
Understanding the Hierarchy of Controls

This entry is part 3 of 3 in the series Hier­archy of Con­trols

(Eds. note: This art­icle was ori­gin­ally writ­ten in 2011 and was updated in Nov. 2018.)

The “Hierarchy of Controls” is one approach to risk reduction that has become entrenched in the Occupational Health and Safety (OHS) sector. There are other approaches to risk reduction which are equally effective but are less rigidly structured. If you want to know more about those approaches, I recommend you visit Dr. Sidney Dekker’s site, “Safety Differently,” Dr. Robert Long’s site, “Human Dymensions,” or Dr. Todd Conklin’s “Pre-Accident Investigations.” None of these approaches are wrong. Any approach that results in effectively reducing the risk for the people at the “sharp end of the stick” is a worthy approach. Onward.

The first step: Risk Assessment

Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100-1 (shown below) illustrates this point.

The system is called a hierarchy because you must apply the levels in the order in which they fall in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, down to the last, PPE*, which is the least effective.

It’s important to understand that the following questions must be asked after each step in the hierarchy is implemented: “Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?” When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training and, finally, have made recommendations for any needed PPE.

*PPE – Personal Protective Equipment, e.g. protective eyewear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes ‘…anything designed to be worn, held, or carried by an individual for protection against one or more hazards.’ in this definition.

Risk Reduction from the Designer's Viewpoint
Fig­ure 1 – The Risk Reduc­tion Pro­cess [1, Fig.2]

Introducing the Hierarchy of Controls

The Hier­archy of Con­trols was developed in a num­ber of dif­fer­ent stand­ards over the last 20 years or so, with ISO 12100 [1] com­ing to the fore­front as the lead­ing Inter­na­tion­al stand­ard. The idea was to provide a com­mon struc­ture that would provide guid­ance to design­ers when con­trolling risk.

Typ­ic­ally, the first three levels of the hier­archy may be con­sidered to be ‘engin­eer­ing con­trols’ because they are part of the design pro­cess for a product. This does not mean that they must be done by engin­eers!

We’ll look at each level in the hier­archy in detail. First, let’s take a look at what is included in the Hier­archy.

The Hier­archy of Con­trols includes:

1) Inherently Safe Design, including Hazard Elimination or Substitution (Design)

2) Engineering Controls (see [1, 2, 8, 9, 10, and 11])
   a) Barriers
   b) Guards (Fixed, Adjustable, Movable w/interlocks)
   c) Safeguarding Devices
   d) Complementary Protective Measures

3) Information for Use (see [1, 2, 4, 7, 8, 12, and 13])
   a) Hazard Warnings
   b) Manuals
   c) HMI* & Awareness Devices (lights, horns)

4) Administrative Controls (see [1, 2, 4, 5, 7, and 8])
   a) Training
   b) Standard Operating Procedures (SOPs)
   c) Hazardous Energy Control Procedures (HECP) (see [5, 14])
   d) Authorization/Permit to Work

5) Personal Protective Equipment
   a) Specification
   b) Fitting
   c) Training in use
   d) Maintenance

*HMI – Human-Machine Inter­face. Also called the ‘con­sole’ or ‘oper­at­or sta­tion’. The loc­a­tion on the machine where the oper­at­or con­trols are loc­ated. Often includes a pro­gram­mable screen or oper­at­or dis­play, but can be a simple array of but­tons, switches and indic­at­or lights.

The manufacturer, developer or integrator of the system can usually provide only the first three levels of the hierarchy, as they do not normally have control over the workplace where the equipment or the system is used. Where they have not been provided, the workplace or user should provide them.

The last two levels must be provided by the work­place or user.

Effectiveness

Each lay­er in the hier­archy has a level of effect­ive­ness that is related to the fail­ure modes asso­ci­ated with the con­trol meas­ures and the rel­at­ive effect­ive­ness in redu­cing risk in that lay­er. As you go down the hier­archy, the reli­ab­il­ity and effect­ive­ness decrease as shown in Fig. 2 below.

