
ISO 45001 for Oil and Gas Operations

Jared Clark

April 7, 2026

Few industries carry the fatality burden that oil and gas does. Workers face an environment where hydrocarbon releases can ignite without warning, hydrogen sulfide can incapacitate within seconds, and a blowout at a remote wellsite means help is an hour away. The oil and gas industry has one of the highest fatality rates across all industry sectors, and ISO 45001 provides the management system framework that integrates with existing OSHA PSM and API safety standards to address that risk systematically.

An oil and gas safety management system built on ISO 45001 does something checklist-based safety programs cannot: it creates organizational infrastructure (policy, worker participation, hazard registers, objectives, internal audits, management review) that sustains safety performance between incidents rather than only responding after them. For petroleum operators adopting ISO 45001, this is the difference between a reactive safety program and one that actually reduces fatality rates over time.

This guide covers how ISO 45001 applies to upstream, midstream, and downstream operations, how it integrates with OSHA PSM and API RP 75, and what EHS managers and HSE professionals need to know to implement it effectively in a petroleum environment.


Key Takeaways

  • ISO 45001 is sector-neutral — it applies to oil and gas at any segment, from wellhead to refinery gate, and scales to both operators and contractors.
  • It does not replace OSHA PSM or API standards — it provides the overarching occupational safety management system that wraps around those technical requirements.
  • Clause 6.1.3 is the mechanism for capturing PSM, OSHA, and API compliance obligations within the ISO 45001 system — this is where the frameworks connect.
  • Upstream, midstream, and downstream each have distinct hazard profiles that require tailored clause applications, particularly for Clauses 6.1.2, 8.1, and 8.2.
  • Major operators including Shell, BP, and Chevron have adopted ISO 45001 as their baseline safety management framework and are pushing certification requirements into their contractor supply chains.
  • Annex SL (High-Level Structure) makes ISO 45001 integrate cleanly with ISO 14001 and ISO 9001 — a significant efficiency advantage for operators pursuing integrated management systems.
  • Emergency preparedness (Clause 8.2) deserves specific attention in petroleum operations — the scale of potential consequences demands more than a generic emergency response plan.

Oil and Gas Hazard Matrix

Effective ISO 45001 hazard identification in oil and gas starts with understanding the industry's characteristic hazard categories. The table below maps each primary hazard to its ISO 45001 clause requirements and practical control measures.

| Hazard | Description | ISO 45001 Clause | Control Measure |
|---|---|---|---|
| Process Safety | Uncontrolled hydrocarbon release — loss of containment from vessels, piping, valves, or wellheads leading to fire, explosion, or toxic vapor cloud | 6.1.2, 8.1, 8.2 | PSM program (OSHA 29 CFR 1910.119), process hazard analysis (PHA), mechanical integrity inspections, management of change, pre-startup safety reviews |
| H2S Exposure | Hydrogen sulfide in sour crude, natural gas, and produced water — IDLH of 50 ppm; exposure above 100 ppm can cause rapid incapacitation and death | 6.1.2, 7.2, 8.1 | H2S monitoring (fixed and personal), defined evacuation wind roses, buddy systems in sour areas, SCBA training and drills, emergency muster protocols |
| Confined Space Entry | Tanks, vessels, pig launchers/receivers, boilers, columns — atmospheric hazards include oxygen deficiency, flammable vapors, and toxic gases | 6.1.2, 8.1.3 | Permit-to-work system, atmospheric testing before and during entry, attendant posted outside, rescue equipment staged, OSHA 29 CFR 1910.146 compliance |
| Explosion/Fire Risk | Flammable hydrocarbon vapors in classified electrical areas; ignition from hot work, vehicle exhausts, or static discharge during loading/unloading operations | 6.1.2, 8.1, 8.2 | Hot work permit system, area classification drawings, explosion-proof equipment, hydrocarbon gas detection, no-ignition-source exclusion zones around storage and loading areas |
| Falls from Height | Drilling rig derricks, flare stacks, offshore platform decks, tank tops, heat exchanger bundles — vertical falls account for a significant share of oil and gas fatalities | 6.1.2, 8.1.2 | 100% tie-off policy above 4 feet, self-retracting lifelines on derrick work, scaffold inspection program, OSHA 29 CFR 1926.502 standards for leading edge work, fall rescue procedures |
| Dropped Objects | Tools, pipe, tugger lines, and equipment components dropped from elevated work areas — a primary cause of fatalities on drilling rigs and offshore installations | 6.1.2, 8.1 | Dropped object prevention program (DROPS), tool tethering requirements above ground level, exclusion zones beneath elevated work, barricading and hard-hat areas, DROPS calculator for risk assessment |

