
ISO 45001

What is ISO 45001?

ISO 45001:2018 is the recently released replacement for OHSAS 18001 and therefore is the
new international standard for health and safety management systems.
The standard will follow the structure of Annex SL and will therefore be aligned with the 2015
versions of ISO 9001 and ISO 14001.
This will enable simpler and stronger integration of these management systems.
WHAT IS ANNEX SL?

Annex SL provides the new high-level structure for ISO management systems standards - it
replaces the historical ISO Guide 83 and expands on the base structure already
implemented.
It has been created to introduce identical core text and common terms and definitions. This
will:
- streamline standards
- encourage standardisation
- ease the integration of management systems
NEW HIGH LEVEL STRUCTURE OF CLAUSES
The numbered list below is a replica of the numbered sections of the high-level structure - the
specific requirements of each management standard will be found within these sections.
1 Scope
2 Normative References
3 Terms and Definitions
4 Context of the Organization
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance Evaluation
10 Improvement
CLAUSE 1 – SCOPE

Carries introductory information about ISO 45001 as a standard for an OHSMS model that:
- Meets the necessary regulatory requirements.
- Acknowledges that the need for an OH&S management system is dependent on continual
improvement and accomplishment of objectives.
- Can be deployed to virtually any type and size of an organisation.
CLAUSE 2 & CLAUSE 3 – TERMS AND DEFINITIONS

These sections are designed as summaries and simply note that there are no normative
references. Clause 3 features a list of terms and definitions that apply to the ISO 45001
standard.
CLAUSE 4 – CONTEXT OF THE ORGANISATION

This section requires organisations to assess the context of their operations and document the
needs and expectations of interested parties. Usually, this is categorised into two: external and
internal issues.
External issues include your organisation’s union expectations, political and economic
conditions, as well as relevant laws and regulations.
On the other hand, internal issues include your company’s communication methodologies and
the commitment of your team to co-operate and adhere to the existing policies.
CLAUSE 5 – LEADERSHIP

This section is designed for employees and managers alike. It demands that the top leaders
demonstrate leadership and dedication regarding the OH&S management system.
It also requires top managers to implement, monitor, and maintain an OH&S policy that’s
unique to your organisation and make sure the administrative authorities, roles, and
responsibilities are clearly understood.
CLAUSE 6 – PLANNING

This involves establishing the objectives of your health and safety management systems and
how you can attain them.
The obvious reason is to mitigate the risk of workplace accidents and common health issues.
CLAUSE 7 – SUPPORT

In this section, your organisation needs to provide support elements required to implement,
manage, and continually improve the occupational health and safety management system.
This support system may include resources, methods of communication, staff awareness, and
the need for documented information.
CLAUSE 8 – OPERATION

Section eight covers the operation controls that organisations must look into, including
management of change, emergency response, elimination of hazards, and change in
procurement.

You can implement your operational processes by developing criteria for operation control.
CLAUSE 9 – PERFORMANCE EVALUATION

Performance evaluation covers systems for monitoring and assessment of compliance with
internal audit, legal requirements, and management review to ensure the system’s overall
effectiveness.
CLAUSE 10 – IMPROVEMENT

This last clause demands that your organisation manages the OH&S system nonconformities,
incidents, and corrective actions.
This also covers the commitment to continual improvement.
What changes are there between BS OHSAS 18001 and ISO 45001?

