Fire Risk Assessment in Malaysia: What It Is, Who Needs It, and How It Works Under BOMBA & UBBL
A fire risk assessment in Malaysia is a legal requirement for most commercial, industrial, and public buildings — yet many building owners and facility managers still do not fully understand what it involves, who is required to carry one out, or how it connects to enforcement by BOMBA and the Uniform Building By-Laws (UBBL). This guide covers everything you need to know.
Fesdes is a registered fire engineering and safety consultant in Malaysia. If you need a certified fire risk assessment for your building, contact our team here.
What is a fire risk assessment?
A fire risk assessment (FRA) is a structured evaluation of a building or facility to identify fire hazards, determine who and what is at risk, and recommend control measures to reduce that risk to an acceptable level. It examines three core elements: the sources of ignition, the fuel available to feed a fire, and the people or assets that could be harmed.
In Malaysia, fire risk assessments are closely tied to the requirements set out under the Fire Services Act 1988 (Act 341) and enforced by Jabatan Bomba dan Penyelamat Malaysia (BOMBA). The assessment informs whether a building can receive or maintain its Fire Certificate (FC) — a mandatory document for most occupied buildings under Malaysian law.
Unlike a general safety inspection, a fire risk assessment is a technical document. It must be thorough, documented, and in many cases carried out or reviewed by a qualified fire safety engineer or certified assessor.
Why is fire risk assessment important in Malaysia?
Malaysia has seen several high-profile fire tragedies over the decades — from the Highland Towers collapse-related fires to more recent incidents in factories and shophouses — that have driven stricter enforcement of fire safety laws. BOMBA has progressively tightened requirements for building owners to actively demonstrate that fire risks have been identified and controlled, not just assumed.
Beyond legal compliance, the business case for a proper fire risk assessment is strong. A fire in a commercial or industrial setting can result in:
- Loss of life and injury to occupants and staff
- Destruction of machinery, inventory, and data
- Prolonged business downtime and revenue loss
- Insurance claims being denied due to non-compliance
- Legal liability for the building owner or employer
A properly conducted fire risk assessment directly reduces all of these risks by ensuring that hazards are identified early and systematically addressed.
Who needs a fire risk assessment in Malaysia?
Under the UBBL 1984 and the Fire Services Act 1988, the following types of buildings and facilities are generally required to maintain an active fire safety assessment:
| Building Type | Requirement | Enforcing Authority |
| Commercial buildings (malls, offices) | Fire Certificate mandatory | BOMBA |
| Industrial and manufacturing plants | FERA / FRA required | BOMBA / DOSH |
| Healthcare facilities (hospitals, clinics) | FRA + fire safety plan | BOMBA / MOH |
| Educational institutions | Fire safety audit required | BOMBA / MOE |
| Hotels and hospitality venues | Fire Certificate + FRA | BOMBA / MOTAC |
| Oil, gas & petrochemical facilities | FERA + HAZOP mandatory | BOMBA / DOSH / PETRONAS |
| Data centres | Fire risk assessment + suppression design | BOMBA |
Even if your building type is not listed above, any employer in Malaysia with five or more employees has a duty of care under the Occupational Safety and Health Act 1994 (OSHA) to ensure the workplace is free from fire hazards. This effectively means that a fire risk assessment is relevant to virtually every non-residential building in Malaysia.
How does fire risk assessment work under BOMBA and UBBL?
The fire risk assessment process in Malaysia typically follows a structured methodology aligned with BOMBA’s requirements and the technical standards referenced in the UBBL 1984. Here is how the process works from start to finish.
Step 1: Initial site survey and document review
The fire engineer or assessor begins by conducting a physical walkthrough of the building and reviewing existing documentation. This includes architectural drawings, electrical schematics, existing fire protection system records, previous BOMBA inspection reports, and any prior fire safety plans.
Step 2: Hazard identification
All potential sources of ignition are identified — including electrical panels, heat-generating machinery, flammable storage areas, LPG or chemical storage, and cooking facilities. Fuel sources (combustible materials, finishes, and contents) and oxygen sources are also catalogued. This stage directly maps to the requirements set out in NFPA 1 (Fire Code) as referenced for complex facilities.
Step 3: Risk evaluation and scoring
Each identified hazard is evaluated based on its likelihood and potential consequence. Fire engineers use quantitative or semi-quantitative risk matrices to assign risk scores. High-risk areas — such as transformer rooms, chemical storage, or densely occupied zones — are prioritised for immediate action.