The Hierarchy of Controls illustrated as an inverted triangle with each level of the hierarchy written one above the other, starting with Inherently Safe Design, then Engineering Controls, then Information for Use, then Administrative Controls and finally descending to PPE at the bottom. An arrow with the text "Effectiveness" on it runs parallel to the triangle and points downward from Inherently Safe Design to PPE.
Fig­ure 2 – The Hier­archy of Con­trols

There is no way to meas­ure or spe­cific­ally quanti­fy the reli­ab­il­ity or effect­ive­ness of each lay­er of the hier­archy – that must wait until you make some selec­tions from each level, and even then it can be hard to do. The import­ant thing to under­stand is that Inher­ently Safe Design meas­ures will be more effect­ive than Guard­ing (engin­eer­ing con­trols), which is more effect­ive than Inform­a­tion for Use, etc.

1. Inherently Safe Design

The top level of the Hier­archy and the start­ing point in every effort to reduce risk is Inher­ently Safe Design. This level is more effect­ive because the word “inher­ently” indic­ates that these con­trol meas­ures are baked into the design. Remov­ing these con­trol meas­ures is there­fore impossible without per­man­ently dam­aging or des­troy­ing the product. For example, remov­ing sharp corners by radi­us­ing the corners dur­ing man­u­fac­tur­ing is effect­ively irre­vers­ible. This level of the hier­archy includes:

  • Con­sid­er­a­tion of geo­met­ric­al factors and phys­ic­al aspects (trav­el­ling and work­ing areas of mobile machines, zones of move­ment, the con­tact area with the user, form and rel­at­ive loc­a­tion of mech­an­ic­al com­pon­ents, etc.);
  • Tak­ing into account gen­er­al tech­nic­al know­ledge of machine design (mech­an­ic­al stresses, mater­i­al prop­er­ties, emis­sion val­ues for noise, vibra­tion, radi­ation, or tox­ic mater­i­als);
  • Choice of appro­pri­ate tech­no­logy;
  • Apply­ing the prin­ciple of pos­it­ive mech­an­ic­al action;
  • Pro­vi­sions for sta­bil­ity;
  • Pro­vi­sions for main­tain­ab­il­ity;
  • Obser­va­tion of ergo­nom­ic prin­ciples;
  • Elec­tric­al Haz­ards;
  • Flu­id­ic (Hydraul­ic & Pneu­mat­ic) Haz­ards;
  • Inherently safe design principles for control systems (includes the use of ISO 13849, IEC 62061, IEC 61511, or IEC 61508 family standards);
  • Switch­ing on of intern­al or extern­al power sources;
  • Start­ing and stop­ping of mech­an­isms;
  • The beha­viour of the machinery when power sources are inter­rup­ted;
  • Use of auto­mat­ic mon­it­or­ing;
  • Safety functions implemented in programmable control systems (includes the use of ISO 13849, IEC 62061, IEC 61511, or IEC 61508 family standards);
  • Prin­ciples related to manu­al con­trol;
  • Con­trol modes for set­ting, teach­ing, pro­cess changeover, fault-find­ing, clean­ing or main­ten­ance;
  • Selec­tion of con­trol and oper­at­ing modes;
  • Apply­ing meas­ures to achieve elec­tro­mag­net­ic com­pat­ib­il­ity (EMC);
  • Pro­vi­sion of dia­gnost­ic sys­tems to aid fault-find­ing;
  • Min­im­iz­ing the prob­ab­il­ity of fail­ure of safety func­tions;
  • Lim­it­ing expos­ure to haz­ards through reli­ab­il­ity of equip­ment;
  • Lim­it­ing expos­ure to haz­ards through mech­an­iz­a­tion or auto­ma­tion of load­ing (feeding)/ unload­ing (remov­al) oper­a­tions;
  • Lim­it­ing expos­ure to haz­ards through the loc­a­tion of set­ting and main­ten­ance points out­side danger zones.

The pre­ced­ing list comes from the head­ings in ISO 12100 [1], chapter 6.2. [1, 6.2] includes much more detail on the types of meas­ures that can be used to reduce risk using inher­ently safe design meas­ures. I strongly recom­mend that all machinery design­ers, includ­ing mech­an­ic­al and con­trol sys­tems design­ers, have a copy of ISO 12100 at hand while doing their design work.

