The Third Level of the Hierarchy: Information for Use

This entry is part 3 of 3 in the series Hier­ar­chy of Con­trols

I’ve writ­ten about the Hier­ar­chy of Con­trols in past posts, but I’ve focused on the ‘engi­neer­ing’ side of the con­trol equa­tion: Phys­i­cal changes to machine design to elim­i­nate haz­ards, and mechan­i­cal or elec­tri­cal con­trol sys­tems that can reduce risk.

The first two lev­els of the Hier­ar­chy, Elimination/Substitution and Engi­neer­ing Con­trols, are typ­i­cal­ly more chal­leng­ing to apply in most people’s minds, because expert knowl­edge is required. These lev­els are also more effec­tive in con­trol­ling risk than the sub­se­quent lev­els.

The Third Level

iStock_000009386795Small - Photo of Instruction manualThe third lev­el of the Hier­ar­chy is ‘Infor­ma­tion for Use’, some­times abbre­vi­at­ed as ‘IFU.’ This lev­el is decep­tive­ly sim­ple, and is fre­quent­ly the lev­el peo­ple want to jump to when the oth­er con­trols seem too dif­fi­cult to imple­ment. Done well, infor­ma­tion for use can make a sig­nif­i­cant con­tri­bu­tion to risk con­trol. Unfor­tu­nate­ly, it’s done poor­ly or not at all more often than it’s done well.

Infor­ma­tion for use includes:

  • Instruc­tions and Man­u­als;
  • Oper­a­tor Device tags and Leg­end Plates;
  • HMI screens;
  • Haz­ard Warn­ing signs and labels;
  • Train­ing Mate­ri­als (text, video, audio) and Train­ing (face-to-face, webi­na­rs, self-direct­ed);
  • Sales and mar­ket­ing mate­ri­als.

Infor­ma­tion for use is need­ed in all the stages of the prod­uct life cycle: Trans­porta­tion, Instal­la­tion, Com­mis­sion­ing, Use, Main­te­nance, Ser­vice, Decom­mis­sion­ing and Dis­pos­al [1]. At each stage in the life cycle, the con­tent of the infor­ma­tion and the pre­sen­ta­tion may be dif­fer­ent. In every stage it can make a sig­nif­i­cant con­tri­bu­tion to risk reduc­tion by com­mu­ni­cat­ing the safe approach to the tasks in that stage, and the risks relat­ed to those tasks. The infor­ma­tion should include the intend­ed use and the fore­see­able mis­us­es of the prod­uct. This is a legal require­ment in the EU [2], and is a best-prac­tice in North Amer­i­ca.

In this arti­cle I’m going to focus on instruc­tion man­u­als. If you’re inter­est­ed in Haz­ard Warn­ings, includ­ing signs, labels, and inte­gra­tion into man­u­als and instruc­tions, watch for a future post on this top­ic.

Legal requirements and standards

In the Euro­pean Union, the legal oblig­a­tion to pro­vide infor­ma­tion with a prod­uct is enshrined in law [2].
No North Amer­i­can juris­dic­tions make an explic­it require­ment for instruc­tions or infor­ma­tion for use in law, but many prod­uct spe­cif­ic stan­dards include require­ments for the con­tent of man­u­als.

CSA Z432 [3] out­lines require­ments for con­tent in Clause 17, and in EN 60204–1 [7]. IEC 62079 [4], pro­vides guid­ance on the design and pre­sen­ta­tion of instruc­tions. ANSI Z535.6 [5], pro­vides spe­cif­ic instruc­tions on inclu­sion of haz­ard warn­ings in man­u­als and instruc­tions.

Train­ing require­ments are also dis­cussed in CSA Z432 [3], Clause 18.

5% Dis­count on ISO and IEC Stan­dards with code: CC2011

In the USA, pro­vid­ing infor­ma­tion for use with a prod­uct is con­sid­ered to be sound ‘due dili­gence’, how­ev­er, pro­vid­ing infor­ma­tion on resid­ual risk is often seen by lia­bil­i­ty lawyers as dan­ger­ous, since man­u­fac­tur­ers are pro­vid­ing infor­ma­tion, in writ­ing, that their prod­uct is not ‘per­fect­ly safe.’ If you’ve read any­thing I’ve writ­ten on risk assess­ment, you’ll know that there is no such state as ‘per­fect­ly safe.’ If a haz­ard exists, a poten­tial for harm exists, a prob­a­bil­i­ty can be assessed and thus risk exists, how­ev­er remote that risk may be. I think that this argu­ment by some lia­bil­i­ty lawyers is fatu­ous at best.

