We’ve recently updated a couple of our popular articles! Check them out!
Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100-1 (shown below) illustrates this point.
The system is called a hierarchy because you must apply each level in the order that they fall in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, down to the last, PPE*, which has the least effectiveness.
It’s important to understand that questions must be asked after each step in the hierarchy is implemented, and that is “Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?”. When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training needed and finally have made recommendations for any needed PPE.
*PPE – Personal Protective Equipment. e.g. Protective eye wear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes ‘…anything designed to be worn, held, or carried by an individual for protection against one or more hazards.’ in this definition.
Introducing the Hierarchy of Controls
The Hierarchy of Controls was developed in a number of different standards over the last 20 years or so. The idea was to provide a common structure that would provide guidance to designers when controlling risk.
Typically, the first three levels of the hierarchy may be considered to be ‘engineering controls’ because they are part of the design process for a product. This does not mean that they must be done by engineers!
We’ll look at each level in the hierarchy in detail. First, let’s take a look at what is included in the Hierarchy.
The Hierarchy of Controls includes:
1) Hazard Elimination or Substitution (Design)
2) Engineering Controls (see [1, 2, 8, 9, 10, and 11])
b) Guards (Fixed, Movable w/interlocks)
c) Safeguarding Devices
d) Complementary Protective Measures
3) Information for Use (see [1, 2, 4, 7, 8, 12, and 13])
a) Hazard Warnings
c) HMI* & Awareness Devices (lights, horns)
4) Administrative Controls (see [1, 2, 4, 5, 7, and 8])
c) Hazardous Energy Control Procedures (see [5, 14])
5) Personal Protective Equipment
c) Training in use
*HMI – Human-Machine Interface. Also called the ‘console’ or ‘operator station’. The location on the machine where the operator controls are located. Often includes a programmable screen or operator display, but can be a simple array of buttons, switches and indicator lights.
The manufacturer, developer or integrator of the system should provide the first three levels of the hierarchy. Where they have not been provided, the workplace or user should provide them.
The last two levels must be provided by the workplace or user.
Each layer in the hierarchy has a level of effectiveness that is related to the failure modes associated with the control measures and the relative effectiveness in reducing risk in that layer. As you go down the hierarchy, the reliability and effectiveness decrease as shown below.
There is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy – that must wait until you make some selections from each level, and even then it can be very hard to do. The important thing to understand is that Elimination is more effective than Guarding (engineering controls), which is more effective than Awareness Means, etc.
1. Hazard Elimination or Substitution
Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean the elimination is 100% effective, however it’s my opinion that this is not the case because even elimination has failure modes that can re-introduce the hazard.
Hazard elimination can fail if the hazard is reintroduced into the design. With machinery this isn’t that likely to occur, but in processes, services and workplaces it can occur.
Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process, since beryllium is not toxic unless ingested.
Alternatively, using processes to handle the beryllium without creating dust or particles could reduce the exposure to the material in forms that are likely to cause beryllium disease. An example of this could be substitution of water-jet cutting instead of mechanical sawing of the material.
Reintroduction of the substituted material into a process is the primary failure mode, however there may be others that are specific to the hazard and the circumstances. In the above example, pre- and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other, new hazards, or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!
If neither elimination or substitution is possible, we move to the next level in the hierarchy.
2. Engineering Controls
Engineering controls typically include various types of mechanical guards [16, 17, & 18], interlocking systems [9, 10, 11, & 15], and safeguarding devices like light curtains or fences, area scanners, safety mats and two-hand controls . These systems are proactive in nature, acting automatically to prevent access to a hazard and therefore preventing injury. These systems are designed to act before a person can reach the danger zone and be exposed to the hazard.
Barrier guards and fixed guards are not evaluated for reliability because they do not rely on a control system for their effectiveness. As long as they are placed correctly in the first place, and are otherwise properly designed to contain the hazards they are protecting, then nothing more is required. On the other hand, safeguarding devices, like interlocked guards, light fences, light curtains, area scanners, safety mats, two-hand controls and safety edges, all rely on a control system for their effectiveness. Correct application of these devices requires correct placement based on the stopping performance of the hazard and correct integration of the safety device into the safety related parts of the control system . The degree of reliability is based on the amount of risk reduction that is being required of the safeguarding device and the degree of risk present in the unguarded state [9, 10].