The older defin­i­tion of the first level of the Hier­archy only included haz­ard elim­in­a­tion and haz­ard sub­sti­tu­tion. These are still val­id ways to reduce risk, but they have some spe­cif­ic fail­ure modes that are worth dis­cuss­ing.

Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean that elimination is 100% effective; however, it’s my opinion that this is not the case, because even elimination has failure modes that can re-introduce the hazard.

Failure Modes:

Haz­ard elim­in­a­tion can fail if the haz­ard is rein­tro­duced into the design. With machinery, this isn’t that likely to occur, but in pro­cesses, ser­vices and work­places it can occur.

Substitution

Sub­sti­tu­tion requires the design­er to sub­sti­tute a less haz­ard­ous mater­i­al or pro­cess for the ori­gin­al mater­i­al or pro­cess. For example, beryl­li­um is a highly tox­ic met­al that is used in some high tech applic­a­tions. Inhal­a­tion or skin con­tact with beryl­li­um dust can do ser­i­ous harm to a per­son very quickly, caus­ing acute beryl­li­um dis­ease. Long-term expos­ure can cause chron­ic beryl­li­um dis­ease. Sub­sti­tut­ing a less tox­ic mater­i­al with sim­il­ar prop­er­ties in place of the beryl­li­um in the pro­cess could reduce or elim­in­ate the pos­sib­il­ity of beryl­li­um dis­ease, depend­ing on the exact con­tent of the sub­sti­tute mater­i­al. If the sub­sti­tute mater­i­al includes any amount of beryl­li­um, then the risk is only reduced. If it con­tains no beryl­li­um, the risk is elim­in­ated. Note that the risk can also be reduced by ensur­ing that the beryl­li­um dust is not cre­ated by the pro­cess since beryl­li­um is not tox­ic unless inges­ted.

Altern­at­ively, using pro­cesses to handle the beryl­li­um without cre­at­ing dust or particles could reduce the expos­ure to the mater­i­al in forms that are likely to cause beryl­li­um dis­ease. An example of this could be the sub­sti­tu­tion of water-jet cut­ting instead of mech­an­ic­al saw­ing of the mater­i­al.

Failure Modes:

Reintroduction of the substituted material into a process is the primary failure mode; however, there may be others that are specific to the hazard and the circumstances. In the above example, pre- and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other, new hazards, or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!

If neither elimination nor substitution is possible, we move to the next level in the hierarchy.

2. Engineering Controls

Engin­eer­ing con­trols typ­ic­ally include vari­ous types of mech­an­ic­al guards [16, 17, & 18], inter­lock­ing sys­tems [9, 10, 11, & 15], and safe­guard­ing devices like light cur­tains or fences, area scan­ners, safety mats and two-hand con­trols [19]. These sys­tems are pro­act­ive in nature, act­ing auto­mat­ic­ally to pre­vent access to a haz­ard and there­fore pre­vent­ing injury. These sys­tems are designed to act before a per­son can reach the danger zone and be exposed to the haz­ard and there­fore reduce risk by pre­vent­ing access to the hazard(s).

Functional Safety

Func­tion­al safety is some­times called “con­trol reli­ab­il­ity.” Func­tion­al safety is the char­ac­ter­ist­ic of a safety sys­tem that allows it to oper­ate cor­rectly in response to its inputs under the inten­ded con­di­tions of use. Bar­ri­er guards and fixed guards are not eval­u­ated for reli­ab­il­ity because they do not rely on a con­trol sys­tem for their effect­ive­ness. As long as they are loc­ated cor­rectly in the first place, and are oth­er­wise prop­erly designed to con­tain the haz­ards they are pro­tect­ing, then noth­ing more is required. On the oth­er hand, safe­guard­ing devices, like inter­locked guards, light fences, light cur­tains, area scan­ners, safety mats, two-hand con­trols and safety edges, all rely on a con­trol sys­tem for their effect­ive­ness. Cor­rect applic­a­tion of these devices requires cor­rect place­ment based on the stop­ping per­form­ance of the haz­ard and cor­rect integ­ra­tion of the safety device into the safety-related parts of the con­trol sys­tem [19]. The degree of reli­ab­il­ity is based on the amount of risk reduc­tion that is being required of the safe­guard­ing device and the degree of risk present in the unguarded state [9, 10].

