Understanding the Hierarchy of Controls

This entry is part 2 of 4 in the series Hierarchy of Controls

Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100-1 (shown below) illustrates this point.

The system is called a hierarchy because you must apply the levels in the order in which they appear in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, and the last, PPE*, is the least effective.

It’s important to understand that the following questions must be asked after each step in the hierarchy is implemented: “Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?” When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training and, finally, have made recommendations for any needed PPE.

*PPE – Personal Protective Equipment, e.g. protective eyewear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes ‘…anything designed to be worn, held, or carried by an individual for protection against one or more hazards.’ in this definition.

[Figure: Risk Reduction from the Designer's Viewpoint (ISO 12100:2010, Figure 2)]


Introducing the Hierarchy of Controls

The Hierarchy of Controls was developed in a num­ber of dif­fer­ent stand­ards over the last 20 years or so. The idea was to provide a com­mon struc­ture that would provide guid­ance to design­ers when con­trolling risk.

Typically, the first three levels of the hier­archy may be con­sidered to be ‘engin­eer­ing con­trols’ because they are part of the design pro­cess for a product. This does not mean that they must be done by engineers!

We’ll look at each level in the hier­archy in detail. First, let’s take a look at what is included in the Hierarchy.

The Hierarchy of Controls includes:

1)    Hazard Elimination or Substitution (Design)
2)    Engineering Controls (see [1, 2, 8, 9, 10, and 11])
    a)    Barriers
    b)    Guards (Fixed, Movable w/interlocks)
    c)    Safeguarding Devices
    d)    Complementary Protective Measures
3)    Information for Use (see [1, 2, 4, 7, 8, 12, and 13])
    a)    Hazard Warnings
    b)    Manuals
    c)    HMI* & Awareness Devices (lights, horns)
4)    Administrative Controls (see [1, 2, 4, 5, 7, and 8])
    a)    Training
    b)    SOP’s
    c)    Hazardous Energy Control Procedures (see [5, 14])
    d)    Authorization
5)    Personal Protective Equipment
    a)    Specification
    b)    Fitting
    c)    Training in use
    d)    Maintenance

*HMI – Human-​Machine Interface. Also called the ‘con­sole’ or ‘oper­at­or sta­tion’. The loc­a­tion on the machine where the oper­at­or con­trols are loc­ated. Often includes a pro­gram­mable screen or oper­at­or dis­play, but can be a simple array of but­tons, switches and indic­at­or lights.

The man­u­fac­turer, developer or integ­rat­or of the sys­tem should provide the first three levels of the hier­archy. Where they have not been provided, the work­place or user should provide them.

The last two levels must be provided by the work­place or user.


Each lay­er in the hier­archy has a level of effect­ive­ness that is related to the fail­ure modes asso­ci­ated with the con­trol meas­ures and the rel­at­ive effect­ive­ness in redu­cing risk in that lay­er. As you go down the hier­archy, the reli­ab­il­ity and effect­ive­ness decrease as shown below.

[Figure: Effectiveness of the Hierarchy of Controls]

There is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy – that must wait until you make some selections from each level, and even then it can be very hard to do. The important thing to understand is that Elimination is more effective than Guarding (engineering controls), which is more effective than Awareness Means, etc.

1. Hazard Elimination or Substitution

Hazard Elimination

Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean that elimination is 100% effective; however, it’s my opinion that this is not the case, because even elimination has failure modes that can re-introduce the hazard.

Failure Modes:

Hazard elim­in­a­tion can fail if the haz­ard is rein­tro­duced into the design. With machinery this isn’t that likely to occur, but in pro­cesses, ser­vices and work­places it can occur.


Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process, since beryllium is not toxic unless ingested.

Alternatively, using pro­cesses to handle the beryl­li­um without cre­at­ing dust or particles could reduce the expos­ure to the mater­i­al in forms that are likely to cause beryl­li­um dis­ease. An example of this could be sub­sti­tu­tion of water-​jet cut­ting instead of mech­an­ic­al saw­ing of the material.