There are many detailed technical requirements for engineering controls that I can’t get into in this article, but you can learn more by checking out the references at the end of this article and other articles on this blog.
Failure modes for engineering controls are as many and as varied as the devices used and the methods of integration chosen. This discussion will have to wait for another article!
Of special note are ‘awareness devices’. This group includes warning lights, horns, buzzers, bells, etc. These devices have some aspects that are similar to engineering controls, in that they are usually part of the machine control system, but they are also sometimes classed as ‘information for use’, particularly when you consider indicator or warning lights and HMI screens. In addition to these ‘active’ types of devices, awareness devices may also include lines painted or taped on the floor or on the edge of a step or elevation change, warning chains, signage, etc. Signage may also be included in the class of ‘information for use’, along with HMI screens.
Failure modes for Awareness Devices include:
- Ignoring the warnings (Complacency or Failure to comprehend the meaning of the warning);
- Failure to maintain the device (warning lights burned out or removed);
- Defeat of the device (silencing an audible warning device);
- Inappropriate selection of the device (invisible or inaudible in the predominating conditions).
Complementary Protective Measures
Complementary Protective measures are a class of controls that are separate from the various types of safeguarding because they generally cannot prevent injury, but may reduce the severity of injury or the probability of the injury occurring. Complementary protective measures are reactive in nature, meaning that they are not automatic. They must be manually activated by a user before anything will occur, e.g. pressing an emergency stop button. They can only complement the protection provided by the automatic systems.
A good example of this is the Emergency Stop system that is designed into many machines. On its own, the emergency stop system will do nothing to prevent an injury. The system must be activated manually by pressing a button or pulling a cable. This relies on someone detecting a problem and realizing that the machine needs to be stopped to avoid or reduce the severity of an injury that is about to occur or is occurring. Emergency stop can only ever be a back-up measure to the automatic interlocks and safeguarding devices used on the machine. In many cases, the next step in emergency response after pressing the emergency stop is to call 911.
The failure modes for these kinds of controls are too numerous to list here, however they range from simple failure to replace a fixed guard or barrier fence, to failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called ‘Functional Safety Engineering’ has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [9, 10, 11].
Once you have exhausted all the possibilities in Engineering Controls, you can move to the next level down in the hierarchy.
3. Information for Use
This is a very broad topic, including manuals, instruction sheets, information labels on the product, hazard warning signs and labels, HMI screens, indicator and warning lights, training materials, video, photographs, drawings, bills of materials, etc. There are some excellent standards now available that can guide you in developing these materials [1, 12 and 13].
The major failure modes in this level include:
- Poorly written or incomplete materials;
- Provision of the materials in a language that is not understood by the user;
- Failure by the user to read and understand the materials;
- Inability to access the materials when needed;
When all possibilities for informing the user have been covered, you can move to the next level down in the hierarchy. Note that this is the usual separation point between the manufacturer and the user of a product. This is nicely illustrated in Fig 2 from ISO 12100 above. It is important to understand at this point that the residual risk posed by the product to the user may not yet be tolerable. The user is responsible for implementing the next two levels in the hierarchy in most cases. The manufacturer can make recommendations that the user may want to follow, but typically that is the extent of influence that the manufacturer will have on the user.
4. Administrative Controls
This level in the hierarchy includes:
- Standard Operating Procedures (SOP’s);
- Safe working procedures e.g. Hazardous Energy Control, Lockout, Tagout (where permitted by law), etc.;
- Authorization; and
Training is the method used to get the information provided by the manufacturer to the worker or end user. This can be provided by the manufacturer, by a third party, or self-taught by the user or worker.
SOP’s can include any kind of procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and logging of any problems found during the inspection is an example of an SOP to reduce risk while driving.
Safe working procedures can be strongly influenced by the manufacturer through the information for use provided. Maintenance procedures for hazardous tasks provided in the maintenance manual are an example of this.
