A practical framework for COSHH compliance built around the eight discrete duties under Regulations 6 to 13, each tied to its legal basis and what good practice looks like.
How many steps are there to COSHH compliance? Different sources will tell you five, seven or eight. The answer depends on what you're counting. Eight is the framing this page uses, because it maps directly onto the active duties under Regulations 6 to 13 of the COSHH Regulations 2002 — every duty an employer has, treated as its own discrete step rather than rolled into a broader category.
The five-step framing comes from HSE's generic risk assessment template ("identify hazards, decide who might be harmed, evaluate risk, record findings, review"). It works for the assessment process but doesn't cover the duties that come after. The seven-step framing varies: different sources include different combinations. Eight steps is the form that covers everything COSHH requires, with each step traceable to a specific regulation.
This page walks through each step. For the broader picture, see what COSHH is. For the regulations themselves, see the COSHH Regulations 2002 walkthrough.
Step 1 — Assess the risks (Regulation 6)
The COSHH risk assessment is the keystone of compliance. Before any work that could expose employees to a hazardous substance begins, Regulation 6 requires a "suitable and sufficient" assessment of the risk. The assessment identifies the substances present, evaluates the level of risk, and sets out the controls that will be used.
Where the employer has five or more workers, the assessment must be recorded in writing. The record must show the substances, the hazards, the people at risk, the controls, and the review arrangements. The COSHH risk assessment template covers the structure in detail.
The assessment must be reviewed when circumstances change — a new substance, a different process, a near-miss, a change to the workplace exposure limit, or a finding from monitoring or health surveillance that controls aren't working. Most workplaces operate on an annual review cycle by default, with immediate review for significant changes.
For the practical method of carrying out the assessment, including worked examples from cleaning, hairdressing and construction, see how to carry out a COSHH risk assessment. For knowing which substances need assessing in the first place, see what substances are covered by COSHH.
Step 2 — Decide what precautions are needed (Regulation 7)
Once the risks are assessed, the next step is choosing the controls. Regulation 7 sets a strict order. Substitution comes first under Regulation 7(2) — wherever reasonably practicable, the hazardous substance must be replaced with something less hazardous, or the process changed to eliminate the need for it. Where substitution isn't possible, Regulation 7(3) establishes a hierarchy: engineering controls first, then control of exposure at source and organisational measures, then PPE only as a last resort and in combination with other controls.
The COSHH hierarchy of control walks through each level with worked examples.
For some substances, the standard goes higher than Regulation 7(3). For carcinogens, mutagens and substances that cause occupational asthma, exposure must be reduced as low as is reasonably practicable (ALARP), regardless of whether a workplace exposure limit applies or has been met. The ALARP standard means controls must continue to be improved as long as the cost isn't grossly disproportionate to the reduction in risk.
Step 3 — Prevent or adequately control exposure (Regulation 7)
Step 2 decides the controls; Step 3 puts them in place and demonstrates they work. The two are split here because Regulation 7's duty is dual — deciding what to do, and actually doing it. A decision to use engineering controls that's never implemented is no better than no decision at all.
Implementation usually means a combination of equipment, procedures and training. Engineering controls — local exhaust ventilation, fume cupboards, enclosed handling — need to be installed, commissioned and tested before they're relied on. Organisational measures need to be written up as procedures and built into the work. Administrative controls — signage, restricted access, supervision — need to be in place and maintained.
"Adequately controlled" has a defined meaning. For most substances it means below the workplace exposure limit listed in EH40. Around 500 substances have WELs. For substances without a WEL, adequate control means the lowest practicable level using the hierarchy. For carcinogens, mutagens and asthmagens, it means ALARP regardless of the limit.
Step 4 — Ensure that control measures are used and maintained (Regulations 8 and 9)
Controls only work if they're used, and they only stay effective if they're maintained. Regulation 8 requires the employer to ensure controls are properly used and that workers cooperate with them. Regulation 9 requires the employer to maintain controls in efficient working order, in good repair and in clean condition.
For local exhaust ventilation, Regulation 9 sets a specific maximum interval for thorough examination and testing: 14 months. The examination has to be carried out by a competent tester (typically an external specialist), with formal records of the test and any defects identified. Records must be kept for at least five years.
Other categories of control measure have appropriate maintenance intervals defined in the L5 Approved Code of Practice or by manufacturer specification. PPE needs visual inspection before each use, with formal periodic checks for items like respirators. COSHH storage requirements covers the inspection regime for storage cabinets.
The "use" part of the duty matters as much as the "maintain" part. An LEV system in perfect condition that workers bypass because it makes the work awkward isn't providing control. Supervision, training and culture all matter — and the breakdown in any of them is often what an investigation finds after an incident.
Step 5 — Monitor exposure (Regulation 10)
Where the risk assessment indicates that monitoring is needed, Regulation 10 requires the employer to arrange it. The most common form is personal sampling — a small pump worn by the worker during representative periods of work, capturing the substance from the breathing zone for laboratory analysis. Less commonly, monitoring uses static (area) samplers or direct-reading instruments.
Monitoring isn't required for every COSHH-covered workplace. The L5 ACOP gives criteria: monitoring is needed where exposure is close to a WEL, where the controls are critical to safety, or where the substances have particularly serious health effects. For lower-hazard substances in well-controlled workplaces, monitoring may not be required at all.
When it is required, records must be kept for at least five years. Where the record relates to the personal exposure of an identifiable employee subject to health surveillance, the retention period extends to 40 years from the date of the last entry.
Step 6 — Carry out appropriate health surveillance (Regulation 11)
Some COSHH-relevant work triggers health surveillance — periodic medical or workplace checks to identify occupational disease early. Regulation 11 and Schedule 6 set out when surveillance is required: specific processes and substances listed in Schedule 6, plus any case where the risk assessment indicates that surveillance can detect identifiable disease at a stage where intervention helps.
