
  • compliance audits of OSH management systems
  • incident reports
  • third-party audit reports
  • handling complaints

Meetings are held with contractors as necessary, and control measures and corrective actions are advised when appropriate.

Regarding commissioning

  • competent personnel should be assigned to perform commissioning activities
  • full written operating instructions should be provided for all commissioning activities; and
  • a logical progression of steps necessary to verify the functionality and fitness for the purpose of the installed plant should be documented.

Procedures address various aspects, including permit to work, isolation (lock-out/tag-out) procedures, restrictive access, operator training and competency, system configuration check, vessel and instrumentation calibration, start-up protocol, shut-down protocol, chemical trials, and handover.


OSH requirements should be ensured throughout all demobilization/decommissioning activities, including transportation of plant, equipment, materials, and waste, as well as the disassembly, removal, and site cleanup of any assembled offices, buildings, or facilities.

The following actions should be taken

  • a demolition/decommissioning plan developed and approved by the Regulatory Authority before commencing work;
  • equipment and materials demobilized in accordance with applicable transportation, waste disposal, and safety laws; and
  • upon completion of the work, all access areas restored to their original condition.

Contract Close-Out
The process at the completion of the contract should include clear provision for, and identification of, how control of the site where “Construction Work” has occurred is handed over.

Risk management is a process for analyzing risk and deciding on the most appropriate control measures to manage it. Although all reasonably practicable efforts to reduce risk may have been taken, there will normally be some residual risk. It is this residual risk that may lead to emergencies. Anticipated emergency scenarios should therefore be identified during the process of risk assessment.
Emergency management involves the process of containing and controlling incidents to minimize the effects and to limit the danger to persons and property. An emergency management program consists of a number of specific response plans.

Identification of Potential Emergency Scenarios

During the identification of scenarios, the following information should be considered

  • legal requirements;
  • the results of risk assessment;
  • previous incidents; and
  • emergencies that have occurred elsewhere in similar industries.

The following situations should be considered when identifying scenarios

  • normal operations; and
  • nonroutine conditions e.g. start-up and shut-down activities, maintenance, construction and demolition.

The emergency scenarios may include

  • incidents that can lead to serious injuries/fatalities or ill health;
  • explosion/fire;
  • release of hazardous materials or gases;
  • natural disaster e.g. storm, flood, earthquake;
  • bomb threat/terrorism/unrest;
  • pandemic of communicable or infectious disease;
  • communications failure; and
  • radiological accident/biological agent release.

Emergency Classification
To ensure emergencies are managed in a manner appropriate to the risk posed by each emergency, each emergency can be evaluated using the tiers below

  • Tier 1 – Events are typically of localized significance and can be handled using resources immediately available within own organization;
  • Tier 2 – Events are typically of significance requiring the involvement of specialized emergency services; and
  • Tier 3 – Events are typically of significance at the national level and may require access to national/international resources and emergency response services.

Emergency Response Personnel

During an emergency, emergency response personnel should be identifiable by the use of a colored vest e.g.

  • in-house first aiders identifiable by a white cross/crescent on a green background; and
  • prominently marked with the wearer’s emergency response role.

The type of identification used for each designation should be consistent throughout the facility.
Various roles in the emergency management team and emergency support team can include incident commander, liaison officer, safety manager, management representative, planning chief, operations chief, logistics chief, fire wardens, firefighters and first aiders.

Emergency Operations Center (EOC)

To enhance coordination and communication during emergencies, an area referred to as Emergency Operations Centre (EOC) can be assigned where decision makers gather during an emergency and which would serve as the main communication link between the on-scene team, the line managers, incident support teams, and with local emergency services, where required.
EOC should be equipped with

