2018
ISO 45001 published — 12 March 2018
ISO
2021
OHSAS 18001 migration period ended (extended for COVID)
IAF
2.93M
work-related deaths per year — ILO, 2019 data
ILO (published November 2023)
When ISO 45001:2018 was published on 12 March 2018, it replaced OHSAS 18001, the BSI-published specification that had served as the de facto global benchmark for occupational health and safety management for nearly two decades. The migration was not a minor housekeeping exercise. ISO 45001 brought a genuinely different philosophy: broader scope, deeper leadership requirements, mandatory worker participation, and a risk-and-opportunity lens rather than a hazard-only one.
The migration period, originally three years, was extended due to COVID-19 and closed in 2021, at which point OHSAS 18001 was formally withdrawn. Organizations now certified to ISO 45001:2018 are on the only active international standard for OH&S management systems. For candidates preparing for an ISTO Test of Understanding, understanding the delta between the two standards is consistently examinable. Auditors and practitioners must know not just what ISO 45001 requires, but why it requires it differently.
Why OHSAS 18001 was retired
OHSAS 18001 was a British Standards Institution (BSI) specification rather than an ISO standard. It had no formal ISO ownership, no single governance body, and its adoption, while widespread, was uneven. The specification lacked the Annex SL architecture that was becoming the backbone of all major management-system standards, making integrated management systems cumbersome to audit and maintain.
ISO technical committee ISO/PC 283 was formed to develop a true international standard. The result, ISO 45001:2018, aligned OH&S management with the same Harmonized Structure used by ISO 9001:2015 and ISO 14001:2015, bringing it into the integrated management ecosystem for the first time.
Annex SL structure and context of the organization
The most architecturally significant change is ISO 45001's adoption of the Annex SL high-level structure, the common clause numbering and terminology that runs across all major management-system standards. OHSAS 18001 had its own clause architecture; ISO 45001 replaces that with the standardized Sections 4–10 (Context → Leadership → Planning → Support → Operation → Performance evaluation → Improvement).
Within that structure, Clause 4 — Context of the organization is entirely new compared with OHSAS 18001. Organizations must now formally determine external and internal issues that affect the OH&S management system, identify interested parties and their requirements, and define the scope with those factors in mind. This context-first approach, borrowed directly from ISO 9001:2015, grounds the OH&S system in organizational reality rather than a generic checklist. Amendment 1:2024 subsequently added a requirement to determine whether climate change is a relevant issue in clause 4.1, a natural extension of this context-driven architecture.
| Topic | OHSAS 18001 | ISO 45001:2018 |
|---|---|---|
| Standard architecture | BSI specification with its own clause structure | Annex SL / Harmonized Structure — same as ISO 9001, ISO 14001, and other management-system standards |
| Context of the organization | Not present — no formal requirement to scan internal/external issues or define scope against context | Clause 4: formal requirement to determine relevant issues, interested parties, and define scope accordingly |
| Leadership | Management representative role — a designated individual responsible for the OH&S system | Clause 5: top management bears direct, non-delegable accountability; no management-representative escape hatch |
| Worker participation | Consultation and participation required, but less prescriptive | Clause 5.4: organizations shall establish, implement, and maintain processes for worker participation at all applicable levels; workers must be consulted, not just informed |
| Risk focus | Hazard identification and risk assessment — hazard-centric | Clause 6: risks AND opportunities — bidirectional lens; organizations must address both |
| Hierarchy of controls | Hierarchy (eliminate → substitute → engineer → administrate → PPE) present as guidance | Clause 8: hierarchy of controls is a 'shall' requirement — mandatory application, not advisory |
| Documented information | 'Documents' and 'records' as separate concepts | Harmonized 'documented information' — unifies documents and records under one framework |
| Procurement and change management | Less explicit on supply chain and management of change | Clause 8 addresses outsourcing, procurement, and management of change explicitly — new scope of control |
Leadership and worker participation
In OHSAS 18001, organizations could appoint a management representative, a designated individual responsible for the OH&S management system. That person acted as the bridge between top management and the system. ISO 45001 eliminates this escape route. Clause 5 requires top management to demonstrate direct, active commitment: taking accountability for the OH&S management system's effectiveness, ensuring it is integrated with business processes, and participating visibly in promoting the system.
