Hazard Identification & Risk Assessment (HIRA) Guide

TL;DR:

HIRA is a structured process that identifies workplace hazards and evaluates their risk before someone gets hurt — not after.
Every incident I’ve investigated traced back to a hazard that was either missed or underestimated during the HIRA process.
Effective HIRA requires field participation, not desktop exercises completed by one person behind a screen.
Risk scoring alone is meaningless without verified, implemented controls matched to the hierarchy of control.
HIRA must be a living process — revisited after incidents, changes in scope, new equipment, and at regular scheduled intervals.

I was three days into a turnaround at a gas processing facility in the Gulf when the scaffolding crew started erecting a platform over a live process line. The permit was in place. The method statement was signed. But nobody — not the scaffold supervisor, not the area authority, not the issuing authority — had identified the risk of dropped objects onto a pressurized flange directly below the work platform. It took a dropped scaffold clip bouncing off the flange bolts to freeze every person on that deck. That near-miss could have been a catastrophic hydrocarbon release. The HIRA for that job was four pages long, ticked every box, and still missed the one hazard that nearly killed the operation.

Hazard identification and risk assessment is the backbone of every occupational health and safety management system. ISO 45001 builds its entire Plan-Do-Check-Act cycle around it. OSHA enforcement starts with whether hazards were recognized and controlled. HSE UK’s Management of Health and Safety at Work Regulations 1999 make it a legal duty. Yet across industries — from construction to petrochemical, mining to manufacturing — HIRA remains the single most poorly executed safety process I encounter in the field. This article breaks down what HIRA actually is, why it fails, how to do it properly, and what separates a document that saves lives from one that just fills a folder.

Infographic showing the four-step HIRA process for workplace hazard identification and risk management: identify the hazard, assess the risk, implement controls, and monitor and review.

What Is Hazard Identification and Risk Assessment (HIRA)?

Hazard identification and risk assessment — commonly abbreviated as HIRA — is a systematic process for recognizing hazards in the workplace and evaluating the level of risk each hazard presents before work begins. It forms the foundation of proactive safety management across every industry.

HIRA consists of two distinct but inseparable stages. The first — hazard identification — involves finding, listing, and characterizing all sources of potential harm in a work environment, task, or process. The second — risk assessment — involves evaluating how likely each hazard is to cause harm, how severe that harm could be, and what controls are needed to reduce risk to an acceptable level.

The critical distinction most organizations miss is between hazard and risk. A hazard is anything with the potential to cause harm — an unguarded moving part, a toxic chemical, an energized circuit. Risk is the combination of the likelihood of that harm occurring and the severity of its consequences. A sharp blade on a bench is a hazard. A sharp blade being used by an untrained worker without cut-resistant gloves, under time pressure, in poor lighting — that’s a high risk.

ISO 45001:2018, Clause 6.1.2 requires organizations to establish, implement, and maintain processes for hazard identification that are ongoing and proactive — not reactive or one-time.

Pro Tip: When I audit a site’s HIRA process, the first thing I check isn’t the risk register. It’s whether the people doing the work were involved in writing it. If the register was built by one person in an office, it’s already compromised — no matter how polished the document looks.

Why HIRA Matters: The Real Consequences of Getting It Wrong

Every safety professional has seen beautifully formatted risk assessments that failed the moment they met real conditions. Understanding why HIRA matters requires looking past the paperwork and into the consequences of failure.

During a pipeline construction project in Central Asia, a crew was excavating a trench for a 16-inch gas line when the unsupported trench wall collapsed and buried a worker to his waist. He survived — barely. The HIRA for that excavation listed “trench collapse” as a hazard and rated it as medium risk. But the control listed was “monitor soil conditions,” with no specifics on who would monitor, what triggers would stop work, or what shoring method applied to that soil classification. The hazard was identified. The risk assessment was useless.