Failure Modes:

Reintroduction of the sub­sti­tuted mater­i­al into a pro­cess is the primary fail­ure mode, how­ever there may be oth­ers that are spe­cif­ic to the haz­ard and the cir­cum­stances. In the above example, pre- and post-​cutting hand­ling of the mater­i­al could still cre­ate dust or small particles, res­ult­ing in expos­ure to beryl­li­um. A sub­sti­tuted mater­i­al might intro­duce oth­er, new haz­ards, or might cre­ate fail­ure modes in the final product that would res­ult in risks to the end user. Careful con­sid­er­a­tion is required!

If neither elimination nor substitution is possible, we move to the next level in the hierarchy.

2. Engineering Controls

Engineering con­trols typ­ic­ally include vari­ous types of mech­an­ic­al guards [16, 17, & 18], inter­lock­ing sys­tems [9, 10, 11, & 15], and safe­guard­ing devices like light cur­tains or fences, area scan­ners, safety mats and two-​hand con­trols [19]. These sys­tems are pro­act­ive in nature, act­ing auto­mat­ic­ally to pre­vent access to a haz­ard and there­fore pre­vent­ing injury. These sys­tems are designed to act before a per­son can reach the danger zone and be exposed to the hazard.

Control reliability

Barrier guards and fixed guards are not eval­u­ated for reli­ab­il­ity because they do not rely on a con­trol sys­tem for their effect­ive­ness. As long as they are placed cor­rectly in the first place, and are oth­er­wise prop­erly designed to con­tain the haz­ards they are pro­tect­ing, then noth­ing more is required. On the oth­er hand, safe­guard­ing devices, like inter­locked guards, light fences, light cur­tains, area scan­ners, safety mats, two-​hand con­trols and safety edges, all rely on a con­trol sys­tem for their effect­ive­ness. Correct applic­a­tion of these devices requires cor­rect place­ment based on the stop­ping per­form­ance of the haz­ard and cor­rect integ­ra­tion of the safety device into the safety related parts of the con­trol sys­tem [19]. The degree of reli­ab­il­ity is based on the amount of risk reduc­tion that is being required of the safe­guard­ing device and the degree of risk present in the unguarded state [9, 10].

There are many detailed tech­nic­al require­ments for engin­eer­ing con­trols that I can’t get into in this art­icle, but you can learn more by check­ing out the ref­er­ences at the end of this art­icle and oth­er art­icles on this blog.

Failure Modes

Failure modes for engin­eer­ing con­trols are as many and as var­ied as the devices used and the meth­ods of integ­ra­tion chosen. This dis­cus­sion will have to wait for anoth­er article!

Awareness Devices

Of spe­cial note are ‘aware­ness devices’. This group includes warn­ing lights, horns, buzzers, bells, etc. These devices have some aspects that are sim­il­ar to engin­eer­ing con­trols, in that they are usu­ally part of the machine con­trol sys­tem, but they are also some­times classed as ‘inform­a­tion for use’, par­tic­u­larly when you con­sider indic­at­or or warn­ing lights and HMI screens. In addi­tion to these ‘act­ive’ types of devices, aware­ness devices may also include lines painted or taped on the floor or on the edge of a step or elev­a­tion change, warn­ing chains, sig­nage, etc. Signage may also be included in the class of ‘inform­a­tion for use’, along with HMI screens.

Failure Modes

Failure modes for Awareness Devices include:

  • Ignoring the warn­ings (Complacency or Failure to com­pre­hend the mean­ing of the warning);
  • Failure to main­tain the device (warn­ing lights burned out or removed);
  • Defeat of the device (silen­cing an aud­ible warn­ing device);
  • Inappropriate selec­tion of the device (invis­ible or inaud­ible in the pre­dom­in­at­ing conditions).

