If I had to pick one document that makes or breaks an ISO 45001 management system, it wouldn't be your OH&S policy. It wouldn't be your objectives register or your management review minutes. It would be the Job Hazard Analysis — the JHA.
Every clause in ISO 45001 traces back to one fundamental question: Do you know what can hurt your people, and have you done something about it? The JHA is how you answer that question with documented, defensible evidence. After helping more than 200 organizations achieve ISO 45001 certification — with a 100% first-time audit pass rate — I can tell you with confidence that organizations with rigorous JHA programs sail through audits while those without them scramble to explain gaps.
This guide gives you everything you need to build, execute, and maintain a JHA program that satisfies ISO 45001 and, more importantly, actually keeps workers safe.
What Is a Job Hazard Analysis?
A Job Hazard Analysis (also called a Job Safety Analysis, or JSA) is a systematic process for identifying the hazards associated with each step of a job task, evaluating the risks those hazards create, and defining controls to eliminate or reduce them. It is the operational heart of hazard identification under ISO 45001:2023 clause 6.1.2.
The JHA is not a one-time checklist. It is a living document that connects your hazard identification process directly to worker training, PPE selection, procedure writing, incident investigation, and management of change. Think of it as the thread that weaves through your entire safety management system.
Key distinction: A JHA is task-specific. It is not a facility-wide risk assessment or a regulatory compliance audit. It focuses on a defined sequence of job steps performed by a specific worker role in a specific environment.
Why the JHA Is Central to ISO 45001 Clause 6.1.2
ISO 45001:2023 clause 6.1.2 requires organizations to establish, implement, and maintain a process to identify hazards on an ongoing basis. The standard is explicit that this process must consider:
- The organization of work, social factors, leadership, and culture
- Routine and non-routine activities and situations
- Past relevant incidents, both internal and external
- Potential emergency situations
- People, including workers, contractors, and visitors
The JHA satisfies all of these requirements in a single structured document. More importantly, it generates the input data that drives clause 6.1.3 (assessment of OH&S risks), clause 6.1.4 (assessment of opportunities), and clause 8.1.2 (eliminating hazards and reducing OH&S risks).
Citation hook: ISO 45001:2023 clause 6.1.2 requires hazard identification to consider the organization of work, past incidents, routine and non-routine activities, and all persons under the organization's control — requirements that a well-structured Job Hazard Analysis is uniquely positioned to fulfill in a single documented process.
The U.S. Occupational Safety and Health Administration (OSHA) reports that approximately 4,764 workers were killed on the job in 2023, with struck-by, caught-in/between, falls, and electrocution (the Fatal Four) accounting for the majority of construction fatalities. Most of these incidents involve tasks that lack a documented JHA or where existing JHAs were not reviewed with workers before the task began.
The Five Steps of a Job Hazard Analysis
Step 1: Select the Job to Analyze
Not every task needs a JHA on day one. Prioritize based on risk. Use the following criteria to rank jobs:
- Injury/illness frequency — Jobs with the highest incident rates go first
- Severity potential — Jobs where a single error could cause a fatality or permanent disability
- New or modified tasks — Any change in process, equipment, or personnel triggers a new JHA
- Near-miss history — A near miss is a data point telling you a JHA is overdue
- Regulatory requirements — OSHA standards such as 29 CFR 1910.147 (lockout/tagout) and 29 CFR 1926.502 (fall protection) effectively mandate JHA-level documentation
Step 2: Break the Job Into Sequential Steps
Observe the task being performed by an experienced worker. Document each discrete action in the order it occurs. A good rule of thumb: aim for 8–15 steps. Fewer than 8 suggests you may have combined steps; more than 15 suggests the job should be broken into sub-tasks.