When HIRA fails, the consequences cascade through every layer of an operation:

Human cost: Workers suffer injuries, permanent disabilities, or fatalities from hazards that could have been controlled with basic engineering or administrative measures.
Legal liability: Under HSE UK’s regulations and OSHA’s General Duty Clause (Section 5(a)(1)), employers who fail to identify foreseeable hazards face citations, penalties, and potential criminal prosecution.
Operational disruption: A single incident from an uncontrolled hazard can shut down an entire project — costing days or weeks of lost production and triggering regulatory investigation.
Erosion of safety culture: When workers see that HIRA documents don’t reflect real site conditions, they stop trusting the safety management system. Once that trust breaks, incident rates climb.
Financial impact: The ILO estimates that occupational accidents and work-related diseases cost approximately 3.94% of global GDP annually — losses driven overwhelmingly by failures in hazard recognition and risk control.

Pro Tip: I keep a one-page summary of the top 5 incidents from each project I’ve worked on. Every single one maps back to a HIRA gap. Use your own incident data to test your risk assessments — if your incidents don’t appear anywhere in your risk register, the register isn’t working.

The HIRA Process: A Step-by-Step Field Approach

The HIRA process is not complicated in theory. It becomes complicated in execution because of shortcuts, assumptions, and lack of field verification. The following sequence reflects how effective HIRA works when done properly on high-risk sites — not how it’s described in textbooks.

Step 1: Define the Scope and Context

Before identifying a single hazard, clarify what you’re assessing. Scope creep and vague boundaries produce risk assessments that try to cover everything and end up covering nothing.

Specify the task, area, or process being assessed — “scaffolding erection at Unit 4 reactor area” is useful; “construction activities” is not.
Identify who is exposed — not just your own workforce, but contractors, visitors, neighbouring operations, and the public if applicable.
Determine the phase of work — hazards during commissioning differ drastically from hazards during routine maintenance or decommissioning.
Review existing documentation — previous incident reports, audit findings, manufacturer manuals, safety data sheets, and permit-to-work records from similar tasks.

Step 2: Identify Hazards Systematically

Hazard identification is where most HIRA processes either succeed or fail. Effective identification uses multiple methods — never just one — and always involves people who perform the work.

The most reliable hazard identification methods across industries include:

Physical workplace inspections: Walk the area. Look at the actual conditions — not what the drawings show, but what exists on the ground right now. During a refinery inspection in the Middle East, I found a corroded pipe support that wasn’t on any inspection schedule. The P&IDs showed it as a 6-inch carbon steel support. In reality, it had lost 40% of its wall thickness.
Task analysis and job safety analysis (JSA): Break the task into sequential steps. At each step, ask: what could go wrong, what energy sources are present, and what could a worker be exposed to?
Review of incident and near-miss data: Historical records reveal patterns. If three near-misses involved dropped tools at height in the past quarter, dropped objects must appear prominently in every HIRA for elevated work.
Worker consultation and interviews: The crew doing the work knows hazards the safety team doesn’t. I make it a practice to ask the crew lead one question before signing off any HIRA: “What’s the thing that worries you most about this job?”
Regulatory and standards review: Check applicable OSHA standards, HSE UK ACoPs, industry codes (API, NFPA, ATEX), and project-specific requirements for hazards that must be addressed.
What-if analysis and HAZOP: For process safety and complex operations, structured techniques like HAZOP (Hazard and Operability Study) identify deviations from design intent that create hazardous conditions.

HSE UK’s HSG65 guidance emphasizes that hazard identification should be an ongoing activity, not limited to formal assessment periods. Real hazards emerge during work — not before it.

Infographic showing six hazard identification methods including workplace inspection, worker consultation, task analysis, standards review, incident data review, and HAZOP/What-If analysis, with a statistic about workers catching missed hazards.

Step 3: Assess the Risk — Likelihood × Severity

Once hazards are identified, each one must be evaluated for its level of risk. This step separates hazard identification from risk assessment and determines how urgently and aggressively each hazard must be controlled.