The form of surveillance varies. For workers exposed to substances that cause dermatitis, it's usually skin inspections by an appropriately trained person at defined intervals. For workers exposed to asthmagens, it's questionnaires, lung function tests and clinical assessment by an occupational health professional. For workers exposed to certain specified processes, it includes biological monitoring or biological effect monitoring.
Health records must be kept for 40 years from the date of the last entry. This long retention period reflects the latency of many occupational diseases — a worker exposed to a respiratory sensitiser in 1995 may not develop the disease until 2025, by which time the original employer may have changed hands several times. Without long-term records, the link between exposure and disease can't be established and the worker has no evidence for any claim.
The records belong to the employer but must be made available to HSE on request and to the worker themselves. Where a workplace closes, arrangements have to be made to transfer the records to HSE for safekeeping.
Step 7 — Plan for accidents, incidents and emergencies (Regulation 13)
Regulation 13 requires employers to prepare for foreseeable emergencies involving hazardous substances. The arrangements have to include emergency procedures (evacuation, decontamination, first aid suitable to the substances), provision of information to the emergency services, and any alarms or warning systems the risk warrants.
The depth of the arrangements scales with the risk. A small office using cleaning chemicals needs spill containment kit, first-aid arrangements and an evacuation plan. A chemical manufacturer needs detailed incident plans, on-site emergency response capability, mutual aid agreements with neighbours, and pre-arranged communication with local emergency services. Where a substance falls into the higher hazard categories — particularly toxic, very toxic, or on the prohibited or restricted lists — additional notifications and dedicated emergency provisions may be required.
Arrangements have to be exercised. A written plan that has never been tested is more likely to fail at the moment it's needed. Periodic drills — evacuation, spill response, casualty handling — are how the planning gets turned into real capability.
Step 8 — Inform, instruct and train employees (Regulation 12)
Regulation 12 closes the loop. None of the previous seven steps work unless the workers who use the substances, operate the controls, follow the procedures and respond to emergencies actually know what they're doing. The training duty requires the employer to provide information, instruction and training that's "suitable and sufficient" for the work.
The required content includes the names of the substances workers handle, the significant findings of the assessment, the precautions in place, the results of any monitoring or health surveillance, and what to do in an emergency. For substances at the higher hazard categories — carcinogens, mutagens, asthmagens, acute toxics — the training has to go beyond awareness into competence.
This is the step where the regulation meets the workforce. Structured COSHH Training is how most UK employers meet the duty for the substances workers commonly encounter, supplemented by specific instruction on the substances and controls at their own workplace. Workers also have duties under Regulation 8(2) and Section 7 of the Health and Safety at Work Act — see COSHH responsibilities for employers and employees for the full picture.
Putting the eight steps together: the compliance audit

The eight steps double as the structure of a COSHH compliance audit. Working through them in order, an auditor can confirm:
- Whether assessments exist for all hazardous substances in use
- Whether the controls in place reflect the hierarchy and follow Reg 7
- Whether the controls are actually being used and maintained — including the 14-month LEV test interval
- Whether monitoring and health surveillance happen on schedule
- Whether emergency arrangements are documented and tested
- Whether training records are current and align with the substances in use
Most COSHH compliance failures don't sit in the absence of any one step — most workplaces have something for each. The failure is in the consistency: an assessment that wasn't reviewed after the new substance came in, an LEV system three months past its 14-month test, a worker who hasn't had refresher training since 2019. The audit looks for those gaps, and an HSE inspector looks for them too.
Fees for Intervention
When HSE inspects and finds a material breach, they can charge for the time spent investigating it. The Fees for Intervention (FFI) scheme allows HSE to invoice the duty holder for the inspector's time at a published hourly rate, covering everything from initial conversation through letter-writing, return visits, and any enforcement action that follows. The total cost of an FFI-triggering visit can run into thousands of pounds even where no prosecution follows.
FFI is in addition to other enforcement — improvement notices, prohibition notices, prosecution — not instead of it. A workplace that triggers FFI and is then prosecuted faces both the FFI invoice and any subsequent fine and costs from the court.
The straightforward way to avoid FFI is the same as the way to avoid prosecution: work through the eight steps systematically, document each one, and keep the documentation current.
Frequently asked questions
How many steps are there to COSHH compliance?
The eight-step framing maps onto the active duties in Regulations 6 to 13 of the COSHH Regulations 2002 — one step per duty. The five-step framing covers the risk assessment process but not the broader duties. Both can be defended; eight steps is the form that covers all the operational requirements.
Are the 8 steps a legal requirement?
The steps themselves aren't named in the regulations — they're a framework for navigating the duties. The underlying duties (assess, control, maintain, monitor, carry out health surveillance, plan, train) are legal requirements under Regulations 6 to 13. Working through eight steps is one way to make sure none is missed.
What's the difference between the 5 steps and the 8 steps?
The five-step framing comes from HSE's general risk assessment template and covers the assessment process: identify hazards, decide who could be harmed, evaluate risk, record findings, review. The eight-step framing adds the duties that come after the assessment — implementing controls, maintaining them, monitoring exposure, health surveillance, emergency planning and training.
What happens in a COSHH audit?
An audit works through the eight steps and checks the evidence at each: assessments and reviews, controls in place, maintenance and testing records, monitoring results, health surveillance records, emergency plans and exercise records, training records. The audit identifies gaps and produces an action plan. Internal audits run at the workplace's own schedule; HSE inspections happen at HSE's initiative, with no advance notice.