Authorization is the procedure that an employer uses to authorize a worker to carry out a particular task. For example, an employer might put a policy in place that only permits licensed electricians to access electrical enclosures and carry out work with the enclosure live. The employer might require that workers who may need to use ladders in their work take a ladder safety and a fall protection training course. Once the prerequisites for authorization are completed, the worker is ‘authorized’ by the employer to carry out the task.
Supervision is one of the most critical of the Administrative Controls. Sound supervision can make all of the above work. Failure to properly supervise work can cause all of these measures to fail.
Administrative controls have many failure modes. Here are some of the most common:
- Failure to train;
- Failure to inform workers regarding the hazards present and the related risks;
- Failure to create and implement SOP’s;
- Failure to provide and maintain special equipment needed to implement SOP’s;
- No formal means of authorization – i.e. How do you KNOW that Joe has his lift truck license?;
- Failure to supervise adequately.
I’m sure you can think of MANY other ways that Administrative Controls can go wrong!
5. Personal Protective Equipment (PPE)
PPE includes everything from safety glasses, to hardhats and bump caps, to fire-retardant clothing, hearing defenders, and work boots. Some standards even include warning devices that are worn by the user, such as gas detectors and person-down detectors, in this group.
PPE is probably the single most over-used and least understood risk control measure. It falls at the bottom of the hierarchy for a number of reasons:
- It is a measure of last resort;
- It permits the hazard to come as close to the person as their clothing;
- It is often incorrectly specified;
- It is often poorly fitted;
- It is often poorly maintained; and
- It is often improperly used.
The problems with PPE are hard to deal with. You cannot glue or screw a set of safety glasses to a person’s face, so ensuring the the protective equipment is used is a big problem that goes back to supervision.
Many small and medium sized enterprises do not have the expertise in the organization to properly specify, fit and maintain the equipment.
User comfort is extremely important. Uncomfortable equipment won’t be used for long.
Finally, by the time that properly specified, fitted and used equipment can do it’s job, the hazard is as close to the person as it can get. The probability of failure at this point is very high, which is what makes PPE a measure of last resort, complementary to the more effective measures that can be provided in the first three levels of the hierarchy.
If workers are not properly trained and adequately informed about the hazards they face and the reasons behind the use of PPE, they are deprived of the opportunity to make safe choices, even if that choice is to refuse the work.
Failure modes for PPE include:
- Incorrect specification (not suitable for the hazard);
- Incorrect fit (allows hazard to bypass PPE);
- Poor maintenance (prevents or restricts vision or movement, increasing the risk; causes PPE failure under stress or allows hazard to bypass PPE);
- Incorrect usage (failure to train and inform users, incorrect selection or specification of PPE).
Time to Apply the Hierarchy
So now you know something about the ‘hierarchy of controls’. Each layer has its own intricacies and nuances that can only be learned by training and experience. With a documented risk assessment in hand, you can begin to apply the hierarchy to control the risks. Don’t forget to iterate the assessment post-control to document the degree of risk reduction achieved. You may create new hazards when control measures are applied, and you may need to add additional control measures to achieve effective risk reduction.
The documents referenced below should give you a good start in understanding some of these challenges.
NOTE: , , and were combined by ISO and republished as ISO 12100:2010. This standard has no technical changes from the preceding standards, but combines them in a single document. ISO/TR 14121-2 remains current and should be used with the current edition of ISO 12100.
 Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology and methodology, ISO Standard 12100-1, 2003.
 Safety of machinery – Basic concepts, general principles for design – Basic terminology and methodology, Part 2: Technical principles, ISO Standard 12100-2, 2003.
 Safety of Machinery – Risk Assessment – Part 1: Principles, ISO Standard 14121-1, 2007.
 Safety of machinery — Prevention of unexpected start-up, ISO 14118, 2000
 Control of hazardous energy – Lockout and other methods, CSA Z460, 2005
 Fluid power systems and components – Graphic symbols and circuit diagrams – Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219-1, 2006
 Pneumatic fluid power — General rules and safety requirements for systems and their components, ISO Standard 4414, 1998
 American National Standard for Industrial Robots and Robot Systems — Safety Requirements, ANSI/RIA R15.06, 1999.
 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2006
 Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005
 Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.
 Preparation of Instructions — Structuring, Content and Presentation, IEC Standard 62079, 2001
 American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.
 Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.