  • space and seating large enough to accommodate the emergency management team which includes an incident commander, liaison officer, safety manager, operations chief, logistics chief, planning chief, board keeper, and log keeper;
  • required equipment and supplies including uninterrupted power supply, communication devices to receive and transmit voice and data, computers for information management, intranet and internet access to useful relevant data, information management forms (e.g. sign-in/sign-out, initial incident facts, situation report, and log sheet), situation displays/boards (to report/present incident facts, maps/charts/diagrams, problems, proposed solutions, tasks, etc.).
  • required reference documentation including contact directories of all concerned parties, ready access and scenario-specific call plans, controlled issues of linked emergency response plans (internal or external) that shall be consulted/relied on, mutual aid plans/agreements, relevant manuals/guides, relevant maps/charts/diagrams;
  • equipment inventories: (i) own, (ii) contract; (iii) mutual aid; (iv) other; and
  • relevant safety data sheets in case of handling hazardous materials.

Emergency Response Plan

Emergency response plans (ERPs) are documents that are produced and maintained for immediate implementation to safeguard people and property from foreseeable emergency scenarios.
Specific emergency response plans (ERPs) for all identified emergency scenarios as per section 5.2 of this document should be developed.

Communication and Reporting

This includes

  • dissemination of relevant information e.g. contact numbers, evacuation maps;
  • notifications of potential and actual emergencies;
  • activation of the emergency response plan;
  • notification of incidents and reporting the outcomes of their investigation;
  • any required communications with the media.

Periodic Testing of Emergency Response Plans

Mock drills for all ERPs should be scheduled and tested at least annually for credible scenarios, such as the closure of emergency escape routes, persons requiring special assistance during an emergency, and loss of power.
External stakeholders such as civil defense and police should also be invited and involved, as needed.

Review and Update of Emergency Response Plans

Following each exercise, test or drill

  • performance should be reviewed and documented; and
  • the plan revised as necessary to resolve deficiencies noted in the review.
  • otherwise, ERPs are reviewed at least annually, or whenever significant operational changes or conditions in line with procedure for workplace ‘change management’ necessitate additional review.

When the plan is reviewed and revised

  • all affected persons should be informed of significant changes in duties, actions and obligations under the ERP; and
  • all controlled copyholders of the ERP receive the latest one.

Terms and Definitions

An ‘audit’ is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which requirements are fulfilled and to identify opportunities for improvement.

To ensure an independent audit, those carrying out internal audits must be free from all kinds of interests including responsibility for the area being audited i.e. the auditors cannot audit their own work.

Audit criteria: This can include ISO 45001:2018, OSHAD-SF V 3.1 and requirements specified by the sector regulatory authority and other competent authorities.

Scope of the audit: Scope means ‘boundaries of the audit’ e.g. locations, products and services, functions (within the department) etc. The scope is defined and documented in the audit plan, and communicated to the auditee so that they can prepare well.

Audit objectives can include

  • legal compliance;
  • determining the extent to which OHS management systems conform to the audit criteria;
  • ascertaining the efficiency and effectiveness of the OHS systems;
  • identifying the strengths, weaknesses, threats and opportunities;
  • making recommendations for improvement e.g. best practices; and
  • any other, as specified by the management.

Audit methodology: objective evidence of conformity must be factual and obtained through

  • review of documents and information;
  • interviewing selected staff;
  • discussion with the process owners;
  • witnessing a test;
  • onsite observation of work practices, facilities and equipment.

A ‘finding’ is a summary of audit evidence and can be

  • conformity or non-conformity with reference to the audit criteria; or
  • opportunity for improvement.

A ‘non-conformity’ is an instance where evidence does not fully comply with requirements.

A minor non-conformity is a single instance or set of single instances that shows a requirement has not been met.

A ‘major non-conformity’ is

  • when there is a total breakdown of a system to meet the requirements e.g. the system does not exist or is not implemented;
  • where there is a large number of related minor non-conformities; such non-conformities may collectively be classed as a single major non-conformity;
  • when there is a non-conformance that has a high business impact;
  • when it relates to legal compliance;
  • when a minor non-conformity is not resolved within the agreed timeframe it becomes a major non-conformity.