ISO 45001 vs. OSHA PSM vs. API RP 75

One of the most common questions I get from HSE professionals in petroleum operations is how these frameworks relate to each other. The short answer: they are not competing. ISO 45001 complements rather than replaces process safety management (OSHA PSM/EPA RMP) — it covers the broader occupational safety management system while PSM focuses specifically on highly hazardous chemical processes. API RP 75 provides the offshore-specific technical framework that sits within that structure.

| Feature | ISO 45001 | OSHA PSM (29 CFR 1910.119) | API RP 75 |
|---|---|---|---|
| Scope | All workplace occupational health and safety hazards for all workers across the entire organization | Prevention of catastrophic releases of highly hazardous chemicals at covered processes above threshold quantities | Safety and environmental management systems for offshore oil and gas operations on the OCS |
| Focus | Management system — policy, planning, worker participation, operational controls, auditing, continual improvement | Technical process safety — PHA, MOC, mechanical integrity, hot work, incident investigation, emergency planning for covered processes | Technical safety management — risk assessment, well control, dropped objects, marine operations specific to offshore platforms |
| Legal Requirement | Not a legal requirement in the U.S., but required by many major operator contracts and increasingly expected in prequalification | Mandatory federal regulation for facilities handling listed chemicals above threshold quantities (OSHA-regulated industries) | Incorporated by BSEE (Bureau of Safety and Environmental Enforcement) regulations for OCS operators — effectively mandatory offshore |
| Applies To | Any organization — operators, contractors, service companies, onshore and offshore | Facilities with covered processes (HHC above threshold quantities) — typically refineries, chemical plants, large upstream facilities | Offshore operators on the U.S. Outer Continental Shelf |
| Certification Available | Yes — third-party certification by accredited certification bodies (e.g., BSI, DNV, Bureau Veritas) | No — compliance is verified through OSHA enforcement inspections and process hazard analysis documentation | No formal certification — compliance is verified through BSEE inspections and SEMS audits |
| Integration | Integrates with ISO 14001 and ISO 9001 via Annex SL High-Level Structure; captures PSM and API as compliance obligations under Clause 6.1.3 | Aligns with EPA RMP for emergency response; cross-references with OSHA 1910.38 for emergency action plans | Aligns with ISO 14001 for environmental management; references OSHA PSM for process safety elements |

Upstream vs. Midstream vs. Downstream Considerations

ISO 45001 applies across all segments of the petroleum value chain, but the clause applications differ significantly based on operational hazard profiles. Here is how the standard applies in practice at each segment.

Upstream: Drilling, Production, and Exploration

Upstream operations present the widest range of ISO 45001 implementation challenges. Drilling and production sites are often remote, contractor-intensive, and subject to rapidly changing hazard conditions during well operations.

The most critical clause application is Clause 8.1.3 — Management of Change. In drilling, conditions change constantly — formation pressure gradients, fluid system modifications, casing design changes, rig equipment substitutions. Each change must be evaluated for safety implications before implementation. Many upstream incidents trace back to MOC failures: a change that seemed routine was made without a formal safety review.

Contractor management is another upstream-specific challenge. ISO 45001 Clause 8.1.4 requires organizations to control outsourced processes and contractors, including prequalification of safety management capabilities. On a typical drilling location, 60-80% of the personnel are contractors. Your ISO 45001 system must define how you evaluate, onboard, and monitor contractor safety performance — not just pass paperwork during prequalification.

Clause 6.1.2 hazard identification for upstream must address well control scenarios as a specific hazard category. A well kick, if uncontrolled, becomes a blowout. The hazard identification process must capture kick detection, BOP function testing, and emergency well control procedures as documented operational controls with defined competence requirements per Clause 7.2.

Remote location logistics also affect Clause 7 (Support) requirements — communications, medical response, emergency evacuation routes, and nearest hospital capabilities must all be captured in emergency preparedness planning under Clause 8.2.

Midstream: Pipelines, Compressor Stations, and Processing

Midstream operations span hundreds or thousands of miles of pipeline infrastructure — a fundamentally different operating model from a fixed-site upstream or downstream facility. The primary ISO 45001 challenge for midstream is scope definition: how do you build a consistent safety management system across geographically dispersed assets with small, often lone-worker field crews?

Pipeline integrity falls primarily under Clause 8.1 operational controls. Pressure testing, in-line inspection (pigging), cathodic protection monitoring, and right-of-way surveillance are all operational controls that must be documented, assigned, and tracked within the management system. Third-party damage prevention (call-before-you-dig programs, one-call center compliance) is a compliance obligation under Clause 6.1.3 and a documented control under Clause 8.1.

Compressor station operations add rotating equipment hazards, high-pressure gas handling, and the confined space considerations of gas scrubbers and separators. Clause 8.1.2's hierarchy of controls applies directly: can you eliminate entry into these spaces through remote monitoring technology, or must workers enter? If entry is required, what engineering controls (purge and vent procedures, atmospheric monitoring) precede administrative controls (permits) and PPE?

