Hazardous Substances and Occupational Safety | 27 May 2026 | 12 min read

Risk Assessment for Hazardous Substances: TRGS 400 Template and Mandatory Requirements

By Stefan Möller

The risk assessment under TRGS 400 is the regulatory foundation of hazardous substance management. A legally compliant template covers all seven mandatory steps — from exposure determination to effectiveness testing. This article explains the structure, documentation obligations and typical errors in implementation.

Section 6 GefStoffV obliges employers to carry out a risk assessment and document it in writing before commencing any activity involving hazardous substances. Technical Rule for Hazardous Substances 400 (TRGS 400, 2008 edition, last amended 2020) specifies this statutory requirement as a seven-step process, ranging from the identification of the substances used through exposure determination to a documented effectiveness test. Without this documentation, the company lacks evidence in an audit that it has fulfilled its statutory obligations.

This article describes what a standards-compliant risk assessment under TRGS 400 must contain, what typical errors occur during its preparation, how a structured template safeguards the process and who the competent person signing off on the assessment must be. CIVAC provides a pre-structured TRGS 400 template in the workspace that covers all mandatory fields and is archived in an audit-proof manner.

Key Takeaways

  • TRGS 400 prescribes a seven-step process — templates containing only free-text fields without structural specifications generally do not meet the standard's requirements.
  • The risk assessment must be available in writing, updated when substances, activities or the state of the art change, and must be accessible to supervisory authorities at all times.
  • A competent person must sign off on the assessment — a template alone does not meet the GefStoffV requirements where expertise is absent.

Legal Basis: Section 6 GefStoffV and TRGS 400 in Interaction

The risk assessment under Section 6 GefStoffV is not a general occupational health and safety obligation but a specific requirement for activities involving hazardous substances. It supplements the general risk assessment under Section 5 ArbSchG, but its detailed requirements go considerably further.

TRGS 400 has the status of a technical rule and reflects the state of the art. Compliance with TRGS 400 generally satisfies the protective obligations of the GefStoffV. Any deviation requires proof that at least an equivalent level of protection has been achieved. In practice, this means: TRGS 400 sets the benchmark against which deviations must be justified.

Section 6(8) GefStoffV stipulates the written requirement: the result of the risk assessment must be documented. For companies with more than ten employees this is unconditionally mandatory. For smaller companies, the obligation applies where activities involve particularly dangerous substances — for example carcinogenic substances in category 1A or 1B under the CLP Regulation.

In company audits, breaches of the documentation obligation are treated as an indication of an administrative offence under Section 19 GefStoffV in conjunction with Section 130 OWiG. The auditor calls, and the evidence is either ready or it is not.

The Seven Steps of TRGS 400: Structure of the Risk Assessment

TRGS 400 structures the risk assessment into seven successive steps. A standards-compliant template must contain all seven steps as mandatory fields:

  1. Determining the scope of assessment: Delimiting the work area, activity and affected employees to be assessed. Clear delimitation is important because the assessment is activity-based, not company-based.
  2. Identifying the existing hazardous substances: Systematic identification of all hazardous substances used or potentially generated during the activity, based on the hazardous substance register and SDS under Article 31 REACH.
  3. Determining the activities to be assessed: Description of the activity involving the hazardous substance: handling, duration, frequency and exposure pathway (inhalation, dermal, oral).
  4. Identifying and evaluating hazards: Exposure determination under TRGS 402 (inhalation) or TRGS 401 (dermal). Evaluation against occupational exposure limits (OELs) or substance-specific TRGS.
  5. Substitution testing under Section 7 GefStoffV: Assessment of whether the hazardous substance can be replaced by a less hazardous substance, or a more dangerous process by a safer one. A negative outcome must be documented with justification.
  6. Defining and implementing protective measures: Measures following the STOP hierarchy (Substitution, Technical, Organisational, Personal) under TRGS 500.
  7. Effectiveness testing and documentation: Proof that the measures taken are actually effective. Measurements, inspection records or expert assessment.

A template that does not structurally reflect these seven steps is not a standards-compliant TRGS 400 template, even if it bears the label.

Common Errors During Preparation: What Stands Out in Audits

During company inspections by supervisory authorities and in internal audits, recurring weaknesses in risk assessments become apparent. These are quickly correctable in practice where the structure is right.