Worker participation receives similarly upgraded treatment in Clause 5.4. The requirement is not simply to allow workers to participate. It is to establish, implement, and maintain processes that actively enable participation at all applicable levels. Workers must be consulted on hazard identification, risk assessment, determination of controls, and OH&S objectives. Workers' representatives must be consulted where they exist. This is a substantive shift in accountability: the organization cannot satisfy clause 5.4 by communicating decisions after the fact.
Risk and opportunity vs hazard-only
OHSAS 18001 was built around a hazard-identification-and-risk-assessment model, identifying what could go wrong and assessing the likelihood and severity. ISO 45001:2018 broadens this to require organizations to address both risks and opportunities (Clause 6). Opportunities might include implementing better engineering controls that reduce injury rates below regulatory minimums, or deploying worker-participation programmes that identify hazards earlier. The standard requires actions on both dimensions, with evaluation of their effectiveness.
This is more than a semantic change. An organization that only looks for hazards may miss the opportunity to fundamentally redesign a work process to eliminate them. The risks-and-opportunities framing encourages a proactive posture, looking for improvement possibilities, not just threats.
Hierarchy of controls, documented information, and procurement
Clause 8 — Operation brings three specific changes worth highlighting.
The hierarchy of controls (eliminate → substitute → engineering controls → administrative controls → personal protective equipment) was already well-established practice and appeared in OHSAS 18001 as guidance. ISO 45001 elevates it to a "shall" requirement. Organizations must demonstrate that when determining controls for OH&S hazards, they applied the hierarchy in priority order, with elimination of hazards as the primary objective, and PPE only as a last resort.
Documented information replaces OHSAS 18001's separate "documents" and "records" categories with a harmonized concept that aligns with ISO 9001 and ISO 14001. Organizations determine what documented information is needed to plan, operate, and maintain the OH&S management system, with flexibility on format and medium, but with clear control requirements for confidentiality, integrity, and access.
Procurement and outsourcing receive explicit attention. ISO 45001 requires organizations to coordinate with contractors and other external providers to manage OH&S risks in their operations. Where OHSAS 18001 was less prescriptive about supply-chain scope, ISO 45001 clarifies that the management-of-change process applies to planned changes (new processes, new equipment, organizational restructuring) and that outsourced functions that affect OH&S outcomes must be controlled.
The migration timeline
OHSAS 18001 → ISO 45001 migration milestones
12 Mar 2018
ISO 45001:2018 published
First international standard for OH&S management systems. OHSAS 18001 migration period begins
2020
Migration deadline extended
COVID-19 caused the IAF to extend the migration period beyond the original three-year window
2021
Migration period ended
OHSAS 18001 withdrawn; migration period extended into 2021
23 Feb 2024
Amd 1:2024 published
Climate-change context language added to clauses 4.1 and 4.2
The three-year migration window from March 2018 was originally set to close on 30 March 2021. Because COVID-19 disrupted certification audit schedules globally, the IAF extended the deadline by six months to 11 September 2021, at which point OHSAS 18001 was formally withdrawn. Organizations that had not migrated by that date lost the ability to hold a valid certification to an active OH&S standard.
For the ISO 45001 article on the 2024 climate-change amendment, see What's new in ISO 45001:2018/Amd 1:2024, which covers how Amendment 1:2024 added climate-context requirements to clauses 4.1 and 4.2, and why no separate transition period applies for amendments.
What this means for candidates
For candidates preparing for an ISTO Test of Understanding, the OHSAS 18001 to ISO 45001 migration is a conceptually rich area. Expect the test to probe:
- Why the Annex SL structure matters (integrated management; context-first)
- What clause 5.4 requires that OHSAS 18001 did not (active worker participation processes, not just consultation)
- The risks-and-opportunities distinction (clause 6) versus OHSAS 18001's hazard-only framing
- The mandatory status of the hierarchy of controls in clause 8
- The scope of outsourcing and procurement obligations
Understanding why each change was made, not just what changed, is what differentiates a genuine understanding of the standard from surface familiarity with its clause structure.