The aim of the standard remains the same: to set requirements for OH&S management
systems, and thus to help organisations ensure the health and safety of the people who work
for them.
While ISO 45001 largely stands in continuity with BS OHSAS 18001, there are a couple of
changes worth noting:
The standard has the same structure as ISO 9001:2015 and ISO 14001:2015 and will also
share the same terminology.
This will make it easier to integrate OH&S management into the overall management system.
The standard follows the normal Plan-Do-Check-Act (PDCA) model, which provides a
framework for organisations to minimize the risk of harm.
Although this focus on risk is not new, the emphasis in ISO 45001 on a risk-based approach
places the standard more in line with ISO 9001:2015 and ISO 14001:2015, which also take risk
as their starting point.
Minimizing the risk of harm also requires taking into account any concerns that can lead to
long term health issues and absence from work.
This may include psychosocial factors like stress, which can be managed within the OH&S
framework.
The fact that the standard will follow the same structure as ISO 9001:2015 and ISO
14001:2015 already indicates that there will be a stronger focus on the context of
organisations.
Organisations are required to understand the needs and expectations of interested parties
(commonly known as stakeholders), and to take into account all internal and external issues
that may affect the ability of the organisation to meet its OH&S objectives.
The notion of context requires organisations to look beyond health and safety within their own
facilities and to take into account working conditions that are not under their direct control.
- This reflects on the work with subcontractors and suppliers.
- Supply and procurement policies should address impacts on any persons that carry out
activities for the organisation, or produce products or deliver services for it.
Another change is the stronger role for top management.
- Health and safety will become a central aspect of the overall management system, requiring
a firm commitment from top management.
- At the same time it will be necessary to involve all employees in reaching OH&S objectives.
There is a stronger requirement to address legal and regulatory compliance issues in the entire
management system, throughout all phases of the PDCA cycle.

Note: ISO 45001 does not define specific KPIs for health and safety, but rather requires
continuous improvement in the KPIs an organisation has set.
ISO 45001:2018 does not address issues such as product safety, property damage or
environmental impacts, beyond the risks to workers and other relevant interested parties.

ISO 45001:2018 can be used in whole or in part to systematically improve occupational health
and safety management.
However, claims of conformity to this document are not acceptable unless all its requirements
are incorporated into an organisation's OH&S management system and fulfilled without
exclusion.
Prevention of non-conformities is not a specified requirement and is handled within risk analysis.
ISO 13485
Medical Device Standard
Medical devices can be simple or complex, but all of these can benefit from being designed
and manufactured under ISO 13485:2016, which is the most widely used medical device QMS
standard.
It is required in Europe, Canada and many other countries for most devices.
Safety and quality are non-negotiables in the medical devices industry.
Regulatory requirements are increasingly stringent throughout every step of a product’s life
cycle, including service and delivery.
More and more, organisations in the industry are expected to demonstrate their quality
management processes and ensure best practice in everything they do.
ISO 13485 is an ISO standard, published in 2016, that represents the requirements for a
comprehensive management system for the design and manufacture of medical devices.
What is a medical device?

A medical device is a product, such as an instrument, machine, implant or in vitro reagent, that
is intended for use in the diagnosis, prevention and treatment of diseases or other medical
conditions.
ISO 13485:2016 specifies requirements for a quality management system where an
organisation needs to demonstrate its ability to provide medical devices and related services
that consistently meet customer and applicable regulatory requirements.

