83: SMS Pt 4 – What Does ISO 45001 Require?

ISO 45001

According to ISO, the purpose of a safety management system is to provide a framework for managing safety and health risks and opportunities. Of course, this means preventing workplace accidents, injuries, and illnesses by recognizing and eliminating or managing risks by taking preventative and protective measures.

The structure of ISO 45001 will tell you everything you need to know about how effective safety management systems are set up. Let’s take a look at this SMS at a high level, then get into each element.

There are ten areas of focus found in ISO 45001:

  1. Scope
  2. References
  3. Definitions
  4. Context of the Organization
  5. Leadership and Worker Participation
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

I will not get into all of these in great detail but will touch on most to get an understanding of what is needed when considering ISO 45001 for your organization. Let’s just skip to number four since I think you get the scope of why ISO 45001 was created if you listened to the past several episodes.

Context of the organization

You first need to understand your organization, its context, needs, and expectations of the workers. One must also understand what ISO calls “other interested parties,” like vendors, suppliers, contractors, and even customers.

The scope is everything around why the company is in business and how the company makes or provides the products or services it offers. In the case of manufacturing, what machines and processes are involved? What chemicals, tools, materials are needed? What trades or special skills are required of workers? What planned or performed work-related activities will be required? The same goes for construction, mining, hospitality, retail, or food industries.

Some expectations you will need to identify are going to be legal ones – compliance with laws and regulations. Other expectations will be industry or corporate-driven, such as the case with best practices or compliance with voluntary guidelines, like ISO or ANSI or VPP.

All of this will help you determine the scope of the safety management system. So you have to establish, implement, maintain, and continually improve a safety management system. This includes the processes needed and their interactions – and ISO lays those out in 45001.

Leadership and Worker Participation

This section addresses two of the foundational elements of any safety management system: the leaders and the workers. This relationship is absolutely critical to the success of everything the business does, including safety and health. As for leadership, they need to be committed to the safety management system. Here are some things required to achieve this:

  • Leadership must accept overall accountability for the prevention of workplace injuries and illnesses, as well as establishing a safe work environment and work-related activities.
  • They must ensure that the overall safety and health policy and related goals and objectives are established and compatible with the strategic direction of the company.
  • Leadership must also make sure to integrate the safety management system elements into the rest of the business processes.
  • Leaders must make sure that adequate resources needed to establish, implement, and maintain the safety management system are provided at all times. This includes qualified personnel to contribute to SMS effectiveness.
  • Top leadership must also communicate the importance of effective safety management and compliance with all of the requirements the company has set forth.
  • Ensure the SMS achieves desired outcomes by promoting a continuous process improvement approach.
  • Supporting other management roles so that they may also ensure SMS success.
  • Develop and lead a culture that supports the intended outcomes of the SMS. This means protecting workers from retaliation when reporting hazards, concerns, suggestions, or even just participating in workplace safety activities. Also, by making sure workers are included in the decision-making process when it comes to safety and health. One way to do this is to establish a safety and health committee. NOTE: ISO 45001 does require a committee.

Safety and Health Policy

So when I mentioned that leadership needs to establish a safety and health policy, what are some requirements for this policy? Here is what ISO says the policy must do, at a minimum:

  • It must include a commitment to provide safe and healthy working conditions for the prevention of work-related injury and illnesses.
  • The policy must set up a framework for establishing safety and health goals and objectives. These must be specific to expected hazards or work activities and measured appropriately. Goals must be achievable and relevant to safety and health program elements and set at least annually.
  • It has to include a written commitment to meeting basic legal and other requirements as discussed, eliminating or reducing/managing risks, and continuous process improvement of the management system.

Another written commitment needed is the participation of workers and their representatives.

So here we see leadership commitment moving from theory to putting it on paper. This written policy has to be communicated and available to all employees, as well.

Roles and Responsibilities

To carry out all of the business commitments, the company needs to staff appropriately. As such, every employee has a purpose in the organization which needs to be defined. This includes safety and health. Here is where we need well-written job descriptions and roles and responsibilities.

