Department Of Health

Standard

Document Title: Hazard Identification and Risk Assessment

Document Ref. Number: DOH/HCQ/ST/0003/HS_EHSMS Version 1.0

Approval Date: 03/07/2011 Effective Date: 03/07/2011

Last Reviewed: Next Review: 03/07/2012

Document Owner: DOH HSE Dept., Health Sector EHSMS Section

Applies to: All EHSMS Nominated Healthcare Providers

Classification:  Public

1 Purpose
1.1 To mandate requirements regarding hazard identification and risk management for
Environment, Health and Safety related hazards and risks resulting from operations
of Nominated Healthcare Providers.
1.2 To provide concerned managers and staff with practical advice and tools on the
principles of assessing and controlling Environmental, Health and Safety related
hazards and risks that are inherent to healthcare settings.
1.3 To enable and ensure informed management decisions in the identification,
assessment, and mitigation of environmental and workplace related hazards and
risks.

2 Scope
2.1 This standard applies to all Nominated Healthcare Providers licensed by HAAD in the
Emirate of Abu Dhabi.
2.2 This Standard is related to, and has effect together with the HAAD Policy for
Healthcare Providers – Environment, Health and Safety Management System
(HAAD/HSED/PL/0001/HS_EHSMS) and related HAAD EHSMS standards.

3 Standards
3.1 General Requirements
3.1.1 Nominated HCP must assess the potential likelihood of injury and illness to
personnel, patients and visitors, damage to assets, exposure to occupational
health and safety hazards, pollution and/or contamination of the
environment and the severity and consequences of the effect of such injury,
damage, exposure, spill or contamination.
3.2 Hazard Identification and Risk Management Program
3.2.1 All Nominated Healthcare Providers must develop a Hazard Identification
and Risk Management Program, which includes the following activities:
3.2.1.1 Identify all EHS hazards in the workplace;
3.2.1.2 Assess the risks of these hazards;

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 1 of 9
Version 1.0 Public
 3.2.1.3 Formulate a hazard and risk management program to reduce the
risk to an acceptable level;
3.2.1.4 Review the program for continuous process improvement;
3.2.1.5 Incorporate a management of change process within the
Nominated Entities;
3.2.1.6 All risk assessments shall be documented and maintained within the
relevant work area;
3.2.1.7 Develop an appropriate Hazard, Near Miss Reporting and
Investigation Procedure;
3.2.1.8 Develop an appropriate Incident Reporting and Investigation
Procedure.
3.3 Hazard Analysis and Critical Control Points System (HACCP)
3.3.1 Nominated Entities with food manufacturing, processing, catering and/or
servicing activities must develop and implement an accredited and
appropriate risk management program, based on e.g. the HACCP (Hazard
Analysis and Critical Control Points) approach or equivalent.
3.3.2 If food manufacturing, processing, catering and/or servicing activities are
outsourced the Nominated Entity must ensure that the contractor is using
such an accredited food safety system.
3.3.3 Food manufacturers, food processors and catering/food service companies
must comply with the relevant laws and regulations, as set by e.g. Abu Dhabi
Food Control Authority (ADFCA).
3.4 Risk Assessment and Management Process
The risk management process can be systematically divided into five steps:
3.4.1 Identify hazards, based on experience, recorded data and other information.
3.4.2 Assess the likelihood of occurring and of associated risks to the health and
safety of staff, patients, contractors, visitors and the community, based on
the consequences and likelihood of harm. Prioritize risks according to their
likelihood, severity and potential to cause harm.
3.4.3 Select Control Measures in the following order, whenever possible:
3.4.3.1 Eliminate the hazard
3.4.3.2 Substitute a less hazardous substance for the task.
3.4.3.3 Isolate the hazard through engineering controls.
3.4.3.4 Reduce worker exposure times through administrative policies.
3.4.3.5 Use personal protective equipment (PPE) to shield the worker from
over-exposure.
Attention shall be given to risks that may be easy to fix but may have low risk
priority scores – such risks shall be fixed immediately.
Particular attention shall be given to risks that may have very low likelihood
of occurring but may results in major consequences.
3.4.4 Implement the Selected Control Measure(s) in the workplace as listed above.

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 2 of 9
Version 1.0 Public
 3.4.5 Monitor the Control Measures to ensure that they are working correctly to
control the risks and that no other risks have been identified.