Such organisations can be involved in one or more stages of the life-cycle, including design
and development, production, storage and distribution, installation, or servicing of a medical
device and design and development or provision of associated activities (e.g. technical
support). ISO 13485:2016 can also be used by suppliers or external parties that provide
product, including quality management system-related services to such organisations.
Requirements of ISO 13485:2016 are applicable to organisations regardless of their size and
regardless of their type except where explicitly stated.
Wherever requirements are specified as applying to medical devices, the requirements apply
equally to associated services as supplied by the organisation.
The processes required by ISO 13485:2016 that are applicable to the organisation, but are not
performed by the organisation, are the responsibility of the organisation and are accounted for
in the organisation's quality management system by monitoring, maintaining, and controlling
the processes.
If applicable regulatory requirements permit exclusions of design and development controls,
this can be used as a justification for their exclusion from the quality management system.
These regulatory requirements can provide alternative approaches that are to be addressed in
the quality management system.
It is the responsibility of the organisation to ensure that claims of conformity to ISO 13485:2016
reflect any exclusion of design and development controls.
If any requirement in Clauses 6, 7 or 8 of ISO 13485:2016 is not applicable due to the activities
undertaken by the organisation or the nature of the medical device for which the quality
management system is applied, the organisation does not need to include such a requirement
in its quality management system.
For any clause that is determined to be not applicable, the organisation records the justification
as described in 4.2.2.
ISO 13485 is a regulatory standard whose focus is meeting customer requirements, including
regulatory requirements, and maintaining the effectiveness of the QMS.
This differs from ISO 9001:2015, which focuses on customer satisfaction and continual
improvement, whereas ISO 13485 requires only that organisations demonstrate the quality system is
implemented and maintained.
Although both customer satisfaction and continual improvement are as important to medical
device manufacturers as to any other business today, these things are hard to measure and
tend to be somewhat subjective.
So, when it came time to adapt ISO 9001:2000 to the medical device industry, these potentially
subjective requirements were changed to meeting customer requirements and maintaining the
effectiveness of the QMS, which are more easily measurable.
The other major difference from ISO 9001 is that there are even more requirements for
documented procedures (because it is a regulatory standard).
ISO 13485 follows the process approach introduced in ISO 9001.
The process approach treats the QMS as a set of interrelated processes covering not only the
manufacture of a product or provision of a service, but also management processes and
support processes.
While it remains a stand-alone document, ISO 13485 is
generally harmonised with ISO 9001.
ISO 13485 is structured the same way as ISO 9001 and is in fact about 90% the same as this
general standard for quality management systems.
Other specific differences include:

- the promotion and awareness of regulatory requirements as a management responsibility
- controls in the work environment to ensure product safety
- focus on risk management activities and design control activities during product development
- specific requirements for inspection and traceability for implantable devices
- specific requirements for documentation and validation of processes for sterile medical
devices
- specific requirements for verification of the effectiveness of corrective and preventive actions
Compliance with ISO 13485 is often seen as the first step in achieving compliance with
European regulatory requirements.
The conformity of Medical Devices and In-vitro Diagnostic Medical Devices according to EEC-
decrees 93/42/EEC, 90/385/EEC and 98/79/EEC must be assessed before sale is permitted.
The preferred method to prove conformity is the certification of the Quality Management
System according to ISO 9001 and/or ISO 13485 and ISO 14971 by a Notified Body.
ISO 14971:2019

