Contacts

Bothan Aisir, Rhiconich, Lairg, Sutherland, IV27 4RS, Scotland

kris@processsafetyconsulting.com

07983 142 451

What is MHHHRA, and what does it mean for your COMAH site?

If you run a COMAH site, you’ve probably started hearing about MHHHRA, and you may already be wondering how much work it’s going to put on your desk. This page explains what it is in plain English, what it actually asks of you, where I most often see sites fall short, and a question almost nobody else is answering: whether it applies to you if you’re only lower tier.

I’m Kris Ellenthorpe. I’ve spent 25 years in high-hazard process safety, and I’ve sat on the CDOIF working group behind this guidance, offering review, challenge and feedback as it was finalised. What follows isn’t a paraphrase of the document. It’s what it means in practice.

What is MHHHRA?

MHHHRA stands for Major Accident Hazard Human Harm Risk Assessment. It’s guidance developed under CDOIF (the Chemical and Downstream Oil Industries Forum) that sets out a structured way to assess the risk major accidents pose to people, and to show those risks have been reduced so far as is reasonably practicable.

Think of it this way. It does for human harm risk assessment roughly what the existing CDOIF environmental guidance already does for environmental (MATTE) assessment. It’s the benchmark the regulator expects you to have followed when you demonstrate that major accident risks to people have been properly assessed.

Why does MHHHRA matter now?

MHHHRA is finalised and at sign-off, and copies are already circulating across the industry. So this isn’t something coming down the track for you to worry about later. The HSE has been clear, in industry forums and in COMAH safety report pre-receipt meetings, that this is the approach it expects sites to follow now.

There’s a point worth being blunt about. Even if the formal publication date slips, the HSE’s position is that these are the principles you need to follow to comply with the law, and it will regulate on that basis regardless. So the publication status is, in practical terms, a distraction. The expectation is already real.

That matters for one simple reason. If your site has a safety report submission or review coming up, you’ll be assessed against this thinking whether you’ve prepared for it or not. Getting ahead of it now is a good deal easier than meeting it cold in front of an inspector.

What does MHHHRA actually require?

The guidance runs across four connected stages. Most explanations stop at listing them, which isn’t much help. What matters is what good looks like at each stage, and where sites most often come unstuck, because that’s the difference between having done the work and having done it in a way that stands up.

Identification: finding everything, and proving you have

You build a screening picture of every major accident hazard scenario across the site, organised by unit operation and grouped into representative scenarios where that’s justified.

Where it goes wrong: a list of scenarios with no visible trail of how you got to it. A good screening doesn’t just list hazards. It shows how your HAZID, HAZOP and incident history were brought together to derive them, proves the whole site was covered, and says what isn’t a major accident hazard as well as what is. The coverage gaps I find are rarely in the obvious plant. They hide in the things that don’t read as “process”: a drum or IBC store, a warehouse, a gas compressor in an enclosure that could accumulate and ignite, an ammonia chiller written off as just refrigeration.

There’s also a quiet but important shift in what you’re screening for. The duty is to assess serious danger to people, and that includes serious injury, not fatality alone. Plenty of existing assessments only ever counted who could be killed.

Analysis: comparing against good practice, not just producing a number

For each scenario you work up the causes, the protective measures, the consequences and the likelihood. Consequence modelling, fault and event trees, and frequency estimation all sit here.

Where it goes wrong: treating analysis as the production of a risk number. The number tells you the size of the risk. But the heart of the job is the comparison against relevant good practice, which asks whether you’re doing what a competent operator is expected to do. I also see frequency data lifted straight from generic industry datasets without ever relating it to the actual asset. A plain storage tank and a tank that’s heated, agitated, or holding something that could react are not the same risk, and the analysis has to reflect that, because it drives the measures you end up relying on.