 Safety of Machinery — Interlocking devices associated with guards — principles for design and selection, EN 1088+A1:2008.
 Safety of Machinery — Guards – General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009.
 Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120.
 Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.
 Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.
Emergency stop devices are sometimes, incorrectly, used as part of a lockout procedure for machinery. Learn more about how to correctly used these devices as part of Hazardous Energy Control Procedures for industrial machinery.
Control of hazardous energy is one of the key ways that maintenance and service workers are protected while maintaining industrial equipment. Not so long ago we only thought about ‘Lockout’ or ‘Lockout/Tagout’ procedures, but there is much more to protecting these workers than ‘just’ locking out energy sources. Inevitably conditions come up where safeguards may need to be removed or temporarily bypassed in order to diagnose problems or to make critical but infrequent adjustments to the equipment, and this is where Hazardous Energy Control Procedures, or HECP, come in.
One of the questions I often get when helping clients with developing HECPs for their equipment is, “Can we use the emergency stop circuit for lockout?”. As usual, there is a short answer and a long answer to that simple question!
The Short Answer
The short answer to this question is NO. Lockout requires that sources of hazardous energy be physically isolated or blocked. Control systems may be able to meet parts, but not all of this requirement. Read on if you’d like to know why.
The Long Answer
Lockout procedures are now grouped with other adjustment, diagnostic and test procedures into what are called Hazardous Energy Control Procedures or HECP. In the USA, OSHA publishes a lockout standard in 29 CFR 1910.147, and ANSI publishes ANSI Z244.1.
In Canada we didn’t have a standard for HECP until 2005 when CSA Z460 was published, although all the Provinces and Territories have some language in their legislation that at least alludes to the need for control of hazardous energy. In the Province of Ontario where I live, this requirement shows up in Ontario Regulation 851, Sections 42, 75 and 76.
In the EU, control of hazardous energy is dealt with in ISO 14118:2000, Safety of machinery — Prevention of unexpected start-up.
If you have a look at the sections from the Ontario regulations, they don’t tell you how to perform lockout, and they make little mention of what to do with live work for troubleshooting purposes. The US OSHA regulations read more like a standard, but because they are in legislation they are prescriptive. You MUST meet this minimum requirement, and you may exceed it.
Let’s look at how lockout is defined in the standards.
|Canada (Ontario)||USA (OSHA)||European Union|
Lockout — placement of a lock or tag on an energy-isolating device in accordance with an established procedure, thereby indicating that the energy-isolating device is not to be operated until removal of the lock or tag in accordance with an established procedure.
CSA Z460, 2005
Lockout. The placement of a lockout device on an energy isolating device, in accordance with an established procedure, ensuring that the energy isolating device and the equipment being controlled cannot be operated until the lockout device is removed.
Tagout. The placement of a tagout device on an energy isolating device, in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.
29 CFR 1910.147
2.14 lockout/tagout: The placement of a lock/tag on the energy isolating device in accordance with an established procedure, indicating that the energy isolating device shall not be operated until removal of the lock/tag in accordance with an established procedure. (The term “lockout/tagout” allows the use of a lockout device, a tagout device, or a combination of both.)
3.3 isolation and energy dissipation
procedure which consists of all of the four following actions:
a) isolating (disconnecting, separating) the machine (or defined parts of the machine) from all power supplies;
b) locking (or otherwise securing), if necessary (for instance in large machines or in installations), all the isolating units in the “isolated” position;
c) dissipating or restraining [containing] any stored energy which may give rise to a hazard.
NOTE Energy considered in c) above may be stored in e.g.:
d) verifying by using a safe working procedure that the actions taken according to a), b) and c) above have produced the desired effect.
As you can see, the definitions are fairly similar, although slightly different terms may be used. The ISO standard actually provides the best guidance overall in my opinion. Note that these excerpts are all taken from the definitions sections of the relevant documents.
One of the big differences between the US and Canada is the idea of ‘tagout’ (pronounced TAG-out for those not familiar with the term). Tagout is identical to lockout with the exception of the device that is attached to the energy isolating device. Under certain circumstances the US permits the use of a tag without a lock to secure the energy isolation device. This is not permitted in Canada under any circumstance, and the term ‘tagout’ is not officially recognized. In Canada the term is often taken to mean the addition of a tag to the locking device, a mandatory part of the procedure.