Risk is universally evaluated using two dimensions:

Likelihood — How probable is it that the hazard will result in harm? Consider exposure frequency, duration, existing controls, and historical data.
Severity — If the hazard does cause harm, how serious would the outcome be? Consider the potential for fatality, permanent disability, lost time injury, or first aid case.

Most organizations use a risk matrix to combine these two dimensions into a risk rating. The matrix typically uses a 3×3, 4×4, or 5×5 grid where likelihood and severity intersect to produce a risk level — low, medium, high, or critical.

The risk matrix is a decision-support tool — not a decision-making tool. The number it produces means nothing without professional judgment, field knowledge, and honest assessment.

Likelihood \ Severity	Negligible	Minor	Moderate	Major	Catastrophic
Almost Certain	Medium	High	Critical	Critical	Critical
Likely	Low	Medium	High	Critical	Critical
Possible	Low	Medium	Medium	High	Critical
Unlikely	Low	Low	Medium	Medium	High
Rare	Low	Low	Low	Medium	Medium

I’ve seen teams rate a confined space entry as “medium risk” because they assumed atmospheric monitoring would always be performed correctly. That assumption ignores human error, equipment failure, and complacency — all of which have killed workers in confined spaces. Rate the inherent risk first, before controls. Then rate the residual risk after verified controls are in place.

Pro Tip: Always assess risk twice — once as inherent risk (no controls) and once as residual risk (with controls applied). If your residual risk relies entirely on human behaviour (PPE compliance, following a procedure), bump the rating up one level. Humans fail. Systems shouldn’t depend entirely on them not failing.

Step 4: Determine and Implement Controls

Controls must follow the hierarchy of control — not default to PPE or safe work procedures. This hierarchy, codified in ISO 45001 Clause 8.1.2, ranks control effectiveness from most to least reliable.

The hierarchy of control applied to HIRA requires evaluating each hazard against five levels of intervention, starting from the top:

Elimination — Remove the hazard entirely. Can the task be redesigned so the hazard doesn’t exist? Can the chemical be substituted out of the process? On a pipeline project, we eliminated the risk of confined space entry by using robotic inspection crawlers instead of sending workers inside the vessel.
Substitution — Replace a high-hazard material, process, or equipment with a lower-hazard alternative. Replace solvent-based coatings with water-based alternatives. Use mechanical lifting instead of manual handling.
Engineering controls — Physically isolate workers from the hazard. Install guarding on machinery, ventilation systems for airborne contaminants, fall protection anchorage systems, or pressure relief devices on vessels.
Administrative controls — Implement procedures, permits, training, signage, rotation schedules, and safe work method statements. These controls depend on human compliance and are therefore less reliable than engineering solutions.
Personal protective equipment (PPE) — The last line of defence. PPE does not eliminate the hazard — it reduces the consequence if exposure occurs. Respirators, harnesses, gloves, and hearing protection all fall here.

Hierarchy of Control in HIRA showing five levels from most to least effective: Elimination, Substitution, Engineering Controls, Administrative Controls, and PPE, with examples and icons for each level.

Step 5: Record, Communicate, and Monitor

A HIRA that sits in a document management system without reaching the workers it’s meant to protect is a waste of everyone’s time.

Effective HIRA documentation and communication follows a clear pattern across well-managed sites:

Record the assessment in a standardized format — date, assessor(s), task description, identified hazards, risk ratings (inherent and residual), controls, responsible persons, and review dates.
Communicate to the workforce before work begins — through toolbox talks, pre-task briefings, or permit-to-work discussions. The crew must know what hazards exist, what controls are in place, and what their specific responsibilities are.
Display key controls visually at the work location — not buried in a 20-page document. A single-page summary posted at the job site does more than a full register locked in an office.
Monitor control effectiveness during work — supervisors must verify that controls are actually implemented, not just planned. I’ve lost count of the number of times I’ve found “barricade the area” listed as a control, only to arrive at the site and find no barricade in place.
Trigger re-assessment whenever conditions change — new scope, different equipment, weather changes, personnel changes, near-misses, or incidents all require revisiting the HIRA.