Roles and responsibilities are critical because every worker, regardless of their position, needs to know what is expected of them when they start work. This is the first impression they get when they join. These expectations need to be measurable or observable. So we want to avoid the high-level language like “support safety efforts,” and “demonstrate leadership.” We need to define these with actions, spell them out, and communicate them. Download an example of safety and health roles and responsibilities here.

I routinely see companies struggle with middle managers not being “committed,” yet when they were hired, none of this was covered with them. When you tell a group of supervisors to “support” safety without defining it, they will come up with their own version. You see now how this all works together? This is what we mean when we say it requires a systems approach.

Worker Participation (Involvement)

When we say worker participation or employee involvement, it has to be meaningful involvement. As mentioned earlier, workers need to be involved in the decision-making process when it comes to safety and health. You cannot say they report hazards; that is a mandate, a condition of employment. Also, OSHA already requires employees to report hazards to the employer. We are talking about involvement in the development of programs, policies, defenses, and improvements moving forward.

Some examples include:

  • Serving on a safety committee
  • Volunteering as a first aid provider
  • Participating in area inspections and/or program audits
  • Establishing an incentive program
  • Serving on a select team – like ergo, wellness, etc.
  • Participating in training programs
  • Managing a suggestion program
  • Participating in continuous process improvement activities
  • Conducting incident investigations

Planning

Once you have the scope of the organization and all interested parties, and begin to size up the safety management system, you have to plan for it. This means accounting for all of the hazards, risks, opportunities, and even legal requirements to ensure the SMS is comprehensive and will achieve its intended goals.

This has to be documented, including the process and actions needed to address identified risks and opportunities. So, let’s get into what activities support planning for SMS success.

Hazard Identification

You have to create and maintain a process for hazard identification – this has to be proactive and continuous. Some areas you will need to focus on include:

  • How the organization plans and organizes work. Things like workload and shifts, and also discrimination and harassment policies or leadership practices that drive culture.
  • Assessing routine and non-routine work. This could be work involving facilities, equipment, tools, processes, products/services offered, assembly operations, construction, disposal, etc.
  • A review of past incidents needs to be a big part of hazard identification. This not only includes incidents inside the organization but also outside. Things like local/regional disasters, events created by nearby companies, emergencies, etc.
  • You will need to include an assessment of personnel and outside persons: those that have access to the company and property, and also those in the vicinity, like municipal workers, utilities, neighbors, etc., that could impact the business and also be affected by operations.
  • Some other issues to consider for hazard identification include workstation design, layout, operating procedures, adaptability to change, and support for these activities.
  • Management of change needs to be considered, as well. In other words, how is the company prepared to support the changes required? How will changes impact safety and health? Is the company set up to manage those?

Another aspect of hazard identification is whether or not there are adequate controls in place or needed. You will need to use a recognized and accepted approach to assessing and determining the level of risk so that appropriate controls can be determined. Hierarchy of controls, for example.

You also want to have a process in place to continually assess work, work areas, processes for improvements, and improvements to the safety management system in general. Things like looking at software solutions to help manage aspects of the system or new equipment to mitigate or manage specific hazards. Continuous improvement is the goal here. But you cannot just say it; you need a process in place to ensure that it is being done.

Finally, you need to have access to the latest regulatory information, whether that be Federal, State, or local. This includes professionals that specialize in this, like Safety Pros. The company needs to be able to demonstrate that it took these legal aspects into account when designing work, processes, etc. This, too, can be included in a documented hazard assessment process. All of this info needs to be included in everything from the written safety programs, policies, response plans, and more.

Safety and Health Objectives

The business needs to create safety and health goals and objectives relevant to the different functions of the business and levels of the company. These will need to be consistent with the established safety and health policy, also be measurable, communicated, updated, and monitored as required. You will need to document things such as:

  1. what needs to be done
  2. what resources are required
  3. who will be responsible for what parts
  4. a realistic timeframe
  5. how you will ensure the results achieve the objectives
  6. how results will be scaled across the business

Support for Safety

I mentioned already the need to provide Safety Pros and others trained and qualified to carry out aspects of the SMS. This is but one way to show support for safety. The company must demonstrate employees are competent to comply with and act on behalf of the SMS. This competence can be documented in different ways. Everything from specific training and qualifications to establishing a comprehensive on-the-job training program with evaluations and refresher requirements.

