Citation hook: ISO 45001:2018 clause 8.1.3 requires organizations to establish a process for implementing and controlling planned temporary and permanent changes that impact OH&S performance — making Management of Change one of the most operationally critical elements of the entire standard.
Change is where incidents are born. In my experience working with 200+ clients at Certify Consulting, the organizations that struggle most with ISO 45001 audits — and, more importantly, with actual workplace safety — are almost never the ones ignoring hazards in their existing operations. They're the ones who didn't have a structured process for what happens when something changes.
A new piece of equipment, a modified procedure, a shift in personnel, a temporary workaround that becomes permanent — these are the moments when established controls become misaligned with operational reality. And that misalignment is where people get hurt.
This article is your practical guide to understanding and implementing ISO 45001's Management of Change (MOC) requirements in a way that actually prevents incidents, not just ticks a compliance box.
What Is Management of Change Under ISO 45001?
Management of Change (MOC) is the systematic process of identifying, evaluating, approving, communicating, and reviewing changes to an organization's operations, processes, equipment, personnel, or working conditions — before those changes are implemented.
ISO 45001:2018 addresses MOC directly in clause 8.1.3 (Management of Change), embedded within the broader clause 8.1 (Operational planning and control). The clause states that organizations must establish a process to address:
- New products, services, and processes, or changes to existing ones
- Changes to legal requirements and other requirements
- Changes in knowledge or information about hazards and associated OH&S risks
- Developments in knowledge and technology
Critically, ISO 45001 requires that the consequences of unintended changes be reviewed, and that action be taken to mitigate any adverse effects. This is a proactive — not reactive — mandate.
Why MOC Is the Most Underestimated Clause in ISO 45001
According to the U.S. Chemical Safety and Hazard Investigation Board (CSB), a significant proportion of major industrial accidents can be traced to inadequate change management processes. The 2005 Texas City BP refinery explosion — which killed 15 workers and injured 180 others — was directly linked to failures in management of change, according to the CSB investigation report.
That's not an isolated example. The National Safety Council reports that in 2022, preventable workplace deaths in the United States totaled 4,695, with a substantial share attributable to changes in work conditions, temporary operations, or non-routine tasks where established controls were bypassed or simply didn't apply anymore.
Citation hook: Research consistently shows that non-routine work — including tasks performed during or after a change event — carries a disproportionately higher risk of workplace injury than routine operations, making Management of Change controls a critical risk reduction lever.
In my audit experience, I'd estimate that more than 60% of the OH&S incidents we investigate during gap assessments have a root cause that can be traced back to an uncontrolled or inadequately evaluated change. The change itself isn't always the problem — it's the failure to recognize, assess, and communicate it.
The Four Categories of Change You Must Manage
One of the first questions clients ask me is: "What counts as a change that needs to go through our MOC process?" It's a legitimate question, and drawing the line too broadly creates bureaucratic paralysis while drawing it too narrowly creates risk exposure.
Here's a practical framework I use with my clients at Certify Consulting:
1. Physical / Equipment Changes
- New machinery, tools, or infrastructure
- Modifications to existing equipment or facilities
- Introduction of new chemicals or materials
- Changes to guarding, interlocks, or safety devices
2. Process / Procedural Changes
- Revised work procedures or standard operating procedures (SOPs)
- New production methods or process parameters
- Changes to maintenance practices
- Introduction of new technologies or automation
3. Organizational / Personnel Changes
- New roles or restructuring of responsibilities
- Significant staffing changes, including contractors
- Changes in supervision ratios
- Shifts in organizational culture or leadership
4. Temporary Changes
- Workarounds and deviations from standard procedures
- Bypass of safety systems (even authorized ones)
- Temporary staffing arrangements
- Emergency response modifications
Citation hook: Temporary changes are among the highest-risk categories in Management of Change programs because they often lack the scrutiny applied to permanent changes and have a documented tendency to become permanent without re-evaluation.
The critical discipline here is treating temporary changes with the same rigor as permanent ones. A "temporary" bypass of a safety interlock that lasts three days has caused fatal accidents. Your MOC process must capture these.
ISO 45001 Clause 8.1.3 Requirements: A Detailed Breakdown
Let me walk through exactly what the standard requires — and what auditors are looking for.
| Requirement Area | What ISO 45001 Clause 8.1.3 Requires | Common Gap Found in Audits |
|---|---|---|
| Change Identification | Process to identify changes before implementation | No formal trigger list; changes happen informally |
| Risk Assessment of Changes | Evaluate OH&S risks of proposed changes | Risk assessment skipped for "minor" changes |
| Control Measures | Apply hierarchy of controls to new/modified risks | New controls not implemented before change goes live |
| Communication | Inform affected workers of changes and new controls | Workers informed after the fact, not before |
| Documentation | Maintain documented information on changes | No change log; verbal-only approvals |
| Review of Unintended Changes | Process to review unintended changes and mitigate effects | No mechanism to catch unplanned changes |
| Temporary Changes | Address temporary changes with the same rigor | Temporary changes bypassed the formal MOC process |
A well-functioning MOC system addresses every row in this table. Gaps in even one area can expose your organization — both to audit findings and to real-world incidents.
