ISO 45001 is a standard for the management of occupational health and safety; here we provide an overview of the ISO 45001 clauses and requirements, a list of the required documentation, and an explanation of main concepts such as the context of the organization within ISO 45001. It is nowadays essential that organisations implement a system to protect and manage the safety of the working environment, including the safety of the workers. This is valid for any type of organisation and for any type of business.

Among the greatest benefits of implementing a management system for safety and occupational health is the enhancement of the company’s public image that comes with being ISO 45001 certified. In fact, ISO 45001 certification demonstrates that the organization is among those businesses that care for their employees’ health and safety.

In this article, we will explore ISO 45001: the history of its development, the structure of the standard, and the main clauses and requirements. We will also provide suggestions for its implementation, especially in the framework of a management system integrated with other ISO management system standards (for example ISO 9001).

Brief summary of the contents of the article:

  • History of ISO 45001 and the previous OHSAS 18001
  • The structure of ISO 45001 and PDCA approach
  • Section 4: Context of the organization
  • Section 5: Leadership and Worker Participation
  • Section 6: Planning
  • Section 7: Support
  • Section 8: Operations
  • Section 9: Performance Evaluation
  • Section 10: Improvements
  • List of Mandatory Documents according to ISO 45001
  • List of Mandatory Records according to ISO 45001

History of ISO 45001 and the previous OHSAS 18001

ISO 45001 was published in 2018 after a standard development process which began in 2013. Originally, the requirements for occupational health and safety were described in the so-called OHSAS 18001, which was released by British Standards Institute in 2007. Although this standard has been used worldwide by many different organizations for the implementation of an Occupational Health and Safety Management System, it did not have the worldwide recognition that an ISO standard usually has. This is the reason why the ISO committee proposed the development of a new standard (ISO 45001) using the common format of all ISO management system standards, which includes 10 clauses and follows the plan-do-check-act cycle.

The Structure of ISO 45001 and the PDCA cycle

ISO 45001 follows the High Level Structure of other ISO management system standards such as ISO 13485 or ISO 27001. The High Level Structure provides a common clause sequence (structure), text, terms and definitions for all the management system standards, facilitating the implementation of multiple (integrated) management systems within the same organisation.

ISO 45001 defines a set of processes, policies and requirements in order to minimise risks related to occupational health and safety within an organization. The standard provides a guideline for the implementation of an Occupational Health and Safety Management System, which is the tool used by the organization to reduce and keep under control any risks related to safety and health.

The standard is based on the so-called PDCA cycle (Plan – Do – Check – Act), which can be summarised as shown below:

[Figure: the PDCA cycle in ISO 45001]

The PDCA approach for the ISO 45001 standard can be further explained in this way:

  • The Plan phase mainly consists of identifying the OH&S risks and determining the related objectives needed to meet the OH&S policy.
  • The Do phase is the implementation of the processes as defined in the Plan phase.
  • The Check phase consists of monitoring the implemented processes and reporting the results.
  • Finally, the Act phase corresponds to the improvement part, which is essential to constantly meet the planned objectives.

In the next sections, we will go through the main clauses of ISO 45001 and understand the most important requirements to be met in order to implement and maintain an OH&S management system.

Section 4: Context of the Organization

Section 4 concerns the full understanding of the context of the organization, which is the starting point for the implementation of the requirements of any management system.

The organization shall identify all the internal and external factors which could affect the health and safety management system. Moreover, the scope of the OH&S management system shall be defined and documented; to perform this activity, the organization shall fully understand the needs and expectations of the workers and of all the other relevant parties which could have an impact on the OH&S management system.

The ISO 45001 context of the organization is a key factor for an OH&S management system, and the organization should make every effort to identify it properly.

Section 5: Leadership and Worker Participation

Leadership and top management commitment are of fundamental importance in order to implement and maintain an efficient Occupational Health and Safety Management System. In the framework of ISO 45001, top management is responsible for the prevention of work-related injury and ill health as well as the provision of safe and healthy workplaces.

Top management shall ensure that a process for consultation of the workers is established and maintained. The organization, moreover, shall establish an OH&S policy which shall cover specific requirements:

[Figure: ISO 45001 OH&S policy]

Responsibilities and authorities in the framework of the OH&S management system shall be defined and documented.

Moreover, great attention is given to the requirements for consultation and participation of the workers in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system; emphasis is given to consultation and participation of non-managerial workers. This point is considered critical for a successful OH&S management system able to meet its specific objectives.

Section 6: Planning

The planning phase (clause 6 of ISO 45001) consists of multiple steps, which are summarized below.

The first step is the identification of hazards and the assessment of the risks and opportunities that must be addressed to ensure that the OH&S management system is efficient, to prevent or reduce undesired effects, and to achieve continual improvement.

For hazard identification, multiple factors shall be taken into consideration, such as how the work is organised, the type of activities performed (routine and non-routine activities), emergency situations, and people, including those who are not within the organization but who could be affected by the activities of the organization in relation to health and safety.

A process for the assessment of risks and opportunities shall be implemented, with the goal to:

  • reduce as far as possible the risks related to the identified hazards
  • assess and reduce other risks related to the implementation, operation and maintenance of the OH&S management system.

The same concept is valid for the opportunities as well, which shall be assessed in order to enhance the performance of the occupational health and safety management system.

Finally, it is of fundamental importance that the organization is able to identify the legal requirements and other applicable requirements; these requirements, if they are deemed to be applicable, shall be taken into consideration while developing, implementing and maintaining an OH&S management system.