At a minimum, workers must be aware of the SMS policies, objectives, and how their participation leads to its success. You also need to ensure they understand the consequences of not meeting SMS requirements.

Another part of increasing awareness of safety includes communicating the results of learnings from incident investigations – including newly discovered risks or hazards and how the company is managing them. And of course, a clearly communicated stop work policy must be a part of ANY safety and health policy. Employees must be aware of what to do when faced with a hazard or risk that was not previously identified and managed. Don’t forget to add the anti-harassment protections they have as well. Very important!


I have mentioned the word “communicate” many times already, so let’s talk about that as a strategic part of the SMS. You need to have a communication process established. That is, when and how often does the company disseminate information? What will you communicate? What channels of communication will the company use? You also need to take into account diversity when communicating. Things like language barriers, literacy in general, culture, and even disability as is the case with the spoken word and the hearing impaired or written communications and visually impaired.

There are also internal communications as well as external; how does the organization handle these?


The organization must keep all documentation required by applicable laws and regulations as well as those needed for the SMS, as discussed. But some basic things that ISO requires are as follows:

  • Documents need to contain a title, description, date, author or reference number
  • Need to follow a standard format, like language, software version, etc. and media like paper, electronic, etc.
  • Establish a review and approval process for suitability, adequacy and any changes made

You also have to have controls in place for SMS documents. Are they available for use when needed and by those needing them? Are they protected from being altered, or are sensitive documents protected from unauthorized dissemination? So, establish a written policy spelling out process around the request, access, retrieval, distribution, and use of specific documents, even ones that would normally be considered “public use,” like safety data sheets. Also, describe how the organization will store, preserve, and even destroy documents as well as handle changes needed.


Operation

This section covers operational planning and control, eliminating hazards and reducing risks, management of change, procurement, and emergency preparedness and response. So those written programs, policies, and procedures are going to be needed here. Some of these are obvious, but one I want to focus on is the management of change (MOC).

Your organization has to establish a process (or set of processes) for planned temporary and permanent changes that will affect the SMS. Examples include new products/services, process changes, tools, equipment, workstation, facility layout, new additions to buildings/structures, changes to general work environments, and even workforce changes.

Other changes needing to be addressed are those stemming from other changes. For example, a change in processes may require legal changes, like permitting. Also, the need for more expertise or specialists you do not currently have on staff. And you will need to review any unintended changes as well.

Performance Evaluation

This includes inspections, audits, and analysis of results. These are needed to ensure the SMS is not only achieving its intended objectives but also that those charged with specific activities are fulfilling them as well. You will need to define what needs to be monitored and measured, the methods that will be used, the criteria against which you will be evaluated, when and how often, and how to communicate the results. This means you will need to establish and maintain a documented audit program.

Furthermore, top management has to review the organization’s safety management system at planned intervals to make sure that it is still adequate and is sustainable. All of the things Safety Pros will be doing, organizational leadership needs to do as well. They cannot just pass it off because they have professionals on staff. I talked about this in a previous episode – assigning key elements of the SMS to others to get them involved. It is a great approach and meets ISO expectations.


Improvement

Finally, the organization has to continuously look for opportunities to improve the SMS and implement needed actions to support any improvements. The first place most of us start is with corrective actions stemming from incident investigations. All recommendations have to be supported by the company. This also serves as evidence of leadership commitment.

Final Thoughts

As I have mentioned, continuous improvement is a foundational element of any SMS. A lot of what I talked about here focuses first on documenting why and how everything related to SMS will be carried out. In the end, this is a continuous process and cannot merely be created once on paper and forgotten. It is not the traditional written safety program approach. ISO 45001 requires proper documentation, yes, but more importantly, you have to act on what is spelled out in your SMS. That SMS must first start with the scope and context of your unique organization.

The past several episodes discussing SMS, and all of the things that go into it, cannot be overlooked. Things like systems thinking, continuous process improvement, root cause analysis, human organizational performance – the mindset and approaches needed to design, implement, and support SMS components. Do not jump straight to writing manuals and policies simply to satisfy a regulating body.