Use of Controls for Energy Isolation
This is where the ‘rubber meets the road’ – how is the source of hazardous energy isolated effectively? To understand the requirements, let’s look at the definition for an Energy Isolating Device.
Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).
CSA Z460, 2005
Note – Bold added for emphasis – DN
Energy isolating device. A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: A manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors, and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy. Push buttons, selector switches and other control circuit type devices are not energy isolating devices.
Note – Bold added for emphasis – DN
Tagout device. A prominent warning device, such as a tag and a means of attachment, which can be securely fastened to an energy isolating device in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.
29 CFR 1910.147
2.8 energy isolating device: A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker, a disconnect switch, a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy.
2.20.1 tagout device: A prominent warning means such as a tag and a means of attachment, which can be securely fastened to an energy isolating device to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.
4.1 Isolation and energy dissipation
Machines shall be provided with means intended for isolation and energy dissipation (see clause 5), especially with a view to major maintenance, work on power circuits and decommissioning in accordance with the essential safety requirement expressed in ISO/TR 12100-2:1992, annex A, 1.6.3.
Note – ISO/TR 12100-2 was withdrawn in Oct-10 and replaced by ISO 12100-2010. – DN Read more on this.
5.1 Devices for isolation from power supplies
NOTE 1 For electrical equipment, a supply disconnecting device complying with IEC 60204-1:1997, 5.3 “Supply disconnecting (isolating) device” meets this requirement.
NOTE 2 Plug and socket systems (for electrical supplies), or their pneumatic, hydraulic or mechanical equivalents, are examples of isolating devices with which it is possible to achieve a visible and reliable discontinuity in the power supply circuits.
For electrical plug/socket combinations, see IEC 60204-1:1997, 5.3.2 d).
NOTE 3 For hydraulic and pneumatic equipment, see also EN 982:1996, 5.1.6 and EN 983:1996, 5.1.6.
As you can see from the above definitions, all the jurisdictions require that devices used for energy isolation are reliable, manually operable, mechanical devices. While electrical control systems that meet high levels of design reliability may meet the reliability requirements, they do not meet the requirements for physical, mechanical disconnection of the source of hazardous energy. Operator devices are specifically excluded from this use in Canada and the USA. Note that plug and socket combinations are permitted in all jurisdictions. Lockout devices such as Brady 65675 Large Plug Lockout Device like the Brady Small Plug Lockout Device shown here and similar devices can be used for this purpose. With some plugs it is possible to put a small lock through a hole in one of the contacts. In some jurisdictions, even the simple act of putting the plug in your back pocket while conducting the work is sufficient.
In addition, the energy isolation device is required to be able to be locked in the off, isolated, or blocked position. There are emergency stop button operators that can be purchased with an integrated lock cylinder, and there are some control operator accessories available that will allow control push buttons and selector switches to be locked in one position or another, but these do not meet the requirements of the above standards. They can be used in addition to an energy isolation device as part of the procedure, but not on their own as the sole means of preventing unexpected start-up.
Each machine or piece of equipment is required to have an HECP that is specific to that piece of equipment. ‘Global’ HECP’s are seldom useful except as a template document. Development of HECPs takes some careful thought and a thorough understanding of the kinds of work that will need to be done to maintain and service the machinery. Individual jurisdictions have some differences in the details of their regulations, but ultimately the requirements come down to the same thing: Protecting workers.
Control system devices such as stop buttons and emergency stop devices are not accepted as energy isolating devices and cannot be used for this purpose, although they may be used as part of the HECP shutdown procedure leading up to the physical isolation of the hazardous energy sources.
Excellent standards exist that cover development of these procedures and should be referenced as specific HECP are developed.
CSA Z460-05 (R2010) – Control of hazardous energy — Lockout and other methods
29 CFR 1910.147 – The control of hazardous energy (lockout/tagout).
ANSI Z244.1 – 2003 (R2008) – Control of Hazardous Energy – Lockout/Tagout and Alternative Methods
ISO 14118 2000, Safety of machinery — Prevention of unexpected start-up