Common Hazard Categories in HIRA

Understanding what types of hazards to look for prevents the most common failure in HIRA — identifying only the obvious hazards and missing the ones that actually cause harm. The following categories cover the full spectrum of workplace hazards encountered across industries.

Physical hazards: Noise, vibration, radiation (ionizing and non-ionizing), extreme temperatures, pressure, and lighting deficiencies. These hazards often cause chronic health effects that don’t appear until years after exposure.
Chemical hazards: Exposure to toxic substances, corrosive materials, flammable liquids and gases, dusts, fumes, and vapours. Safety data sheets and COSHH assessments are the starting point, but field verification of actual exposure conditions is essential.
Biological hazards: Bacteria, viruses, fungi, parasites, and animal-borne hazards. Particularly relevant in healthcare, agriculture, wastewater treatment, and construction near contaminated land.
Ergonomic hazards: Manual handling, repetitive motion, awkward postures, vibration exposure, and poorly designed workstations. These account for a significant proportion of lost-time injuries across all industries.
Psychosocial hazards: Workplace stress, fatigue, bullying, harassment, lone working, shift patterns, and excessive workload. Often overlooked in traditional HIRA but increasingly recognized under ISO 45003 and HSE UK’s stress management standards.
Mechanical hazards: Unguarded machinery, moving parts, entanglement points, crushing zones, and equipment failure. OSHA 1910 Subpart O and HSE UK’s PUWER 1998 provide specific requirements.
Electrical hazards: Contact with live conductors, arc flash, static discharge, and inadequate earthing/grounding. Risk severity is almost always high or critical — electrical contact is binary in its consequences.
Environmental hazards: Working at height, excavation instability, confined spaces, adverse weather, and poor housekeeping. These are the hazards that dominate construction and infrastructure fatality statistics.

Infographic displaying eight HIRA hazard categories: Physical, Chemical, Biological, Ergonomic, Psychosocial, Mechanical, Electrical, and Environmental, each with icons and descriptions of workplace risks.

Why HIRA Fails: Root Causes from the Field

After reviewing hundreds of risk assessments across multiple industries and continents, I’ve identified a consistent pattern of failures. These aren’t theoretical — they’re the exact gaps that show up during audits, incident investigations, and management system reviews.

Copy-Paste Culture

The single most common HIRA failure is using a generic risk assessment from a previous project, changing the date and project name, and calling it done. I audited a marine construction project in Southeast Asia where the HIRA for hot work on a barge was identical — word for word — to a HIRA from a land-based tank farm project three years earlier. The barge-specific hazards (vessel stability, marine traffic, tide-dependent access) were entirely absent.

Generic risk assessments produce generic controls that don’t match actual site conditions.
Task-specific and site-specific hazards get missed because nobody walks the actual work area before completing the document.
Workers recognize copied documents and immediately lose confidence in the safety management system.

Desk-Based Assessments Without Field Verification

A HIRA completed entirely in an office is a HIRA that reflects assumed conditions — not actual ones.

Drawings don’t match as-built conditions. Pipe routes change during construction. Equipment gets relocated. Access routes get blocked.
Seasonal and environmental variables — heat, rain, wind, lighting — don’t appear in documents produced months before work begins.
Concurrent activities create interface hazards that only become visible when you physically see what’s happening adjacent to the work area.

Under-Rating Risk to Avoid Paperwork

This is the dirty secret of risk assessment. Teams consciously or unconsciously rate risks lower to avoid triggering additional permit requirements, management approvals, or engineering controls that cost time and money. On a mining operation in Western Australia, I reviewed a HIRA that rated working near a 15-metre open pit edge as “medium risk.” The justification? “Workers are experienced.” Experience is not a control — it’s a variable.

Inherent risk should be assessed honestly, without factoring in hoped-for compliance with procedures.
Residual risk must reflect reality, not best-case scenarios.
Supervisors and managers who pressure teams to lower risk ratings to avoid delays are creating the conditions for incidents.

