Back to Articles

ISO 45001 vs. OHSAS 18001: What Changed and Why It Still Matters

ISO 45001

By Trenton Steadman

7 min read|
ISO 45001 vs. OHSAS 18001: What Changed and Why It Still Matters

OHSAS 18001 was retired in 2021 but legacy thinking persists. Learn what actually changed in ISO 45001 and where it shows up as audit findings.

I hear it at least a few times a year. A client will mention that they have "some experience with the safety standard" and start referencing OHSAS 18001 as if it and ISO 45001 are interchangeable. "We did 18001 years ago, so we know what to expect." Then we start the Gap Analysis, and the assumptions start falling apart one by one.

OHSAS 18001 was officially retired in March 2021. Organizations that held certification had until then to transition to ISO 45001:2018. That deadline came and went years ago. But the legacy thinking is alive and well. I still work with manufacturers who either transitioned on paper without changing their approach, or who are coming to ISO 45001 fresh with OHSAS 18001 as their mental model for what a safety management system looks like. Both groups run into the same problems.

ISO 45001 isn't OHSAS 18001 with a new number. The differences are structural, and they show up as audit findings when companies don't recognize what actually changed.

The Structural Shift: High-Level Structure

The most visible change is that ISO 45001 follows the ISO High-Level Structure (Annex SL), the same clause framework as ISO 9001 and ISO 14001. If your organization already runs a Quality Management System or Environmental Management System, the structure will look familiar: Context, Leadership, Planning, Support, Operation, Performance Evaluation, and Improvement.

This matters practically because companies running multiple management systems can integrate them. Your Management Review, Internal Audit program, Document Control, and Corrective Action process can serve all three standards instead of running parallel systems. I've set this up with several clients who run ISO 9001 alongside 45001, and the efficiency gain is significant - one integrated Management Review covering quality, safety, and environmental topics instead of three separate meetings.

Leadership and Worker Participation: Where Legacy Thinking Breaks Down

OHSAS 18001 had "management responsibility." ISO 45001 has "leadership." That's not just a word change - it's a fundamental shift in expectation. Under the old standard, Top Management could delegate safety to a safety officer and satisfy the requirement by reviewing reports. ISO 45001 requires Top Management to demonstrate leadership and commitment personally. They need to be actively involved, not just informed.

The bigger addition is worker participation and consultation. Clause 5.4 explicitly requires that workers at all levels are consulted on OH&S matters and actively participate in specific elements of the management system. This includes:

  • Providing mechanisms, time, training, and resources for consultation and participation
  • Providing timely access to clear information about the OH&S management system
  • Identifying and removing obstacles or barriers to participation
  • Consulting non-managerial workers on OH&S policy, objectives, and planning

I was working with a manufacturing facility that had transitioned from OHSAS 18001. They had a safety committee, but it was essentially a management meeting where supervisors discussed safety topics. Shop floor workers weren't represented. Under OHSAS 18001, that was technically acceptable. Under ISO 45001, it's a Gap. We restructured their approach to include operator representatives and built a process where safety concerns raised on the floor had a documented path to the committee agenda and back. That kind of structural participation is what the standard expects - and it's exactly what companies with an OHSAS mindset tend to miss.

Risk-Based Thinking Replaces Hazard-Only Focus

OHSAS 18001 centered on hazard identification, risk assessment, and determining controls. ISO 45001 keeps all of that but wraps it in a broader risk-based thinking framework. You still identify hazards and assess OH&S risks under Clause 6.1.2. But you also need to address risks and opportunities related to the management system itself, including external and internal issues, interested parties, and your scope.

In practical terms, this means thinking beyond "what can hurt someone on the shop floor." A company going through rapid growth with lots of new hires has an organizational risk - new workers are statistically more likely to be injured. That's not a hazard you'd find on a Job Hazard Analysis, but it's a risk that ISO 45001 expects you to identify and address through planning. Companies still operating with OHSAS thinking tend to keep their risk assessment narrowly focused on physical hazards and miss these system-level risks entirely.