Assessment: the whole-site picture, not one scenario at a time

This is the stage sites most often misunderstand. Analysis works on scenarios one at a time. Assessment combines them, to work out the cumulative risk to the people actually exposed, by location and by role, and where relevant the societal risk and the risk to people inside buildings (an occupied building risk assessment). A site can have perfectly good scenario analysis and still not have done the assessment, simply because it has never added anything up.

Further measures and ALARP: what more can reasonably be done

Finally, you ask what more could reasonably be done to reduce the risk, and you justify your decisions either way. The effort expected scales with the risk: the closer to intolerable, the more is expected of you.

Where it goes wrong: assuming that because a risk sits below a tolerability threshold, the job is finished. It isn’t. A proportionate ALARP demonstration is still expected even when risk is broadly acceptable. It’s just lighter.

Where sites most often fall short

Pulling that together, the gaps I see most often aren’t exotic. They’re consistent:

  • A scenario list with nothing behind it to show how it was derived.
  • Coverage that looks complete because the HAZOP folder is thick, when whole units were never studied.
  • Screening that stops at fatality and never reaches serious harm.
  • Quantification built on generic data that was never related to the actual plant.
  • A LOPA that says one thing and a COMAH risk assessment that says another for the same scenario.
  • An assessment that never combines scenarios into the cumulative picture.
  • And the one almost nobody watches for: creeping change. What quietly invalidates your assessment is often nothing you did at all. It’s a housing development, a school, or a new occupied building going up near your boundary, shifting the off-site picture while nothing on your plant changed.

None of these are failures of effort. They usually come from the underlying studies, standards or management arrangements never being set up for the job MHHHRA now asks of them.

Does MHHHRA apply to me if I’m only lower tier?

This is the question I get asked most, and the assumption behind it is usually wrong. Plenty of lower-tier operators reason like this: MHHHRA is about safety reports, I don’t produce a safety report, so it doesn’t apply to me. That looks sensible, but it rests on a false premise.

The duty to carry out a suitable and sufficient risk assessment doesn’t come from the safety report. It comes from general health and safety law, which draws no line between upper and lower tier. The safety report is an additional obligation that upper-tier sites carry on top. It was never the source of the assessment duty. So lower tier does not mean lower duty. If anything, a lower-tier site is more exposed, because nothing is forcing the work along, so the discipline has to be self-imposed. (I’ve written about this in more detail on does MHHHRA apply to lower tier COMAH sites?)

How ready is your site?

For most sites the honest answer is “less ready than it feels”, because the gaps above stay hidden until someone goes looking for them. That’s exactly what a structured readiness check is for. (See is your site ready for MHHHRA? for the gaps I see most often.)

Get my free MHHHRA readiness self-assessment. It walks you through where your site stands against each stage of the guidance, with the common pitfalls flagged, so you can see your gaps before an inspector does. Enter your email and I’ll send it straight over.

Prefer to talk it through with your team? Request a free 30-minute MHHHRA briefing and I’ll walk you and your colleagues through what’s coming and what it means for your site, with 15 minutes for your questions afterwards. No charge, no obligation.

Common questions

Who does MHHHRA apply to?

Operators of COMAH establishments who need to show that major accident hazards to people have been identified, assessed and managed. It’s directly relevant to upper-tier sites preparing or revising safety reports, but the underlying risk-assessment duty applies to lower-tier sites too.

When does MHHHRA take effect?

In practical terms, now. The guidance is finalised and at sign-off, and the regulator already expects sites to work to it, through industry forums and safety report pre-receipt meetings. If you have a submission or review coming up, prepare on that basis rather than waiting for a publication date.

Is MHHHRA a legal requirement?

The guidance itself is guidance, not law. But the duty to assess major accident risks to people properly is a legal one, and MHHHRA is the benchmark the regulator uses to judge whether you’ve met it. The HSE’s stated view is that these principles are what the law requires, so in practice it’s regulated as such.

How do I know if my site is ready?

Work through a structured readiness check against each stage of the guidance. My free self-assessment does exactly that: request it above.