ISO 14971 is an ISO publication that represents the requirements for a risk management
system for medical devices.
This standard establishes the requirements for risk management to determine the safety of a
medical device by the manufacturer during the product life cycle.
In 2012, a European harmonised version of this was adopted by CEN as EN ISO 14971:2012.
This version is harmonised with respect to the three European Directives associated with
medical devices: Medical Devices Directive 93/42/EEC, In-vitro Diagnostic Medical Device
Directive 98/79/EC, and Active Implantable Medical Device Directive 90/385/EEC, through the
three 'Zed' Annexes (ZA, ZB & ZC).
The result of a positive assessment is the certificate of conformity allowing the CE mark and
the permission to sell the medical device in the European Union.
The ISO 13485 standard is organised in a similar way to that of ISO 9001:2008.
Sections 1 to 3 are introductory sections that describe the purpose and use of the standard,
followed by sections 4-8 that contain requirements that must be fulfilled in order to be
compliant with the standard.
ISO 13485 Section 4 gives the general requirements.
These include identifying specific processes and how they interact, and responsibility for
processes that are outsourced.
A quality manual, quality policy and objectives and the requirements for control of documents
and records and for outlining the company's document structure are given in Section 4.
Document control includes review and approval of documents before use, control of changes,
and making sure that current versions of controlled documents are available where needed for
use.
Requirements for control of records include maintaining their integrity and establishing
procedures for how long documents and records are maintained.
The management of a company must take an active part in the establishment and
maintenance of an ISO 13485 QMS. Section 5 requires management involvement at the level
of the person who makes policy and financial decisions.
This is usually either the CEO or the chief of operations. Establishing the quality policy and
objectives, support and oversight of the QMS and provision of resources are the direct
responsibility of upper management.
In addition, top management appoints a Management Representative, usually the most senior
quality manager, who has the day-to-day responsibility for the functioning of the QMS.
Upper management's commitment must also include quality planning and making sure that the
quality policy is understood at every level of the organisation.
Section 6 contains requirements for provision of resources. Management must assure
adequate facilities, including space, tools, and equipment, including computer systems.
The building environment must fit the devices being made, including where necessary, such
environments as clean rooms.
Buildings, tools and equipment must be maintained in order to produce devices meeting all
their requirements.
The QMS must have a process to ensure that all required maintenance activities are
performed.
Human resources are essential to quality medical devices. Therefore, the provision of an
adequate number of people that are competent, capable, and aware of their job responsibilities
is key.
It is not sufficient to train personnel and keep good training records, although that is important.
Management must first define job requirements, often in the quality manual and position
descriptions.
The QMS must then document that employees meet these requirements, or have had training
to fill in any gaps.
Ongoing employee awareness of QMS requirements, particularly related to documents and
record-keeping is the responsibility of management.
Employees must also have awareness of their job responsibilities, including their
responsibilities for product quality.
They must know the consequences to the product or to the people using the product, if they
fail to do their job properly.
The portion of the standard that most affects what people in the company do on a day-to-day
basis is Section 7, with the unusual name of "Product Realisation."
This covers much more than manufacturing.
It does in fact cover everything that is required to realise a product, from customer
requirements to creating (designing and manufacturing), installing and supporting a medical
device.
There is risk associated with everything that we do, but in making medical devices these can
include the risk to a person's life.
Therefore ISO 13485 requires that "The organisation shall establish documented requirements
for risk management throughout product realisation."
Risk management includes the following:
- Risk Assessment - identifying risks
- Risk Analysis - looking at severity and probability of all hazardous situations
- Risk Reduction - reduction, mitigation (labelling), elimination of risk as much as possible
This is such an important process that ISO 13485 requires that risk management be done
according to ISO 14971:2019, the international standard for medical device risk management.
Once there is a device design with established manufacturing processes, it is important to
make sure that the materials going into and used in making the device are correct.
ISO 13485 purchasing requirements cover purchasing from qualified suppliers, according to
pre-established specifications, and assuring that purchased product meets those
specifications.
Manufacturing or production processes must be controlled to assure that the manufactured
device meets all of its specifications.
This includes not only controlling the production processes, but control of how material and
devices are identified, stored and used.
Documented processes must cover receiving, warehouse, production, testing, shipping,
installation and servicing.
Some of these processes cannot or cannot economically be fully tested to assure that all
product specifications are met.
Processes that cannot or will not be fully verified must be validated to assure that they always
meet specifications, and once validated must be controlled and performed by trained
personnel.
The last section of ISO 13485 is the one that provides the feedback and other information that
allows management to maintain the effectiveness of the QMS and includes:
- Feedback including Customer Complaints and handling adverse events
- Internal audit
- Monitoring and measurement of processes
- Monitoring and measurement of product including nonconforming product
- Analysis of data
- Corrective and preventive action
A corrective action is one that fixes the root cause of a problem that has happened.
This is often confused with fixing a problem that exists.
Just fixing a problem is not sufficient.
Preventive action is a system that if used successfully will provide one of the largest financial
benefits of the QMS.
Preventive actions are taken to prevent nonconformities by fixing things that might go wrong.
For Corrective and Preventive Action, ISO 13485 states that:
a) for corrective, “the organisation shall take action to eliminate the causes of non-
conformities”
b) for preventive “the organisation shall determine action to eliminate the causes of potential
non-conformities”
Questions?