There are many detailed tech­nic­al require­ments for engin­eer­ing con­trols that I can’t get into in this art­icle, but you can learn more by check­ing out the ref­er­ences at the end of this art­icle and oth­er art­icles on this blog. If you are inter­ested in learn­ing more, I teach an online course on the top­ic called Func­tion­al Safety 101.

Failure Modes

Fail­ure modes for engin­eer­ing con­trols are as many and as var­ied as the devices used and the meth­ods of integ­ra­tion chosen. This dis­cus­sion will have to wait for anoth­er art­icle!

Awareness Devices

Of spe­cial note are “aware­ness devices.” This group includes warn­ing lights, horns, buzzers, bells, etc. These devices have some aspects that are sim­il­ar to engin­eer­ing con­trols, in that they are usu­ally part of the machine con­trol sys­tem, but they are also some­times classed as ‘inform­a­tion for use’, par­tic­u­larly when you con­sider indic­at­or or warn­ing lights and HMI screens. In addi­tion to these ‘act­ive’ types of devices, aware­ness devices may also include lines painted or taped on the floor or on the edge of a step or elev­a­tion change, warn­ing chains, sig­nage, etc. Sig­nage may also be included in the class of ‘inform­a­tion for use’, along with HMI screens.

Failure Modes

Fail­ure modes for Aware­ness Devices include:

  • Ignor­ing the warn­ings (Com­pla­cency or Fail­ure to com­pre­hend the mean­ing of the warn­ing);
  • Fail­ure to main­tain the device (warn­ing lights burned out or removed);
  • The defeat of the device (silen­cing an aud­ible warn­ing device by dis­con­nec­tion, stuff­ing foam into a horn, etc.);
  • Inap­pro­pri­ate selec­tion of the device (invis­ible or inaud­ible in the pre­dom­in­at­ing con­di­tions).

Complementary Protective Measures

Com­ple­ment­ary Pro­tect­ive meas­ures are a class of con­trols that are sep­ar­ate from the vari­ous types of safe­guard­ing because they gen­er­ally can­not pre­vent injury, but may reduce the sever­ity of an injury or the prob­ab­il­ity of the injury occur­ring. Com­ple­ment­ary pro­tect­ive meas­ures are react­ive in nature, mean­ing that they are not auto­mat­ic. They must be manu­ally activ­ated by a user before any­thing will occur, e.g. press­ing an emer­gency stop but­ton. They can only com­ple­ment the pro­tec­tion provided by auto­mat­ic sys­tems.

A good example of this is the Emer­gency Stop sys­tem that is designed into many machines. On its own, the emer­gency stop sys­tem will do noth­ing to pre­vent an injury. The sys­tem must be activ­ated manu­ally by press­ing a but­ton or pulling a cable. This relies on someone detect­ing a prob­lem and real­iz­ing that the machine needs to be stopped to avoid or reduce the sever­ity of an injury that is about to occur or is occur­ring. The emer­gency stop can only ever be a backup meas­ure to the auto­mat­ic inter­locks and safe­guard­ing devices used on the machine. In many cases, the next step in emer­gency response after press­ing the emer­gency stop is to call 911. To learn more about emer­gency stop, see my series on this top­ic.

Failure Modes:

The failure modes for these kinds of controls are too numerous to list here; however, they range from simple failure to replace a fixed guard or barrier fence to the failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called ‘Functional Safety Engineering’ has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [9, 10, 11].

Once you have exhausted all the pos­sib­il­it­ies in Engin­eer­ing Con­trols, you can move to the next level down in the hier­archy.

3. Information for Use

This is a very broad top­ic, includ­ing manu­als, instruc­tion sheets, inform­a­tion labels on the product, haz­ard warn­ing signs and labels, HMI screens, indic­at­or and warn­ing lights, train­ing mater­i­als, video, pho­to­graphs, draw­ings, bills of mater­i­als, etc. There are some excel­lent stand­ards now avail­able that can guide you in devel­op­ing these mater­i­als [1, 12 and 13]. To learn more about haz­ard warn­ing labels, see our series on this top­ic. To learn more about Inform­a­tion for Use, see this art­icle.