How to Build an Effective MOC Process: A Step-by-Step Approach
Here's the MOC framework I implement with clients that achieves consistent first-time audit pass rates. This is practical, scalable, and ISO 45001-aligned.
Step 1: Define Your Change Trigger List
Create an explicit list of change categories that automatically trigger your MOC process. Make it specific enough to be actionable. "Any change to work methods involving chemical handling" is better than "chemical changes." Post this list visibly in relevant departments.
Step 2: Standardize the MOC Request Form
Every change request should capture: - Description of the change (what, where, when) - Reason for the change - Affected areas, equipment, and personnel - Proposed implementation date - Temporary or permanent designation - Requestor's name and date
Step 3: Conduct a Pre-Change Hazard and Risk Assessment
Before approving any change, conduct a focused hazard identification and risk assessment. Use your existing risk assessment methodology (consistent with ISO 45001 clause 6.1.1). Ask: - What new hazards does this change introduce? - What existing controls become ineffective after this change? - Who is exposed, and how severely? - What's the likelihood of harm?
For complex changes, use structured techniques like HAZOP, FMEA, or What-If Analysis. For simpler changes, a documented checklist-based review may suffice.
Step 4: Determine and Implement Control Measures
Apply the hierarchy of controls (ISO 45001 Annex A, section A.8.1.2): 1. Elimination 2. Substitution 3. Engineering controls 4. Administrative controls 5. Personal protective equipment (PPE)
Critically: controls must be implemented before the change goes live, not after. I've seen too many organizations plan the controls and then rush the change timeline before controls are in place.
Step 5: Communicate to Affected Workers
ISO 45001 clause 7.4 (Communication) works hand-in-glove with clause 8.1.3. Workers affected by a change must be: - Informed of what is changing and why - Trained on any new procedures or equipment - Made aware of new hazards and the controls protecting them - Given opportunity to raise concerns
This step is where many MOC processes break down — documentation is complete, but the people doing the work find out on the first day of the new process.
Step 6: Obtain Formal Approval
Establish a clear approval authority based on the magnitude of the change. Minor changes might be approved by a supervisor. Significant changes may require the OH&S Manager, Department Head, and/or a cross-functional review committee.
Step 7: Implement and Monitor
Execute the change according to the approved plan. Assign a responsible person to monitor the initial implementation period — particularly for the first few days or shifts after a change goes live. This is when residual risks are most likely to materialize.
Step 8: Post-Change Review
After a defined stabilization period (typically 30–90 days for significant changes), conduct a formal post-change review: - Did new hazards emerge that weren't anticipated? - Are controls performing as expected? - Do procedures and training materials need updating? - Should this change be made permanent (if temporary)?
Document the outcome and close the change record.
Integrating MOC With Other ISO 45001 Elements
MOC doesn't exist in isolation. An effective management of change process touches nearly every clause of ISO 45001:
- Clause 6.1.1 (Hazard identification): MOC triggers new hazard identification cycles
- Clause 6.1.2 (Risk assessment): Pre-change risk assessments are a core MOC output
- Clause 7.2 (Competence): Changes often require updated training and competence verification
- Clause 7.4 (Communication): Communicating changes to workers is a MOC deliverable
- Clause 8.1.1 (Operational planning and control): MOC is a sub-process of operational control
- Clause 9.1.1 (Monitoring and measurement): Post-change monitoring validates control effectiveness
- Clause 10.2 (Incident investigation): Change failures feed back into corrective action and future MOC improvement
When I build MOC programs for clients, I explicitly map these connections. The result is a system where change management is embedded in the organization's day-to-day OH&S rhythm — not a separate bureaucratic exercise.
Common MOC Failures — and How to Avoid Them
After hundreds of client engagements and audits, I see the same failure patterns repeatedly. Here's what to watch for:
| MOC Failure Mode | Root Cause | Prevention Strategy |
|---|---|---|
| "It's just a small change" mentality | No defined threshold for what triggers MOC | Publish explicit trigger list; train supervisors |
| MOC form completed after implementation | Compliance-only culture; time pressure | Make MOC a gate, not a record — no approval = no change |
| Risk assessment is cursory or copy-pasted | Lack of competence or time | Train assessors; use structured checklists; audit for quality |
| Workers not informed before change | Communication gap between management and floor | Include communication sign-off on MOC approval form |
| Temporary changes become permanent silently | No expiry date on temporary changes | Require expiry date on all temporary MOC approvals |
| MOC records stored but never reviewed | No feedback loop | Quarterly MOC review in OH&S committee meetings |
The "just a small change" mentality is the most dangerous. I tell clients: the standard doesn't have a size exception. If it changes how work is done, it goes through MOC. Period.
