Most organizations treat ISO 45001 clause 6.1.2 like a compliance checkbox — build a hazard register, tick the box, move on. After working with 200+ clients across manufacturing, construction, healthcare, and logistics, I can tell you that approach is exactly why audit findings cluster around this clause more than almost any other in the standard.
The reality is that clause 6.1.2 is the engine of your entire OH&S management system. If your hazard identification is shallow, everything downstream — risk assessment, controls, objectives, even your incident investigation — operates on a flawed foundation.
This article goes well beyond the basics. We'll cover what the standard actually demands, where organizations routinely fall short, and the advanced methodologies that separate a robust OH&S program from a paper exercise.
What ISO 45001 Clause 6.1.2 Actually Requires
Before advancing the methodology, let's anchor to the text. ISO 45001:2018 clause 6.1.2 requires organizations to establish, implement, and maintain a proactive, ongoing process for hazard identification. The standard explicitly states this process shall be proactive — not reactive — and shall take into account a remarkably broad scope of inputs:
- How work is organized, including social factors, workload, and work hours
- Routine and non-routine activities and situations, including infrastructure, equipment, and materials
- Human factors, including ergonomics and behavioral influences
- Past relevant incidents (internal and external)
- Potential emergency situations
- People, including contractors, visitors, and those near the workplace but not directly controlled by the organization
- Changes or proposed changes to the organization, operations, processes, or the OH&S management system itself
That last category — management of change — is where I see the most critical gaps. Organizations hazard-identify their steady-state operations reasonably well, but when a new shift pattern is introduced, a process is modified, or a contractor brings new equipment onsite, the hazard identification process frequently fails to trigger.
Citation hook: ISO 45001:2018 clause 6.1.2 explicitly requires hazard identification to include changes or proposed changes to the organization, processes, and the OH&S management system — making change management a mandatory input to the hazard identification process, not an optional consideration.
Why Checklist-Based Hazard Identification Falls Short
Walk into most organizations and their "hazard identification methodology" is a combination of two tools: a site walkthrough and a generic industry checklist. Both have value. Neither is sufficient on its own.
According to the U.S. Bureau of Labor Statistics, 2.6 million non-fatal workplace injuries and illnesses were recorded in the private sector in 2023 alone. Research consistently shows that the majority of these incidents involve hazards that were present but not formally identified or adequately controlled. The gap isn't in the controls — it's in the identification.
Here's why checklists fail as a standalone methodology:
| Limitation | Impact on Clause 6.1.2 Compliance |
|---|---|
| Static by design | Miss emerging or novel hazards |
| Relies on existing knowledge | Blind to unknown-unknown hazards |
| Typically completed by safety staff only | Misses frontline worker knowledge |
| Focused on physical/equipment hazards | Underrepresents psychosocial and organizational hazards |
| Point-in-time assessment | Fails to capture dynamic work conditions |
| Rarely updated post-change | Violates the management-of-change requirement |
The standard does not prescribe methodology — that's intentional. It gives organizations the freedom to select methods appropriate to their context. But that freedom comes with an obligation: your methodology must be fit for purpose, and demonstrating fitness for purpose requires going beyond the checklist.
Advanced Hazard Identification Methodologies for Clause 6.1.2
1. HAZOP (Hazard and Operability Study)
Originally developed for the chemical and process industries, HAZOP has broad applicability wherever processes involve defined sequences of operations, material flows, or energy transfers. It's a structured, team-based methodology that uses guide words (No, More, Less, As Well As, Part of, Reverse, Other Than) applied to process parameters to systematically identify deviations that could lead to harm.
Where it excels: Manufacturing lines, utility systems, laboratories, pharmaceutical production, and any process that can be described in a process flow diagram.
Clause 6.1.2 relevance: HAZOP is inherently proactive, multi-disciplinary, and documented — satisfying the standard's requirements for a systematic process. It also naturally captures deviations during non-routine operations (startup, shutdown, maintenance), which are disproportionately represented in serious incident data.
Implementation tip: HAZOP requires skilled facilitation. The guide word exercise is only as good as the team's cross-functional knowledge. Include frontline operators, maintenance technicians, and process engineers — not just safety professionals.
2. FMEA/FMECA (Failure Mode and Effects Analysis / Criticality Analysis)
FMEA identifies the ways in which components of a system can fail and analyzes the effects of those failures on the broader system and on people. FMECA adds a criticality ranking, making it directly compatible with the risk assessment requirements of clause 6.1.2.3.
Where it excels: Equipment-intensive operations, fleet management, healthcare device environments, and anywhere preventive maintenance programs need OH&S integration.
Clause 6.1.2 relevance: FMEA is forward-looking by design and integrates well with management of change — when new equipment is introduced, an FMEA can be mandated as part of the change authorization process.
Pro tip: Many organizations already use FMEA for quality purposes. Extending it to include OH&S effects — adding a "safety severity" column to your existing FMEA worksheets — is one of the most efficient ways to strengthen clause 6.1.2 compliance with minimal additional resource investment.