Complementary Protective Measures

Complementary Protective meas­ures are a class of con­trols that are sep­ar­ate from the vari­ous types of safe­guard­ing because they gen­er­ally can­not pre­vent injury, but may reduce the sever­ity of injury or the prob­ab­il­ity of the injury occur­ring. Complementary pro­tect­ive meas­ures are react­ive in nature, mean­ing that they are not auto­mat­ic. They must be manu­ally activ­ated by a user before any­thing will occur, e.g. press­ing an emer­gency stop but­ton. They can only com­ple­ment the pro­tec­tion provided by the auto­mat­ic systems.

A good example of this is the Emergency Stop sys­tem that is designed into many machines. On its own, the emer­gency stop sys­tem will do noth­ing to pre­vent an injury. The sys­tem must be activ­ated manu­ally by press­ing a but­ton or pulling a cable. This relies on someone detect­ing a prob­lem and real­iz­ing that the machine needs to be stopped to avoid or reduce the sever­ity of an injury that is about to occur or is occur­ring. Emergency stop can only ever be a back-​up meas­ure to the auto­mat­ic inter­locks and safe­guard­ing devices used on the machine. In many cases, the next step in emer­gency response after press­ing the emer­gency stop is to call 911.

Failure Modes:

The fail­ure modes for these kinds of con­trols are too numer­ous to list here, how­ever they range from simple fail­ure to replace a fixed guard or bar­ri­er fence, to fail­ure of elec­tric­al, pneu­mat­ic or hydraul­ic con­trols. These fail­ure modes are enough of a con­cern that a new field of safety engin­eer­ing called ‘Functional Safety Engineering’ has grown up around the need to be able to ana­lyze the prob­ab­il­ity of fail­ure of these sys­tems and to use addi­tion­al design ele­ments to reduce the prob­ab­il­ity of fail­ure to a level we can tol­er­ate. For more on this, see [9, 10, 11].

Once you have exhausted all the pos­sib­il­it­ies in Engineering Controls, you can move to the next level down in the hierarchy.

3. Information for Use

This is a very broad top­ic, includ­ing manu­als, instruc­tion sheets, inform­a­tion labels on the product, haz­ard warn­ing signs and labels, HMI screens, indic­at­or and warn­ing lights, train­ing mater­i­als, video, pho­to­graphs, draw­ings, bills of mater­i­als, etc. There are some excel­lent stand­ards now avail­able that can guide you in devel­op­ing these mater­i­als [1, 12 and 13].

Failure Modes:

The major fail­ure modes in this level include:

  • Poorly writ­ten or incom­plete materials;
  • Provision of the mater­i­als in a lan­guage that is not under­stood by the user;
  • Failure by the user to read and under­stand the materials;
  • Inability to access the mater­i­als when needed;
  • Etcetera.

When all pos­sib­il­it­ies for inform­ing the user have been covered, you can move to the next level down in the hier­archy. Note that this is the usu­al sep­ar­a­tion point between the man­u­fac­turer and the user of a product. This is nicely illus­trated in Fig 2 from ISO 12100 above. It is import­ant to under­stand at this point that the resid­ual risk posed by the product to the user may not yet be tol­er­able. The user is respons­ible for imple­ment­ing the next two levels in the hier­archy in most cases. The man­u­fac­turer can make recom­mend­a­tions that the user may want to fol­low, but typ­ic­ally that is the extent of influ­ence that the man­u­fac­turer will have on the user.

4. Administrative Controls

This level in the hier­archy includes:

  • Training;
  • Standard Operating Procedures (SOP’s);
  • Safe work­ing pro­ced­ures e.g. Hazardous Energy Control, Lockout, Tagout (where per­mit­ted by law), etc.;
  • Authorization; and
  • Supervision.