Failure Modes:

The major fail­ure modes in this level include:

  • Poorly writ­ten or incom­plete mater­i­als;
  • Pro­vi­sion of the mater­i­als in a lan­guage that is not under­stood by the user;
  • Fail­ure by the user to read and under­stand the mater­i­als;
  • Inab­il­ity to access the mater­i­als when needed;
  • Etc.

When all pos­sib­il­it­ies for inform­ing the user have been covered, you can move to the next level down in the hier­archy. Note that this is the usu­al sep­ar­a­tion point between the man­u­fac­turer and the user of a product. This is nicely illus­trated in Fig 2 from ISO 12100 above. It is import­ant to under­stand at this point that the resid­ual risk posed by the product to the user may not yet be tol­er­able. The user is respons­ible for imple­ment­ing the next two levels in the hier­archy in most cases. The man­u­fac­turer can make recom­mend­a­tions that the user may want to fol­low, but typ­ic­ally that is the extent of influ­ence that the man­u­fac­turer will have on the user.

4. Administrative Controls

This level in the hier­archy includes:

  • Train­ing;
  • Standard Operating Procedures (SOPs);
  • Safe work­ing pro­ced­ures e.g. Haz­ard­ous Energy Con­trol Pro­ced­ures (HECP), Lock­out, Tagout (where per­mit­ted by law), etc.;
  • Author­iz­a­tion; and
  • Super­vi­sion.

Train­ing is the meth­od used to get the inform­a­tion provided by the man­u­fac­turer to the work­er or end user. This can be provided by the man­u­fac­turer, by a third party, or self-taught by the user or work­er.
SOPs can include any kind of procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and to log any problems found during the inspection, is an SOP to reduce risk while driving.
Safe work­ing pro­ced­ures can be strongly influ­enced by the man­u­fac­turer through the inform­a­tion for use provided. Main­ten­ance pro­ced­ures for haz­ard­ous tasks provided in the main­ten­ance manu­al are an example of this.
Author­iz­a­tion is the pro­ced­ure that an employ­er uses to author­ize a work­er to carry out a par­tic­u­lar task. For example, an employ­er might put a policy in place that only per­mits licensed elec­tri­cians to access elec­tric­al enclos­ures and carry out work with the enclos­ure live. The employ­er might require that work­ers who may need to use lad­ders in their work take a lad­der safety and a fall pro­tec­tion train­ing course. Once the pre­requis­ites for author­iz­a­tion are com­pleted, the work­er is ‘author­ized’ by the employ­er to carry out the task.
Super­vi­sion is one of the most crit­ic­al of the Admin­is­trat­ive Con­trols. Sound super­vi­sion can make all of the above work. Fail­ure to prop­erly super­vise work can cause all of these meas­ures to fail.

Failure Modes

Admin­is­trat­ive con­trols have many fail­ure modes. Here are some of the most com­mon:

  • Fail­ure to train;
  • Fail­ure to inform work­ers regard­ing the haz­ards present and the related risks;
  • Failure to create and implement SOPs;
  • Failure to provide and maintain the special equipment needed to implement SOPs;
  • No form­al means of author­iz­a­tion – i.e. How do you KNOW that Joe has his lift truck license?;
  • Fail­ure to super­vise adequately.

I’m sure you can think of MANY oth­er ways that Admin­is­trat­ive Con­trols can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes everything from safety glasses, to hard­hats and bump caps, to fire-retard­ant cloth­ing, hear­ing defend­ers, and work boots. Some stand­ards even include warn­ing devices that are worn by the user, such as gas detect­ors and per­son-down detect­ors, in this group.
PPE is prob­ably the single most over-used and least under­stood risk con­trol meas­ure. It falls at the bot­tom of the hier­archy for a num­ber of reas­ons:

  1. It is a meas­ure of last resort;
  2. It per­mits the haz­ard to come as close to the per­son as the PPE;
  3. It is often incor­rectly spe­cified;
  4. It is often poorly fit­ted;
  5. It is often poorly main­tained; and
  6. It is often improp­erly used.