Lone worker safety is a midstream-specific requirement that ISO 45001 Clause 5.4 (worker participation) and Clause 8.1 must address. Field technicians checking remote pig trap sites or valve stations need check-in procedures, GPS monitoring, and defined response protocols for missed check-ins — all of which should be documented operational controls within the management system.

Downstream: Refining and Petrochemicals

Downstream refineries and petrochemical plants represent the most PSM-intensive environment in the petroleum sector. Most refineries are subject to OSHA PSM for multiple covered processes, making the integration of ISO 45001 and PSM a central implementation consideration.

Turnaround management is where downstream fatality risk concentrates. Major maintenance shutdowns bring together hundreds of contractors, create simultaneous confined space entries across the facility, and compress normally distributed hazards into a short window. ISO 45001 Clause 8.1.3 (management of change) and Clause 8.1.4 (contractor controls) are the primary mechanisms for governing turnaround safety. A well-functioning ISO 45001 system will have a turnaround-specific procedure that defines how hazard assessments are updated, how contractors are onboarded, and how work permitting is managed across the site.

Catalyst handling in refinery units presents specific hazardous materials exposure risks — pyrophoric spent catalysts, dust explosion hazards from finely divided solids, and toxic metal compounds in some catalyst formulations. Clause 6.1.2 hazard identification must treat catalyst operations as a distinct hazard category with specific operational controls under Clause 8.1.

Process safety integration is the defining downstream challenge. The ISO 45001 Clause 6.1.3 legal compliance register should explicitly capture all applicable OSHA PSM elements: PHA frequency requirements, incident investigation timelines, mechanical integrity inspection intervals, and employee participation requirements under PSM. This creates a single management system framework that drives compliance with both ISO 45001 and OSHA PSM simultaneously.


Integration with Existing Safety Management Systems

The practical value of ISO 45001 for oil and gas operators is not in replacing what they already have — it is in providing the management system architecture that holds everything together. Major oil and gas operators including Shell, BP, and Chevron have adopted ISO 45001 as their baseline safety management system framework, driving certification requirements down through their contractor supply chains.

This supply chain pressure matters for service companies and contractors. If your business depends on working for major oil and gas operators, ISO 45001 certification is increasingly a prequalification requirement, not a differentiator.

Annex SL — the High-Level Structure that ISO adopted for all management system standards — is the key to understanding how ISO 45001 integrates with everything else. Because ISO 45001, ISO 14001, and ISO 9001 all use identical clause numbering (Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement), an integrated management system can use a single set of procedures, a single internal audit program, and a single management review process to address all three standards simultaneously. For petroleum operators who are also pursuing ISO 14001 environmental certification, this is a significant efficiency gain.

The specific integration point for OSHA PSM and API RP 75 is Clause 6.1.3 — Compliance Obligations. This clause requires the organization to determine and have access to the legal and other requirements applicable to its OH&S hazards. For a refinery subject to OSHA PSM and EPA RMP, those obligations should be explicitly listed in the compliance register with ownership assigned, monitoring frequency defined, and compliance status tracked. This is not a theoretical exercise — it is the mechanism that makes ISO 45001 a living compliance management tool rather than a certification trophy.

When working with clients at Certify Consulting on petroleum sector implementations, the approach I take is to start with a gap analysis that maps existing OSHA PSM documentation, API RP 75 SEMS elements, and company safety standards against ISO 45001 clause requirements. In most cases, 60-70% of the documented evidence already exists — the work is structural integration, not wholesale creation.


Emergency Preparedness for High-Consequence Operations

ISO 45001 Clause 8.2 — Emergency Preparedness and Response requires organizations to plan for potential emergency situations, test response through periodic exercises, and ensure that emergency procedures are understood by all workers and relevant interested parties. In oil and gas, this clause carries more weight than in virtually any other industry.

The scenarios that emergency preparedness must address in petroleum operations include:

  • Blowout response: Loss of well control requires activation of well control specialists (e.g., IWCF-certified personnel), coordination with well control contractors (Wild Well, CUDD Energy), and often regulatory notification within specific timeframes. Emergency response plans should define who calls whom, what authority they have, and how media and community communications are handled.
  • H2S release scenarios: Sour gas releases require immediate wind direction assessment, predetermined evacuation routes (not fixed muster points that may be upwind), accountability of all personnel, and defined re-entry criteria. The plan must be site-specific — a generic H2S response procedure is not adequate under Clause 8.2.
  • Fire and explosion: Hydrocarbon fires require coordination with local fire departments who may have limited petroleum firefighting capability. Mutual aid agreements with neighboring facilities and advance training for local responders should be documented in the emergency preparedness plan.
  • Mass casualty events: Multi-fatality incidents on remote locations require helicopter evacuation planning, hospital capacity pre-identification, family notification protocols, and trauma support for surviving workers. Clause 8.2 does not prescribe specific content, but an ISO 45001 auditor will look for evidence that the organization has thought through worst-case scenarios, not just routine incidents.