Context and Interested Parties: The New Requirements

OHSAS 18001 didn't require organizations to analyze their context or identify interested parties. ISO 45001 does. Clause 4.1 requires understanding the external and internal issues that affect your ability to achieve the intended outcomes of the OH&S management system. Clause 4.2 requires identifying the needs and expectations of workers and other interested parties.

For most manufacturers, this means documenting regulatory requirements (OSHA, state programs), customer safety expectations (especially in construction or oil and gas where clients audit your safety program), insurance requirements, and internal factors like workforce demographics and organizational changes. Companies that held OHSAS 18001 often have nothing in this area because the old standard simply didn't ask for it. It's one of the most common gaps I find.

The Hierarchy of Controls Gets Explicit

Both standards address controlling OH&S risks, but ISO 45001 explicitly requires using the Hierarchy of Controls (Clause 8.1.2): elimination, substitution, engineering controls, administrative controls, and PPE - in that order. OHSAS 18001 referenced the hierarchy but didn't mandate it as explicitly.

This matters because many manufacturers default to PPE and administrative controls as their primary risk response. An auditor reviewing your ISO 45001 system wants to see evidence that you considered higher-order controls first. When you identify a noise hazard, did you evaluate whether the source could be eliminated or enclosed before issuing ear plugs? The answer might still be PPE, but you need to show you worked through the hierarchy.

What Carries Forward

Not everything changed. The core elements of a functioning safety management system carry over:

  • Hazard identification and risk assessment remain central
  • Legal and regulatory compliance requirements remain
  • Emergency preparedness and response is still required
  • Incident investigation and Corrective Action processes stay
  • Internal Audits and Management Reviews are still required
  • Competence, training, and awareness obligations continue

If you had a solid OHSAS 18001 system, a good portion carries forward. The foundation is the same - the difference is in how leadership engages, how workers participate, and how the system connects to broader organizational context and risk thinking.

Where Legacy Thinking Shows Up in Audits

If you're operating with an OHSAS mindset - whether you formally transitioned or are approaching ISO 45001 with 18001 as your reference point - here are the areas most likely to generate findings:

Worker participation evidence. "We have a safety committee" isn't enough if the committee is all managers. The auditor will ask how non-managerial workers are consulted and how they participate in hazard identification and risk assessment specifically.

Top Management involvement. The auditor may interview Top Management directly. They need to demonstrate personal commitment to OH&S, not just awareness that a safety program exists. What resources have they allocated? What safety decisions have they personally made?

Context and interested parties documentation. If you don't have a documented understanding of your organizational context and the needs of your interested parties as they relate to OH&S, that's a gap. OHSAS 18001 didn't require it. ISO 45001 does.

Hierarchy of Controls evidence. If your hazard assessments jump straight to PPE without considering elimination, substitution, or engineering controls, expect questions.

If you're transitioning your safety management system to ISO 45001 or preparing for a Certification Audit with OHSAS 18001 as your starting point, we offer a free initial consultation to help you figure out where you stand.

Share this article:

LinkedInX-AppFacebook

Related Articles

iso-img
Near Miss Reporting Under ISO 45001: Building a System People Actually Use

Learn how to build near miss reporting systems that workers actually use. Practical guidance for ISO 45001 implementation with real-world examples and proven strategies....

iso-img
Contractor Safety Management Under ISO 45001

Learn how to implement effective contractor safety management under ISO 45001. Covers pre-qualification, on-site controls, communication, and practical implementation strategies....

iso-img
ISO 45001 Training Requirements: What the Standard Actually Says

Complete guide to ISO 45001 training requirements covering competence vs awareness, training matrices, and practical implementation strategies for occupational health and safety management systems....

Contact

Free initial consultation.

Phone

+1 833 I-GET-ISO+1 833 443 8476

Business Hours

Monday - Friday: 9:00 AM - 6:00 PM
Saturday: 10:00 AM - 2:00 PM
Sunday: Closed
(Central Time, UTC-6)