Missing or outdated assessments: Risk assessments are created once and then not updated, even though new substances have been introduced or activities have changed. TRGS 400 section 5 stipulates that the assessment must be reviewed where there are indications that it is no longer current.

Missing substitution testing: Step 5 of TRGS 400 is frequently omitted or dismissed in a single sentence without documented justification. Inspectors treat this as a structural deficiency.

Free text without standard structure: Some templates consist only of free-text fields without standard references. Such documents cannot be reliably classified as TRGS 400-compliant in an audit.

No competent signature: The risk assessment must be signed off by a competent person. Where this attribution is absent, it is unclear who bears technical responsibility.

No effectiveness test: Step 7 is systematically omitted. The outcome of protective measures must be evidenced — not merely their planning. In the CIVAC workspace, a mandatory-field structure is provided for each step, which prevents these gaps.

Structure of a Legally Compliant Template: Minimum Content

A legally compliant TRGS 400 template contains the following elements, serving both as mandatory fields and as a structural guide for the competent person:

  • Header data: Company, scope of assessment, date of preparation, date of last review, name and function of the assessing person.
  • Substance identification: Name of the hazardous substance, CAS number, GHS classification under the CLP Regulation, reference to the current SDS (date, version).
  • Activity description: Description of the specific activity, duration and frequency of exposure, affected employee groups.
  • Hazard assessment: Result of exposure determination under TRGS 402 (inhalation) or TRGS 401 (dermal), comparison with OELs or TRGS limit values, risk rating.
  • Substitution test: Result with justification of why substitution is not possible or not required (or the substitution that was made).
  • Protective measures: Defined measures following the STOP hierarchy, responsibility and implementation date.
  • Effectiveness test: Method and result of the effectiveness test, date and reviewer.
  • Signature: Competent person, date.

This structure allows the assessment to be verified against TRGS 400 at any time and gaps to be identified immediately.

Update Obligation: When Must the Assessment Be Revised?

TRGS 400 section 5 identifies the occasions on which the risk assessment must be reviewed and, if necessary, updated. These are not recommendations but minimum requirements:

  • Introduction of new hazardous substances or activities within the scope of assessment.
  • Change in working conditions, e.g. new machinery, changed ventilation, altered exposure duration.
  • New scientific findings or changes in the state of the art, e.g. new TRGS, revised OELs.
  • Occurrence of accidents, near misses or suspected occupational disease.
  • Results of measurements or official inspections indicating deficiencies.

In practice, regular review without a specific trigger is also recommended — at minimum every three years. Authorities view assessments from significantly earlier years critically, even where no formal trigger for updating has arisen.

The hazardous substances officer is responsible for monitoring this update obligation. In the CIVAC workspace, review deadlines are automatically tracked and those responsible receive timely notifications of due updates.

Exposed Employee Groups and Special Protective Obligations

The risk assessment must take into account group-specific protective obligations. The GefStoffV and ArbSchG identify several employee groups to whom enhanced requirements apply:

Pregnant and breastfeeding employees: Section 10 GefStoffV refers to the Maternity Protection Act (MuSchG). Activities involving substances toxic to reproduction (category 1A/1B under CLP) or carcinogenic substances are generally prohibited. The risk assessment must contain a separate evaluation for this group.

Young persons: Section 22 JArbSchG restricts the handling of dangerous substances by young persons. The risk assessment must assess whether young persons fall within the scope of the assessment and what restrictions apply.

Older employees and persons with chronic conditions: Section 6(3) sentence 2 ArbSchG requires that particularly vulnerable groups be considered. Specific provisions must be examined according to substance and activity.

Third-party company personnel: Section 8 ArbSchG obliges employers to ensure mutual information exchange about hazardous substances where third-party companies are working on their premises. The risk assessment must reflect what information obligations exist towards those companies.

The CIVAC TRGS 400 template contains separate assessment fields for each of these groups, so that no group-specific protective obligation is overlooked.

Exposure Determination: TRGS 402 and Comparison with Limit Values

Exposure determination is step 4 of TRGS 400 and the technically most demanding part of the risk assessment. TRGS 402 describes the methodological procedure for inhalation exposure.

In principle, three methods are permissible: measurements at the workplace by a measurement body under DGUV principle 313-010 (mandatory for activities involving carcinogenic substances under TRGS 905); estimation based on recognised models (e.g. the IFA GESTIS database, MEGA exposure database); and comparison with validated exposure data from comparable activities.