3. Bow-Tie Analysis
The bow-tie model visualizes the relationship between a hazard, the top event (loss of control), the threats that drive toward the top event, and the consequences that flow from it. Critically, it maps both prevention barriers (left side of the bow) and mitigation barriers (right side).
Where it excels: Complex operations with high-consequence potential — oil and gas, mining, aviation ground operations, construction of critical infrastructure.
Clause 6.1.2 relevance: Bow-tie analysis is uniquely powerful for the standard's requirement to consider emergency situations. It forces organizations to ask not just "what could go wrong?" but "what stops it from going wrong, and what do we do if those barriers fail?"
What auditors love: A well-constructed bow-tie provides immediate visual evidence that your organization understands the continuum from hazard to consequence, satisfying both clause 6.1.2 and clause 8.2 (emergency preparedness) in one coherent document.
4. Task-Based Hazard Identification (TBHI) and Job Hazard Analysis (JHA)
Job Hazard Analysis — also called Job Safety Analysis (JSA) — breaks a specific job or task into individual steps and systematically identifies the hazards and required controls for each step. It's one of the most worker-inclusive methodologies available and directly addresses the ISO 45001 requirement (clause 5.4) for worker participation in the OH&S management system.
Where it excels: Field operations, construction, maintenance activities, healthcare patient handling, and any job with high variability or infrequent performance.
Clause 6.1.2 advancement tip: Most organizations conduct JHAs at the job/task level but fail to roll them up into a system-level hazard profile. Building a matrix that links individual JHA findings to your master hazard register transforms JHAs from isolated task documents into genuine inputs to your strategic hazard identification process.
| JHA Advancement Level | Description | Clause 6.1.2 Compliance Value |
|---|---|---|
| Basic | Task steps + hazards + controls | Meets minimum intent |
| Intermediate | Includes non-routine variants (startup, upset) | Stronger alignment |
| Advanced | Links to bow-tie / risk register + worker sign-off | Robust compliance evidence |
| Best Practice | Dynamic digital JHA with change triggers + metrics | Audit-ready, defensible |
5. Participatory Ergonomics and Psychosocial Hazard Identification
This is the area most organizations systematically underperform — and it's the area where ISO 45001:2018 made the most significant advance over its predecessor OHSAS 18001. The standard explicitly includes social factors, workload, work hours, victimization, harassment, and work-related stress within the scope of hazard identification.
The World Health Organization estimates that depression and anxiety disorders cost the global economy $1 trillion per year in lost productivity — a figure that dwarfs most physical safety hazard cost estimates. Yet psychosocial hazards remain the least systematically identified category in most OH&S management systems.
Methodologies for psychosocial hazard identification include:
- Validated survey instruments such as the HSE Management Standards Indicator Tool (UK) or the Copenhagen Psychosocial Questionnaire (COPSOQ III)
- Structured focus groups facilitated by trained personnel, separate from line management
- Return-to-work interview data analyzed for psychosocial themes
- Absence and presenteeism analytics correlated with work unit and role type
- Near-miss and incident data mining for behavioral and organizational precursors
Citation hook: ISO 45001:2018 clause 6.1.2 explicitly requires organizations to identify hazards arising from social factors, including workload, work hours, victimization, and harassment — yet psychosocial hazards remain the most underrepresented category in organizational hazard registers, representing a critical compliance gap for most certified organizations.
6. Learning Teams and Safety II Methodology
Traditional hazard identification is built on Safety I thinking: study failures, find causes, prevent recurrence. Safety II, articulated by Professor Erik Hollnagel, asks a fundamentally different question: Why does work succeed most of the time, and what do we need to protect to ensure it keeps succeeding?
Learning Teams are a practical Safety II tool. Rather than waiting for incidents, small cross-functional groups regularly examine normal work — identifying the adaptations, workarounds, and unofficial practices that workers use to get the job done. These adaptations are goldmines for hazard identification because they reveal the gap between work-as-imagined (your procedures) and work-as-done (operational reality).
Clause 6.1.2 relevance: The standard's requirement to consider "how work is organized" and to take a proactive stance is perfectly served by Learning Teams. They also generate the kind of qualitative, workforce-sourced evidence that external auditors find compelling.
7. Change-Triggered Hazard Identification (Management of Change Integration)
I'll say it plainly: your hazard identification process is only as good as your management of change (MOC) integration. This is the single most common finding I observe during gap assessments against clause 6.1.2.
An effective MOC-triggered hazard identification process should activate for:
- New or modified equipment, substances, or processes
- Organizational restructuring or changes in supervision
- New or modified work schedules, including shift changes
- Introduction of new contractors or changes in contractor scope
- Regulatory or legal requirement changes
- Changes to the OH&S management system itself (including new objectives or targets)
Best practice: Implement a hazard identification trigger matrix — a documented tool that maps the type of change to the required hazard identification methodology, the responsible party, and the required documentation. This transforms clause 6.1.2 compliance from a periodic exercise into an embedded organizational process.