Tips for this step: - Watch the task — don't reconstruct it from memory - Involve the worker performing the task; they know the real sequence, including informal shortcuts - Use active verbs: Lift, Connect, Start, Position - Do not describe how to do the task yet — that comes in Step 4
Step 3: Identify the Hazards at Each Step
For each job step, ask: What could go wrong here? What could hurt someone? Cast a wide net across hazard categories:
| Hazard Category | Examples |
|---|---|
| Physical | Struck-by, caught-in, fall from height, noise, vibration |
| Chemical | Solvent exposure, dust inhalation, skin absorption |
| Biological | Bloodborne pathogens, mold, animal contact |
| Ergonomic | Repetitive motion, awkward posture, overexertion |
| Psychological | Work overload, isolation, fatigue, workplace violence |
| Electrical | Energized circuits, arc flash, improper grounding |
| Thermal | Extreme heat/cold, contact burns, heat stress |
| Radiation | UV, ionizing, non-ionizing sources |
ISO 45001:2023 explicitly includes psychological hazards as a required consideration under clause 6.1.2 — a fact that surprises many organizations during audits. Your JHA must address mental health risk factors for jobs involving high demand, low control, or social isolation.
Citation hook: ISO 45001:2023 formally requires organizations to identify psychological hazards — including work overload, bullying, and workplace violence — as part of the hazard identification process under clause 6.1.2, making the Job Hazard Analysis the appropriate vehicle for documenting mental health risk at the task level.
Step 4: Determine Preventive and Protective Controls
This is where the JHA generates real safety value. For each identified hazard, assign one or more controls using the Hierarchy of Controls — the framework referenced directly in ISO 45001:2023 clause 8.1.2:
| Hierarchy Level | Control Type | Example |
|---|---|---|
| 1 — Elimination | Remove the hazard entirely | Automate a manual lifting task |
| 2 — Substitution | Replace with something less hazardous | Switch from solvent-based to water-based coating |
| 3 — Engineering Controls | Physical barriers or safeguards | Machine guarding, local exhaust ventilation |
| 4 — Administrative Controls | Procedures, training, rotation | Written SOP, job rotation to reduce repetitive strain |
| 5 — PPE | Personal protective equipment | Respirator, cut-resistant gloves, hard hat |
The hierarchy is non-negotiable under ISO 45001. An auditor will check whether you defaulted to PPE when engineering controls were feasible. Document your rationale when lower-hierarchy controls are chosen — cost alone is not an acceptable justification for skipping elimination or substitution.
Step 5: Document, Review, and Communicate
A JHA that sits in a binder and never reaches the worker has zero safety value. Documentation must include:
- Date of analysis and date of last review
- Job title and department
- Names of participants (including the worker observed)
- Approving supervisor or safety officer
- Required PPE and tools
- Emergency procedures specific to the task
Under ISO 45001:2023 clause 7.4, workers must be consulted on hazard identification and receive information about hazards relevant to their work. Pre-task JHA reviews — commonly called toolbox talks — satisfy this requirement and create a defensible record of communication.
JHA vs. Risk Assessment: Understanding the Relationship
One of the most common questions I receive from clients is: "Is a JHA the same as a risk assessment?" They are related but distinct.
| Dimension | Job Hazard Analysis (JHA) | OH&S Risk Assessment |
|---|---|---|
| Scope | Single job task, step by step | Broader process, area, or activity |
| Output | Hazard-control pairs per task step | Risk rating (likelihood × severity) |
| ISO 45001 Clause | 6.1.2 (Hazard identification) | 6.1.2 (Risk assessment) |
| Frequency | Before any new/modified task; annually at minimum | Periodic; triggered by change or incident |
| Primary User | Frontline worker and supervisor | Safety manager, management team |
| Document Form | Step-by-step table | Risk register |
In practice, the JHA feeds the risk register. The hazards you identify through JHAs become line items in your risk assessment, where you assign likelihood and severity scores and determine whether residual risk is acceptable. Think of the JHA as the input and the risk assessment as the synthesis.
Common JHA Mistakes That Cause Audit Findings
After reviewing hundreds of JHA programs during ISO 45001 gap assessments, I see the same mistakes repeatedly:
1. Generic hazard descriptions. Writing "slip/trip hazard" without specifying which step creates it and what surface condition causes it is useless. Auditors look for specificity.