The result of exposure determination is compared with the occupational exposure limit (OEL) under TRGS 900. Where exposure is below the OEL and all other protective measures are implemented, the protective objective is deemed fulfilled. Where exposure exceeds the OEL, higher-level protective measures must be taken immediately.

For substances without a specified OEL — such as carcinogenic substances in category 1A/1B — special assessment procedures under TRGS 910 (risk number concept) apply. Here, expert assessment by the hazardous substances officer is indispensable, as standard templates are insufficient for these complex cases.

In the CIVAC workspace, exposure determination is integrated into the TRGS 400 template as a guided sub-process, with direct references to relevant TRGS and OEL data sources.

Documentation and Archiving Obligations

The documentation of the risk assessment fulfils two functions: it provides evidence to supervisory authorities that statutory obligations have been met, and it serves internally as a planning basis for protective measures and training.

Section 6(8) GefStoffV requires that the result of the risk assessment be recorded in writing. Documentation must contain at minimum: the existing hazardous substances, the identified hazards, the defined protective measures and the result of the effectiveness test.

The GefStoffV contains no explicit provision regarding the retention period. For activities involving carcinogenic substances, Section 14(3) GefStoffV requires that records on employment and exposure be retained for at least 40 years. The general recommendation is to retain risk assessments for the entire period of operations and for ten years beyond, in order to be able to provide evidence in the event of damage.

Audit-proof electronic archiving that excludes manipulation and is exportable at any time meets the requirements. In the CIVAC workspace, all risk assessments are stored with a timestamp and user log, so that every change remains traceable. Audit-proof, documented, Section 6 GefStoffV-compliant.

CIVAC Template: TRGS 400-Compliant, Ready to Use

CIVAC is a German compliance platform and officer-as-a-service solution that provides risk assessments under TRGS 400 as a pre-structured template in the workspace. Licence the workspace for your internal representatives, or have our representatives assume the function.

The CIVAC TRGS 400 template covers all seven process steps with mandatory fields, contains group-specific protective obligations for pregnant women and young persons, automatically links SDS references to the hazardous substance register and saves all versions in an audit-proof manner with timestamps. A total of 37 ready-to-use audit templates are available in the workspace, covering common assessment scenarios.

For companies without an internal hazardous substances officer, CIVAC offers external commissioning: a competent person signs off the risk assessment, ensures TRGS conformity and updates it when changes occur. Order document, signed, filed, verifiable — ready within two working days.

Turn reading into action: info@civac.de or via the contact form on civac.de.

FAQ

Must every activity involving hazardous substances be assessed individually?

TRGS 400 permits an activity- or work-area-based assessment. Similar activities under the same conditions may be combined in one assessment. However, activities with materially different exposure conditions or hazardous substance profiles must be assessed separately.

Is a sample template from the internet sufficient?

A sample template can be structurally helpful but does not substitute for a competent assessment in the specific company. The template must reflect all seven TRGS 400 steps, and the competent person must incorporate company-specific content and sign off on the assessment. Without this personnel function, the completed template is not a reliable document.

Who is authorised to sign off on the risk assessment for hazardous substances?

The competent person within the meaning of Section 6 GefStoffV who can demonstrate knowledge of risk assessment under TRGS 400 and the relevant TRGS. This may be the internal hazardous substances officer, an external specialist or the external hazardous substances officer appointed by CIVAC.

What happens if no current risk assessment is available during an inspection?

The supervisory authority may order that deficiencies be remedied and, in the event of a repeat, initiate fine proceedings under Section 19 GefStoffV. Where the assessment is entirely missing or clearly not tailored to current conditions, this may be treated as an indication of organisational negligence under Section 130 OWiG.

Must protective measures be quantified in the risk assessment?

Yes, where measurable requirements apply. Where an OEL exceedance is identified, protective measures must be designed to reduce exposure to a level below the OEL. Effectiveness must be documented in accordance with TRGS 400 step 7.

How often must the risk assessment under TRGS 400 be reviewed?

TRGS 400 does not specify a fixed deadline but does impose review obligations upon changes to substances, activities or the state of the art. A trigger-independent review at least every three years is recommended. Review deadlines are automatically tracked in the CIVAC workspace.