Audit frequency: once a year; however, audits are recommended to be conducted quarterly or more frequently where warranted, e.g. by data showing a declining performance trend such as an increase in incident rate or an increase in complaints.

The Audit Process

The internal audit shall be carried out according to the audit methodology. During the opening meeting, the lead auditor explains the approach to be used during the audit, audit objectives, methods, and the importance of the audit.

The focus is on compliance as well as the adequacy of the systems. In addition, the audit focuses on assessing the system performance over a longer period to help process owners and the CEO with better understanding and decision-making.

During the audit, the auditors may seek advice from the lead auditors to discuss an audit situation.

Upon completion of the audit, all internal auditors submit their findings to the lead auditor. The lead auditor will then review and consolidate all findings to ensure that the audit report is complete, clear, and based on traceable objective evidence.

ISO 45001:2018, Internal Audit Checklist

ISO 45001:2018, Sample Internal Audit Report

Planning the Inspection

The inspection plan should be developed using a risk-based approach and considering all the activities undertaken. The frequency of the inspection should be decided by reviewing the output of the OHSMS. It is recommended that all areas are inspected twice a year, and high-risk activities on a monthly basis.

Each inspection should be planned by including the following information

  • objectives of the inspection;
  • scope of inspection;
  • criteria for inspection (checklist unless otherwise stated);
  • assigned inspection team;
  • date and time of inspection;
  • method for the collection and verification of information;
  • timeline for the reporting of inspection results;
  • the process for non-conformance and corrective action; and
  • record-keeping.

The inspection team should make sure that the inspection checklist is reviewed and updated, as necessary.

Reporting the Inspection

The inspection report should include the completed checklist, a description and location of all the identified hazards, and recommendations for eliminating or controlling the hazards. The report should be submitted to the management representative and subsequently forwarded to the concerned process owner for

  • root cause analysis;
  • determination of corrective actions; and
  • their effective implementation.

Monitoring the Inspection Program 

The implementation of the inspection program should be monitored to ensure it is meeting the objectives and to identify any areas for improvement. When undertaking the review, the following is considered

  • feedback by auditees, inspectors and other relevant stakeholders; and
  • outputs from the inspections.

Follow Up

The management representative should follow up on the effective implementation of the corrective actions.

Example Site Inspection Checklist


The investigation team can include

  • the first-line supervisor (foreman, supervisor or manager);
  • a representative from the area;
  • the shift supervisor;
  • the injured party, if available;
  • OHS specialist, as applicable (subject to severity);
  • the relevant manager (subject to severity); and
  • other senior managers (subject to severity).

The table below can be used as a checklist for notification and invitation to participate in the investigation.

Notification Investigation
General manager yes
Site manager yes yes
Shift supervisor yes yes
Department manager yes yes
Process safety coordinator yes yes
Environmental advisor yes
Employee from area yes
Team leader/line supervisor yes yes
OHS manager yes yes
Engineering services manager yes If needed
Human services manager yes If needed

Classification of OSH Incidents

The types of OSH incidents to be recorded, notified and/or reported are listed below

  • lost time injury: fatality, permanent total disability, permanent partial disability, and lost workday case;
  • serious injury;
  • serious occupational illness/disease;
  • serious dangerous occurrence;
  • restricted work case;
  • medical treatment case;
  • first aid injury;
  • equipment/property damage; and
  • near miss.

Regardless of the classification, all incidents should be recorded and investigated internally.

Serious OSH Incident Notification and Reporting 

The concerned sector regulatory authority is notified using Form G as follows

  • within 24 hours of an incident occurring at a workplace that results in a fatality;
  • within 3 working days from the date of an incident occurring at a workplace which results in the following types of serious incidents:
    1. serious dangerous occurrence (Schedule A);
    2. serious injury (Schedule B); and
    3. receipt of a written diagnosis or other knowledge of the occurrence of a serious occupational illness or disease arising out of and in the course of work (Schedule C);
  • OSH injuries/illnesses should be notified to the concerned sector regulatory authority based on the immediate judgment of their severity, where a medical report is not available at the time of notification;
  • the actual severity and consequences of the notified injury/illness, once established based on investigation and diagnosis by a licensed health care professional (supported by a medical report), are reported in the incident investigation report using Form G1 and in the quarterly performance report using Form E/E2 to the sector regulatory authority; and
  • incident escalation, where applicable, is important for the necessary update of records and for initiating the reporting process.