2. PPE-first controls. Jumping straight to "wear safety glasses" without demonstrating that elimination, substitution, and engineering controls were considered violates the hierarchy of controls requirement in clause 8.1.2.
3. No worker involvement. ISO 45001 clause 5.4 requires worker participation in hazard identification. A JHA developed entirely by a safety manager without observing or consulting the worker is a nonconformity waiting to happen.
4. No review triggers. JHAs must be reviewed when incidents occur, when equipment changes, when procedures change, or when new workers are introduced. An undated or five-year-old JHA signals a broken process.
5. Missing non-routine tasks. Organizations document their standard operating tasks but forget shift changeovers, maintenance, emergency shutdowns, and seasonal activities. Non-routine work is statistically the highest-risk category.
According to the National Safety Council, overexertion and bodily reaction injuries account for approximately 27% of all non-fatal workplace injuries — yet ergonomic hazards are the category most frequently missing from JHAs in organizations I assess.
Integrating Your JHA Program With ISO 45001
A mature JHA program connects to multiple clauses across the standard. Here is how to make those connections explicit:
Clause 6.1.2 → Hazard Identification: JHAs are your primary evidence of an ongoing hazard identification process.
Clause 6.1.3 → Risk Assessment: Transfer identified hazards into your risk register with likelihood and severity ratings.
Clause 7.2 → Competence: Use JHAs to define what training and skills are required before a worker performs a task.
Clause 7.4 → Communication: Pre-task JHA briefings satisfy the requirement to communicate OH&S information to workers.
Clause 8.1.1 → Operational Planning: JHAs inform your operational controls — the SOPs, permits, and inspection checklists you develop for high-risk work.
Clause 8.1.3 → Management of Change: Any change to equipment, personnel, process, or environment should trigger a JHA update before the change is implemented.
Clause 10.2 → Incident Investigation: Post-incident, return to the JHA for the affected task. Was the hazard identified? Was the control adequate? Was the JHA communicated? This analysis drives corrective action.
Citation hook: A Job Hazard Analysis program that is systematically linked to ISO 45001:2023 clauses 6.1.2, 7.2, 7.4, 8.1.3, and 10.2 creates a closed-loop safety management system where task-level hazard data continuously improves organizational risk controls — a structure that external auditors consistently recognize as evidence of system maturity.
JHA Template: Minimum Required Fields
Your JHA form does not need to be complex, but it must be complete. Here is the minimum structure I recommend for ISO 45001 compliance:
| Field | Purpose |
|---|---|
| Job Title / Task Name | Identifies scope |
| Location / Department | Contextualizes environment |
| Date Prepared / Last Reviewed | Demonstrates currency |
| Participants | Evidence of worker involvement (clause 5.4) |
| Required PPE | Pre-task safety requirement |
| Job Step # | Sequential task breakdown |
| Hazard Description | Specific, observable risk condition |
| Potential Consequence | What injury or illness could result |
| Existing Controls | What is already in place |
| Additional Controls Recommended | Hierarchy-based improvements |
| Responsible Party / Due Date | Drives corrective action closure |
| Approving Supervisor | Accountability trail |
How Often Should JHAs Be Reviewed?
ISO 45001 requires hazard identification to be an ongoing process. At a minimum, review JHAs:
- Annually for all routine, high-risk tasks
- Immediately after any incident or near miss involving that task
- Before any management of change affecting the task, equipment, or workers
- When regulations change affecting the task
- When a new worker is assigned to the task for the first time
Building review triggers into your document control system — rather than relying on human memory — is the most reliable way to keep JHAs current. Many of my clients use their document management platform to set automatic review reminders tied to the JHA's last-reviewed date.
Building a Culture Where JHAs Are Used, Not Filed
The most technically perfect JHA is worthless if workers don't engage with it. Here is what separates organizations with strong JHA cultures from those with compliance theater:
1. Workers write them. When frontline workers are involved in developing JHAs — not just signing them — they retain the content and enforce the controls on each other.
2. Supervisors brief them daily. High-performing safety organizations use pre-task JHA reviews as a daily ritual, not an annual event.
