
AI safety monitoring compliance checklist for APAC manufacturers: Singapore WSH Act, Malaysia CDM 2024, South Korea SAPA

Three countries, three safety statutes, one architectural requirement: the monitoring system has to detect and document incidents in real time, not record them after the fact.

Three jurisdictions. Three independent legislative programmes. One architectural conclusion: active detection with a timestamped audit trail is the compliance position, and documentation of the controls without evidence of their operation is no longer sufficient. South Korea's Serious Accidents Punishment Act (SAPA), Singapore's Workplace Safety and Health Act after the 2024 MOM enforcement update, and Malaysia's Construction Design and Management Regulations 2024 (CDM 2024) under the OSHA Amendment Act 2022 each arrived at this conclusion on independent timelines, with different incident statistics driving each programme and different industries as the regulatory anchor. The convergence is not coincidence. It is what the data on industrial fatality investigations across the region has been pointing at since the late 2010s.

The penalties have also converged on a structure the prior generation of statutes did not produce. Corporate fines are still available — half a million Singapore dollars under the WSH Act for a corporate breach, five hundred thousand ringgit under CDM 2024 plus two years' imprisonment, fines plus criminal imprisonment for executives under SAPA. The shift is the personal criminal liability available against named individuals across all three statutes. A safety officer at a Changi Airport contractor was sentenced to two months' jail in 2020 under the prior WSH regime. The Korean Supreme Court has upheld SAPA convictions producing executive imprisonment. The Malaysian framework follows the same direction. Fines can be absorbed as costs of doing business. Imprisonment cannot.

This post is the checklist for APAC manufacturers operating across two or more of these jurisdictions, with the architectural argument that a single AI safety monitoring system can satisfy all three rather than three separate deployments.


What each statute actually requires

The three statutes are different in language and identical in structural requirement.

The Singapore WSH Act, after MOM's 2024 enforcement guidance update, asks the dutyholder to take reasonably practicable measures to ensure that the workplace, equipment, and work practices are safe. The shift in 2024 was from documentation compliance to operational compliance: the inspector tests whether the controls are running at the moment of the visit, not whether the hazard register was filed last year. We covered the specific change in detail in the post on why the camera that records is not the camera that complies after Singapore's 2024 WSH enforcement update. The penalty schedule scales to fifty thousand Singapore dollars for an individual breach (raised in June 2025), with corporate exposure to five hundred thousand and personal imprisonment available.

Malaysia's CDM 2024 names five dutyholder roles — Client, Designer, Principal Designer, Principal Contractor, Contractor — each with explicit operational accountabilities during the construction phase. The OSHA Amendment Act 2022 set the penalty ceiling at five hundred thousand ringgit plus two years' imprisonment. The Department of Occupational Safety and Health (DOSH) enforcement record shifted measurably toward operational testing after the framework took effect. We covered the dutyholder analysis in the post on CDM 2024 and the audit-trail requirement that follows.

Korea's Serious Accidents Punishment Act (SAPA) is the most aggressive of the three on executive liability. CEO and senior-executive criminal imprisonment is available for workplace fatalities where the company's safety and health duties were not discharged. The Article 4 safety-and-health duties are operationally defined and include continuous monitoring of high-risk workplace activities. We covered the practical implications in the post on what Korean manufacturers need to know about SAPA.

The three statutes converge because the underlying engineering question is the same. Did the controls the company claimed were in place actually operate at the moment of the incident, and can the company prove it without depending on the recollection of the worker who took that shift?


The convergent requirement: active detection plus timestamped evidence

What each statute is testing for, in operational terms, is the same: a continuous monitoring layer that produces a timestamped audit trail of the controls in operation, with the alert reaching the worker who could act on it within the intervention window. The vocabulary differs across the three. The architectural requirement is identical.

Active detection — meaning the system identifies the precursor state to an incident in real time, not the post-event evidence — is the floor. CCTV that records is evidence after the fact and is not active detection. A monitoring system that produces an audible alarm only when an incident has already occurred is not active detection. An AI vision system that detects the precursor to an incident (forklift approaching pedestrian zone, missing PPE at zone entry, unauthorised entry into restricted area, lone worker presence in hazardous zone) and fires the alert to the worker before the incident occurs is active detection.

Timestamped audit trail — meaning the inspection result, the detection confidence, the model version, the alert routing, and the worker response are all logged at the moment of the event and recoverable indefinitely — is the documentary base the three statutes test against. The auditor in each jurisdiction asks the same question: show me the evidence that the controls were operating at the time of the incident. The audit trail is the answer. A vendor-locked cloud dashboard the auditor cannot inspect is not the answer; it is the explanation of why the answer is not available.

Reasonably practicable scope — meaning the system covers the hazards the statute names rather than an arbitrary subset — is the third requirement. WSH Act, CDM 2024, and SAPA each have their own list of priority hazards driven by the incident statistics in the respective jurisdictions. The four detection categories that map across all three are PPE compliance at zone entry, plant-and-pedestrian proximity, restricted-zone breach, and lone-worker presence in hazardous environments. These are the categories where AI vision detection is mature enough to deploy in production today and where the deployment satisfies the operational requirement of all three statutes simultaneously.