Note 1: If an LWDC transforms into a fatality or permanent total/partial disability, it will no longer be considered an LWDC. Incident severity statistics and KPIs are updated accordingly for the severity of the injury and the number of lost workdays. Such escalation applies to all types of incidents.

Note 2: Principal contractor shall notify, investigate and report relevant OSH incidents to the Building and Construction Sector.

At a workplace where “construction work” is being undertaken and there is a principal contractor assigned, the following OSH performance and incident reporting hierarchies apply:

  • all OSH incidents at the workplace to be notified to the principal contractor;
  • if a sub-contractor is involved in an OSH incident and they do have an approved OSH MS, they are responsible for notifying, investigating and reporting the incident to the concerned sector regulatory authority; and
  • if a sub-contractor is involved in an OSH incident and they are not nominated, the principal contractor is responsible for notifying, investigating and reporting the incident to the concerned

OSH Incidents With Multiple Consequences

  • a single OSH incident may result in multiple consequences;
  • where the consequences are multiple injuries, injury details for each person are completed as part of the incident;
  • Forms E, E1 and E2 are used to collate multiple consequences of a single incident; this is to correctly account for the number of injuries and incidents while calculating injury rates/frequencies.

Internal Investigation Team

The investigation team should be competent in the techniques employed in the investigation. Additional technical expertise, e.g. third-party services of professional investigators, may be employed where required due to the severity and complexity of the investigation in order to find the correct root causes.

Preserving Incident Site and Evidence

If a notified incident is deemed to require the intervention of police or any other authority, the site where the incident has occurred should be preserved and not disturbed until the relevant authorities arrive on site.

OSH Incident Investigation Process and Investigation Report

All work-related incidents including near misses and dangerous occurrences should be investigated. The focus of the investigation should be on identifying root causes and on determining and implementing corrective actions to prevent future incidents, not on assigning blame for the incident.

Investigation of all incidents is initiated as soon as practicable while making sure that

  • the level of investigation is proportional to the magnitude of the occurrence; and
  • methods, processes and techniques utilized are sufficient to identify the root causes.

The outcomes, if any, from police, judiciary and relevant medical reports are considered. Incident investigation information is analyzed and evaluated to identify common trends, reoccurring incidents and common incident contributors.

The investigation report includes the following information, at a minimum

  • type of OSH incident;
  • location and details of the injured person e.g. gender, occupation, experience, training, etc;
  • details of the incident;
  • the person(s) responsible for the investigation, their authority and competency requirements;
  • evidence collected e.g. arrangements and location for witness interviews, the statements of the interviewees, photographs of the scene, OSH management system documents;
  • actual consequences e.g. people, assets, reputation and potential consequences of the incident;
  • causes of the incident: surface causes, underlying causes and root causes;
  • recommendations on corrective actions for preventing the recurrence of a similar incident; and
  • lessons learned.

Completed investigation reports should be reviewed and accepted by the ‘management representative’ or a person with formal delegated authority.

Reporting Serious OSH Incident Investigations

  • the investigation report for serious OSH incidents should be completed and submitted to the top management, client, concerned sector regulatory authority and other relevant stakeholders within 30 calendar days of the date of the incident as an attachment to the completed Form;
  • corrective action plans are submitted as part of the completed investigation report, as well;
  • investigation reports are updated and reported as soon as relevant information becomes available.


  • ISO 45001:2018, clause 10.2;
  • OSHAD-SF, Element 7, sections 3.2 and 3.4;
  • OSHAD-SF, Mechanism 11, OSH incident notification, investigation and reporting; and
  • BS 45002-3:2018.