Training is the meth­od used to get the inform­a­tion provided by the man­u­fac­turer to the work­er or end user. This can be provided by the man­u­fac­turer, by a third party, or self-​taught by the user or worker.
SOP’s can include any kind of pro­ced­ure insti­tuted by the work­place to reduce risk. For example, requir­ing work­ers who drive vehicles to do a walk-​around inspec­tion of the vehicle before use, and log­ging of any prob­lems found dur­ing the inspec­tion is an example of an SOP to reduce risk while driving.
Safe work­ing pro­ced­ures can be strongly influ­enced by the man­u­fac­turer through the inform­a­tion for use provided. Maintenance pro­ced­ures for haz­ard­ous tasks provided in the main­ten­ance manu­al are an example of this.
Authorization is the pro­ced­ure that an employ­er uses to author­ize a work­er to carry out a par­tic­u­lar task. For example, an employ­er might put a policy in place that only per­mits licensed elec­tri­cians to access elec­tric­al enclos­ures and carry out work with the enclos­ure live. The employ­er might require that work­ers who may need to use lad­ders in their work take a lad­der safety and a fall pro­tec­tion train­ing course. Once the pre­requis­ites for author­iz­a­tion are com­pleted, the work­er is ‘author­ized’ by the employ­er to carry out the task.
Supervision is one of the most crit­ic­al of the Administrative Controls. Sound super­vi­sion can make all of the above work. Failure to prop­erly super­vise work can cause all of these meas­ures to fail.

Failure Modes

Administrative con­trols have many fail­ure modes. Here are some of the most common:

  • Failure to train;
  • Failure to inform work­ers regard­ing the haz­ards present and the related risks;
  • Failure to cre­ate and imple­ment SOP’s;
  • Failure to provide and main­tain spe­cial equip­ment needed to imple­ment SOP’s;
  • No form­al means of author­iz­a­tion – i.e. How do you KNOW that Joe has his lift truck license?;
  • Failure to super­vise adequately.

I’m sure you can think of MANY oth­er ways that Administrative Controls can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes everything from safety glasses, to hard­hats and bump caps, to fire-​retardant cloth­ing, hear­ing defend­ers, and work boots. Some stand­ards even include warn­ing devices that are worn by the user, such as gas detect­ors and person-​down detect­ors, in this group.
PPE is prob­ably the single most over-​used and least under­stood risk con­trol meas­ure. It falls at the bot­tom of the hier­archy for a num­ber of reasons:

  1. It is a meas­ure of last resort;
  2. It per­mits the haz­ard to come as close to the per­son as their clothing;
  3. It is often incor­rectly specified;
  4. It is often poorly fitted;
  5. It is often poorly main­tained; and
  6. It is often improp­erly used.

The problems with PPE are hard to deal with. You cannot glue or screw a set of safety glasses to a person’s face, so ensuring that the protective equipment is used is a big problem that goes back to supervision.

Many small and medi­um sized enter­prises do not have the expert­ise in the organ­iz­a­tion to prop­erly spe­cify, fit and main­tain the equipment.

User com­fort is extremely import­ant. Uncomfortable equip­ment won’t be used for long.

Finally, by the time that properly specified, fitted and used equipment can do its job, the hazard is as close to the person as it can get. The probability of failure at this point is very high, which is what makes PPE a measure of last resort, complementary to the more effective measures that can be provided in the first three levels of the hierarchy.

If work­ers are not prop­erly trained and adequately informed about the haz­ards they face and the reas­ons behind the use of PPE, they are deprived of the oppor­tun­ity to make safe choices, even if that choice is to refuse the work.

Failure Modes

Failure modes for PPE include:

  • Incorrect spe­cific­a­tion (not suit­able for the hazard);
  • Incorrect fit (allows haz­ard to bypass PPE);
  • Poor main­ten­ance (pre­vents or restricts vis­ion or move­ment, increas­ing the risk; causes PPE fail­ure under stress or allows haz­ard to bypass PPE);
  • Incorrect usage (fail­ure to train and inform users, incor­rect selec­tion or spe­cific­a­tion of PPE).