3.5 When to Use the Risk Assessment Process

EHS risk assessment is an on-going process and shall be undertaken at various times,
including:
3.5.1 when planning or making change to a work procedure and/or practices;
3.5.2 when introducing new equipment, materials, substances, machinery or
plants into the workplace;
3.5.3 after an EHS incident or near miss
3.5.4 Introducing new workers;
3.5.5 A high level of risk is involved with a specific work activity (e.g. caring for and
treating patients with certain infectious diseases, working in microbiology
lab or exposure to ionizing radiation);
3.5.6 At regular or scheduled intervals appropriate to the nature of the workplace
and the hazards present;
3.5.7 When legislative obligations change (including regulations and HAAD
policies and standards);
3.5.8 Before work activities begin, including any work that might require a permit
to work, e.g. repairs requiring specific work, such as hot work, electrical lock
outs, confined space etc. Here an assessment needs to be done and a work
permit issued for the specific work.

3.6 Consultation
3.6.1 Consultation between management, employees and stakeholders is
beneficial throughout the risk management process because, beside other
benefits, it brings together different areas of expertise, allows employees to
have ownership of risks and solutions, increases the likelihood that
employees will be committed to implement the control measures and
improves trust, communication and teamwork.
3.6.2 The EHSMS sets out requirements for consultation, which involves fostering
cooperation and developing partnerships between employers, employees,
and contractors to ensure protection of the environment, health and safety.
3.6.3 Consultation takes place at every stage of the risk management process.
3.6.4 A consultative group could include workers, supervisors, managers,
workplace EHS officers and representatives, infection control and patient
safety representatives, risk managers, EHS committees, infection control and
patient safety committees, contractors, and other relevant stakeholders.

3.7 Levels of Risk Assessment

3.7.1 The level of risk shall be assessed based on the likelihood of occurrence and
the potential consequences.
3.7.2 Depending on the site circumstances and the stage of the investigation
levels of risk assessment can range from a simple desktop study through to a

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 3 of 9
Version 1.0 Public
 detailed assessment as part of a formal EHSIA (Environment, Health and
Safety Impact Assessment) process.
3.7.3 Risk assessment is at least required and mandatory in the following areas:
3.7.3.1 Workplaces with potential or likely exposure to biological, chemical
and physical hazards, e.g. infectious disease wards, laboratories and
pharmacies
3.7.3.2 Workplaces with increased risk of injury and infection, including
operating theatres, ICU, CSSD, technical and maintenance
departments, kitchen and waste handling.

3.8 Hazard Identification

3.8.1 This step seeks to identify the hazards and risks to be managed.
3.8.1.1 Comprehensive identification using a well-structured systematic
process is critical, because a hazard or risk not identified at this
stage may be excluded from further analysis.
3.8.1.2 Identification shall include actual and potential risks, whether or not
they are under control of the entity.
3.8.2 The aim is to generate a comprehensive list of sources of risks and events
that might have an impact on the achievement of each of the objectives
identified in the context.
3.8.3 Having identified what might happen, it is necessary to consider possible
causes and scenarios. As there are many ways an event can occur it is
important that no significant causes are omitted.
3.8.4 Approaches used to identify hazards include checklists, judgements based
on experience and records, flow charts, brainstorming, systems analysis,
scenario analysis and systems engineering techniques.
3.8.5 The approach used will depend on the nature of the activities under review,
types of risk, the entity, and the purpose of the risk management study.
3.8.6 The identified hazards and risks (plus the associated risk level) shall be
documented on an EHS Risk Register. The register shall be reviewed and
updated at regular time intervals.

3.9 Analyse Risks

3.9.1 Risk analysis is about developing an understanding of the risk. It provides an
input to decisions on whether risks need to be controlled and the most
appropriate and cost-effective risk treatment strategies.
3.9.2 The objective of a risk assessment is to filter the activities with minor
acceptable risks from the activities with major non-acceptable risks.
3.9.3 Risk analysis techniques include qualitative, semi-quantitative and
quantitative assessment.
3.9.4 Risk analysis involves consideration of the sources of risk, their consequences
and the likelihood that those consequences might occur.
3.9.5 The level of risk is calculated by multiplying the Consequence Score and
Probability of Occurrence together:

