Safety Management Systems: ISO 45001, ANSI Z10, and OSHA's Recommended Practices

ISO 45001 and ANSI Z10 are the two main safety management system frameworks. Learn what each requires, how they differ, and whether your company needs one.

Updated February 27, 2026

Reviewed by: SafetyRegulatory Editorial Team

Regulation check: February 27, 2026

Next scheduled review: August 27, 2026

Most companies don’t have a safety management system. They have a collection of safety programs.

There’s an OSHA-required lockout/tagout program. A hazard communication program. A PPE program. Each one was built in response to a citation or a near-miss or a new hire who asked where it was. They live in separate binders, maintained by different supervisors, audited on different schedules, or not audited at all.

That patchwork approach works fine at low complexity. At a 15-person shop with one or two real hazard categories, it’s probably enough. But as operations grow, the gaps between programs become the places where workers get hurt. An SMS is what replaces the gaps with a system.

What an SMS Actually Is

A safety management system is a structured, documented framework that connects hazard identification, risk control, compliance obligations, incident investigation, and performance measurement into a single operating system. The goal isn’t to create more paperwork. The goal is to make safety management predictable and self-correcting instead of reactive.

The difference in practice: a standalone LOTO program tells you how to isolate energy. An SMS tells you how LOTO fits into your overall risk control hierarchy, how LOTO training gets documented and verified, how LOTO failures get investigated and fed back into the system as improvement actions, and who is accountable for each part. The program doesn’t live in isolation.

There are three main frameworks for building an SMS: OSHA’s Recommended Practices for Safety and Health Programs, ANSI Z10, and ISO 45001. They share the same logic. They differ in formality, certifiability, and who developed them.

OSHA published its Recommended Practices for Safety and Health Programs in 2016. It’s not a regulation. There’s no enforcement authority behind it. OSHA won’t cite you for failing to follow it. But it describes, in plain language, the seven core elements of an effective safety program as OSHA sees them.

Those seven elements are management leadership, worker participation, hazard identification and assessment, hazard prevention and control, education and training, program evaluation and improvement, and communication and coordination for multi-employer worksites.

The Recommended Practices are worth reading for two reasons. First, they’re free, accessible, and written in non-jargon language. Second, OSHA inspection officers are trained on this framework. When an inspector walks your site, they’re mentally mapping what they see against these elements. Knowing the framework helps you understand how your program will be evaluated.

If you want to build an SMS without spending money on a standard, OSHA’s Recommended Practices is the right starting point. It won’t get you certified, but it gives you the architecture.

ANSI Z10: The U.S. Standard

ANSI Z10 is the American National Standard for Occupational Health and Safety Management Systems, developed and maintained by the American Society of Safety Professionals (ASSP). The current version is ANSI/ASSP Z10.0-2019.

Z10 uses the Plan-Do-Check-Act cycle (explained in more detail below) as its organizing principle. It requires documented policies, defined roles and responsibilities, hazard identification and risk assessment processes, operational controls, and a formal management review process.

The key distinction from ISO 45001: Z10 does not have a third-party certification scheme. You can’t hire a registrar to audit your Z10 compliance and issue a certificate. Conformance to Z10 is self-declared. You build the system, you audit it internally, and you say you conform to the standard.

That’s not a weakness. For most U.S. companies, Z10 conformance is the right level. You get the rigor without the audit fees and recertification cycles that come with ISO certification. If you already have an ASSP chapter locally, you’ll find practitioners who work in Z10 regularly and can help with implementation.

ISO 45001: The International Standard

ISO 45001 was published in 2018, replacing the older OHSAS 18001 standard that many multinational companies had been using. It’s an international standard, managed by the International Organization for Standardization, and it allows third-party certification by an accredited registrar.

