The systematic identification of workplace hazards and assessment of OH&S risks is the foundation of every effective safety management system. Learn what Clause 6.1.2 requires and how to build a hazard identification process that protects your workers and satisfies auditors.
Every workplace injury, illness, and fatality traces back to a hazard that was either unidentified or inadequately controlled. Hazard identification is not a compliance checkbox — it is the single most critical activity in your entire occupational health and safety management system.
ISO 45001 Clause 6.1.2 requires organizations to establish, implement, and maintain a proactive, ongoing process for hazard identification. This is fundamentally different from the reactive approach many organizations take, where hazards are only documented after an incident occurs. The standard demands that you look for hazards before they cause harm.
Done well, hazard identification feeds directly into your risk assessment, which determines your operational controls (Clause 8.1), your emergency preparedness (Clause 8.2), your monitoring and measurement activities (Clause 9.1), and ultimately your organization's safety performance. Get this step wrong, and the entire management system is built on an incomplete foundation.
Key Principle
Hazard identification under ISO 45001 is not a one-time exercise. It must be continuous — triggered by changes, incidents, new information, and regular scheduled reviews. Organizations that treat it as an annual paperwork exercise consistently underperform on safety outcomes.
ISO 45001 Clause 6.1.2.1 specifies that your hazard identification process must consider — at minimum — all of the following factors.
Consider hazards from everyday work tasks as well as infrequent activities like maintenance shutdowns, seasonal operations, or one-off projects that may introduce unfamiliar risks.
Identify hazards that arise during emergency scenarios — fires, chemical spills, natural disasters, medical emergencies, active threats — and the risks associated with emergency response activities themselves.
Account for worker behavior, cognitive limitations, fatigue, stress, physical capabilities, training gaps, and the potential for human error. This includes how work is actually performed versus how it is documented.
Evaluate hazards introduced by new equipment, processes, raw materials, work procedures, facility modifications, or changes in staffing levels. Management of change is essential to keeping your hazard register current.
Review incident investigation findings, near-miss reports, first aid records, and workers' compensation data to identify hazards that have already demonstrated the potential to cause harm.
Consider the safety implications of restructuring, acquisitions, new product lines, workforce changes, shift pattern modifications, or introduction of contract workers with different training backgrounds.
Leverage existing knowledge — Safety Data Sheets, industry best practices, published research, equipment manuals, and the practical experience of workers — to identify hazards and determine effective controls.
Workers who perform the tasks every day have the deepest understanding of actual workplace hazards. Clause 5.4 requires their participation in hazard identification — this is not optional under ISO 45001.
ISO 45001 does not prescribe specific methods — it requires organizations to choose methods appropriate to their context. These are the most effective techniques used across industries.
Break each job into individual steps, identify hazards at each step, and determine controls. The gold standard for task-specific hazard identification.
Scheduled and unscheduled physical inspections using standardized checklists. Walk the floor, observe work as it actually happens, and document findings.
Analyze every incident and near miss to identify root causes and previously unrecognized hazards. Near misses are free lessons — they reveal hazards without the injury.
Create easy, non-punitive channels for workers to report hazards. Suggestion boxes, digital reporting tools, safety committees, and toolbox talks all contribute.
Systematic evaluation of processes that handle hazardous materials or energy. Includes HAZOP studies, What-If analysis, Fault Tree Analysis, and Bow-Tie methods.
Evaluate worker exposure to chemical hazards through air monitoring, biological monitoring, and review of Safety Data Sheets. Compare results to OSHA PELs and ACGIH TLVs.
Evaluate workstation design, manual handling tasks, repetitive motions, and physical demands. Use tools like RULA, REBA, and the NIOSH Lifting Equation to quantify ergonomic risk.
Evaluate machinery and equipment for mechanical, electrical, hydraulic, and pneumatic hazards. Include pre-use inspections, preventive maintenance programs, and lockout/tagout procedures.
Once hazards are identified, Clause 6.1.2.2 requires you to assess the associated OH&S risks using a defined methodology. The goal: determine which hazards need immediate action and which controls are appropriate.
The most widely used method for risk assessment. Each identified hazard is evaluated based on how severe the potential outcome would be and how likely it is to occur.
| Severity → Likelihood ↓ |
Negligible | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | Critical | Critical | Critical |
| Likely | Low | Medium | High | Critical | Critical |
| Possible | Low | Medium | Medium | High | Critical |
| Unlikely | Negligible | Low | Medium | Medium | High |
| Rare | Negligible | Negligible | Low | Medium | Medium |
Apply the severity x likelihood matrix to each identified hazard. This produces a risk score that determines the urgency and priority of control measures. Critical and high risks require immediate action before work continues.
Assess the effectiveness of current controls already in place. Are they functioning as intended? Are workers actually using them? Document both the control and its verified effectiveness.
Apply the hierarchy of controls to select appropriate risk reduction measures. Always start at the top of the hierarchy (elimination) and work downward. Multiple controls may be needed for a single hazard.
After implementing controls, reassess the risk level. This residual risk must be documented and accepted by management. If residual risk remains unacceptable, additional controls are required.