3. Workers can stop work. ISO 45001 clause 8.4 requires that workers have the authority to remove themselves from situations presenting imminent danger. The JHA is the baseline against which "imminent danger" is measured.
4. Close-calls update them. Every near miss is a free lesson. Organizations that treat near misses as JHA revision triggers continuously improve their hazard identification without waiting for an injury.
According to OSHA, employers pay approximately $1 billion per week in direct workers' compensation costs alone. A robust JHA program is one of the highest-ROI investments an organization can make — not just for ISO 45001 certification, but for the financial health of the business.
Getting Started: Your 90-Day JHA Rollout Plan
If your organization is starting from scratch or rebuilding a weak program, here is a practical 90-day roadmap:
Days 1–30: Inventory and Prioritize - List all job tasks performed in your organization - Rank by risk using the criteria in Step 1 above - Identify your top 20 highest-priority tasks - Assign task owners and observers
Days 31–60: Develop and Review - Conduct observed task analysis for all top-20 tasks - Draft JHAs with worker participation - Route for supervisor and safety review - Approve and enter into document control
Days 61–90: Train, Communicate, and Sustain - Brief all affected workers on completed JHAs - Train supervisors on pre-task JHA review procedures - Establish review triggers in your document management system - Begin the next tier of JHA development
For organizations pursuing ISO 45001 certification, a complete JHA program covering all high-risk tasks should be in place before your Stage 2 certification audit. Auditors sample JHAs and will test workers on whether they can describe the hazards and controls for their own jobs. If workers can't answer those questions, the JHA program isn't working — regardless of what the paperwork says.
For tailored support building a JHA program that integrates with your full ISO 45001 management system, Certify Consulting offers gap assessments, program development, and certification readiness services backed by 200+ successful client engagements.
You can also explore our related resources on conducting a comprehensive OH&S risk assessment and ISO 45001 hazard identification requirements for deeper dives into the broader risk framework your JHA program supports.
Frequently Asked Questions
What is the difference between a JHA and a JSA?
Job Hazard Analysis (JHA) and Job Safety Analysis (JSA) are functionally identical terms for the same process. Both describe a systematic, step-by-step method for identifying hazards associated with a specific job task and defining controls to address them. OSHA tends to use "JHA," while many industries and contractors use "JSA." ISO 45001 does not mandate either term — it requires the underlying process regardless of what you call the document.
Is a JHA required by ISO 45001?
ISO 45001:2023 does not use the term "Job Hazard Analysis" explicitly, but clause 6.1.2 requires organizations to establish an ongoing process to identify hazards associated with their work activities, including routine and non-routine tasks. A JHA program is the most practical and auditor-recognized method of meeting this requirement. In practice, certification auditors expect to see task-level hazard documentation that demonstrates the JHA approach, even if the organization calls it something else.
How many job tasks need a JHA?
All tasks with meaningful injury or illness potential should eventually have a JHA. For organizations starting out, prioritize by risk: begin with tasks involving fatality potential, past injuries, or regulatory requirements (such as confined space entry, lockout/tagout, and working at height). Most organizations build toward complete JHA coverage over 12–24 months, starting with their top 20–30 highest-risk tasks in the first 90 days.
Who should be involved in writing a JHA?
ISO 45001:2023 clause 5.4 requires worker participation in hazard identification. A JHA should always include the worker who performs the task (ideally observed during the analysis), the direct supervisor, and a safety professional or trained JHA facilitator. Workers bring ground-level knowledge about informal shortcuts and real-world conditions that supervisors and safety managers frequently miss.
How does a JHA connect to incident investigation?
After any incident or near miss, investigators should immediately retrieve the JHA for the involved task and ask: Was the hazard identified? Was the assigned control adequate? Was the JHA reviewed with the worker before the task? Gaps in any of these areas become corrective action items. This connection — required under ISO 45001:2023 clause 10.2 — is what transforms incident investigation from a reactive exercise into a proactive system improvement process.
Last updated: 2026-03-09
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.