Time to Apply the Hierarchy

So now you know some­thing about the ‘hier­archy of con­trols’. Each lay­er has its own intric­a­cies and nuances that can only be learned by train­ing and exper­i­ence. With a doc­u­mented risk assess­ment in hand, you can begin to apply the hier­archy to con­trol the risks. Don’t for­get to iter­ate the assess­ment post-​control to doc­u­ment the degree of risk reduc­tion achieved. You may cre­ate new haz­ards when con­trol meas­ures are applied, and you may need to add addi­tion­al con­trol meas­ures to achieve effect­ive risk reduction.

The doc­u­ments ref­er­enced below should give you a good start in under­stand­ing some of these challenges.


NOTE: [1], [2], and [3] were combined by ISO and republished as ISO 12100:2010. This standard has no technical changes from the preceding standards, but combines them in a single document. ISO/TR 14121-2 remains current and should be used with the current edition of ISO 12100.

[1] Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology and methodology, ISO Standard 12100-1, 2003.
[2] Safety of machinery – Basic concepts, general principles for design – Basic terminology and methodology, Part 2: Technical principles, ISO Standard 12100-2, 2003.
[3] Safety of Machinery – Risk Assessment – Part 1: Principles, ISO Standard 14121-1, 2007.
[4] Safety of machinery – Prevention of unexpected start-up, ISO 14118, 2000.
[5] Control of hazardous energy – Lockout and other methods, CSA Z460, 2005.
[6] Fluid power systems and components – Graphic symbols and circuit diagrams – Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219-1, 2006.
[7] Pneumatic fluid power – General rules and safety requirements for systems and their components, ISO Standard 4414, 1998.
[8] American National Standard for Industrial Robots and Robot Systems – Safety Requirements, ANSI/RIA R15.06, 1999.
[9] Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design, ISO Standard 13849-1, 2006.
[10] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005.
[11] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.
[12] Preparation of Instructions – Structuring, Content and Presentation, IEC Standard 62079, 2001.
[13] American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.
[14] Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.
[15] Safety of Machinery – Interlocking devices associated with guards – principles for design and selection, EN 1088+A1:2008.
[16] Safety of Machinery – Guards – General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009.
[17] Safety of machinery – Guards – General requirements for the design and construction of fixed and movable guards, ISO 14120.
[18] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.
[19] Safety of machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.


Author: Doug Nix

Doug Nix is Managing Director and Principal Consultant at Compliance InSight Consulting, Inc. (http://www.complianceinsight.ca) in Kitchener, Ontario, and is Lead Author and Managing Editor of the Machinery Safety 101 blog. Doug's work includes teaching machinery risk assessment techniques privately and through Conestoga College Institute of Technology and Advanced Learning in Kitchener, Ontario, as well as providing technical services and training programs to clients related to risk assessment, industrial machinery safety, safety-related control system integration and reliability, laser safety and regulatory conformity.

  • Stewart Riddel

    Good art­icle Doug.
    I entirely agree there is a great deal of misunderstanding about the hierarchy of control out there, however, I do think in many instances it’s a wilful misunderstanding. It’s much easier and cheaper to supply a pair of gloves than install appropriate guarding.

    • Stewart,
      Thanks for the kind words!
      I completely agree with you regarding the willful misapplication of the Hierarchy. I also agree that this is only partially due to ignorance of the hierarchy and its correct application. Looking at Fig. 2 from ISO 12100, the breakdown that we are talking about happens at the point where the risk related to the machinery is transferred to the user and therefore to the worker. If you look at the bands illustrating the decreasing level of risk on the right side of that figure, you will note that the manufacturer or designer is seldom able to reduce the risks to a tolerable or acceptable level based solely on engineering controls, and that information for use, administrative controls and PPE are required in most cases to effectively control the risk. Failure on the part of employers to implement these measures and to skip directly to PPE is one of the key elements contributing to workplace injuries and fatalities. Since most of us think ‘It can’t happen here or to me!’ at some level, many employers, particularly small and medium sized employers, don’t actually believe that they can have a serious injury or a fatality in their workplace. Once it happens they are shocked. Unfortunately, that’s why we have to have regulators to enforce these requirements. The problem is that in many cases this is reactive and not proactive, and someone is already in hospital or worse.