The prob­lems with PPE are hard to deal with:

  • You can­not glue or screw a set of safety glasses to a person’s face, so ensur­ing the pro­tect­ive equip­ment is used is a big prob­lem that goes back to train­ing.
  • Many small and medi­um-sized enter­prises do not have the expert­ise in the organ­iz­a­tion to prop­erly spe­cify, fit and main­tain the equip­ment.
  • User com­fort is extremely import­ant. Uncom­fort­able equip­ment won’t be used for long.
  • Finally, by the time that prop­erly spe­cified, fit­ted and used equip­ment can do its job, the haz­ard is as close to the per­son as it can get. The prob­ab­il­ity of fail­ure at this point is very high, which is what makes PPE a meas­ure of last resort, com­ple­ment­ary to the more effect­ive meas­ures that can be provided in the first three levels of the hier­archy.
  • If work­ers are not prop­erly trained and adequately informed about the haz­ards they face and the reas­ons behind the use of PPE, they are deprived of the oppor­tun­ity to make safe choices, includ­ing the right to refuse the work.

Failure Modes

Fail­ure modes for PPE include:

  • Incor­rect spe­cific­a­tion (not suit­able for the haz­ard);
  • Incor­rect fit (allows haz­ard to bypass PPE);
  • Poor main­ten­ance (pre­vents or restricts vis­ion or move­ment, increas­ing the risk; causes PPE fail­ure under stress or allows haz­ard to bypass PPE);
  • Incor­rect usage (fail­ure to train and inform users, incor­rect selec­tion or spe­cific­a­tion of PPE).

Time to Apply the Hierarchy

So now you know some­thing about the ‘hier­archy of con­trols’. Each lay­er has its own intric­a­cies and nuances that can only be learned by train­ing and exper­i­ence. With a doc­u­mented risk assess­ment in hand, you can begin to apply the hier­archy to con­trol the risks. Don’t for­get to iter­ate the assess­ment post-con­trol to doc­u­ment the degree of risk reduc­tion achieved. You may cre­ate new haz­ards when con­trol meas­ures are applied, and you may need to add addi­tion­al con­trol meas­ures to achieve effect­ive risk reduc­tion.

The doc­u­ments ref­er­enced below should give you a good start in under­stand­ing some of these chal­lenges.

References


NOTE: [1], [2], and [3] were combined by ISO and republished as ISO 12100:2010. This standard has no technical changes from the preceding standards but combines them in a single document. ISO/TR 14121-2 remains current and should be used with the current edition of ISO 12100.

[1] Safety of machinery – Basic concepts, general principles for design – Part 1: Basic terminology and methodology, ISO 12100-1, 2003. (Withdrawn)
[2] Safety of machinery – Basic concepts, general principles for design – Basic terminology and methodology, Part 2: Technical principles, ISO Standard 12100-2, 2003. (Withdrawn)
[3] Safety of Machinery – Risk Assessment – Part 1: Principles, ISO Standard 14121-1, 2012.
[4] Safety of machinery — Prevention of unexpected start-up, ISO 14118, 2017.
[5] Control of hazardous energy – Lockout and other methods, CSA Z460, 2013.
[6] Fluid power systems and components – Graphic symbols and circuit diagrams – Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219-1, 2012.
[7] Pneumatic fluid power – General rules and safety requirements for systems and their components, ISO Standard 4414, 2010.
[8] American National Standard for Industrial Robots and Robot Systems — Safety Requirements, ANSI/RIA R15.06, 2012.
[9] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO Standard 13849-1, 2015.
[10] Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005.
[11] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.
[12] Preparation of Instructions — Structuring, Content and Presentation, IEC Standard 62079, 2001. Replaced by Preparation of instructions for use – Structuring, content and presentation – Part 1: General principles and detailed requirements, IEC 82079-1:2012.
[13] American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Z535.6, 2010 (R2017).
[14] Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI Z244.1, 2016.
[15] Safety of Machinery — Interlocking devices associated with guards — principles for design and selection, EN 1088+A1:2008. (Withdrawn) Replaced by Safety of machinery — Prevention of unexpected start-up, ISO 14118:2017.
[16] Safety of Machinery — Guards – General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009. (Withdrawn) Replaced by Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120:2015.
[17] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120.
[18] Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.
[19] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.