What Auditors Look for in ISO 45001 MOC Audits
During a Stage 2 certification audit or surveillance audit, expect auditors to:
- Request your documented MOC procedure — it must exist and be controlled
- Sample recent change records — they'll want to trace a change from request through risk assessment, approval, communication, and close-out
- Interview workers on the floor — "Has anything changed in your work area recently? Were you told about it before it happened?"
- Look for uncontrolled changes — walk the gemba and look for evidence of changes that aren't in the MOC log (new equipment, modified setups, posted workaround notes)
- Check temporary change expiry — are there "temporary" changes that are months or years old with no re-evaluation?
- Verify post-change monitoring — is there evidence that changes were followed up after implementation?
The worker interview piece (point 3) is frequently where MOC programs unravel. A technically complete paper process that workers don't know about will earn a nonconformity every time.
MOC in High-Risk vs. Low-Risk Industries: Calibrating Your Approach
ISO 45001 applies to all organizations regardless of size or sector, but the depth and formality of your MOC process should be calibrated to your risk profile.
| Industry / Context | Recommended MOC Approach |
|---|---|
| High-hazard manufacturing (chemicals, oil & gas) | Full formal MOC process with HAZOP/FMEA, multi-level approval, P&ID updates |
| Construction | Change orders integrated with MOC; daily pre-task planning for dynamic changes |
| Healthcare | Infection control and ergonomic impacts; patient safety crossover with clinical change management |
| Office / low-hazard environment | Simplified MOC with checklist-based review; lower approval thresholds |
| Contractor-heavy operations | MOC process extended contractually to key contractors; contractor change notifications required |
The principle is the same across all sectors. The formality scales with the consequence severity.
Connecting MOC to Your OH&S Objectives
ISO 45001 clause 6.2 requires organizations to establish OH&S objectives and plan how to achieve them. A mature MOC process directly enables several common OH&S objectives:
- Reducing incident rates: MOC prevents the conditions that cause incidents
- Improving near-miss reporting: Workers who understand MOC are more likely to report "unplanned changes" as near misses
- Enhancing worker participation (clause 5.4): Involving workers in pre-change hazard identification drives engagement
- Achieving continual improvement (clause 10.3): Post-change reviews are a structured improvement loop
If your organization is working toward ISO 45001 certification or maintaining it, a strong MOC program isn't just a clause requirement — it's the mechanism by which your OH&S management system actually learns and improves over time.
Getting Started: MOC Program Maturity Self-Assessment
Use this quick self-assessment to gauge where your organization stands:
| Maturity Level | Characteristics |
|---|---|
| Level 1 – Reactive | No formal MOC process; changes handled informally; incidents drive awareness |
| Level 2 – Developing | MOC form exists but inconsistently used; risk assessment quality varies; limited worker communication |
| Level 3 – Defined | Consistent MOC process; trained personnel; documented records; basic post-change review |
| Level 4 – Managed | MOC integrated with OH&S planning; KPIs tracked; MOC data feeds incident prevention |
| Level 5 – Optimized | MOC drives continual improvement; workers proactively initiate MOC; leading indicators used; benchmarked against industry |
Most organizations I work with enter at Level 1 or 2 and can reach Level 3–4 within a single certification cycle with focused effort. Level 5 is where the real safety performance gains live.
Final Thoughts: Change Management Is Safety Management
ISO 45001's Management of Change requirement isn't administrative overhead. It's the recognition that the vast majority of workplace incidents are not caused by familiar, stable operations — they're caused by the gap between how work was designed and how it's actually being done after something changed.
A disciplined MOC process closes that gap, systematically and proactively. It ensures that every time your organization changes — and organizations change constantly — your workers remain protected by controls that are calibrated to the actual work they're doing.
At Certify Consulting, we've helped organizations across industries build MOC programs that satisfy ISO 45001 auditors and genuinely reduce incidents. The two outcomes are not in tension — in fact, the best compliance programs are the ones that work in the real world, on the shop floor, in the field, and in the clinic.
If you're building or revising your MOC process, explore our ISO 45001 clause-by-clause implementation guide and our deep dive on ISO 45001 hazard identification and risk assessment for the foundational tools that make MOC work.
Last updated: 2026-03-17
Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC is the principal consultant at Certify Consulting and has guided 200+ organizations through ISO 45001 certification with a 100% first-time audit pass rate.
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.