CDM 2024 defined who is responsible. Your monitoring system defines whether "responsible" is provable.
Five hundred and forty-eight construction worker deaths between 2017 and 2023. That is the public Department of Occupational Safety and Health (DOSH) enforcement record that drove Malaysia's Construction Design and Management Regulations 2024 (CDM 2024) onto the statute book. Five hundred thousand ringgit is the maximum fine under the OSHA Amendment Act 2022, with two years' imprisonment available against named dutyholders. The CDM 2024 framework names five duty-holder roles — Client, Designer, Principal Contractor, Principal Designer, and Contractor — each with explicit accountabilities the regulator can test.
What CDM 2024 does not do is define what "suitable monitoring arrangements" means in operational terms. The Principal Contractor is required to ensure that the construction phase plan is followed, that hazards are identified and controlled, and that the controls are demonstrably operating. The standard for evidence is silent on the monitoring architecture. That gap is exactly where DOSH enforcement inspections test whether the dutyholder's compliance position is provable in operational terms or only documented in paper terms.
This post is the architectural argument for why CDM 2024 compliance is a monitoring problem, not only a documentation problem, and what the deployment looks like for Principal Contractors who need to close the gap before the inspection.
What the five dutyholder roles change in practice
CDM 2024 maps responsibility across the construction lifecycle rather than concentrating it on the main contractor. The Client carries a duty for the design brief and for appointing competent dutyholders. The Designer and Principal Designer carry duties for the safety implications of design decisions. The Principal Contractor carries the operational duty during construction phase. The Contractor carries duties for the work each contractor performs.
The shift from the prior framework is the named, traceable accountability at each role. Under the prior arrangement, a fatality on site triggered an investigation that often found shared responsibility distributed across parties without a clear personal liability anchor. Under CDM 2024, the investigation begins with the question of which dutyholder's controls failed at the moment of the incident. Personal criminal liability is available against the named individual when the investigation establishes that the dutyholder's controls were not in operation at the time of the harm event.
This changes the evidence question for every dutyholder. Documenting that the hazard register was completed, the risk assessment was filed, and the toolbox talk was held is necessary. It is no longer sufficient. The investigation will ask whether the controls those documents claimed were operating at the moment of the harm event, and whether the dutyholder can prove it without depending on the recollection of the worker who took that shift.
Why DOSH inspections are the live test, not the paperwork audit
The DOSH enforcement record over the past several years has shifted in direction more than in volume. Inspectors increasingly arrive on site, walk the active work areas, and test the controls in operation. The hazard register is verified against the conditions on the floor. The PPE register is verified against the workers actually present. The permit-to-work system is verified against the open permits and the supervisors operating them. A facility that passes the documentation review and fails the operational review is in the position the prior framework rarely produced and the new framework explicitly enables.
Practitioners on construction safety forums have repeatedly described DOSH as one of the more annoying agencies for management to deal with — the formal description matters less than the operating consequence, which is that when the agency is triggered, it acts. A documented continuous-monitoring evidence base is independent of inspector behaviour. The evidence is the same whether the inspector arrives on a routine visit, on an accident-triggered investigation, or on a complaint-driven review. The dutyholder's compliance position is the audit trail that exists independently of any specific inspection.
This is the same direction of travel we covered in detail in the post on what Korean manufacturers need to know about the Serious Accidents Punishment Act. SAPA, CDM 2024, OSHA Amendment Act, Singapore's WSH Act after the 2024 enforcement update — the regional pattern is consistent. The penalties scale to executive criminal liability. The standard for evidence is moving from filed documents to demonstrable continuous controls. APAC dutyholders who have not closed the gap before the inspection are answering the question after.
The four detection categories that map to construction site enforcement
The hazard categories that dominate Malaysia construction enforcement are well established in the public record. Falls from height, struck-by incidents involving plant and material, electrical incidents, and confined-space and excavation events repeat across the fatality statistics. Each of these has observable precursors that a vision system can detect in real time, and each maps onto one of the same detection categories that drive HyperQ AI Safety in industrial environments.
PPE compliance at zone entry, with the construction-site specifics overlaid. Hard hat. Hi-vis. Eye protection in cutting, drilling, and grinding zones. Fall-arrest harness with the lanyard correctly secured at heights. The detection has to know what each item looks like in position, not just whether something resembling the item is somewhere on the worker's body. A fall-arrest harness on but unclipped from the anchor point is the failure mode that produces the fatality, and the detection has to identify the unclipped state, not just the presence of the harness.