The practical requirements for a compliant Clause 8.2 program in petroleum operations include regular drills (at minimum annually for major scenario types), documented mutual aid agreements with neighboring operators and emergency services, contractor coordination in drills (not just operator personnel), communication trees that define who has authority to declare an emergency and notify regulators, and post-drill evaluations that feed into the corrective action process.

For a deeper review of how ISO 45001 structures emergency preparedness requirements, see the ISO 45001 emergency preparedness guide on this site.


Frequently Asked Questions

Is ISO 45001 used in the oil and gas industry?

Yes. ISO 45001 is widely used across upstream, midstream, and downstream oil and gas operations globally. Major operators including Shell, BP, and Chevron have adopted ISO 45001 as their baseline occupational health and safety management system framework. Many now require ISO 45001 certification from their contractors and service providers as a condition of prequalification. The standard complements industry-specific frameworks like API RP 75 and OSHA Process Safety Management by providing the overarching occupational safety management structure for the entire organization.

How does ISO 45001 work with OSHA PSM requirements?

ISO 45001 and OSHA PSM (29 CFR 1910.119) address different but complementary scopes. OSHA PSM focuses specifically on preventing catastrophic releases of highly hazardous chemicals from covered processes. ISO 45001 covers the broader occupational health and safety management system for all workers and all hazards across the organization. The integration point is Clause 6.1.3 — ISO 45001 requires organizations to identify and comply with their legal obligations. For facilities subject to PSM, those PSM requirements should be explicitly listed in the compliance register with ownership assigned and compliance status monitored. This makes ISO 45001 the management system layer that drives PSM compliance, rather than two separate programs running in parallel.

What are the main safety hazards in oil and gas operations?

The primary safety hazards include process safety events (hydrocarbon releases), hydrogen sulfide (H2S) exposure in sour service environments, confined space entry during maintenance and inspection, fire and explosion from flammable vapors, falls from height on platforms and rigs, and dropped objects on drilling rigs and offshore installations. Upstream adds well control and blowout risks; midstream adds pipeline integrity and lone worker exposure; downstream refineries face turnaround management, catalyst handling, and dense PSM-regulated process complexity. Each hazard category requires specific controls mapped through the hazard identification and risk assessment process under Clause 6.1.2.

Can ISO 45001 replace API safety standards?

No. ISO 45001 does not replace API safety standards — it operates alongside them. API RP 75 (Safety and Environmental Management Systems for Offshore Operations), API RP 54 (Occupational Safety for Oil and Gas Well Drilling), and related recommended practices contain technical requirements specific to petroleum operations that ISO 45001 does not address. ISO 45001 provides the management system framework — policies, objectives, worker participation, internal audits, continual improvement — while API standards provide the technical content for specific hazard controls. They are designed to be used together. API RP 75, in fact, follows a management system structure that aligns well with ISO 45001 clause requirements.

What is the difference between ISO 45001 and process safety management?

ISO 45001 is an occupational health and safety management system standard covering all workers and all workplace hazards — falls, chemical exposure, ergonomics, emergency preparedness, and more. Process safety management (OSHA 29 CFR 1910.119 and EPA RMP) is a regulatory program specifically focused on preventing catastrophic releases of highly hazardous chemicals from industrial processes. PSM applies only to facilities handling listed chemicals above threshold quantities. ISO 45001 complements rather than replaces PSM. A refinery subject to PSM should have both: ISO 45001 as the overarching OH&S management system, and PSM documentation (PHA, MOC, MI, hot work, incident investigation, emergency planning) as the technical safety program for covered processes.


Conclusion

The oil and gas industry's fatality statistics are not inevitable. They reflect what happens when safety programs are reactive, fragmented across regulatory frameworks, and disconnected from management decision-making. ISO 45001 addresses each of those root causes — it builds safety into organizational structure, requires leadership commitment from the top, drives worker participation at the frontline, and establishes a systematic cycle of hazard identification, control, measurement, and improvement.

For EHS managers and HSE professionals in petroleum operations, the practical work is integration: connecting ISO 45001 clause requirements to the OSHA PSM documentation, API RP 75 SEMS elements, and existing company safety standards that already exist in most mature oil and gas organizations. The management system layer is largely what is missing — and that is exactly what ISO 45001 provides.

For a foundation on the standard itself, the what is ISO 45001 complete guide covers the full clause structure and certification process. If you are beginning an implementation in a petroleum environment — or trying to integrate ISO 45001 with existing PSM and OSHA programs — Certify Consulting and Jared Clark work directly with oil and gas operators and contractors across the value chain. Schedule a free consultation to discuss your specific operation.