Excluding Frontline Workers from the Process

When the people doing the work aren’t involved in identifying the hazards, the HIRA will always have blind spots.

Workers understand task sequences and failure modes that engineers and safety officers don’t experience firsthand.
Language and literacy barriers prevent workers from understanding risk assessments written in technical English — making their participation in the development stage even more critical.
Worker buy-in to safety controls depends on their involvement in creating them. A control imposed by someone who’s never done the job will always face resistance.

Hierarchical chart showing four main reasons why HIRA risk assessments fail, ranked by prevalence from copy-pasting old projects to excluding workers from the assessment process.

HIRA Methods and Techniques Compared

Different operational contexts demand different HIRA approaches. Choosing the wrong technique for the complexity of the task produces either an overengineered document that nobody reads or an oversimplified checklist that misses critical hazards.

The following comparison helps safety professionals match the right HIRA method to the right situation:

Method	Best Used For	Complexity Level	Key Strength	Limitation
Job Safety Analysis (JSA)	Task-based, manual work activities	Low–Medium	Step-by-step hazard mapping	Doesn’t capture process or system-level risks
Risk Matrix (Qualitative)	General workplace hazards, routine tasks	Low	Simple, fast, widely understood	Subjective — depends on assessor judgment
HAZOP	Process industries, chemical operations	High	Systematic deviation-based analysis	Time-intensive, requires specialist facilitation
Bow-Tie Analysis	High-consequence, low-frequency events	Medium–High	Visual barrier and escalation mapping	Can become overly complex without discipline
FMEA	Equipment reliability, manufacturing	High	Quantifies failure modes with RPN scoring	Requires detailed component-level data
What-If Analysis	Brainstorming sessions, early planning stages	Low–Medium	Captures creative and non-obvious scenarios	Unstructured — quality depends on team experience
Checklist-Based	Routine inspections, compliance verification	Low	Consistent, easy to audit	Misses non-standard or emerging hazards

On complex projects, I combine methods. A turnaround at a refinery might use HAZOP for process deviations, JSA for manual tasks like scaffolding and rigging, and bow-tie analysis for the top 5 major accident hazards. No single method covers everything.

Pro Tip: If your HIRA method hasn’t changed in five years but your operations have evolved significantly, the method is probably no longer fit for purpose. Match the technique to the current risk profile — not to organizational habit.

Integrating HIRA into Your Safety Management System

HIRA doesn’t exist in isolation. It feeds into — and draws from — virtually every other element of an occupational health and safety management system. When HIRA operates as a standalone document disconnected from the broader system, it loses its power.

Effective integration connects HIRA to the following management system elements:

Permit-to-work systems: High-risk tasks identified through HIRA should trigger specific permit requirements — hot work permits, confined space entry permits, energized work permits, and excavation permits all originate from HIRA findings.
Training and competency frameworks: If HIRA identifies a hazard requiring specialized controls, the workforce must be trained and assessed as competent before work starts. A control that depends on worker knowledge only works if that knowledge exists.
Incident investigation: Every incident investigation should cross-reference the applicable HIRA. Did the risk assessment identify the hazard? Was the control adequate? Was it implemented? Root cause analysis frequently traces back to HIRA deficiencies.
Management of change (MOC): Any change to equipment, personnel, procedures, materials, or scope should trigger a HIRA review. Process safety management under OSHA 1910.119 and the Seveso III Directive both require formal MOC processes linked to risk assessment.
Procurement and contractor management: Contractor selection should consider HIRA capabilities. On every EPC project I’ve managed, contractor pre-qualification includes a review of their risk assessment methodology, sample documents, and evidence of worker participation.
Emergency preparedness: HIRA identifies credible emergency scenarios — fires, chemical releases, structural collapses, medical emergencies — that drive emergency response planning, drill schedules, and resource allocation.

ISO 45001:2018, Clause 6.1.2.1 explicitly requires that hazard identification considers “how work is organized, social factors, workload, work hours, leadership, and culture.” HIRA is not limited to physical hazards — it encompasses the full operating context.