The structure follows the same Plan-Do-Check-Act logic as Z10. But ISO 45001 goes further in two areas. First, it has stronger requirements around the “context of the organization,” meaning it requires you to identify external and internal factors that affect your OH&S risks, including legal requirements, the nature of your business relationships, and the expectations of workers and other interested parties. Second, it has explicit requirements for worker participation that go beyond just “consult workers.” Workers must have opportunities to participate in hazard identification, risk assessment, and the investigation of incidents.

Certification involves a two-stage external audit. Stage 1 is a document review, where the auditor confirms your system is adequately designed. Stage 2 is an on-site audit, where they verify implementation. After certification, you’ll have annual surveillance audits and a recertification audit every three years.

The process typically takes 12 to 24 months for an organization starting from scratch. Companies that already hold ISO 9001 (quality) or ISO 14001 (environmental) certifications often move faster, because the management system structure maps directly between standards.

The PDCA Cycle

Both Z10 and ISO 45001 organize around PDCA: Plan, Do, Check, Act.

Plan means identifying your hazards, assessing the risks they create, setting objectives for improving controls, and defining the operational procedures you’ll use. Do means implementing those procedures and controls, conducting training, and running your operations within the system. Check means monitoring performance with metrics, conducting audits, investigating incidents, and reviewing whether your controls are actually working. Act means taking corrective actions, updating procedures, and feeding what you learned back into the planning phase.

The cycle doesn’t end. That’s the point. A mature SMS gets better every year because every incident, every audit finding, and every near-miss generates an action that closes a gap. The safety metrics guide goes deeper on what to measure at each phase.

Does Your Organization Need One?

Honest answer: it depends on size, complexity, and what’s driving the question.

If you’re asking because a client is requiring ISO 45001 certification as a contract condition, you don’t have a choice. This happens frequently with large manufacturers and contractors who work in supply chains requiring ISO compliance. Build for certification.

If you’re asking because you want a more organized safety program and fewer gaps between your individual programs, ANSI Z10 or the OSHA Recommended Practices are the better fit. You get the architecture without the overhead. For most U.S. companies under 500 employees, this is the right move.

If you’re asking because senior management wants to pursue OSHA’s Voluntary Protection Program (VPP), know that VPP Star sites are expected to demonstrate a documented, functioning SMS. VPP doesn’t mandate ISO 45001, but the evaluation criteria map closely to it.

Small and mid-size organizations sometimes make the mistake of building an ISO 45001 system when the real problem is that no one owns safety at a senior level. Certification doesn’t fix a management commitment problem. It documents it. If leadership isn’t genuinely engaged, the system will be a set of binders that gets dusted off before the surveillance audit. The safety culture guide addresses the leadership side of this.

Building Without Certification

You can implement an effective SMS without ever pursuing formal certification. The steps are the same. The difference is that you’re your own evaluator.

Start with a gap assessment. Map your existing programs against the seven elements of the OSHA Recommended Practices, or against the Z10 or ISO 45001 clauses if you want a more structured benchmark. Where do you have documented processes? Where do you have programs in practice but nothing written? Where do you have nothing at all?

The gap assessment gives you the build sequence. Start with the high-hazard gaps, not the paperwork gaps. If you don’t have a formal incident investigation process, that’s a higher priority than updating your policy statement.

Build the management review process early. This is where the SMS becomes self-sustaining. A formal management review, typically quarterly or annually, reviews performance data, incident trends, audit results, and objectives progress. Leadership sees the data and makes resource decisions based on it. Without a formal review, the SMS is just programs again.

Document the system in a way that’s maintainable. Long policy manuals that take a specialist to update don’t stay current. Keep core procedures short and update them on a set schedule. A safety program audit run annually against your own system will catch drift before the next external audit does.

If you’re stepping into a safety manager role and trying to assess where your organization is, the first 90 days guide includes a framework for sizing up the existing system before deciding whether to build, refine, or pursue certification.

The SMS is a tool. The goal is fewer workers getting hurt and a program that can prove it’s improving. Certification is optional. The improvement isn’t.