What HyperQ AI Safety does inside this regulatory frame

The architecture is purpose-built for the four detection categories above. The Visual Language Model with PEFT fine-tuning is trained on the precursor states for falls, fires, intrusion, and PPE non-compliance. ONVIF auto-recognition picks up existing CCTV in roughly one hour of deployment, which keeps the capital cost of the compliance deployment at the software-and-integration layer rather than the camera-replacement layer.

The IP68-rated smartband at 250 US dollars per worker (4G/WiFi model with firmware and app) is the worker-side alert channel and the biometric monitoring channel. Heart rate, SpO2, skin temperature, and blood pressure are measured continuously, with the vibration alert on the worker's wrist firing when the precursor is detected. The worker-first alert routing is what the practitioner community has named as the architectural counter to the surveillance objection that occurs in vendor-controlled deployments — we covered the architecture in the post on what HyperQ AI Safety is and the moment-before window the system is built for.

The audit trail records the timestamp, the camera image, the classification confidence, the alert routing, and the worker response — recoverable per event, indefinitely. The data path is on-premise by default, with cloud sync optional at the analytics layer when the data-sovereignty position permits it. The three regulators apply different data-sovereignty rules; the architecture is air-gappable when the project's data-sovereignty position requires it, and runs through standard MES integration when it does not.

Hardware footprint runs 30 to 50 percent lower than hardware-locked safety platforms. The deployment economics resolve at the software-licence-plus-smartband-per-worker level, with the existing CCTV footprint and the existing MES integration as the capital base.


The single-deployment-three-jurisdictions argument

A multi-site operator running facilities in Singapore, Malaysia, and Korea has historically deployed three separate safety monitoring programs — one designed for the WSH Act, one for CDM 2024, one for SAPA. Each program is documented separately, audited separately, and operates against different vendor relationships. The duplication is real and consumes a meaningful share of the corporate EHS budget.

The architectural argument for a single monitoring deployment is that all three statutes are testing for the same engineering output. The detection categories the system covers are the same. The audit trail the regulator asks for is the same. The worker-side alert routing is the same. The operational evidence base is the same. The differences across the three jurisdictions are the documentary metadata (regulatory references, dutyholder names, jurisdiction-specific reporting templates) and not the underlying detection or alerting work.

A single HyperQ AI Safety deployment with the documentary metadata layer configured per jurisdiction produces three audit-compatible evidence bases at the cost of one architectural deployment. The capital cost of the compliance programme reduces. The operating cost reduces. The cross-site EHS oversight discipline we covered in the post on the multi-site EHS blind spot most directors live with becomes tractable because the data across sites is comparable on the same detection criteria.


The checklist itself

The checklist for an APAC manufacturer evaluating an AI safety monitoring deployment against the three statutes has six concrete items.

Active-detection capability against the four named categories: PPE, plant-pedestrian proximity, restricted-zone breach, lone-worker presence in hazardous environments. Verifiable on a sample deployment with the customer's actual workforce and PPE distribution.

Worker-first alert routing with a wearable channel that reaches the worker in the intervention window. The smartband or equivalent has to fire the alert to the worker before the alert routes to the dashboard, not after.

Timestamped audit trail with on-premise data sovereignty as the default. The customer owns the audit trail. The vendor relationship is the platform; the data is the customer's.

Documentary metadata configurable per jurisdiction. WSH Act dutyholder references, CDM 2024 Principal Contractor accountabilities, SAPA Article 4 evidence formats — each rendered against the same underlying detection events.

Existing CCTV and MES integration. The deployment runs against the camera footprint and the operational systems the customer already has. The capital cost is at the software-and-smartband layer, not the camera-replacement layer.

Customer-owned retraining workflow. The QA and EHS team owns the labelled corrections and the model updates. The vendor supplies the platform and the labelling tools.


What you can verify before any commitment

Send the floor plans and CCTV inventories for the priority zones across one site in each of the three jurisdictions you operate in. Within two weeks, we map each zone against the four detection categories, identify where the current detection-to-alert window leaves workers stranded, and produce three written hazard registers — one each in the regulatory language of WSH Act, CDM 2024, and SAPA — tied to the specific zones. The deliverable names which detections are tractable on existing camera infrastructure, which require optics upgrades and at what cost, and the documentary metadata layer required to render the same audit trail in three jurisdiction-specific formats.

The deployment to validate the architecture on a single zone is a one-hour install on existing ONVIF-compatible cameras, with the IP68 smartband layer added per worker at 250 US dollars per unit. The retraining workflow is owned by the customer's safety team after handover, which keeps the audit trail under direct dutyholder control rather than at a vendor's discretion.

The jurisdictions are different. The underlying compliance logic is the same. One active monitoring system with timestamped audit trail and worker-first alert routing satisfies all three — without three separate deployments and three separate cost centres.


Send the floor plans for one site per jurisdiction. Get the three jurisdiction-specific hazard registers and the single-deployment architecture in two weeks, no commitment until the system has been measured against your actual layouts.

Written by

Hypernology Team

June 27, 2026
