Hazardous Substance Management Software: Requirements, Functions and Selection Criteria

Section 6(12) GefStoffV obliges employers to maintain a register of all hazardous substances used in the company and to keep current safety data sheets under Article 31 of the REACH Regulation (EC) No. 1907/2006. This obligation applies to all companies handling dangerous chemicals — regardless of industry or company size. Software-supported solutions help to maintain the register, safety data sheets, risk assessments and training records in a consistent structure.

However, software does not fulfil the statutory requirements on its own. It requires a competent person to maintain content, carry out assessments and follow up on update obligations. This article describes the functions that hazardous substance management software must provide, the regulatory requirements it must support, and how CIVAC embeds these functions in an integrated officer workspace that also resolves the personnel question.

Before introducing a software tool, it is worth taking stock of the regulatory requirements the system must cover. Based on the GefStoffV, TRGS and REACH, at least five mandatory areas exist:

• Hazardous substance register under Section 6(12) GefStoffV: A complete list of all hazardous substances used, with name, hazard category and area of use. Updated whenever the inventory or activities change.
• Safety data sheets under Article 31 REACH: Current SDS in the legally required language version (German for companies operating in Germany), stored and accessible. SDS have no fixed expiry dates, but the employer must ensure that the latest version from the manufacturer is always available.
• Risk assessment under TRGS 400: A documented process covering all seven TRGS 400 steps, dated, signed and updated whenever changes occur.
• Training records under Section 14 GefStoffV: Annual written training for all exposed employees, with evidence of attendance and content.
• Verification evidence and documentation of measures: Effectiveness tests under TRGS 400 step 7, records of protective measures implemented.

Software that only maintains the hazardous substance register and stores SDS covers merely two of the five mandatory areas. A complete system is required for authority inspections and internal audits.

The market for hazardous substance management software is heterogeneous. A systematic comparison of functions helps identify the right solution for a given company. A professional solution should provide the following core functions:

SDS import interface: Automatic import of safety data sheets directly from manufacturer databases or via OCR upload. Version management of SDS with dates, so that it is clear in an audit which version was in use at any given time.

Hazardous substance register with categorisation: Structured recording according to CLP pictograms, H and P phrases and GHS classes. Filter functions by storage location, work area and hazard category.

Risk assessment workflow: A guided process following TRGS 400 steps, with mandatory fields for substitution testing, exposure determination and protective measures. Not merely free-text fields but structured input screens that guide the user through the standard.

Training module: Creation and recording of training sessions under Section 14 GefStoffV, with digital attendance confirmation archived in an audit-proof manner.

Deadline management: Automatic notifications for SDS reviews, update deadlines and resubmission dates for risk assessments.

The CIVAC workspace fulfils all of these functions and integrates them with the hazardous substances officer's task log, so that operational work and compliance documentation converge in one system.

The safety data sheet (SDS) under Article 31 and Annex II of the REACH Regulation is the central information document for a hazardous substance. The supplier is obliged to provide the customer with a current SDS. The employer in turn is obliged to maintain the SDS and make it accessible to employees.

In practice, three typical problem areas arise:

1. Outdated SDS: Suppliers update SDS without actively notifying customers. Multiple versions of the same SDS may then exist within the company, with no clear indication of which is current. Section 6(12) GefStoffV requires current data.
2. Completeness: An SDS must be available for every hazardous substance used. In larger companies with hundreds of products, manual maintenance and paper filing lead to gaps.
3. Language version: SDS must be available in the official language of the country of use. English-language SDS from foreign suppliers do not meet the statutory requirements for German companies under REACH Annex II point 1.

Software providing SDS import interfaces to common manufacturer databases and automatically notifying of updates significantly reduces the risk of outdated or missing documents. In the CIVAC workspace, SDS are linked to the hazardous substance register so that gaps are immediately visible.

Hazardous substance management software only delivers its full benefit if it is directly linked to the risk assessment under TRGS 400. The SDS is not an end in itself but rather the input data for the hazard assessment. Only the assessment of the risks posed by a substance in a specific activity makes it possible to select appropriate protective measures.

The TRGS 400 process comprises seven steps: determining the scope of assessment; identifying the existing hazardous substances; determining the activities to be assessed; identifying and evaluating the hazards; substitution testing under Section 7 GefStoffV; defining and implementing protective measures under TRGS 500; and effectiveness testing and documentation.

Software that maps this process in guided workflows ensures that no step is skipped and every decision is documented. Free-text fields alone are insufficient for a standards-compliant risk assessment; the software must impose the TRGS 400 structure in terms of content.

In the CIVAC workspace, the TRGS 400 template is structured such that all seven steps carry mandatory fields. The results are automatically transferred to the documentation export, which can be used for authority inspections and internal audits.