Building a Layered Hazard Identification System
No single methodology covers the full landscape of clause 6.1.2's requirements. The most defensible — and most effective — systems use layered methodologies that together address:
- Physical and equipment hazards → HAZOP, FMEA, site inspections
- Task and procedural hazards → JHA/JSA, TBHI
- System-level and change-related hazards → Bow-tie, MOC-triggered processes
- Psychosocial and organizational hazards → Validated surveys, focus groups, Learning Teams
- Emergency and catastrophic scenarios → Bow-tie, scenario-based workshops
Citation hook: Organizations that deploy three or more complementary hazard identification methodologies — rather than relying on a single checklist-based approach — are significantly better positioned to satisfy the proactive, ongoing, and comprehensive requirements of ISO 45001:2018 clause 6.1.2 during third-party certification audits.
What Auditors Look for in Clause 6.1.2
Having supported over 200 clients through ISO 45001 certification and surveillance audits, here's what experienced auditors actually probe in clause 6.1.2:
| Audit Question | What They're Really Testing |
|---|---|
| "How do you identify hazards for non-routine tasks?" | Scope completeness — beyond steady-state |
| "Walk me through your process for a recent change." | MOC integration |
| "How are workers involved in hazard identification?" | Clause 5.4 worker participation linkage |
| "What psychosocial hazards have you identified?" | Coverage of organizational/social hazards |
| "What external incidents have influenced your hazard register?" | Use of external information per 6.1.2 |
| "How frequently is your hazard register reviewed?" | 'Ongoing' nature of the process |
The auditors I respect most aren't checking whether you have a hazard register — they're probing whether your organization genuinely understands its hazard landscape and has a living process to keep that understanding current.
Common Clause 6.1.2 Nonconformity Themes (and How to Avoid Them)
Based on audit experience across industries, these are the recurring nonconformity themes I observe:
- Hazard register is static — updated annually at best, not triggered by change
- Contractors and visitors excluded — scope limited to direct employees only
- Psychosocial hazards absent — no social/organizational hazards identified
- No documented methodology — hazard identification is ad hoc and undocumented
- Worker input not evidenced — process conducted solely by safety department
- Past incidents not feeding the process — reactive investigation not looping back to proactive identification
- Emergency situations treated separately — not integrated into the clause 6.1.2 hazard identification process
Any one of these can generate a Major Nonconformity at a Stage 2 or surveillance audit. Multiple findings in this clause can trigger a broader systemic concern about the organization's approach to risk.
Integrating Clause 6.1.2 With the Broader OH&S Management System
Hazard identification doesn't exist in isolation. A mature implementation connects clause 6.1.2 outputs to:
- Clause 6.1.2.2 and 6.1.2.3 — OH&S risks and opportunities assessment
- Clause 6.2 — OH&S objectives derived from significant hazards
- Clause 8.1 — Operational planning and control measures
- Clause 8.2 — Emergency preparedness and response
- Clause 9.1 — Monitoring and measurement of hazard controls
- Clause 10.2 — Incident investigation feeding back into hazard identification
The ISO 45001 risk assessment process is where your hazard identification work translates into prioritized action. Without a rigorous upstream identification process, your risk assessments will systematically underestimate your organization's true exposure.
For organizations building their OH&S management system from the ground up, our ISO 45001 implementation guide provides a structured roadmap that sequences clause 6.1.2 development within the broader system build.
Practical Steps to Elevate Your Clause 6.1.2 Methodology Today
If you're ready to move beyond the basics, here's a prioritized action sequence:
- Audit your current methodology against the full scope requirements of clause 6.1.2 — not just physical hazards
- Map your MOC process to verify hazard identification triggers are embedded and documented
- Assess psychosocial hazard coverage — if your hazard register has zero psychosocial entries, that's a gap
- Introduce at least one structured methodology (HAZOP, FMEA, bow-tie, or Learning Teams) appropriate to your industry context
- Formalize worker participation in hazard identification and document the evidence
- Create a hazard identification trigger matrix that connects change types to methodology requirements
- Review your hazard register frequency — quarterly reviews as a minimum, with real-time MOC triggers
Conclusion
ISO 45001 clause 6.1.2 is not a documentation exercise. It is a commitment to systematically understand every way work could harm the people who do it — and to keep that understanding current as your organization, your operations, and your world change. The organizations that treat it that way are the ones that build safety management systems that actually prevent harm, not just pass audits.
At Certify Consulting, we've helped 200+ organizations build hazard identification processes that are both audit-ready and genuinely effective. If your organization is ready to move beyond the checklist, we'd welcome the conversation.
Last updated: 2026-04-12
Jared Clark
Principal Consultant, Certify Consulting
Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.