Step 4: Review of existing fire protection systems
The assessment verifies whether existing passive and active fire protection systems are adequate and in good working order. This includes:
- Sprinkler systems and coverage adequacy
- Fire alarm and detection systems
- Emergency lighting and exit signage
- Smoke control systems and ventilation
- Firefighting access and hydrant points
- Fire compartmentation and door integrity
Step 5: Recommendations and action plan
The assessor produces a formal report documenting all findings, risk ratings, and specific recommendations. These recommendations are prioritised by urgency — critical items that pose immediate life-safety risks are addressed separately from medium-term improvements. The report forms the basis of the building’s ongoing fire safety management plan.
Step 6: BOMBA submission and Fire Certificate renewal
For buildings requiring a Fire Certificate, the findings from the fire risk assessment are submitted as part of the FC application or renewal process. BOMBA officers may conduct their own inspection before issuing or renewing the FC. A comprehensive and professionally prepared FRA report significantly streamlines this process and reduces the likelihood of rejection or re-inspection delays.
Fesdes has supported FRA submissions for BOMBA across commercial, industrial, and petrochemical facilities in Malaysia. Learn more about our Fire Risk Assessment (FRA) service.
Fire Risk Assessment vs Fire & Explosion Risk Assessment (FERA): what is the difference?
A common point of confusion for building owners and engineers in Malaysia is the difference between a standard Fire Risk Assessment (FRA) and a Fire & Explosion Risk Assessment (FERA). While both are focused on fire-related hazards, they serve different purposes:
- An FRA is typically used for buildings — commercial, industrial, and institutional premises. It focuses on fire hazards within the built environment: ignition sources, fuel loads, occupant safety, and emergency egress.
- A FERA is used for process industries — oil & gas plants, chemical facilities, and refineries. It covers both fire and explosion hazards arising from flammable or explosive materials processed or stored on-site. FERA is typically a prerequisite for DOSH registration under CIMAH regulations.
If you operate a manufacturing plant, oil and gas facility, or any site that handles flammable substances in significant quantities, you likely need a FERA rather than a standard FRA. Both types of assessment require a qualified fire engineer with relevant industry experience.
How often should a fire risk assessment be reviewed in Malaysia?
A fire risk assessment is not a one-time exercise. Under best practice guidelines and BOMBA expectations, an FRA should be reviewed:
- At least once every three years for stable, low-risk buildings
- Annually for higher-risk facilities (manufacturing, healthcare, warehousing)
- Immediately after any significant change to the building layout, occupancy, or use
- Following any fire incident, near-miss event, or BOMBA enforcement notice
- Prior to Fire Certificate renewal submission
Failing to keep your fire risk assessment current is one of the most common reasons BOMBA inspections result in enforcement notices or FC renewals being delayed.
Frequently asked questions
Is a fire risk assessment a legal requirement in Malaysia?
Yes. Under the Fire Services Act 1988 and the UBBL 1984, most commercial, industrial, and public buildings in Malaysia are legally required to maintain fire safety documentation. For facilities covered under CIMAH regulations (DOSH), a formal FERA is mandatory. While the law does not always use the exact term “fire risk assessment,” the substance of what it requires aligns directly with a proper FRA.
Who can carry out a fire risk assessment in Malaysia?
For most buildings, a fire risk assessment should be carried out by a qualified fire safety engineer or a certified fire safety professional registered with the relevant authorities. For high-risk facilities (oil & gas, chemical plants), the assessor must have specific process industry experience. Fesdes provides FRA and FERA services delivered by registered fire engineers with experience across multiple sectors.
How long does a fire risk assessment take?
The duration depends on the size and complexity of the facility. A straightforward commercial office might take one to two days for the site survey and two to three days for the report. A large industrial or petrochemical facility can take several weeks from initial assessment through to final report and submission. Fesdes provides a timeline estimate as part of every project scoping discussion.
What happens if my building fails a BOMBA fire inspection?
If BOMBA identifies fire safety deficiencies during an inspection, they may issue a Notice of Defect requiring remedial works within a specified time frame. In serious cases, they have the authority to issue a Stop Work Order or refuse to issue or renew your Fire Certificate until all deficiencies are resolved. A proactive fire risk assessment significantly reduces the risk of failing an inspection by identifying and addressing issues before BOMBA arrives.
What is the difference between a fire safety audit and a fire risk assessment?
A fire safety audit is a compliance-focused check it verifies that existing fire safety systems and procedures meet regulatory requirements. A fire risk assessment goes deeper: it proactively identifies all hazards, evaluates the level of risk, and produces a prioritised action plan. In practice, many organisations use both tools together as part of a comprehensive fire safety management programme.
Need a fire risk assessment for your building in Malaysia?
Fesdes is a registered fire engineering and safety consultant serving commercial, industrial, oil & gas, and healthcare clients across Malaysia. Our team of certified fire engineers delivers thorough FRA and FERA reports accepted by BOMBA and aligned with UBBL, NFPA, and international standards. Get a free consultation