ISO 45001: What the Standard Requires and How Sites Meet It

Avatar photo

Karol Dabrowski

ISO 45001 is the international standard for occupational health and safety management systems. It sets out what an organisation has to do to identify hazards, control risk, and prevent harm to everyone who works on its sites, including employees, contractors, and visitors. It was published by the International Organization for Standardization and applies to any organisation, of any size, in any sector.

The standard describes what a health and safety management system has to achieve. The method is left to the organisation. That distinction matters more than it first appears, because it means two certified sites can run their safety systems in completely different ways and both be compliant. What they share is the underlying logic: understand the risk, put controls in place, check that the controls work, and improve them when they fall short.

Where ISO 45001 Came From

For most of the two decades before ISO 45001 existed, the reference point for health and safety management was OHSAS 18001, first published in 1999 by a group of national standards bodies and certification houses. It was widely adopted and reasonably well respected. It was also never a true ISO standard, which limited how neatly it could sit alongside the quality and environmental systems most manufacturers were already running.

Work on a proper international standard began in 2013. ISO 45001 was published in March 2018, after a drafting process that ran longer than planned and drew comment from more than seventy countries. Organisations holding OHSAS 18001 certification were given a transition period to migrate, and that window closed in 2021. OHSAS 18001 is now withdrawn.

What Changed in the Move from OHSAS 18001

Three shifts are worth understanding, because they explain why ISO 45001 feels different to live with.

The first is context. ISO 45001 asks an organisation to look outward at the conditions it operates in: regulators, supply chain, community, workforce demographics, and anything else that shapes safety performance. The second is leadership. Responsibility for the safety management system sits with top management and cannot be delegated to an EHS function. The third is worker participation. The standard is explicit that workers at all levels must be consulted on hazards, controls, and the design of the system itself, and that barriers to their participation must be removed.

Taken together, these moved health and safety out of the safety office and into the way the site is run every day.

How the Standard Is Structured

ISO 45001 follows the harmonised structure that ISO uses across its management system standards, which is why it maps cleanly onto ISO 9001 for quality and ISO 14001 for environment. Clauses one to three cover scope, references, and definitions. The requirements sit in clauses four to ten.

Clause four covers the context of the organisation and the needs of interested parties. Clause five covers leadership, policy, roles, and worker consultation. Clause six covers planning, which is where hazard identification, risk assessment, legal requirements, and safety objectives live. Clause seven covers support: competence, awareness, communication, and documented information. Clause eight covers operation, including operational controls, management of change, procurement and contractors, and emergency preparedness. Clause nine covers performance evaluation through monitoring, internal audit, and management review. Clause ten covers improvement, including incident investigation, corrective action, and continual improvement.

The whole thing runs on the PDCA cycle. Clauses six and seven plan, clause eight does, clause nine checks, and clause ten acts.

The Hierarchy of Controls

One requirement inside clause eight tends to shape day to day EHS work more than any other. When a hazard has been identified, the standard requires controls to be applied in a set order of preference: eliminate the hazard first, then substitute it for something less hazardous, then apply engineering controls and reorganise the work, then apply administrative controls such as procedures and training, and only then rely on personal protective equipment.

Auditors look for evidence that this order was genuinely followed. A risk assessment that jumps straight to PPE and training, without any record of whether elimination or engineering controls were considered, is a common finding.

How a Site Adopts ISO 45001

The sequence below is roughly what implementation looks like from the first meeting to a certificate on the wall, and it usually takes somewhere between nine and eighteen months depending on where the site is starting from.

Gap Analysis and Scope

Work begins by defining which sites, activities, and workers the system will cover, then comparing what already exists against what the standard requires. Most manufacturing sites discover they are already doing perhaps sixty per cent of the work, and that the gaps are in evidence, consultation records, and management review rather than in the safety controls themselves.

Building the System

Next comes the policy, the hazard identification and risk assessment method, the register of legal and other requirements, the objectives, and the operational controls. This is also when responsibilities are assigned and competence requirements are set. The temptation at this stage is to write a large volume of documentation and call it a management system. Documentation on its own certifies nothing.

Internal Audit and Management Review

Before any certification body arrives, the organisation has to audit itself against the standard and hold a formal management review covering performance, incidents, audit findings, and the status of objectives. Internal audit maturity is usually the clearest signal of whether a site is ready.

Certification and the Three Year Cycle

Certification runs in two stages. The first checks that the system exists and is documented. The second tests whether it is working in practice, which means talking to operators, watching work happen, and tracing incidents through to closure. Certificates last three years, with surveillance audits each year and a full recertification at the end. Certification itself is voluntary, and plenty of organisations conform to the standard without being certified to it.

What ISO 45001 Means for Daily EHS Operations

This is where the standard stops being a document and starts being a way of working.

Hazard and near miss reporting has to be routine, quick, and visible, because clause ten expects incidents to be investigated for cause rather than logged and forgotten. That is why root cause analysis sits at the centre of a working safety system: an investigation that ends at operator error has not found a cause, and it will produce the same incident again.

Worker participation has to leave a trace. Safety concerns raised at a shift huddle, discussed at tier meetings, and escalated to site leadership are exactly the evidence the standard asks for, provided somebody recorded them. A gemba walk checklist does similar work, turning an observation on the floor into an action with an owner and a date.

Risk has to move between shifts. Where a partially completed job, a defeated interlock, or an unresolved hazard is passed on verbally at changeover, the control depends entirely on who is standing there. Handover is one of the points where safe operations are most often lost, and a structured handover record makes that transfer of risk auditable.

Frontline visibility has to be built in. Workers cannot report what they have no route to report, and clause five requires the barriers to participation to be removed rather than described. Connected worker safety is the practical version of that clause: a hazard raised from the floor, seen by a supervisor within minutes, and owned before the shift ends.

Evidence has to exist before the auditor asks for it. Sites that spend the fortnight before a surveillance audit reconstructing records from emails, spreadsheets, and paper folders are not failing at safety. They are failing at proof, and under ISO 45001 the two are hard to separate. Understanding where audit risk accumulates matters here, because audit dashboards that show open findings, overdue actions, and closure rates in real time turn that fortnight into an afternoon.

Where the Standard Usually Breaks Down

The common failure is a safety management system that lives beside the operation instead of inside it. Actions are tracked in one place, production is discussed in another, and safety appears as the first slide of a meeting that is really about output. Nothing in ISO 45001 asks for this separation. It asks for the opposite.

Bring EHS Into the Daily Routine

EviView is a digital daily management system built for regulated manufacturing, where hazard reports, safety actions, audit findings, and root cause investigations are captured on the floor and tracked through tier boards and audit dashboards until they close. It gives EHS teams the evidence trail ISO 45001 expects, without the scramble before every audit, and it does for safety what EHS software does for pharma compliance: it puts the record where the work happens.

To see how daily management can carry health and safety alongside quality, delivery, and cost, book a demo with the EviView team, and reach out with the specifics of your site so the conversation starts where your gaps actually are.

Written By:

Karol Dabrowksi, CEO

Karol Dąbrowski is the CEO of EviView, a digital daily management system used by leading manufacturing companies to improve efficiency, reduce downtime, and optimise production performance. With a strong background in manufacturing operations, Karol is focused on solving real-world shop floor challenges by enabling teams to turn operational data into actionable insights and unlock hidden capacity across their facilities.

Share this blog post:

Table of content

Subscribe to Our
Newsletter

Get monthly updates to know how you can improve process performance and drive efficiency within your existing organisation.