ISO 45001 is the international standard for occupational health and safety management systems. Published in March 2018, it replaced OHSAS 18001 and gives an organization a certifiable framework to identify hazards, control risks, involve workers, and prevent injury and ill health, built on the same clause structure as ISO 9001.
The shift from OHSAS 18001 to ISO 45001 was more than a renumbering. It moved workplace safety from a bolt-on program the safety officer owned into a management system top leadership is accountable for, aligned clause-for-clause with quality and environmental standards so the three can run as one. The migration deadline for organizations holding OHSAS 18001 certificates was originally March 2021, later extended to September 2021 because of the pandemic; OHSAS 18001 has since been withdrawn. This guide covers what ISO 45001 requires, how it differs from the standard it replaced, the hierarchy of controls at its core, and how it fits alongside the OSHA compliance that is already the law on a U.S. floor.
What does ISO 45001 require?
It requires a managed system for occupational health and safety: understand your context and risks, commit leadership, involve workers, identify hazards proactively, control them by a defined hierarchy, prepare for emergencies, and improve continually. Those requirements sit in clauses 4 through 10, the Annex SL high-level structure shared across modern ISO management standards.
Two clauses carry the intent. Clause 5 puts occupational health and safety on top leadership, and it goes further than any prior safety standard on the participation of workers, including non-managerial workers, in the decisions that affect their safety. Clause 6.1.2 requires ongoing, proactive hazard identification that considers routine and non-routine activities, human factors, how work is actually organized, past incidents, emergency situations, and everyone with access to the workplace, employees, contractors, and visitors. The rest of the structure is familiar from any management system: competence and awareness under support, operational controls and emergency preparedness under operation, monitoring and internal audit under performance evaluation, and corrective action and continual improvement to close the loop.
How is ISO 45001 different from OHSAS 18001?
ISO 45001 is a true ISO management-system standard; OHSAS 18001 was a British-origin specification with a narrower, more reactive scope. The three big changes are leadership accountability, the participation of workers, and risk-based thinking about the organization's context, not just hazard control at the task level.
Under OHSAS 18001, safety could live in a binder the safety manager maintained. ISO 45001 makes that impossible: leadership has to demonstrate commitment, the system has to be integrated into the business, and workers at every level have to be consulted and able to participate. It also broadens the lens from "what could hurt someone at this task" to "what in our context, our supply chain, and the way we organize work creates risk", including issues like workload and working hours that OHSAS 18001 largely ignored. Because ISO 45001 shares the Annex SL structure, an organization already certified to ISO 9001 can integrate safety into the same document control, internal audit, and management review rather than running a parallel system.
What is the hierarchy of controls?
The hierarchy of controls is the ranked order in which ISO 45001 requires you to reduce risk: eliminate the hazard first, and fall back to less reliable controls only when you cannot. Personal protective equipment is the last resort, not the first move.
The hierarchy is why "we'll add it to the PPE requirements" is usually the weakest answer to a hazard. A machine guard (engineering) protects everyone who walks up to the machine; a rule to wear gloves (administrative and PPE) protects only the people who remember, every shift, forever. This is the same logic behind machine guarding and lockout/tagout and it is the standard your hazard reviews are supposed to apply every time they find something. A good job safety analysis does not stop at "workers should be careful"; it walks the hierarchy and picks the highest control that is practical.
How do you implement ISO 45001?
Certification follows the same arc as any ISO management system, but the content is safety. A workable sequence:
- Secure leadership commitment and set the scope. Clause 5 is not optional. Define which sites, activities, and workers the system covers, and get top management visibly accountable, auditors will test this directly.
- Understand context and legal requirements. Identify the internal and external issues, interested parties, and the OSHA and other legal obligations that already apply to you. ISO 45001 sits on top of the law; it does not replace it.
- Build participation in. Set up how non-managerial workers are consulted and can participate, safety committees, hazard reporting, review of procedures. This is a defining requirement, not a nice-to-have.
- Identify hazards and assess risk. Run clause 6.1.2 for real: routine and non-routine work, human factors, past incidents, emergencies, contractors, and visitors. Feed near-miss and incident data in through near-miss reporting.
- Apply the hierarchy of controls. For each significant risk, choose the highest practical control, from elimination down to PPE, and document why.
- Operate, monitor, and audit. Run operational controls and emergency preparedness, track leading and lagging indicators, and audit the system, a workplace safety audit program, built on the same ISO 19011 auditing guidance used for quality, keeps it honest between certification visits.
- Review and improve. Management review and corrective action close the loop, and incidents drive investigation rather than blame. Then a certification body runs a Stage 1 and Stage 2 audit to grant the certificate.
What should you measure under ISO 45001?
Clause 9 requires you to monitor and measure health and safety performance, and the standard's proactive intent pushes you toward leading indicators, not just the lagging ones you count after an injury. A safety program that only tracks recordable injuries is driving by the rear-view mirror; by the time the number moves, someone is already hurt.
The practical move is to build a small set of leading indicators the safety committee reviews on a regular cadence, hazards controlled, near-misses closed, overdue safety actions, alongside the lagging TRIR you have to report. That balance is exactly what clause 9 is asking for, and it is what turns a certificate on the wall into a program that actually reduces injuries.
Sources for ISO 45001
- ISO 45001:2018, Occupational health and safety management systems, Requirements with guidance for use is published and maintained by the International Organization for Standardization (ISO 45001:2018, standard 63787).
- ISO 45001 was published in March 2018 and replaced OHSAS 18001, which has been withdrawn; the migration period for existing certificates was extended to September 2021 (ISO, migration to ISO 45001).
- The 2023 ISO Survey reported roughly 185,000 valid ISO 45001 certificates worldwide, making it one of the fastest-growing management-system standards (ISO Survey).
- In the United States, ISO 45001 sits alongside, and does not replace, the legal requirements enforced by the Occupational Safety and Health Administration (OSHA).
How does ISO 45001 fit with OSHA compliance?
They are not the same thing and you need both. OSHA sets legal minimums enforced by inspection and citation; ISO 45001 is a voluntary management-system standard that helps you meet those minimums and go beyond them systematically. A plant can be OSHA-compliant on paper and still lack the proactive hazard identification, worker participation, and continual improvement that ISO 45001 requires. Conversely, ISO 45001 certification is not a shield against an OSHA citation, the law still applies.
What ISO 45001 adds is discipline: a repeatable way to find hazards before they hurt someone, involve the people closest to the work, and prove the system is improving. That last part depends on data, leading indicators like near-misses closed and hazards controlled, not just the lagging TRIR you report after someone is already hurt. Safety records that live on clipboards make continual improvement nearly impossible, because nobody can trend what they cannot search. Harmony captures near-misses, hazard reports, and safety checks as structured, timestamped data on the same floor system as your QMS and downtime, so a safety committee can see patterns instead of paper, the same discipline that keeps a lean operation improving applied to keeping people safe. See how the modules fit together. The standard tells you to identify hazards and improve continually; good data is what makes both actually happen.