A plan for how the organization is going to address these risks and opportunities, and address legal requirements and other requirements, shall be documented. Moreover, the plan shall include the modalities used by the organization to respond to emergency situations.

Section 7: Support

This clause starts with a requirement that organizations shall determine and provide the necessary resources for the OH&S management system. The word “Resources” is used in a very broad sense and includes human resources, natural resources, infrastructure and financial resources.

The support clause is split into different categories, which can be summarised in the scheme below:

Section 8: Operations

This section is mainly related to the implementation of the activities planned as per Section 6 of the standard, both in terms of processes for the OH&S management system and in terms of eliminating the identified hazards and reducing the occupational health and safety risks.

However, one of the most important concepts of this clause is the management of changes, as changes in the organization are identified as potential sources of risks and hazardous situations. A process for the implementation and control of planned temporary and permanent changes that impact OH&S performance shall be maintained. Different types of changes are envisioned, such as:

  • new products, services and processes or changes on existing products, services and processes
  • changes to legal requirements or other applicable requirements
  • changes in knowledge or information about hazards and OH&S risks and
  • developments in knowledge and technology.

Clause 8.1.4, related to procurement, recognises that the risks related to the supply chain are most effectively managed when they are taken into account at the very first stages of procurement. This also includes the management of outsourced activities, which shall be identified to make sure they are compliant with legal requirements.

Section 9: Performance Evaluation

The evaluation of the performance of the OH&S management system corresponds to the “Check” phase of the PDCA cycle and is defined in clause 9 of ISO 45001. The organization shall evaluate the OH&S performance and determine the effectiveness of the OH&S management system; this can be performed by using specific measurable objectives or KPIs that are constantly monitored to evaluate whether ISO 45001 requirements are met.

Moreover, the monitoring of the OH&S management system is also performed using two standard methods which are typical for any management system:

  • internal audits
  • management review

Both internal audits and management review are standard tools for any management system, thus no further specific ISO 45001 requirements are introduced.

Section 10: Improvements

Clause 10 of ISO 45001 is related to improvements, mainly explaining how to deal with the management of incidents, non-conformities and corrective actions. An investigation shall be performed and the source of incidents or non-conformities shall be eliminated in a timely manner. Risks shall be reviewed to make sure they are updated after the issue occurred. As for any management system, corrective actions shall be appropriate to the effects or potential effects of the incidents or nonconformities encountered.

List of Mandatory Documents according to ISO 45001

The following is the list of documents needed to demonstrate compliance with ISO 45001:

  • Scope of the OH&S management system (clause 4.3)
  • OH&S policy (clause 5.2)
  • Responsibilities and authorities within OH&SMS (clause 5.3)
  • OH&S process for addressing risks and opportunities (clause 6.1.1)
  • Methodology and criteria for assessment of OH&S risks (clause 6.1.2.2), similarly to the approach used for medical devices
  • OH&S objectives and plans for achieving them (clause 6.2.2)
  • Emergency preparedness and response process (clause 8.2)

List of Mandatory Records according to ISO 45001

Records are also needed to demonstrate compliance with ISO 45001 as per the context of the organization. The requested records are listed below, along with the specific applicable clause of the standard:

  • OH&S risks and opportunities and actions for addressing them (clause 6.1.1)
  • Legal and other requirements (clause 6.1.3)
  • Evidence of competence (clause 7.2)
  • Evidence of communications (clause 7.4.1)
  • Plans for responding to potential emergency situations (clause 8.2)
  • Results on monitoring, measurements, analysis and performance evaluation (clause 9.1.1)
  • Maintenance, calibration or verification of monitoring equipment (clause 9.1.1)
  • Compliance evaluation results (clause 9.1.2)
  • Internal audit program (clause 9.2.2)
  • Internal audit report (clause 9.2.2)
  • Results of management review (clause 9.3)
  • Nature of incidents or nonconformities and any subsequent action taken (clause 10.2)
  • Results of any action and corrective action, including their effectiveness (clause 10.2)
  • Evidence of the results of continual improvement (clause 10.3)

Other non-mandatory documents

There are documents that are not mandatory under ISO 45001 but which are nevertheless the core of any management system. If the OH&S management system is integrated with another management system (a quality or environmental management system, for example), these documents should already exist within the organization and should just be adapted to make them suitable and applicable to the requirements of ISO 45001.

Do not forget that this documentation shall always be adapted to the context of the organization within the ISO 45001 management system or any other type of management system implemented in the company.

  • Procedure for Determining Context of the Organization and Interested Parties (clause 4.1)
  • OH&S Manual (clause 4), similar to the quality manual
  • Procedure for Consultation and Participation of Workers (clause 5.4)
  • Procedure for Hazard Identification and Assessment (clause 6.1.2.1)
  • Procedure for Identification of Legal Requirements (clause 6.1.3)
  • Procedure for Communication (clause 7.4.1)
  • Procedure for Document and Record Control (clause 7.5)
  • Procedure for Operational Planning and Control (clause 8.1)
  • Procedure for Change Management (clause 8.1.3)
  • Procedure for Monitoring, Measuring and Analysis (clause 9.1.1)
  • Procedure for Compliance Evaluation (clause 9.1.2)
  • Procedure for Internal Audit (clause 9.2)
  • Procedure for Management Review (clause 9.3)
  • Procedure for Incident Investigation (clause 10.1)
  • Procedure for Management of Nonconformities and Corrective Actions (clause 10.1)
  • Procedure for Continual Improvement (clause 10.3)