Record all findings in the hazard register as documented information per Clause 7.5. Communicate risks and controls to affected workers. Keep records for audit readiness and continual improvement.
ISO 45001 requires organizations to plan and implement controls following a defined hierarchy — from most effective (elimination) to least effective (PPE). Always start at the top.
Physically remove the hazard entirely. Stop using a hazardous chemical, automate a dangerous manual task, eliminate work at heights by redesigning the process. When elimination is feasible, it provides 100% risk reduction for that hazard.
Replace the hazard with a less hazardous alternative. Substitute a toxic solvent with a water-based cleaner, replace a loud pneumatic tool with a quieter electric version, or use pre-fabricated components to reduce on-site cutting and welding.
Isolate people from the hazard through physical means. Install machine guards, local exhaust ventilation, safety interlocks, fall protection systems, noise barriers, or ergonomic lifting equipment. Engineering controls do not rely on human behavior to be effective.
Change the way people work to reduce exposure. Develop safe work procedures, implement permit-to-work systems, rotate workers to limit exposure duration, schedule hazardous tasks when fewer workers are present, post warning signs, and provide training.
Protect individual workers when higher-level controls are not feasible or as a supplement to other controls. Includes hard hats, safety glasses, hearing protection, respirators, chemical-resistant gloves, and fall arrest harnesses. PPE is the least effective because it depends entirely on correct selection, fit, use, and maintenance.
The hierarchy is not a menu to pick from — it is a priority order. You must demonstrate that higher-level controls were considered and deemed infeasible before relying on lower-level controls. Auditors will ask for this evidence.
A comprehensive hazard identification process must consider all categories of hazards present in your workplace. Here are the six primary categories with common examples.
Environmental factors that can cause harm without direct contact.
Substances that can cause harm through exposure or contact.
Living organisms or their byproducts that can cause disease.
Physical factors that lead to musculoskeletal disorders.
Aspects of work that affect mental health and wellbeing.
Conditions that create immediate risk of injury or death.
OSHA's General Duty Clause (Section 5(a)(1)) requires employers to provide a workplace "free from recognized hazards that are causing or are likely to cause death or serious physical harm." This is the regulatory floor — ISO 45001 Clause 6.1.2 builds a comprehensive system on top of it.
Specific OSHA standards also mandate hazard assessments: PPE hazard assessment (29 CFR 1910.132(d)), hazard communication and SDS review (29 CFR 1910.1200), process safety management (29 CFR 1910.119), and permit-required confined space evaluation (29 CFR 1910.146). An ISO 45001 hazard identification process, done properly, satisfies all of these OSHA requirements simultaneously — eliminating redundant compliance programs.
Explore Our OSHA Compliance ServicesRequires employers to identify and control "recognized hazards" — ISO 45001 6.1.2 provides the systematic process to do this comprehensively.
Requires a written workplace hazard assessment to determine required PPE. Covered by ISO 45001's hazard identification and hierarchy of controls.
Requires chemical hazard identification and communication to workers. Directly supported by ISO 45001's chemical exposure assessment methods.
A properly implemented ISO 45001 hazard identification process satisfies both international standard requirements and OSHA regulatory obligations in a single, unified system.
ISO 45001 Clause 6.1.2 requires hazard identification to be an ongoing, proactive process — not a one-time exercise. At minimum, organizations should perform formal hazard identification reviews annually, but the process must also be triggered by changes such as new equipment, modified processes, workplace incidents, near misses, organizational restructuring, or new regulatory requirements. Many organizations incorporate daily safety observations, weekly workplace inspections, and quarterly comprehensive reviews into their hazard identification program.
A hazard is a source, situation, or act with the potential to cause harm — such as a wet floor, exposed electrical wiring, or a toxic chemical. A risk is the combination of the likelihood of a hazardous event occurring and the severity of the injury or ill health that could result. In ISO 45001 terms, hazard identification comes first (Clause 6.1.2.1), followed by risk assessment (Clause 6.1.2.2) where you evaluate each hazard's likelihood and severity to determine the level of OH&S risk requiring controls.
OSHA requires employers to provide a workplace free from recognized hazards under the General Duty Clause (Section 5(a)(1)) and mandates specific hazard assessments for certain standards (e.g., PPE hazard assessment under 29 CFR 1910.132). ISO 45001 goes further by requiring a systematic, documented process that considers routine and non-routine activities, human factors, emergency situations, organizational changes, and past incidents. While OSHA focuses on regulatory compliance with specific standards, ISO 45001 creates a comprehensive management framework for continuous hazard identification and risk reduction across all workplace activities.
A hazard register (also called a risk register) is a documented inventory of all identified workplace hazards, their associated risks, existing controls, residual risk levels, and planned actions. It serves as the central record for your ISO 45001 hazard identification and risk assessment process. A well-maintained hazard register typically includes: hazard description, location, affected workers, risk rating (severity x likelihood), current controls, residual risk after controls, responsible person, and review dates. The register must be kept as documented information per Clause 7.5 and updated whenever new hazards are identified or conditions change.
Schedule a free consultation to discuss your ISO 45001 certification goals, OSHA compliance needs, and how we can build a safety management system that works for your organization.