Governance, Risk and Compliance Blog

Emily Hill

Recent Posts

Qualsys supports the Children's Hospital Charity snowflake display

Posted by Emily Hill on Thu, Oct 26, 2017

Whether it's the clocks going back next week, the drop in temperature or Bonfire Night approaching, summer is definitely long gone. 

But one thing that we do look forward to this time of year is sponsoring the Children's Hospital Charity's snowflake display which decorates the front of the hospital building. 

The annual display is much anticipated by patients, staff and the public, as hundreds of lights adorn the entire hospital, each with a ‘gift tag’ attached displaying the name of a local sponsor.

The charity is very important to Qualsys, as many of our employees have children who have used the hospital's services at some point.

Our donation will be going towards the "Make it Better" appeal. This was launched in 2012 to help raise money to build new wards and create the best possible environment for children to get better more quickly. 

Tchad Western is Corporate Fundraiser at the Children's Hospital Charity. He said: "This year our light switch-on will be the biggest yet, with a fun evening being planned! We'll also be celebrating the new wing bedrooms being open as well as seeing the start of the first school's snowflake sponsorships. So it'll be a great evening."

What to do now 

The hospital will switch on its light display on 30 November.

Please feel free to join us at the event! 

ISO 13485 software validation process

Posted by Emily Hill on Thu, Oct 26, 2017

When you're implementing an electronic medical device quality management system, your software validation plan is of the utmost importance. You'll need to ensure that your system is working and continues to work as required.

There are no shortcuts in this process. However, we provide a structured approach which will help you demonstrate compliance with regulations and standards such as ISO 13485 before, during and long after you've implemented our quality management software. 

In this article, Chris Owen, Services Director at Qualsys Ltd, explains what software validation means and how we approach validating your quality management system software.

What is software validation? 

Businesses must carefully consider the impact of introducing new software applications, particularly where the solution is mission-critical or where the company needs to demonstrate compliance with regulations and standards.

Once the software is installed, it must be checked periodically to make sure that it's correctly configured and working as it should. All of this is software validation. 


When is it necessary to validate quality management software? 

Quality management software must be validated when a computer system is used in a good practice (GxP) process, to control the quality of a product, or to generate information for regulatory bodies. Validating the software helps reduce risk and legal liability, as well as providing evidence that the computer system is fit for purpose. 


Requirements for ISO 13485:2016 validation

The latest version of ISO 13485 has more explicit requirements for software validation. The standard specifies that any business wanting to achieve certification must:

  • Develop procedures to validate and revalidate your quality management system software
  • Develop an approach that is proportionate to the risk being taken
  • Use procedures to validate and revalidate other software applications 
  • Validate computer software applications for their intended use 
  • Validate software whenever its intended use changes 
  • Maintain a record of your software validation and revalidation activities. 


What does a software validation process look like? 

First, you need to adopt an approach which is proportionate to the level of risk that you're taking by using your electronic quality management system. Here's an example of a software validation process: 

  1. Understand the operational requirement
  2. Produce a specification of the requirements
  3. Choose a trusted supplier
  4. Verify the software's capabilities
  5. Validate the implemented system
  6. Use formal change control, including revalidation
  7. Resolve any non-conformities and deviations


Validation test plans

To validate your quality management system software, you'll need to put together a validation test plan. This is a document detailing the objectives, process required, description of the process, expected result, actual result and any comments or observations. Qualsys provides you with templates and support throughout this process. 


How Qualsys can help with the validation

Qualsys will help you throughout the validation process. We make sure that the validation process progresses smoothly and quickly by lessening the impact of many of the most time- and resource-consuming tasks.

We offer: 

  1. System specification requirements (before you buy the system)
  2. Installation Qualification (IQ), Operational Qualification (OQ) and Performance Qualification (PQ) documentation
  3. Validation test scripts
  4. Validation test plans
  5. Validation templates 
  6. Software verification
  7. System change control and validation 
  8. Problem resolution process and tracking

Qualsys works with in-house specialists and an independent validation services partner who have an excellent reputation for carrying out a range of validation projects for AstraZeneca, ConvaTec, Eli Lilly, GlaxoSmithKline, Piramal Healthcare and Sanofi. 

For more information about our validation services, request a 15-minute discovery call with one of our team.

Schedule a GRC Software discovery call 

Tags: ISO 13485

Qualsys presents at Sodexo's Global Pharmaceutical Conference

Posted by Emily Hill on Thu, Oct 19, 2017

Sodexo's pharmaceutical business has grown substantially in recent years. Four years ago, there were two members of staff in the department. Now there are 63. 

To celebrate and share their success stories, Sodexo hosted a three-day conference in London. Delegates travelled from China, Italy, France and the Netherlands to attend.

Qualsys's Key Account Manager, Gemma Baldan, was invited to talk about how our GRC software is used throughout Sodexo. 

Below, we've shared an overview of Gemma's presentation and upcoming projects with our software at Sodexo. 



Best-practice risk management

One of the hot topics at the moment is configuring the risk management module for each site. Operating in heavily-regulated environments with lots of new employees needs strong and effective policies, procedures and processes. Gemma explained how our risk management module provides the best-practice framework for Sodexo's site risk but can be configured to meet each site's unique requirements. For example, if a site wants to use red, amber, green (RAG) or impact vs likelihood vs detectability, either can be configured on the systems at no extra cost. 
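The two scoring schemes mentioned above (red/amber/green on impact x likelihood, and impact x likelihood x detectability) are easy to get wrong when every site sets its own bands, so here is an added example of how such site-specific configuration can be expressed and applied. This is illustrative code written for this page, not Qualsys's module or Sodexo's configuration; the 1..5 scales, the site names, the band thresholds and the sample register are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed 1..5 ordinal scales (1 = best, 5 = worst). Not Qualsys's own scales.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    site: str
    title: str
    impact: int               # severity if the risk materialises
    likelihood: int           # probability of occurrence
    detectability: int = 1    # 1 = certain to be caught by existing controls, 5 = invisible


def _check(value: int, label: str) -> int:
    """Reject out-of-scale scores so a typo cannot silently inflate or hide a risk."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return value


# Per-site configuration: which scheme is used and where the Amber and Red bands start.
# Site names and thresholds are assumptions for the example; each site would set its own.
SITE_CONFIG: Dict[str, dict] = {
    "Plant A": {"scheme": "rag", "amber_from": 6, "red_from": 15},   # max score 25
    "Plant B": {"scheme": "rpn", "amber_from": 27, "red_from": 64},  # max score 125
}


def score_risk(risk: Risk, cfg: dict) -> Tuple[int, str]:
    """Return (score, band).

    'rag' multiplies impact by likelihood; 'rpn' also multiplies by detectability,
    so a severe risk that existing controls would not catch is ranked higher.
    """
    score = _check(risk.impact, "impact") * _check(risk.likelihood, "likelihood")
    if cfg["scheme"] == "rpn":
        score *= _check(risk.detectability, "detectability")
    elif cfg["scheme"] != "rag":
        raise ValueError(f"unknown scheme {cfg['scheme']!r}")
    if score >= cfg["red_from"]:
        band = "Red"
    elif score >= cfg["amber_from"]:
        band = "Amber"
    else:
        band = "Green"
    return score, band


def rank_register(risks: List[Risk]) -> List[Tuple[str, str, int, str]]:
    """Score every risk under its own site's configuration and return rows, worst first."""
    rows = []
    for r in risks:
        score, band = score_risk(r, SITE_CONFIG[r.site])
        rows.append((r.site, r.title, score, band))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register for the example (not real customer data).
SAMPLE_REGISTER = [
    Risk("Plant A", "Untrained contractor handles product", impact=4, likelihood=3),
    Risk("Plant A", "Label misprint", impact=2, likelihood=2),
    Risk("Plant B", "Cold-chain excursion unnoticed overnight", impact=5, likelihood=2, detectability=4),
    Risk("Plant B", "Cleaning record left unsigned", impact=2, likelihood=4, detectability=1),
]

if __name__ == "__main__":
    for site, title, score, band in rank_register(SAMPLE_REGISTER):
        print(f"{band:5} {score:3}  {site}: {title}")
```

Note how the cold-chain risk at Plant B scores 40 (Amber) only because its detectability is poor; under the two-factor scheme the same impact and likelihood would give 10, which is why a site whose controls are the main uncertainty may prefer the three-factor scheme. The `_check` guard matters in practice: an out-of-range score entered by mistake would otherwise change a site's top-ranked risks without anyone noticing.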


Sharing successes

The conference gave those working closely with the project an opportunity to share their experience of using our GRC software. All feedback was really positive. "One of the sites uses our software to manage contract agreements," Gemma said. "This usually involves lots of different people, heaps of paper and fighting to keep spreadsheets updated. Now the team uses our workflow management module and there's none of that frustration at all. They can pinpoint exactly where a job hasn't been followed up. There's complete visibility, accountability and transparency." 


What's next 

As well as expanding to more sites with even more of our GRC software modules, Sodexo are getting excited about Qualsys's new business intelligence reporting dashboard. 

Qualsys have recently partnered with Logi Analytics to create an integrated system that will allow businesses like Sodexo to interact with vast quantities of governance, risk and compliance data and create systems that dramatically improve engagement, productivity, operations and products. 


What you should do now

If you're interested in learning more about our solutions, schedule a discovery call here. Or, download our GDPR toolkit.


How much does GRC software cost?

Posted by Emily Hill on Tue, Oct 17, 2017

One of the very first questions potential customers ask is: how much does your GRC software cost? A number of factors go into how we price our software, so in this post we set out to give you a better idea of how our pricing model works. 

Cost of EQMS and GRC software

Prices for our GRC software start from £200 per month. This cost depends on a number of variables which we will explain below. 

Your objectives

Obviously, a straightforward implementation in a small business will cost less than one that extends across a global organisation with multiple sites which needs lots of ERP integrations, configuration and maybe even bespoke development. 

We work with lots of different-sized businesses who want to use our software for different ends, including:

  • Making their business more efficient.
  • Managing their certification to ISO standards. 
  • Making their processes more uniform and consistent, as their business grows. 
  • Becoming more transparent and allowing for better accountability. 
  • Process-based risk management. 
  • Integration with an ERP or Linux-compatible system.
  • A very specific system they want to optimise.

These objectives are very important, because although you may have a very large organisation you might only need our system to control a very simple business process. On the other hand, your business might be small but you need the system to be set up for all business processes. Both of these are our bread and butter. 

When we first ask you about your objectives, we'll make sure you know what questions to ask. For example, if you want a business management system, do you want it to integrate with your existing ERP? If you're hoping to achieve certification to an ISO standard, is that for one site or for all of them?

We try to keep this process simple, but implementing any new system takes time, investment, commitment and energy. We want to make sure we ask the right questions so there are no surprises later on. 

You cannot buy the system outright – there is an annual licence.

Included in that licence you get:

  • Best-practice implementation
  • Support
  • Administrator training
  • A dedicated account manager who will mentor you and your team 
  • Support with engaging end-users
  • User Group community


When it comes to pricing, although your objectives won't change the cost, they will change which modules will suit you and who will need to access the system. For example, if you solely want to control documentation in one department, you'll probably only need our document control module. If you want an enterprise business management system, you'll likely need all of the modules. 

Most of our customers start with four or five modules and add more as their management system matures. All modules work well on their own or as one integrated solution. 

Free end-users

Licences work like fairground tickets. You tell us how many administrators you need on each module. All modules cost the same. The only variable is the number of administrator licences you need. 

An administrator is someone who manages the system. Typically, they will: 

  • Create and maintain users and groups.
  • Control access, viewing permissions and notifications.
  • Maintain any sort of record.
  • Decide how the system will be configured. 

You don't want to give this access to everyone. Usually, it's best to have a select few people, such as your QHSE team. Occasionally managers from other departments will be administrators. For example, you may want HR to manage and control training records. 

We offer free end-user licences. Why? Everyone across your business needs to play their part, be accountable and take ownership. We want to make quality, governance, risk and compliance management a natural part of your everyday business. 

Adding an individual licence is a pain-free, efficient and effective process. This makes it easy if: 

  • Someone new starts at your business
  • Suppliers need access
  • Customers want to see certain information


A day of training per module for administrators is standard. If you're implementing more modules, the cost of training increases. However, end-users don't usually need training as the system is very user-friendly, keeping the cost low and the roll-out process fast. Most of our customers get their administrators to train end-users and tell them why the system needs to be used. 

Bespoke modifications to the software 

Many of our customers find the software already has all the functionality they could ever need. However, we do offer our customers the option to make bespoke changes to the system. This is usually when our customers have a very specific process they need to manage. Some modifications we'll make completely free of charge if we feel all our other customers will benefit. 

Extra services 

You may not have the resources to replace your legacy systems yourself. We offer a range of services which can help you get up and running more quickly. These services include data migration support, validation scripts and process reviews. 


Ready to put together your GRC software business case? 

Schedule a discovery call to discuss your needs. We know what questions to ask. We will talk you through our pricing and answer any of your questions. 

Schedule a GRC Software discovery call


Tags: GRC Dashboard

EQMS transition to BMS, EMS, PLM, ISMS, EHS... What do I need? What's the difference?

Posted by Emily Hill on Tue, Oct 17, 2017


Over the next few months, you'll notice some big changes on our website. We're launching a new visual identity and heaps of new content. We're hoping that these changes will make it easier for our customers and potential customers to find the information they need. 

In this blog post, we shared our journey to evolve the brand and how we're changing our positioning. We also mentioned that we're moving away from solely offering "EQMS" and offering more management systems such as PLM, BMS and ISMS. 

We felt it was important to explain this in more detail, particularly the reasons behind the changes and what they mean for our business and our customers. 


3 key drivers


1) Our products have evolved

Our product has changed a lot since the last time we overhauled our website. We have new modules and new services, and our customers have found hundreds of new ways to use our software in their businesses.

Our software is no longer used only for quality management or by quality managers – it's used now to manage integrated business management processes, GRC, product lifecycles, environment, health and safety and customer care. 


2) Customer demand

We've found that when we're talking to new customers, we aren't actually competing solely with other quality management software vendors. We're competing against other business management software vendors, GRC software providers and PLM vendors. We're winning many of these contracts as customers find the advanced configuration and functionality of our software is better and ensures a best-practice approach to implementation. As a result, we believe we need to get better at communicating this to our potential customers. 


3) Our industry is changing


It's becoming more widely accepted that the quality management system is actually the business management system. Read more on these changes here. This is driven by quality leaders recognising a need to move away from isolated systems in individual departments to an approach that extends across the entire business. Quality is every employee's responsibility and everything we do is focused on making management systems that are easy to access, easy to use and scalable.

What's the difference? 

We'll still be offering the same modules, but we'll simply be explaining more clearly how the software can be used. We'll be sharing more case studies to show you how customers have used the software for all different sorts of management systems. 

We hope this helps. If you have any questions about these changes, either drop me an email at or call the office on + 44 (0)114 282 3338.

Tags: EQMS

Top 5 integrated GRC software problems and solutions

Posted by Emily Hill on Tue, Oct 17, 2017

You know what? Buying an integrated GRC software solution may not be for you. If you're a small business with only a few processes and a small number of standards and regulations to meet, you can probably get by using spreadsheets and paperwork. But if you're a heavily-regulated large enterprise or a quickly-growing SME, a GRC solution is an essential investment that will deliver returns within several months of implementation.

However, implementing an integrated GRC software solution is not without its risks. A bad fit will not only cost you time and money, but valuable opportunities as well.

Here at Qualsys Ltd, we talk to lots of quality, health and safety and environmental managers who want to know what to look out for when choosing a solution.

We've asked Michael Ord, Qualsys's New Business Director, to list the top 5 things to think about when choosing a GRC solution. Michael has worked at Qualsys Ltd for the past five years and helped hundreds of professionals through the software-buying process.


1) Don't underestimate the implementation process

Very few businesses have all of their processes, procedures and policies ready to upload and configure on a new system. In fact, usually they're in a bit of a mess. Legacy systems are outdated and tired. And although the business itself has changed a lot, their processes haven't changed with it.

You might be in a similar situation, and buying a GRC solution for that very reason. But tread carefully. Any vendor who tells you they can implement a new system in a day or so is setting unrealistic expectations and will only disappoint at a later stage.

It takes a lot of time, energy and investment to get right. At Qualsys, we intend our solutions to have a truly transformational effect. We're talking about providing complete visibility, ownership and accountability. Overhauling and streamlining your processes. Making compliance a natural and invisible part of the everyday. This is one of your business's most important strategic and operational projects.


2) Make sure you and the vendor have a good cultural fit

The second thing to consider is whether the vendor fits your company culture. Do they share the same values? Are they positive and proactive? If something seems odd, unrealistic or concerning now, imagine what it'll feel like weeks or months down the line.

Companies don't always work well together. They have different aims and intentions, and a collaboration would feel very forced. At Qualsys, we're all about "growing by case study". This means we want satisfied, happy customers. We won't sell you our products if we don't think it's a good fit. Partnership is very important to us. We want to make sure your systems move with the times, and we want you to love using them. We want you to get amazing results that we can share with our other customers.

For this reason, we rarely work with businesses who have under 20 employees. We do, however, jump at the chance to work with food and drink manufacturers, medical device manufacturers and industrial manufacturers. We know our solution works very well for these customers, and have the case studies to prove it. 

We always encourage our potential customers to shop around and to either visit or call one or two of our existing customers. We find this creates a positive community of sharing, where you know there's someone who's been through the same process you're hoping to embark upon.


3) Consider all your requirements

Our software consists of 10 different modules designed to work together as one integrated solution. Most customers start with three or four core modules – such as document management, audit management and issue management – and then extend the number as they go. Some customers choose to implement all 10 modules at the same time.

It doesn't really matter which way you do it. Our pricing model means you buy administrator licences from across any of the modules.

But whichever modules you opt for, make sure you have a clear "why" from the very start of the project. By this, we mean knowing exactly what you want the software to achieve in the long run. What do you want it to change throughout your business? What results do you want to see as you go along?

Our team will help you understand what questions to ask and who to speak with. It may be that you have an enterprise resource planning (ERP) system which you could integrate with a GRC system. Perhaps you need a system to keep thousands of disorganised company documents under tight control. Or maybe your business extends over a number of sites and you want a different configuration or separate systems.

It's common for your specification to change. Work with your leadership team and management team to clearly define the scope of the project, and put it in a place where everyone can refer back to it. This will help prevent stress later! Once the project gets underway, there will be lots of moving parts and you are going to be a lot busier. But remember, you don't need to do everything at once.


4) Don't neglect the engagement process

Engaging the people who are going to be using the software is crucial. If your employees have no idea why your business has chosen to introduce the system into their daily lives, or why they should be using it, they're not going to. They need to understand what it will do for them and how it'll help them to work more effectively.

We don't leave this up to you. We provide the software but we also give you your own customer success champion and dedicated account manager. They work to help you raise awareness, engage your employees and encourage the action you need.


5) You're not stuck with something that doesn't work for you

Our customers love our feature-rich modules, but sometimes the software doesn't quite fit the bill without a little tweaking and customisation.

When this happens, we ask whether this additional functionality will benefit all other customers. If it will, we'll usually do the extra development free of charge. If it's a very custom request, we'll ask for a contribution towards the cost of making the changes. If you think you'll need lots of changes made, talk to us and we'll consult our development team about how we can develop those enhancements for you.

We've had some of our customers request almost entirely bespoke modules as it's more cost-effective and quicker than doing it with other vendors or internally.

We have a process whereby requests for change are put into a development 'sprint'. Each sprint lasts for three weeks. At the end of the three weeks, we put all the enhancements live on your system. This is a very customised option, and requests for change range from a few hundred pounds to several thousand.


Want more information?

Schedule a GRC Software discovery call

Implementing an electronic QHSE management system: A G Barr

Posted by Emily Hill on Mon, Oct 16, 2017

We recently caught up with John Thompson, Business Process Lead for Supply Chain Management at A G Barr, to find out why the drinks manufacturer needed a centralised system for quality, health and safety and environmental management. Below you will find the interview transcript.  

How have you found the project so far?

The project has been very good. It has been a pleasure to work with Qualsys Ltd. We've been working on the project for a very long time and Qualsys Ltd have been very patient with us. It has taken us several years now to get to the point of putting the system into A G Barr. I've been really happy with all of the people I have been working with – Rob Oakley, Rob Needham, Steve and lots of other members of the team. They have all been very good working with us, they've been very patient with us to help us get to this point and to start getting the data from the system.


What is your role?


IT wise, I represent business process. I’ve been working as a project manager in that and I have a strong responsibility for the IT systems at A G Barr. Setting up the IT Systems is communications, and making sure there is a secure platform to upload and download data and keep it secure on the cloud. It has been a really easy process. The Qualsys Ltd team have been really helpful. They have been really knowledgeable in telling us how we can connect our existing systems with EQMS and make sure the system is set up and configured properly. It has been easier than any other cloud-based system we have put in. It has been a joy.


What has been the best thing about working with Qualsys Ltd?


Apart from the patience of the team at Qualsys, the thing that has struck me with EQMS is just how user-friendly the interface looks. I’ve been used to other systems like SharePoint but they can be extremely difficult to use for a non-technical person. EQMS actually has a really good handle on how to make that as easy as possible for an end-user to work with. I really like the system from that perspective. I know why it would appeal to the end-users. I support our position and it has the feel for our business so people are actually going to use this system. I’m sure they will be very happy with it.

Schedule a GRC Software discovery call

Tags: Case Studies

Diageo listed top of the IoD & CQI Good Governance Report 2017

Posted by Emily Hill on Thu, Oct 12, 2017

Global drinks manufacturer Diageo has been ranked top of the Institute of Directors' (IoD) and Chartered Quality Institute's (CQI) Good Governance Report. 

Every year, the IoD and CQI survey a range of businesses on a number of good governance indicators. This year, there were some additions to the indicators to better reflect what society considers to be good governance. 

Estelle Clark, Executive Director of Policy at the CQI, said: "It would've been easy to keep the measures in the 2017 Good Governance Report the same as those used for last year's research, and I'm sure many would've liked the resulting comparability between years. However, society's views of what constitutes good governance change over time and it's important that the IoD and CQI research takes the lead in reflecting these changes in the way that governance is understood and measured." 

In 2017, there were 47 good governance indicators, including audit, risk, reward and stakeholder relations. Each business was given a score out of 5 for their ability to plan and manage each indicator. 

After a thorough analysis, Diageo ranked highest for their robust governance management processes. 

Robert Oakley, Commercial Director at Qualsys, has worked with the governance, risk and compliance team at Diageo since 2005. "This is an enormous achievement both for Diageo and Qualsys," Robert said. "Diageo have been using our quality management software to manage their documentation and audits for over a decade, and over that time, we've seen their governance, risk and compliance management system mature.

"We've been working closely with their team to make governance, risk and compliance a natural part of the company culture. It's really rewarding to see that all the hard work has been recognised."

Read Diageo's top tips for implementing an electronic quality management system here.

Tags: News

Evolving the Qualsys brand

Posted by Emily Hill on Mon, Oct 09, 2017

Quality is going through a really exciting metamorphosis.

For too long, quality was living in isolation. Seen as a challenge, a barrier or an overhead, called upon only when something went wrong. And for many, there's been a glass wall between 'quality' and 'operations' which has led to a culture of 'them and us'. 

Now, with the help of industry experts, changes in standards, and tools which facilitate excellence, the role of quality is moving from one of administration to one which focuses on strategy, vision and innovation.

All this change has led Qualsys to ask some real questions, like what business are we really in? Yes, we provide software, but that's a tool. What we really offer is a cultural tool for change. This requires partnership, commitment, knowledge, time and energy.   

We recognised there was a need to update our visual identity and launch a new website with lots of exciting new changes. 

Below, we've shared the journey of our brand, unveiled our new identity and provided a glimpse into some of the new services and products which will be available on the new website. 

Where we started 

Qualsys was founded in 1995 offering consultancy services and a very different version of our document control software. The company grew steadily, acquiring a number of heavily-regulated businesses as long-standing customers. 

Over time, we packaged our software solution EQMS as an electronic quality management system, offering a range of different modules to choose from. 

What was working

Back in March 2016, we were on track not only to double our customers, but to double our team too.

The leadership team wanted to make sure we understood what was working and how, and why customers who had budgets to spend with huge companies like IBM were choosing us. 

After a number of workshops, customer research exercises and interviews with industry experts, we began to build a bigger picture of what industry we're really in.

We looked at what we were good at. 

Quality        Others                        Qualsys
Focus          Compliance                    Excellence
Time spent     Administration                Strategy, innovation and vision
Relationship   Client                        Partnership, investment, time and energy
Leadership     See quality as an overhead    Actively engage with quality
Need           Certificate on the wall       Vital part of business growth
Team           Quality manager               Every employee playing a part
Role           Job                           Make our customers heroes – quality as a career
Presence       In isolation                  Natural and invisible
Vision         Command and control           Culture as competitive advantage
System         Quality management system     Business management system


Our software and services have resulted in some exceptional customer success stories.

However, the identity of our brand was not reflecting what we stand for, and we were failing to give a full picture on our website of all the services we provide. 

Calling in the experts

To ensure our culture, relationships and personality were reflected in our visual identity, we called upon the services of brand and marketing agency UppB2B, who have experience working with brands such as DHL, Rolls Royce and the BBC. 

In the first phase of the project, we explored the 'essence' of our brand.

UppB2B talked to employees across the company and led a workshop. Mel Daggett, Account Manager at UppB2B, said: "After extensive market research, customer feedback and brand workshops with the team at Qualsys, it was clear there's something really special about what Qualsys stand for. 

"When we got to the real 'why' for Qualsys, it wasn't that the company simply provide software," Mel said. "It was all about making their customers more profitable, efficient, resilient, scalable and trustworthy. Qualsys knows it takes investment, time, energy and commitment to ensure governance, risk and compliance becomes natural and invisible. They're making compliance and quality not just for the quality manager, but providing solutions for the whole organisation. We're confident the new identity and website will reflect Qualsys's values and services."

A glimpse at the new visual identity



A vibrant, fresh and bold logo to reflect our mission to make quality approachable and accessible to all. 




[Image: Integrated EQMS solutions]


We will update our documentation with the new colour palettes. 



Our software will adopt the updated branding, but the first experience of the new brand will come through the website. We'll start the process of updating the whole brand throughout 2018 and all customers' applications, touchpoints and interactions with Qualsys will reflect the new look. 

We'll also be moving away from solely offering "EQMS" and offering a range of software solutions, including ISMS, EMS, QHSE and BMS. 



Over the next few weeks, you'll see a complete overhaul of our website. The product offering, services and industry relationships will be more noticeable. 


Beyond the visual elements 

Design was only one part of the effort. Realising the new identity needed the collective work and diligence of our team, partners and customers. Our entire community deserves credit for making Qualsys the confident, trusted and innovative company that it is today. 

As we move forward creating new innovations, we hope every interaction with Qualsys will delight you.

Tags: New features

ISO 45001: Latest changes – Richard Green webinar transcript

Posted by Emily Hill on Fri, Oct 06, 2017

We recently recorded a webinar with Managing Director of Kingsford Consultancy Services Ltd, Richard Green, to discuss the latest developments in the new ISO health and safety standard. 

Below is a transcript of the webinar. 

What are the main challenges managing health and safety? 

Health and safety tends to get a bad press. Too often it is seen as both an administrative and an operational overhead, something that gets in the way of completing the job quickly, something which can be circumvented when the pressure is really on.

Responsible organisations know this is nonsense, and the HSE has gone to great lengths to publish Myth Busters on its website in an attempt to dispel some of the crazier H&S assertions that surface periodically, but the sad truth remains that the only time the top management of certain organisations take an interest in this subject matter is when there has been an actual H&S incident. Then they tend to get very interested, very quickly.

In its introduction, DIS2 ISO 45001 reminds us of the role top management MUST play if a H&S management system is to be effective. These critical success factors include promoting and developing a H&S culture, their need to consult with workers over H&S matters and ensure worker participation in key H&S decisions, the need for them to provide the necessary resources to run an effective H&S management system, and the need for them to ensure H&S is integrated into business as usual.

At present, I’d suggest we are some way off this being the norm, particularly when we view Health and Safety from an international perspective.


Why a need to move from OHSAS 18001?

OHSAS 18001 was (indeed is) a highly successful standard. Although it’s difficult to capture accurate figures (as it’s not an ISO standard and therefore not included in the ISO annual Certification Body survey), it’s estimated that 93,000 OHSAS 18001 certificates have been issued. That places it third behind ISO 9001 and ISO 14001 respectively.

ISO have long desired to complete the holy trinity. Those with long memories will recall that ISO 9001 started out as a British Standard, BS 5750, and ISO 14001 also started out as a British Standard, BS 7750.

OHSAS 18001 (or BS OHSAS 18001 to give it its proper title), is going the same way for the same reason, to elevate it from what is essentially a national standard, albeit one which has been globally accepted, to a truly international standard, developed with full international consensus.

As OHSAS 18001:2007 was due for an update anyway it seemed logical to take the opportunity to go down the international route, to try to drive H&S improvement on an international basis.

ISO 31000 reminds us that risk is ‘the effect of uncertainty’. It therefore follows that by reducing the effect of uncertainty we will reduce our organisation’s risk exposure. Annex SL based standards, and that includes ISO 45001 of course, set out to do this by requiring organisations to:

  • Be clear on what they have to do (legal requirements).
  • Be clear on what they choose to do (other requirements).
  • Be clear on how they will do it (planning, support in place and operations).
  • Be clear that it is being done (performance evaluation).
  • Be clear on how to do it better (improvement).


Why do you think there has been a big divide in the feedback on the ISO DIS 45001?

ISO 45001 was always going to be a problem child. Those developing the standard come from national standards bodies representing different parts of the world, with radically different perspectives on workers’ H&S.

Accepted working practices in some countries are completely unacceptable in others, and the degree to which workers are able to actively participate in, and be consulted on, H&S matters is similarly divergent.

Now throw into the mix the liaison organisations who at one end of the spectrum are passionate about enshrining workers' rights at the core of the standard, and who at the other represent employers' interests, believing it's for businesses to decide how and when to involve their workforce in any H&S debate. Finally, add in the complexities of national and international health and safety legislation and perhaps you'll begin to understand why this standard is taking so long to finalise. 


What are some of the key changes and how will they impact the way health and safety is managed in the organisation?

For me the key changes are:

  • The adoption of Annex SL, which should aid integration with other management systems.
  • The removal of the role of management representative, which is designed to embed H&S responsibility more widely than just that single individual.
  • The enhanced role top management HAVE to play in the operation of their H&S management system: there are things they cannot now delegate.
  • The requirement to integrate the H&S system into 'business as usual'.
  • The extension of worker consultation and participation.
  • The requirement for the organisation to prevent 'ill health' (including psychological health) as opposed to just injuries.
  • There's explicit recognition that injuries and ill health can result not just from immediate impacts but also from long-term impacts.
  • The need to consider H&S opportunities, not just H&S risks.
  • Major shake-up of terms and definitions. Of the 37 included in ISO 45001, only 3 are identical to those in OHSAS 18001. New definitions include 'worker' and 'workplace'.


How can organisations prepare for ISO 45001?

Start by increasing awareness: if you are responsible for your organisation's OHSAS 18001 compliant system, you need to know about ISO 45001. There's a lot of information circulating on the internet, but make sure you look at that coming out of an informed source, someone who is actively involved in the revision process. 

Then tell others in your organisation what’s about to happen and how it will impact them. You’ll need to speak to top management about their revised obligations and you’ll want to bring your internal auditors up to speed with the new requirements in order that they can spot issues during the transition process.

Speak to your certification body to see what help they intend to provide you with and note that if you are not happy with your certification body or any support consultants you may employ, now is a good time to change them. You’ll want to be making this journey with people you trust.

Once you are clear as to where you need to get to, then you can start to plan. At this stage, it can only be an outline as ISO 45001 is still work in progress but the bare bones can be put in place and then adjusted when there is more certainty as to the standard’s contents and timing.


Where can people access a copy of the draft?

Both BSI and ISO will happily provide you with a copy of the DIS2 for suitable recompense. BSI are asking £30 for non-members and £24 for members, ISO are charging 58 Swiss francs (which equates to £46.80). Both have online shops offering immediate downloads.


When should people expect ISO 45001 to be released?

Not even members of PC283 know the answer to that one. The official ISO timeline shows the publication of an FDIS in November 2017 and then publication of the full ISO in March 2018. That said, there are a lot of technical comments on DIS2 (1200) and each and every one of these needs to be considered. It’s conceivable that if PC283 cannot process all of these at their meeting in Melaka this month, that they will need to schedule another meeting to complete the task. Personally, I’d see March 2018 as the EARLIEST possible publication date and if I were staking my own money on it I’d probably go for the end of Q2 2018.


What process would you recommend following when transitioning?

View this as a journey. Firstly, you need to understand where you want to get to. That's the easy bit: compliance with ISO 45001. Now take time to understand what the destination looks like. If you can't tell Rotherham from Rochdale you won't be able to tell when you've got to where you want to be. So, start by self-education and progress to awareness raising. Make sure you tell everyone where you are taking them and why this is the right destination.

Next you need to understand where you are starting from. Each organisation's departure point will be unique, as the degree to which each organisation embraces OHSAS 18001 will be different. There are organisations already going beyond the basic requirements of the standard whilst others will simply be doing the minimum to comply. The former will be closer to the destination than the latter. Conduct a gap analysis to identify your own personal departure point.

Now we need to plan the journey, making it as smooth as possible and avoiding the potholes along the way. Enshrine your route in a transition plan built on the results of your gap analysis. Periodically re-run the gap analysis to ensure you are still on the correct road and that you are continuing to make progress. Get internal audits and management reviews up and running early so if you do drift off piste you can pick the right route up once more or, if you identify a shortcut, to position you to take it. 

Involve your certification body early on. They can help smooth the route.  

Treat this as a project: create a project structure to manage the transition, a communications plan to keep stakeholders engaged, a project plan to act as your route plan, and risk and issue logs, as things will go wrong along the way and the fallout will need to be managed.


Some organisations have a separate quality and health and safety manager. How can organisations use the Annex SL to make transition faster?

Get the quality and H&S managers talking to each other. Hopefully, given that we have only 12 months of the 9001 and 14001 transition periods remaining, work on transitioning the organisation's QMS and EMS will be well advanced. At the very least there should be a clear and communicated transition plan in place by now.

That means a lot of lessons will have been learned by the quality and environmental people that can usefully be passed across to the H&S manager. What went well and what didn't, what were the principal challenges and how were these addressed? 

The H&S manager will also benefit from the fact that by now top management should have been educated by their quality/environmental heads as to their revised roles in Annex SL based systems, and the organisation should have established processes for the determination of context, for the management of risks and opportunities, the alignment of management system objectives with business objectives, and performance evaluation of management systems. The H&S system can be piggybacked off these new ways of working, introduced to satisfy the QMS and EMS standards.


Documenting a health and safety management system is one thing, how can organisations ensure correct processes and procedures are being followed?

This starts with ensuring individuals are clear as to their roles and responsibilities, and are also clear as to how specific tasks are to be performed. These aspects are dealt with under clause 7, Support, which encompasses competence, awareness and communication sub-clauses.

Work is then planned and performed under Clause 8, Operation with H&S performance and the effectiveness of the H&S system overall being checked under clause 9, Performance evaluation, by means of monitoring, measurement, analysis and evaluation.

Internal audit has a key role to play in determining compliance (or otherwise) with agreed practice, as has Management Review.

Worker consultation and participation forums should also be used to identify process deviations, noting that in some instances the deviation may have occurred for good reason, e.g. where following the process would have endangered rather than protected individuals. The standard is clear that where this is the case workers should not be exposed to the threat of dismissal, disciplinary action or other reprisals as a result of their failure to follow the prescribed method.





Tags: ISO 45001