Many companies already have systems for maintenance (CMMS), resource planning (ERP) or general occupational safety that interface with hazardous substance management. Before introducing new software, it is worth analysing these interfaces.

ERP systems (SAP, Microsoft Dynamics): Hazardous substances are often managed as master data in ERP systems. Hazardous substance management software should be able to import or synchronise this master data to avoid duplication of maintenance.

CMMS systems: Maintenance orders may include activities involving hazardous substances. A link between CMMS orders and relevant risk assessments ensures that employees can access the correct protective measures.

Occupational safety software: Systems for accident and near-miss documentation or occupational health management can be connected to the hazardous substance module via interfaces, so that reported incidents lead directly to a review of the risk assessment.

CIVAC follows an integrated approach: all 25 officer roles share a common documentation archive and a common audit log. Overlaps between the hazardous substances officer, the occupational safety specialist and the environmental officer are not mapped in separate silos but in a single system.

Hazardous substance management software processes sensitive operational data: inventory volumes, safety concepts, location information. Requirements from data protection and IT security law must therefore be taken into account in the selection process.

Data protection under the GDPR: Where the software processes personal data — for example training records containing employee names and signatures — the requirements of Articles 5, 25 and 32 GDPR apply. Data minimisation, purpose limitation and technical and organisational measures must be in place. A data processing agreement (DPA) under Article 28 GDPR is mandatory where the software provider acts as a processor.

IT security: For companies falling under NIS-2 — operators of essential or important facilities under Sections 30 and 38 BSIG — the IT security of the software used forms part of the company-wide ISMS. Auditability, logging and access control are mandatory requirements.

Data residency: For German or European data storage, it should be contractually guaranteed that data is stored exclusively in EU data centres. CIVAC operates its platform with EU data residency, AES-256 encryption at rest and TLS 1.3 in transit.

When selecting software, written evidence of data residency, the DPA and security measures should be obtained.

Introducing hazardous substance management software is an implementation project with regulatory requirements for data quality. The project typically proceeds in four phases:

Phase 1 — Inventory: Collating all hazardous substances used in the company, comparing them with existing SDS, identifying gaps. This phase lasts one to three weeks depending on company size and degree of preparation.

Phase 2 — Data migration: Transferring existing Excel registers and PDF SDS into the new system. Quality checking of data for completeness and currency. The most common stumbling block: SDS versions that do not correspond to the supplier's latest version.

Phase 3 — Process integration: Linking the hazardous substance register with the risk assessment, setting up training modules, configuring deadline management and notifications.

Phase 4 — Training and go-live: Training users — in particular the hazardous substances officer and the responsible safety specialists — in operating the system.

A recurring stumbling block across all phases: the software is introduced but the expertise is absent. Without a qualified hazardous substances officer to maintain content and carry out assessments, even the best software is merely an empty form. CIVAC resolves this combination by having the external hazardous substances officer work directly within the workspace.

The market for hazardous substance management software can broadly be divided into four categories covering different requirement profiles:

Standalone hazardous substance databases: Products such as chemical databases or SDS management systems focused on pure data management. Strength: large SDS databases with import function. Weakness: no integrated risk assessment workflow, no personnel function.

Occupational safety suites with hazardous substance module: More comprehensive systems covering, in addition to hazardous substances, accident reporting, company medical documentation and general occupational safety obligations. Strength: more holistic approach. Weakness: often designed for large enterprises, frequently too complex and costly for SMEs.

ERP-integrated hazardous substance modules: Extensions to SAP EH&S or comparable ERP systems. Strength: seamless integration with existing data. Weakness: high implementation effort, licence costs, dependence on the ERP service provider.

Officer workspace platforms: Systems that map hazardous substance management as part of a comprehensive officer framework, including order document, audit log and AI assistant. Others manage compliance like a filing cabinet. CIVAC runs it like software. Strength: integrated personnel function, all 25 officer roles, no role changes between different systems required.

CIVAC is a German compliance platform and officer-as-a-service solution that offers hazardous substance management not as an isolated tool but as part of a complete officer framework. Licence the workspace for your internal representatives, or have our representatives assume the function.

The CIVAC workspace provides the following for hazardous substance management: a pre-structured hazardous substance register under Section 6(12) GefStoffV, a guided TRGS 400 risk assessment template, a training module with record-keeping, an AI assistant with standard citations for technical questions, and a complete audit log that can be exported at any time. A total of 37 ready-to-use audit templates cover the most common assessment scenarios.

For companies without an internal hazardous substances officer or wishing to reduce the burden on their internal function, CIVAC provides a qualified external GSB. Order document, signed, filed, verifiable — within two working days rather than the conventional two to six weeks.

Turn reading into action: info@civac.de or via the contact form on civac.de.