What is HSE OG-0086 (Operational Guidance)

HSE Operational Guidance (OG-0086)

HSE Operational Guidance documents are the internal instructions and guidance that HSE uses to carry out its core operational work of inspecting, investigating, permissioning and enforcing.

The guidance is presented in essentially in the same way as it is made available to HSE staff but with some additional explanation for an external audience.

OG-86 is the HSE’s guidance and interpretation of standards on industrial network, system and data security, and functional safety as they relate to major accident workplaces and operators of essential services.

The guidance will be applied by HSE Inspectors to:

• major hazards workplaces, for control of major accident hazards 
• for control the loss of essential services, for Operators of Essential Services (OES) defined under The Network and Information Systems Regulations 2018 (NIS).

This guidance could help demonstrate that appropriate and proportionate measures have been taken to control cyber security risks of systems that are often termed Industrial Automation and Control Systems (IACS), or Industrial Control Systems (ICS) or Operational Technology (OT).

NOTE - as of April 2026 the UK Health and Safety Executive will be transitioning from OG86 to ISA / IEC 62443 as the basis of COMAH site inspections. Given that the ISA /IEC 62443 family of standards contains a far more comprehensive set of requirements than the out-going OG86 document, this will place additional requirements on COMAH Duty Holders, particularly in the areas of:

• Establishing and improving an organisational Security Program or Cyber Security Management System (ISA / IEC 62443-2-1) and requiring equivalent Security Programs to be in place in their integration and maintenance service provider partners (ISA / IEC 62443-2-4)
• Identification of zones and conduits and determination of target Security Levels (ISA / IEC 62443-3-2)
• Identification of system security requirements (ISA /IEC 62443-3-3)

Possibly the largest change for COMAH Duty Holders will be the expectation that, as asset owners, they will be required to determine their own corporate risk appetite and follow the two-stage initial and detailed risk assessment workflows laid out in ISA  / IEC 62443-3-2. This is in contrast to OG86 Edition 2 which only required an initial (high-level) risk assessment to be carried out for systems whose compromise would result in Major Accident consequences.

The enhanced risk assessment process is linked to more stringent requirements for security countermeasures (ISA / IEC 62443-3-3), proportionate to the risk, than the basic requirements laid out in OG86 Appendix 5.

OG86 is expected to be maintained for the foreseeable future as a measure of basic cyber hygiene, but only in cases where initial risk assessment has identified no enhanced security requirements.