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 4 of 9
Version 1.0 Public
 Risk = Consequence Score x Probability of Occurrence
3.9.6 Consequences and likelihood may be estimated using the most pertinent
information sources such as statistical analysis and calculations, published
scientific evidence, other available evidence, e.g. past records, practice and
relevant experience, specialist and expert judgements. Where no reliable or
past data is available, subjective estimates may be made which reflect an
individual’s or group’s degree of belief that a particular event or outcome
will occur.
3.9.7 Risk analysis techniques include
3.9.7.1 structured interviews with experts in the area of interest;
3.9.7.2 use of multi-disciplinary groups of experts;
3.9.7.3 individual evaluations using questionnaires; and
3.9.7.4 use of models and simulations.
3.9.8 Where appropriate, the confidence placed on estimates of levels of risk shall
be included. Assumptions made in the analysis shall be clearly stated.
3.9.9 Regarding occupational health and safety the following evaluating factors
will help in the assessment of relative consequence:
3.9.9.1 Health effect (e.g. short-, long-term effects, fatality, type and
degree of injury/illness/disability);
3.9.9.2 Damage to assets (e.g. machinery, devices, premises).
3.9.10 A preliminary analysis can be carried out so that similar risks are combined or
low-impact risks are excluded from detailed study. Excluded risks should,
where possible, be listed to demonstrate the completeness of the risk
analysis.
3.9.11 The next step is to identify the existing processes, devices or practices
(control measures) and assess their adequacy (strengths and weaknesses).

3.10 Potential EHS Impact and Potential Incident Consequence Rating

3.10.1 Potential EHS impact and potential incident consequences should be rated in
a 1 to 5 severity of consequences scale, ranging from insignificant (1), minor
(2), moderate (3), major (4), to catastrophic (5).
3.10.2 For details see Table 3.2 in: EHSMS Regulatory Framework. Code of Practice.
AD EHSMS CoP 05 - Risk Management. Version 1.1, April 2009.

3.11 Estimate Probability of Occurrence

3.11.1 The probability of occurrence needs to be estimated and rated in a 1 to 5
probability of occurrence scale, ranging from rare (1), possible (2), likely (3),
often (4), to frequent/almost certain (5).
3.11.2 For details see Table 3.4 in: EHSMS Regulatory Framework. Code of Practice.
AD EHSMS CoP 05 - Risk Management. Version 1.1, April 2009.

3.12 Risk Categories

3.12.1 All assessed risks have to be categorized and ranked using the following four
risk categories: Extreme, High, Moderate, and Low.

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 5 of 9
Version 1.0 Public
 3.12.2 Decisions regarding control measures and remedial actions should be based
on the risk category and risk ranking as follows:

Table 3.12.2.1: Risk Categories and Risk Ranking

Probability Consequence
Insignificant Minor (2) Moderate (3) Major (4) Catastroph
(1) ic (5)
Rare (1) 1 2 3 4 5
Possible (2) 2 4 6 8 10
Likely (3) 3 6 9 12 15
Often (4) 4 8 12 16 20
Frequent/Almost 5 10 15 20 25
certain (5)
15 – 25 Extreme Activity or industry should not proceed in current
Risk form
8 – 12 High Risk Activity or industry should be modified to include
remedial planning and action and be subject to
detailed EHS assessment
4–6 Moderate Activity or industry can operate subject to
Risk management and/or modification
1–3 Low Risk No action required, unless escalation of risk is
possible

3.13 Selecting and Implementing Control Measures

3.13.1 When the risk is categorized and ranked the management shall identify,
select and implement the corrective action and/or control measure in
order to manage the hazard at an acceptable and “as low as reasonably
practicable” (ALARP) risk level. For hazards with risk ranking “low risk”
actions may not be required.
3.13.2 The health and safety hierarchy of control measures is as follows:
3.13.2.1 Elimination of the hazard (where possible);
3.13.2.2 Substitution (e.g. use of less hazardous
substance/environmentally friendly materials);
3.13.2.3 Engineering / isolation controls – for plant and equipment (e.g.
exhaust ventilation, negative pressure rooms, HVAC systems, LAF
work benches);
3.13.2.4 Procedural (e.g. via improving work methods, housekeeping);
and
3.13.2.5 Personal Protective Equipment (PPE) as the last resort if the
above measures are not practical, e.g. face shields, gowns,
gloves, masks.
3.13.3 In the evaluation of which measures shall be taken, consideration shall be
given to reducing to a level deemed ALARP. It is a consideration of the:
3.13.3.1 Legal requirements;
3.13.3.2 International standards and guidelines;