Plant and pedestrian proximity. Cranes, excavators, telehandlers, and skid-steers operating in the same zone as workers on foot. The detection is the approach event in real time, with the alert reaching the worker on a wearable channel before the audible alarm or the line-of-sight cue can resolve. The forklift-pedestrian pattern that drives industrial safety incidents is the same pattern at construction-site scale, with heavier plant and longer braking distances.
Restricted-access zones. Live electrical, hot work, confined space, and excavation zones with the permit-to-work system in operation. The control is the alert at the entry boundary plus the timestamped log of the entry event with worker identification, so the dutyholder can demonstrate a functioning permit system rather than a posted permit that may or may not be in active operation.
Lone-worker presence in hazardous zones. The control combines camera-side detection with the wearable-side biometric channel for the worker. The architectural pattern is the same one applied in the AI safety monitoring approach for chemical and process industries and in adjacent high-risk environments.
What HyperQ AI Safety does inside the CDM 2024 frame
The architecture is purpose-built for the four detection categories above and the audit-trail discipline the regulator now expects. The Visual Language Model with PEFT fine-tuning is trained on the precursor states for falls, fires, intrusion, and PPE non-compliance. ONVIF auto-recognition picks up existing CCTV in roughly one hour of deployment. The IP68-rated smartband at 250 US dollars per worker (4G/WiFi model with firmware and app) is the worker-side alert channel and the biometric monitoring channel — heart rate, SpO2, skin temperature, and blood pressure measured continuously, with vibration alerts on the wrist when the camera-side or biometric-side detection fires.
Hardware footprint runs 30 to 50 percent lower than hardware-locked safety platforms. The inference architecture is air-gappable when the project's data-sovereignty position requires it, which is increasingly common on government-funded construction and on critical-infrastructure work in Malaysia. The audit trail records the timestamp, the camera image, the classification confidence, the alert routing, and the worker response — the documentary base the dutyholder uses to demonstrate that controls were operating at the moment in question.
The product positions inside the zone the practitioner community accepts: PPE, zone monitoring, plant-pedestrian proximity, fire and intrusion detection. It does not make permit decisions, draft incident investigation conclusions, or replace the qualified safety professional. The professional makes the calls. The system supplies the data and the alert. The boundary is intentional, and the architecture preserves it. We covered the same boundary in the recent post on what HyperQ AI Safety is and the moment-before window the system is built for.
Where the dutyholder defence stands or falls
A facility that has filed the hazard register, completed the risk assessment, and held the toolbox talks has a defensible documentation position. A facility that can also produce a timestamped audit trail showing the controls operating at the moment of the incident, with named worker identifications, classification confidence, and alert-response logging, has a defensible operational position. The two are not the same. Under CDM 2024 with personal criminal liability available, the operational position is the test the regulator and the prosecution will run.
The Principal Contractor's exposure is structurally higher than the other dutyholders' because the operational duty is continuous through the construction phase. The other dutyholders are accountable at decision points — design choices, dutyholder appointments, contractor selections. The Principal Contractor is accountable for whether the controls were operating at every shift across the project. That continuous accountability is what the audit trail addresses. A monitoring layer that produces an evidence base across every shift is the difference between the dutyholder being able to demonstrate continuous compliance and being asked to recollect compliance at the inquiry.
This is also the architecture that lets the same evidence travel to the insurer, the client representative, and the cross-project EHS oversight function — the discipline we wrote about in the multi-site EHS oversight post that maps onto distributed construction portfolios as cleanly as it does onto multi-site manufacturing groups.
What you can verify before any commitment
Send the site plan for one work zone — high-rise floor, excavation, hot-work area, restricted-access perimeter — and the inventory of the existing camera and sensor coverage. Within two weeks, we map the zone against the four detection categories, identify where the current detection-to-alert window leaves workers stranded, and produce a written hazard register tied to the CDM 2024 dutyholder responsibilities for that specific zone. The deliverable names which detections are tractable on existing camera infrastructure, which require optics upgrades and at what cost, and where the worker-distribution and PPE-distribution patterns require facility-specific model retraining before go-live.
The deployment to validate the architecture on a single zone is a one-hour install on existing ONVIF-compatible cameras, with the smartband layer added per worker as the worker-side alert channel and the biometric-monitoring channel. The retraining workflow is owned by the dutyholder's safety team after handover, which keeps the audit trail under direct control rather than at a vendor's discretion.
CDM 2024 named the dutyholders. The monitoring architecture determines whether the dutyholder defence is provable in operational terms. The two are different positions. Only one of them survives the inquiry.