ISO 45001:2018, the Occupational Health and Safety Management System standard was published in early March 2018. This is the eighteenth in a series of blogs, in which we describe what the implementing company must do in order to meet the requirement of the standard. We will now look at clause 7.5: Documented information.
ISO 45001:2018 – Clause 7.5: Documented Information
Clause 7.5.1: General
It is important for top management to ensure that the OHSMS processes are carried out as planned and the desired results are achieved. Capturing key pieces of information in documented form can assist in this effort. Documenting how the system works helps personnel responsible for its implementation understand what they need to do and how to do it. Where a number of people are performing a process, documenting the steps can ensure consistency in the results. Documenting decisions made, OHSMS activities performed and the resulting outcomes provides evidence to demonstrate conformity to requirements and the effective implementation of the OH&S management system.
Mandatory documents include the documented information required by ISO 45001 and additional information identified by the organisation as necessary for the effective operation of its OH&S management system.
The extent of documented information for an OH&S management system can differ from one organisation to another due to:
- The size of the organisation and the type of activities, processes, products or services it is engaged in;
- The need to demonstrate fulfilment of legal and other requirements;
- The complexity of the organisation’s processes and how they interact;
- The competence of workers.
ISO 45001 has moved from prescriptive requirements for specific ‘documents’ and ‘records’ towards the more inclusive term ‘documented information’. This allows the organisation to customise its occupational health and safety documentation to better reflect its particular circumstances. There are now basically two types of documented information; “living” documents that describe how things are done within the OHSMS, and “static” records that reflect results of some activity at a particular point in time. Whether in electronic or paper format, the correct and current versions of living documents, be they procedures, work instructions, process maps, plans or programmes, need to be available to those who use them. This requires the organisation to have a process to create these documents and control their revision. Records of results need to be created, reviewed, and retained for a period of time.
The organisation should attempt to keep the complexity of the documented information at the minimum level necessary to ensure contemporaneous effectiveness, efficiency and simplicity. It should be noted that an Occupational Health and Safety Manual is no longer required by ISO 45001, but most organisations are likely to persevere with it as an integral part of their OH&S management system
Clause 7.5.2: Creating and Updating
When creating and updating documented information, the organisation must ensure appropriate:
- Identification and description (e.g. a title, date, author or reference number);
- Format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
- Review and approval for suitability, adequacy and effectiveness.
Clause 7.5.3: Control of Documented Information
The organisation is required to control documented information in order to ensure that it is available where needed and that it is suitable for use. It must also be adequately protected against improper use, loss of integrity and loss of confidentiality.
With reference to documented information the organisation must make decisions on its:
- Distribution, access, retrieval and use;
- Storage and preservation;
- Control of any changes;
- Retention and disposal.
The organisation is also required to identify any documented information of external origin that is considered essential for the planning and operation of its OH&S management system and ensure that it is controlled.
All of the controls described are primarily aimed at preventing unintended use of obsolete documented information.