Dynamic Risk Assessment: HIRA in Real Time

Formal HIRA covers planned work. But site conditions change by the hour — weather shifts, equipment breaks down, new trades arrive, scope changes mid-task. Dynamic risk assessment fills the gap between the planned HIRA and the actual conditions workers face in real time.

Dynamic risk assessment is the continuous, real-time evaluation of hazards and risks that workers perform mentally and verbally as conditions change during the work itself.

Every worker should be trained to recognize when conditions have deviated from the planned HIRA and to stop work when new or uncontrolled hazards emerge.
The “Stop, Think, Act, Review” model provides a simple framework: stop the task, think about what’s changed, act only if the new risk is controlled, and review whether additional support or a formal reassessment is needed.
Stop-work authority must be genuine — not just written in a policy. On a construction site in Northern Europe, I watched a rigger stop a 200-tonne crane lift because wind speed had increased beyond the crane’s operational chart limit. His supervisor tried to overrule him. The site HSE manager backed the rigger. That’s how dynamic risk assessment works in practice — it only functions when the organizational culture supports it.

Circular diagram showing the Dynamic Risk Assessment Cycle with four interconnected steps: Stop (Pause, Assess, Secure), Think (Identify, Evaluate, Plan), Act (Implement, Control, Monitor), and Review (Check, Learn, Adapt), with a note to reassess if conditions change.

Legal and Regulatory Requirements for HIRA

HIRA is not discretionary. It is a legal requirement across virtually every jurisdiction where occupational safety legislation exists. The specific statutory obligations vary, but the principle is consistent: employers must identify foreseeable hazards and take reasonably practicable measures to control them.

Key regulatory frameworks that mandate or incorporate HIRA include:

OSHA (USA): The General Duty Clause (Section 5(a)(1)) requires employers to maintain a workplace free from recognized hazards likely to cause death or serious physical harm. Specific OSHA standards — 1910.119 (Process Safety Management), 1926.502 (Fall Protection), 1910.146 (Permit-Required Confined Spaces) — embed risk assessment requirements directly.
HSE UK: The Management of Health and Safety at Work Regulations 1999 (Regulation 3) imposes a duty to conduct suitable and sufficient risk assessments. This is reinforced by sector-specific regulations including CDM 2015, COSHH 2002, and LOLER 1998.
EU Framework Directive 89/391/EEC: Requires all EU member states to ensure employers evaluate risks to safety and health and implement preventive measures based on the assessment.
ISO 45001:2018: While a voluntary standard, ISO 45001 has become the global benchmark for occupational health and safety management systems. Clause 6.1.2 establishes detailed requirements for hazard identification, and Clause 6.1.2.2 addresses the assessment of OH&S risks and other risks to the management system.
IFC/World Bank EHS Guidelines: For projects financed by international development institutions, compliance with the EHS Guidelines — which require comprehensive hazard identification and risk assessment — is a condition of financing.

A HIRA that meets regulatory requirements must be suitable and sufficient — meaning it is appropriate for the complexity of the task, conducted by competent persons, based on accurate information, and reviewed at appropriate intervals.

Conclusion

Hazard identification and risk assessment is not a document. It is a discipline — a way of thinking about work before it starts, during every phase of execution, and after every change, incident, or near-miss. The organizations that treat HIRA as a living process, fed by field observation and shaped by worker input, consistently outperform those that treat it as a compliance requirement to be completed and filed.

Every incident I’ve investigated — from dropped objects on process lines to trench collapses, from chemical exposures to electrical flash events — mapped back to a failure in hazard identification and risk assessment. The hazard was either not recognized, the risk was underestimated, the controls were inadequate, or the assessment was never communicated to the people who needed it most. Each of those failures was preventable.

The real measure of a HIRA process isn’t the quality of the paperwork. It’s whether a worker can stop, point to a hazard on their job site, and tell you exactly what controls are in place and what to do if those controls fail. That’s the standard. Everything else is administration.