Management of Change: 7 Safety Tests Leaders Need

Most serious incidents do not begin with a dramatic decision; they begin with a small change that no one treated as a change. This guide gives EHS managers and senior leaders seven Management of Change tests that expose hidden safety risk before the job reaches the field.

Why Management of Change is not paperwork

Management of Change, often shortened to MOC, is the disciplined review of technical, organizational, procedural, and human changes before those changes affect risk. ISO 45001:2018 addresses change in clause 8.1.3, while OSHA Process Safety Management names change control in 29 CFR 1910.119(l), because uncontrolled change can defeat barriers that looked adequate yesterday.

The weak version of MOC asks whether a form was completed. The useful version asks whether the operation still understands its hazards after the change, which is why an MOC review belongs close to the risk owner, not buried in an administrative queue.

On the Headline Podcast, Andreza Araujo and Dr. Megan Tranter often return to the same leadership question: what changes when safety moves from compliance language to real conversation? MOC is one of the places where that question becomes visible, because a leader either asks what shifted in the work system or accepts yesterday's risk picture as if nothing moved.

1. Test the trigger before the approval

An MOC system fails early when the organization cannot recognize what counts as a change. The trigger should cover equipment, chemicals, staffing, contractors, production rates, layout, software, temporary repairs, procedures, and emergency arrangements, since each of those can alter exposure even when the formal process name stays the same.

What most safety programs miss is the informal change. A maintenance team swaps a component for an equivalent part, a supervisor compresses a turnaround schedule, or a contractor changes the work sequence, and the risk profile changes without anyone opening a review. In that moment, the organization is not suffering from a lack of forms; it is suffering from a weak definition.

Use a trigger screen that supervisors can apply in less than five minutes, but do not confuse speed with superficiality. The screen should ask whether the change affects energy, interface, competence, emergency response, critical barriers, or legal requirements. If any answer is yes, the work moves to formal review.

Each week without a clear MOC trigger means temporary fixes, contractor shortcuts, and production-driven workarounds keep entering the operation as normal work.

2. Separate replacement from change

A replacement is not always a like-for-like event, because equal dimensions or equal vendor claims do not prove equal risk. In process safety, maintenance, and construction, the phrase like-for-like often hides a changed material, rating, interface, tolerance, software parameter, or inspection requirement.

As Andreza Araujo argues in her co-host body of work, including Safety Culture: From Theory to Practice, culture appears in the gap between what people declare and what they actually permit. MOC exposes that gap because teams often declare control while allowing unreviewed substitution at the edge of the process.

Ask for evidence, not reassurance. The reviewer should compare specifications, drawings, SDS data, operating limits, maintenance intervals, emergency effects, and training consequences. When evidence is missing, the change should be treated as a change until proven otherwise.

3. Map the barriers that the change can weaken

A change matters when it can weaken a barrier that prevents, detects, controls, or mitigates harm. Barrier mapping turns MOC from a document review into a risk review, especially for high-consequence work where one weak layer can expose a serious injury or fatality scenario.

The practical test is simple enough for a field conversation and rigorous enough for leadership review. List the critical barriers before the change, then ask which barriers will disappear, become harder to verify, depend on a different person, or require a different inspection frequency after the change.

This is where internal links between risk tools become useful. A mature MOC system feeds the safety risk register, because any approved change that shifts residual risk should leave a trace in the risk inventory, not only in the MOC file.

4. Test contractor and interface effects

MOC often breaks at the boundary between departments, companies, and shifts. A technical change approved by engineering can create an execution risk for maintenance, contractors, security, logistics, or emergency response, especially when the change modifies access, isolation points, traffic flow, or simultaneous operations.

In more than 250 cultural transformation projects, Andreza Araujo observes that interface risk is where declared ownership becomes blurry. Everyone assumes another function has explained the change, and the worker who faces the new condition receives only a revised work order.

For each MOC, identify every group whose work will touch the changed condition. That includes contractors who may not appear in the approval chain. The same discipline used for contractor interface risk belongs in MOC, because the hazard does not care which company signs the payroll.

ISO 45001:2018 clause 8.1.3 requires planned control of temporary and permanent changes, which means temporary contractor arrangements cannot be treated as invisible exceptions.

5. Define the field verification before release

An approved MOC is not complete until someone verifies that the field condition matches the approved condition. This verification should occur before startup, before first use, or before the modified work sequence begins, depending on the hazard.

The trap is believing that approval equals readiness. Approval says the change is acceptable on paper; verification says the installation, isolation, signage, instructions, alarms, access, tools, and emergency arrangements exist where the work occurs.

Require a field walkdown for any change that can affect fatal risk, process containment, stored energy, fire, lifting, confined space, work at height, or emergency response. The person doing the walkdown should be independent enough to challenge the owner, although close enough to understand the work.

6. Train for the changed work, not the old procedure

Training after MOC should explain what changed, why it changed, which hazards moved, which controls became critical, and what stop condition should trigger escalation. Generic refresher training does not meet this need, because the worker must recognize the new decision points created by the change.

Across 25+ years leading EHS in multinational environments, Andreza Araujo has seen that people often comply with the last instruction they understood. When the procedure changes but the mental model does not, the worker keeps solving the job with yesterday's assumptions.

Use a short change briefing for affected workers and supervisors, then require one practical verification question. Ask the person to explain what they will do differently on the next job. If the answer is vague, the training did not transfer into operational control.

7. Close the loop through indicators and learning

MOC needs leading indicators because lagging injury rates will not reveal weak change control fast enough. Useful indicators include overdue MOC actions, emergency changes without later review, repeat temporary repairs, startup findings, training completion with verification, and post-change abnormal conditions.

29 CFR 1910.119(l) names technical basis, safety and health impacts, procedural changes, time period, and authorization requirements, according to OSHA's Process Safety Management standard. Even outside regulated PSM operations, those dimensions give leaders a practical minimum for disciplined change review.

Connect MOC outcomes with Bow-Tie analysis or barrier review when the change affects critical controls. Connect them with Prevention Through Design when the change creates an opportunity to remove a hazard instead of managing it forever.

Comparison: paperwork MOC vs risk-control MOC

Conclusion

Management of Change protects people when it treats change as a risk event, not as a document event.

The Headline Podcast exists for real conversations with constantly learning people, and MOC deserves that kind of leadership attention because every approved change tells workers what the organization truly values. Subscribe to Headline Podcast at headlinepodcast.us and bring this checklist to the next change review.