Category Archives: Robotics - Page 2

Why you should stop using the term ‘Deadman’

Do you use the phrase ‘deadman’ or ‘deadman switch’ when talking about safety related controls on your machinery? I often run into this when I’m working with clients who use the terms to refer to ‘enabling devices’ — you know, those two or three-position switches that are found on robot teaching pendants and in other applications to give the operator a way to stop machinery, even if they have already been injured or killed by the equipment. Calling these devices a ‘Deadman Switch’, or even a ‘Live-Man Switch’ as the three-position devices are sometimes called, sends entirely the wrong message to the user as far as I’m concerned. The objective of our work as machinery safety engineers is to prevent injuries from happening in the first place. Using a device that is designed to determine if the user is dead or unconscious means someone screwed up.

A little history

The term ‘deadman’ comes from a device that was developed by the railroad locomotive builders in the 1800’s. In those days, locomotives were fired by coal or wood used to heat the boiler to generate steam. The engines were usually attended by two men: a Fireman and the Engineer. The Fireman’s job was primarily to keep the firebox stoked and to assist the Engineer. The Engineer’s job was to keep the locomotive running, including driving the train.

The cabin was generally open at the back, and even in cold weather this was seldom a problem because the heat from the firebox was more than enough to keep the men warm. In the summer, it was very difficult to keep the cab cool enough, even with the windows open.

The motion of the engine was regulated with two valves: one that provided the forward / reverse selection, and a long lever with a ratchet mechanism that controlled the speed and braking. The ratchet allowed the engineer to set the valve in one position and have it stay steady. As long as the boiler was producing sufficient steam, the engine would keep on rolling.

The locomotives occasionally had problems with carbon monoxide building up in the cab, causing the engineer to slip into unconsciousness and sometimes die. As long as the CO didn’t also affect the fireman, the engine could be stopped. In the summer, the possibility of heat exhaustion and heat stroke could also cause the men to succumb while the train was moving.

A ‘deadman’ pedal in a railway locomotive

Since the speed valve was normally set in one position, the train could continue with the crew unconscious or worse. After some terrible accidents, designers came up with the ‘deadman’ control — the engineer would be required to maintain a device in a certain position in addition to the speed control valve, otherwise the brakes would be applied, stopping the engine. The intent was literally to detect a dead man at the controls!

With the advent of electric trains, trams and subways, the concerns about heat and CO were eliminated, but other possibilities, including heart attacks and other infirmities, caused these devices to be integrated into these new transportation systems. To learn more about these applications, see the Wikipedia article Dead Man’s Switch.

It’s worth noting that the railways now call these devices ‘Driver Safety Devices’ or DSD. See a modern DSD at the Arrowvale Electronics web site.

Robots Enter the Picture

Motoman Pendant showing Enabling Device

In the 1980’s industrial robots began to appear in the workplace. Accidents in these early days drove changes in the design of the control pendants used to ‘teach’ these devices their tasks. Early pendants provided motion control and an emergency stop device. Later, the motion controls were altered to become ‘hold-to-run’ devices that could jog the selected robot axis at a pre-selected slow speed, one axis at a time. In the 90’s the ‘enabling device’ was added to the pendant. These two-position switches, still called ‘dead-man switches’, had to be held closed in order for the robot to move under control of the axis hold-to-run controls. Accidents continued to occur. In the mid 90’s the three-position enabling device, sometimes called a ‘live-man switch’, was introduced after studies showed that some people would release their grip on the control pendant when struck by the robot, while others would clench the hand holding the pendant. The new switches are required to be held in the mid position to enable motion. The picture at left shows the back of a modern robot pendant. The black bar in the lower right is the enabling device, located so that your hand will naturally hold the device in the correct position when you hold the pendant in your left hand. Not so good if you are left-handed!

ABB IRB640 Robot Pendant

Euchner ZS Switches

In addition to the pendant enabling devices, additional enabling devices are required where more than one worker is required inside the danger zone of the machine. These devices can be purchased separately and added to systems as needed. Depending on the application, you can get these devices with emergency stop buttons and jog buttons integrated into a single unit, as shown in the picture of the Euchner ZS switches.

Machinery Standards and Definitions

Enabling devices are one of those protective measures that cannot be readily classified as a safeguarding device, because they do not proactively prevent injury. Instead, like an emergency stop, they may allow a worker to avert or limit harm that is already occurring. That makes the enabling device a ‘complementary protective measure’.

Let’s take a minute to look at a couple of important definitions from the machinery standards. At the moment, the best definition for a complementary protective measure comes from the Canadian standard, CSA Z432-04. Excerpted from CSA Z432-04, §6.2.3.5.3 Complementary Protective Measures:

Protective measures that are neither inherently safe design measures, nor safeguarding (implementation of guards and/or protective devices), nor information for use may have to be implemented as required by the intended use and the reasonably foreseeable misuse of the machine. Such measures shall include, but not be limited to,

a) emergency stop;

b) means of rescue of trapped persons; and

c) means of energy isolation and dissipation.

Let’s also look at the formal definition of an ‘enabling device’ in the same standard:

7.23.3 Enabling devices
7.23.3.1
An enabling device is an additional manually operated 2- or 3-position control device used in conjunction with a start control and which, when continuously actuated in one position only, allows a machine to function. In any other position, motion is stopped or a start is prevented.

7.23.3.2
Enabling devices shall have the following features:

a) They shall be connected to a Category 0 or a Category 1 stop (see NFPA 79).

b) They shall be designed in accordance with ergonomic principles:

(i) position 1 is the off function of the switch (actuator is not operated);

(ii) position 2 is the enabling function (actuator is operated); and

(iii) position 3 (if used) is the off function of the switch (actuator is operated past its mid position).

c) Three-position enabling devices shall be designed to require manual operation in order to reach position 3.

d) When returning from position 3 to position 2, the function shall not be enabled.

e) An enabling device shall automatically return to its off function when its actuator is not manually held in the enabling position.

Note: Tests have shown that human reaction to an emergency may be to release an object or to hold on tighter, thus compressing an enabling device. The ergonomic issues of sustained activation should be considered during design and installation of the enabling device.

OMRON A4EG Enabling Switches

Similar definitions exist in the International, European and US standards, although they may not be quite as formalized.

Most enabling devices on their own do nothing except PERMIT motion to take place, although the actual definition of enabling device in CSA Z432 permits the enabling device to cause motion. Absence of the enabling signal prevents or stops motion. These devices are then used in conjunction with hold-to-run controls on robots and machinery, and with throttle controls on trains, street cars, subways and similar equipment. Note that most standards do not permit enabling devices to actually cause motion. This is a unique situation in the Canadian standard.
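The positional rules in 7.23.3.2 b) through e) of CSA Z432 quoted above, together with the way the enabling device is combined with a hold-to-run control on a robot pendant, amount to a small state machine, and the standard’s Note explains why the third position exists. The Python model below is an added example written for this page; it is not code from the standard, from CSA, or from any pendant vendor. The class and function names (EnablingDevice, motion_permitted, simulate), the Position enumeration and the constructed operating sequence are assumptions of the example. It enforces rule d): once the actuator has been pushed through to position 3, returning to position 2 does not re-enable until the actuator has been fully released to position 1, and it requires both the enable signal and the jog button before motion is permitted, so the enabling device only permits motion rather than causing it.

```python
from enum import Enum


class Position(Enum):
    """Actuator positions of a 3-position enabling device (CSA Z432 7.23.3.2 b)."""
    RELEASED = 1   # position 1: actuator not operated -> off
    MID = 2        # position 2: actuator held at mid travel -> enabling
    PRESSED = 3    # position 3: actuator pushed past mid (clenched grip) -> off


class EnablingDevice:
    """Hypothetical model of a 3-position enabling device (example code, not a vendor API)."""

    def __init__(self) -> None:
        self.position = Position.RELEASED
        # Set once the actuator reaches position 3 and cleared only by a full
        # release to position 1.  Implements rule d): returning from
        # position 3 to position 2 shall not enable.
        self._passed_through = False

    def move_to(self, new: Position) -> bool:
        """Apply an actuator movement and return the resulting enable state."""
        if new is Position.PRESSED:
            self._passed_through = True
        elif new is Position.RELEASED:
            self._passed_through = False
        self.position = new
        return self.enabled

    @property
    def enabled(self) -> bool:
        """Enable signal: position 2 only, and only if position 3 was not passed through."""
        return self.position is Position.MID and not self._passed_through


def motion_permitted(device: EnablingDevice, jog_held: bool) -> bool:
    """Axis motion needs the enable signal AND the hold-to-run jog button.

    The enabling device only permits motion; the jog control is what commands it.
    Losing either one stops or prevents motion.
    """
    return device.enabled and jog_held


def simulate(events):
    """Run a sequence of (position, jog_held) operator actions on a fresh device
    and return whether motion was permitted after each action."""
    device = EnablingDevice()
    outcome = []
    for position, jog_held in events:
        device.move_to(position)
        outcome.append(motion_permitted(device, jog_held))
    return outcome


# Constructed operating sequence (not taken from the page) covering both human
# reactions described in the standard's Note: clenching (through to position 3)
# and letting go (back to position 1).
CONSTRUCTED_SEQUENCE = [
    (Position.MID, True),        # squeeze to mid and press jog          -> motion
    (Position.PRESSED, True),    # startle: clench through to position 3 -> stop
    (Position.MID, True),        # relax back to mid, jog still held     -> no motion (rule d)
    (Position.RELEASED, True),   # full release to position 1            -> no motion
    (Position.MID, True),        # squeeze again                         -> motion
    (Position.MID, False),       # enable held but jog released          -> no motion
    (Position.RELEASED, False),  # startle: let go of the pendant        -> no motion (rule e)
]

if __name__ == "__main__":
    for (position, jog_held), moving in zip(CONSTRUCTED_SEQUENCE, simulate(CONSTRUCTED_SEQUENCE)):
        print(f"{position.name:<9} jog={jog_held!s:<5} motion={moving}")
```

Running the module prints one line per operator action; the third line is the interesting one, where the operator has relaxed back to the mid position after clenching and the robot still does not move until the switch has been fully released and re-engaged.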

So what’s the big deal?

Using the terms ‘dead-man’ or ‘live-man’ to describe these devices puts the wrong message out as far as I’m concerned. As safety engineers and OHS practitioners, we care about keeping workers out of danger. This is not about checking whether we have a ‘dead man’ or a ‘live man’, but rather about ensuring that the person in control of the equipment is ‘in control’. Using a phrase like ‘enabling device’ clearly says what the device does.

In my opinion, and supported by the current International and Canadian Standards, these terms must be abandoned in favour of ‘enabling device’ and the qualifiers ‘2-position enabling device’ and ‘3-position enabling device’. These terms are also used in many of the current machinery safety standards, so using them correctly improves clarity in writing and speaking. Clarity in communication in safety is too important for practitioners to permit the ongoing use of terms that convey the wrong message and do not promote clarity of meaning. Since clarity is often lacking when it comes to safety, anything we can do to improve our communications should be high on our priority list!

Updates to Popular Articles

This entry is part 8 of 9 in the series Emergency Stop

We’ve recently updated a couple of our popular articles! Check them out!

Busting Emergency Stop Myths

Reader Question: Multiple E-Stops and Resets

Understanding the Hierarchy of Controls

Effectiveness of the Hierarchy of Controls
This entry is part 2 of 3 in the series Hierarchy of Controls

Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100–1 (shown below) illustrates this point.

The system is called a hierarchy because you must apply each level in the order that they fall in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, down to the last, PPE*, which has the least effectiveness.

It’s important to understand that questions must be asked after each step in the hierarchy is implemented: “Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?” When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training needed and finally have made recommendations for any needed PPE.

*PPE — Personal Protective Equipment, e.g. protective eye wear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes ‘…anything designed to be worn, held, or carried by an individual for protection against one or more hazards.’ in this definition.

ISO 12100:2010 — Figure 2: Risk Reduction from the Designer’s Viewpoint

Introducing the Hierarchy of Controls

The Hierarchy of Controls was developed in a number of different standards over the last 20 years or so. The idea was to provide a common structure that would provide guidance to designers when controlling risk.

Typically, the first three levels of the hierarchy may be considered to be ‘engineering controls’ because they are part of the design process for a product. This does not mean that they must be done by engineers!

We’ll look at each level in the hierarchy in detail. First, let’s take a look at what is included in the Hierarchy.

The Hierarchy of Controls includes:

1) Hazard Elimination or Substitution (Design)
2) Engineering Controls (see [1, 2, 8, 9, 10, and 11])
   a) Barriers
   b) Guards (Fixed, Movable w/interlocks)
   c) Safeguarding Devices
   d) Complementary Protective Measures
3) Information for Use (see [1, 2, 4, 7, 8, 12, and 13])
   a) Hazard Warnings
   b) Manuals
   c) HMI* & Awareness Devices (lights, horns)
4) Administrative Controls (see [1, 2, 4, 5, 7, and 8])
   a) Training
   b) SOP’s
   c) Hazardous Energy Control Procedures (see [5, 14])
   d) Authorization
5) Personal Protective Equipment
   a) Specification
   b) Fitting
   c) Training in use
   d) Maintenance

*HMI: Human-Machine Interface. Also called the ‘console’ or ‘operator station’. The location on the machine where the operator controls are located. Often includes a programmable screen or operator display, but can be a simple array of buttons, switches and indicator lights.

The manufacturer, developer or integrator of the system should provide the first three levels of the hierarchy. Where they have not been provided, the workplace or user should provide them.

The last two levels must be provided by the workplace or user.

Effectiveness

Each layer in the hierarchy has a level of effectiveness that is related to the failure modes associated with the control measures and the relative effectiveness in reducing risk in that layer. As you go down the hierarchy, the reliability and effectiveness decrease, as shown below.

Effectiveness of the Hierarchy of Controls

There is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy — that must wait until you make some selections from each level, and even then it can be very hard to do. The important thing to understand is that Elimination is more effective than Guarding (engineering controls), which is more effective than Awareness Means, etc.

1. Hazard Elimination or Substitution

Hazard Elimination

Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean that elimination is 100% effective; however, it’s my opinion that this is not the case, because even elimination has failure modes that can re-introduce the hazard.

Failure Modes:

Hazard elimination can fail if the hazard is reintroduced into the design. With machinery this isn’t that likely to occur, but in processes, services and workplaces it can occur.

Substitution

Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process, since beryllium is not toxic unless ingested.

Alternatively, using processes to handle the beryllium without creating dust or particles could reduce the exposure to the material in forms that are likely to cause beryllium disease. An example of this could be substitution of water-jet cutting instead of mechanical sawing of the material.

Failure Modes:

Reintroduction of the substituted material into a process is the primary failure mode; however, there may be others that are specific to the hazard and the circumstances. In the above example, pre- and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other, new hazards, or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!

If neither elimination nor substitution is possible, we move to the next level in the hierarchy.

2. Engineering Controls

Engineering controls typically include various types of mechanical guards [16, 17, & 18], interlocking systems [9, 10, 11, & 15], and safeguarding devices like light curtains or fences, area scanners, safety mats and two-hand controls [19]. These systems are proactive in nature, acting automatically to prevent access to a hazard and therefore preventing injury. These systems are designed to act before a person can reach the danger zone and be exposed to the hazard.

Control reliability

Barrier guards and fixed guards are not evaluated for reliability because they do not rely on a control system for their effectiveness. As long as they are placed correctly in the first place, and are otherwise properly designed to contain the hazards they are protecting, then nothing more is required. On the other hand, safeguarding devices, like interlocked guards, light fences, light curtains, area scanners, safety mats, two-hand controls and safety edges, all rely on a control system for their effectiveness. Correct application of these devices requires correct placement based on the stopping performance of the hazard and correct integration of the safety device into the safety related parts of the control system [19]. The degree of reliability is based on the amount of risk reduction that is being required of the safeguarding device and the degree of risk present in the unguarded state [9, 10].

There are many detailed technical requirements for engineering controls that I can’t get into in this article, but you can learn more by checking out the references at the end of this article and other articles on this blog.

Failure Modes

Failure modes for engineering controls are as many and as varied as the devices used and the methods of integration chosen. This discussion will have to wait for another article!

Awareness Devices

Of special note are ‘awareness devices’. This group includes warning lights, horns, buzzers, bells, etc. These devices have some aspects that are similar to engineering controls, in that they are usually part of the machine control system, but they are also sometimes classed as ‘information for use’, particularly when you consider indicator or warning lights and HMI screens. In addition to these ‘active’ types of devices, awareness devices may also include lines painted or taped on the floor or on the edge of a step or elevation change, warning chains, signage, etc. Signage may also be included in the class of ‘information for use’, along with HMI screens.

Failure Modes

Failure modes for Awareness Devices include:

  • Ignoring the warnings (complacency or failure to comprehend the meaning of the warning);
  • Failure to maintain the device (warning lights burned out or removed);
  • Defeat of the device (silencing an audible warning device);
  • Inappropriate selection of the device (invisible or inaudible in the predominating conditions).

Complementary Protective Measures

Complementary protective measures are a class of controls that are separate from the various types of safeguarding because they generally cannot prevent injury, but may reduce the severity of injury or the probability of the injury occurring. Complementary protective measures are reactive in nature, meaning that they are not automatic. They must be manually activated by a user before anything will occur, e.g. pressing an emergency stop button. They can only complement the protection provided by the automatic systems.

A good example of this is the Emergency Stop system that is designed into many machines. On its own, the emergency stop system will do nothing to prevent an injury. The system must be activated manually by pressing a button or pulling a cable. This relies on someone detecting a problem and realizing that the machine needs to be stopped to avoid or reduce the severity of an injury that is about to occur or is occurring. Emergency stop can only ever be a back-up measure to the automatic interlocks and safeguarding devices used on the machine. In many cases, the next step in emergency response after pressing the emergency stop is to call 911.

Failure Modes:

The failure modes for these kinds of controls are too numerous to list here; however, they range from simple failure to replace a fixed guard or barrier fence, to failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called ‘Functional Safety Engineering’ has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [9, 10, 11].

Once you have exhausted all the possibilities in Engineering Controls, you can move to the next level down in the hierarchy.

3. Information for Use

This is a very broad topic, including manuals, instruction sheets, information labels on the product, hazard warning signs and labels, HMI screens, indicator and warning lights, training materials, video, photographs, drawings, bills of materials, etc. There are some excellent standards now available that can guide you in developing these materials [1, 12 and 13].

Failure Modes:

The major failure modes in this level include:

  • Poorly written or incomplete materials;
  • Provision of the materials in a language that is not understood by the user;
  • Failure by the user to read and understand the materials;
  • Inability to access the materials when needed;
  • Etcetera.

When all possibilities for informing the user have been covered, you can move to the next level down in the hierarchy. Note that this is the usual separation point between the manufacturer and the user of a product. This is nicely illustrated in Fig 2 from ISO 12100 above. It is important to understand at this point that the residual risk posed by the product to the user may not yet be tolerable. The user is responsible for implementing the next two levels in the hierarchy in most cases. The manufacturer can make recommendations that the user may want to follow, but typically that is the extent of influence that the manufacturer will have on the user.

4. Administrative Controls

This level in the hierarchy includes:

  • Training;
  • Standard Operating Procedures (SOP’s);
  • Safe working procedures, e.g. Hazardous Energy Control, Lockout, Tagout (where permitted by law), etc.;
  • Authorization; and
  • Supervision.

Training is the method used to get the information provided by the manufacturer to the worker or end user. This can be provided by the manufacturer, by a third party, or self-taught by the user or worker.

SOP’s can include any kind of procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and logging of any problems found during the inspection, is an example of an SOP to reduce risk while driving.

Safe working procedures can be strongly influenced by the manufacturer through the information for use provided. Maintenance procedures for hazardous tasks provided in the maintenance manual are an example of this.

Authorization is the procedure that an employer uses to authorize a worker to carry out a particular task. For example, an employer might put a policy in place that only permits licensed electricians to access electrical enclosures and carry out work with the enclosure live. The employer might require that workers who may need to use ladders in their work take a ladder safety and a fall protection training course. Once the prerequisites for authorization are completed, the worker is ‘authorized’ by the employer to carry out the task.

Supervision is one of the most critical of the Administrative Controls. Sound supervision can make all of the above work. Failure to properly supervise work can cause all of these measures to fail.

Failure Modes

Administrative controls have many failure modes. Here are some of the most common:

  • Failure to train;
  • Failure to inform workers regarding the hazards present and the related risks;
  • Failure to create and implement SOP’s;
  • Failure to provide and maintain special equipment needed to implement SOP’s;
  • No formal means of authorization — i.e. how do you KNOW that Joe has his lift truck license?;
  • Failure to supervise adequately.

I’m sure you can think of MANY other ways that Administrative Controls can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes everything from safety glasses, to hardhats and bump caps, to fire-retardant clothing, hearing defenders, and work boots. Some standards even include warning devices that are worn by the user, such as gas detectors and person-down detectors, in this group.

PPE is probably the single most over-used and least understood risk control measure. It falls at the bottom of the hierarchy for a number of reasons:

  1. It is a measure of last resort;
  2. It permits the hazard to come as close to the person as their clothing;
  3. It is often incorrectly specified;
  4. It is often poorly fitted;
  5. It is often poorly maintained; and
  6. It is often improperly used.

The problems with PPE are hard to deal with. You cannot glue or screw a set of safety glasses to a person’s face, so ensuring that the protective equipment is used is a big problem that goes back to supervision.

Many small and medium sized enterprises do not have the expertise in the organization to properly specify, fit and maintain the equipment.

User comfort is extremely important. Uncomfortable equipment won’t be used for long.

Finally, by the time that properly specified, fitted and used equipment can do its job, the hazard is as close to the person as it can get. The probability of failure at this point is very high, which is what makes PPE a measure of last resort, complementary to the more effective measures that can be provided in the first three levels of the hierarchy.

If workers are not properly trained and adequately informed about the hazards they face and the reasons behind the use of PPE, they are deprived of the opportunity to make safe choices, even if that choice is to refuse the work.

Failure Modes

Failure modes for PPE include:

  • Incorrect specification (not suitable for the hazard);
  • Incorrect fit (allows hazard to bypass PPE);
  • Poor maintenance (prevents or restricts vision or movement, increasing the risk; causes PPE failure under stress or allows hazard to bypass PPE);
  • Incorrect usage (failure to train and inform users, incorrect selection or specification of PPE).

Time to Apply the Hierarchy

So now you know something about the ‘hierarchy of controls’. Each layer has its own intricacies and nuances that can only be learned by training and experience. With a documented risk assessment in hand, you can begin to apply the hierarchy to control the risks. Don’t forget to iterate the assessment post-control to document the degree of risk reduction achieved. You may create new hazards when control measures are applied, and you may need to add additional control measures to achieve effective risk reduction.

The documents referenced below should give you a good start in understanding some of these challenges.

References

5% Discount on All Standards with code: CC2011

[1] Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology and methodology, ISO Standard 12100–1, 2003.
[2] Safety of machinery – Basic concepts, general principles for design – Part 2: Technical principles, ISO Standard 12100–2, 2003.
[3] Safety of machinery – Risk assessment – Part 1: Principles, ISO Standard 14121–1, 2007.
[4] Safety of machinery – Prevention of unexpected start-up, ISO Standard 14118, 2000.
[5] Control of hazardous energy – Lockout and other methods, CSA Z460, 2005.
[6] Fluid power systems and components – Graphic symbols and circuit diagrams – Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219–1, 2006.
[7] Pneumatic fluid power – General rules and safety requirements for systems and their components, ISO Standard 4414, 1998.
[8] American National Standard for Industrial Robots and Robot Systems – Safety Requirements, ANSI/RIA R15.06, 1999.
[9] Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design, ISO Standard 13849–1, 2006.
[10] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005.
[11] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.
[12] Preparation of instructions – Structuring, content and presentation, IEC Standard 62079, 2001.
[13] American National Standard for Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.
[14] Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.
[15] Safety of machinery – Interlocking devices associated with guards – Principles for design and selection, EN 1088+A1:2008.
[16] Safety of machinery – Guards – General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009.
[17] Safety of machinery – Guards – General requirements for the design and construction of fixed and movable guards, ISO 14120.
[18] Safety of machinery – Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.
[19] Safety of machinery – Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.