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 6 of 9
Version 1.0 Public
 3.13.3.3 HAAD and Entity’s Policies, Standards and Guidelines;
3.13.3.4 Availability of resources;
3.13.3.5 Costs and benefits; and
3.13.3.6 The status of scientific and technical knowledge.
3.13.4 To reduce the risk to an ALARP level involves balancing reduction in risk to a
level, objectively assessed, where the trouble, difficulty and cost of further
reduction measures becomes unreasonably disproportionate to the
additional risk reduction obtained.
3.13.5 When the mitigation and control measures are identified, an action plan
shall be formulated addressing roles and responsibilities, training required,
time frame for completing the actions, the required changes for the Entity
EHSMS and its associated documents/procedures for quality assurance,
monitoring, maintenance and audit (where appropriate). The action plan
shall be followed up to ensure actions are closed per the plan.
3.13.6 Nominated Entities will need to develop work procedures/standard
operating procedures in relation to established and new control measures,
which may involve clearly defining responsibilities of management,
supervisors and workers.
3.13.7 Nominated Entities shall inform all relevant persons about the control
measures being implemented, in particular the reasons for changes.
3.13.8 Nominated Entities shall provide adequate supervision and training to verify
that the new control measures are being implemented and used correctly.

3.14 Monitor and Review

3.14.1 Depending on the magnitude of risks and the potential consequences of
hazards the risk assessment shall be periodically reviewed by competent
staff (normally at annual intervals).
3.14.2 The review shall incorporate change of legal and HAAD requirements,
introduction of new technology and control measures, change of work
procedures, and changes of factors that affect the likelihood and
consequences of an outcome.
3.14.3 Actual progress against risk control plans provide an important
performance measure and shall be incorporated into the nominated
entity’s performance management, measurement and reporting system.

3.15 Record the Risk Management Process

3.15.1 Each stage of the risk management process shall be appropriately recorded
and documented in writing. Assumptions, methods, data sources, analyses,
results and reasons for decisions shall be recorded.
3.15.2 The records of such processes are an important aspect of good corporate
governance and must be documented in writing and kept for at least three
years and be made available to HAAD upon request.
3.16 Monitoring and Reporting Requirements
The following must be monitored:

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 7 of 9
Version 1.0 Public
 3.16.1 Identified hazards and risks;
3.16.2 Implemented control measures.
3.17 Additional Guidance
For additional guidance refer to the following documents:
3.17.1 Abu Dhabi Environment, Health and Safety Management System (AD
EHSMS) Regulatory Framework, Code of Practice 05 – Risk Management,
Version 1.1, April 2009;
3.17.2 Australian Standard AS/NZ 4360: 1999 Risk Management;
3.17.3 HB 203:2000 Environmental Risk Management – Principles and Process.

4 Definitions and Abbreviations

ADFCA Abu Dhabi Food Control Authority
CSSD Central Sterile Supply Dept.
HACCP Hazard Analysis and Critical Control Points
HVAC Heating, Ventilation and Air-Conditioning
ICU Intensive Care Unit
LAF Laminar Air Flow

For additional definitions and abbreviations see HAAD Standard for Healthcare
Providers – Environment, Health and Safety Management System - Management and
Administration Manual, Glossary of Terms (DOH/HCQ/ST/0000/HS_EHSMS).

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 8 of 9
Version 1.0 Public
5 Appendix
5.1 Appendix A: Hazard and Risk Assessment Form (Example)

EHSMS Hazard and Risk Assessment Form

HCP/HCF Name: Department: Reference No.:

Task/Operation being assessed:

Purpose/Method of Work/SOP

 ..
Specific Legislative Requirements: Level of Skill/Training Requirement:
 ..  ..
 ..  ..
Chemicals/Materials Involved (MSDS No.): Specific Work Equipment Provided:
 ..  ..
 ..  ..
Control Measures to Reduce
Main Hazards Identified: Who will be affected:
the Risk
1.
2.
3.
..
Personal Protective Equipment Provided:
 ..
Frequency of Monitoring Assessment Review Period
N/A 3 months 6 months 1 year >1 year < 1Year 2 Years 3 Years 4 Years 4+ Years

Name: Position/Title:
Signature: Date:

HAAD EHSMS Standard for Healthcare Providers – Hazard Identification & Risk Assessment Page 9 of 9
Version 1.0 Public