Ken­neth Ross, one of the lead­ing prod­uct lia­bil­i­ty lawyers in the USA, dis­cuss­es the require­ments for warn­ings and instruc­tions in an arti­cle pub­lished in 2007 [6]. In the arti­cle, he explains the US require­ments:

Prod­uct sell­ers must pro­vide “rea­son­able warn­ings and instruc­tions” about their prod­ucts’ risks. The law dif­fer­en­ti­ates warn­ings and instruc­tions as fol­lows:

Warn­ings alert users and con­sumers to the exis­tence and nature of prod­uct risks so that they can pre­vent harm either by appro­pri­ate con­duct dur­ing use or con­sump­tion or by choos­ing not to use or con­sume.”

Instruc­tions “inform per­sons how to use and con­sume prod­ucts safe­ly.”

A court has held that warn­ings, stand­ing alone, may have no prac­ti­cal rel­e­vance with­out instruc­tions and that instruc­tions with­out warn­ings may not be ade­quate.

There­fore, when the law talks about the “duty to warn,” it includes warn­ings on prod­ucts in the form of warn­ing labels; safe­ty infor­ma­tion in instruc­tions; instruc­tions that affir­ma­tive­ly describe how to use a prod­uct safe­ly; and safe­ty infor­ma­tion in oth­er means of com­mu­ni­ca­tion such as videos, adver­tis­ing, cat­a­logs and web­sites.

The law says that a man­u­fac­tur­er has a duty to warn where: (1) the prod­uct is dan­ger­ous; (2) the dan­ger is or should be known by the man­u­fac­tur­er; (3) the dan­ger is present when the prod­uct is used in the usu­al and expect­ed man­ner; and (4) the dan­ger is not obvi­ous or well known to the user.”

Read Mr. Ross’ lat­est arti­cle on warn­ings.

This prac­ti­cal and sen­si­ble approach is very sim­i­lar to that in the EU. Note the require­ment that “instruc­tions that affir­ma­tive­ly describe how to use a prod­uct safe­ly.” The  old list of “don’ts” doesn’t cut it — you must tell your user how to use the prod­uct in an affir­ma­tive way.

Second Best

So why is it that so many man­u­fac­tur­ers set­tle for man­u­als that are bare­ly ‘sec­ond best’? In many com­pa­nies, the doc­u­men­ta­tion func­tion is:

  • not seen to add val­ue to the prod­uct;
  • not under­stood to have legal import in lim­it­ing prod­uct lia­bil­i­ty;
  • giv­en lit­tle effort.

The per­cep­tion seems to be that man­u­als are pro­duced pri­mar­i­ly to fill fil­ing cab­i­nets and that cus­tomers don’t use the infor­ma­tion pro­vid­ed. This leads to man­u­als that are writ­ten after-the-fact by engi­neers, or worse, the role of ‘tech­ni­cal writer’ is seen to be an entry lev­el posi­tion often filled by interns or co-op stu­dents, with lit­tle over­sight by qual­i­fied peo­ple.

End-user train­ing is fre­quent­ly giv­en even less thought than the man­u­als. When designed togeth­er, the man­u­al will sup­port the train­ing pro­gram, and the train­ers can use the man­u­al as one of the pri­ma­ry train­ing tools. This pro­vides con­ti­nu­ity, and ensures that the train­ing process is prop­er­ly doc­u­ment­ed.

iStock_000012657812Small - Techncial ManualMy expe­ri­ence is that few engi­neers are excel­lent writ­ers. There are some, no doubt. Writ­ing man­u­als takes a sound under­stand­ing of edu­ca­tion­al the­o­ry, includ­ing an under­stand­ing of the audi­ence to whom the mate­r­i­al is direct­ed. The lev­el of tech­ni­cal sophis­ti­ca­tion required for a sim­ple house­hold prod­uct is com­plete­ly dif­fer­ent from that required for the tech­ni­cal sup­port man­u­al for an indus­tri­al weld­ing laser.
The engi­neers design­ing and inte­grat­ing an indus­tri­al sys­tem are often too close to the design of the prod­uct to be able to write effec­tive­ly to the tar­get audi­ence. Assump­tions about the lev­el of edu­ca­tion that the user will have are often incor­rect, and key steps may be skipped because they are assumed to be ‘com­mon knowl­edge.’

Qual­i­ty doc­u­men­ta­tion is also a cus­tomer ser­vice issue. Prod­ucts that are well doc­u­ment­ed require less cus­tomer ser­vice sup­port, and when cus­tomers do need sup­port, they are gen­er­al­ly more sat­is­fied with the result.

New Delivery Methods

The deliv­ery meth­ods for tech­ni­cal doc­u­ments have changed con­sid­er­ably in recent years. Large, ring-bound paper man­u­als are being dis­placed by on-line, inter­ac­tive doc­u­men­ta­tion that can be accessed at the user inter­face. The use of PDF-for­mat man­u­als has jumped, and this brings in the abil­i­ty to link error mes­sages gen­er­at­ed by the con­trol sys­tem to the sec­tions of the man­u­al that relat­ed to that aspect of the sys­tem. Video and ani­ma­tions can be added that pro­vide at-a-glance under­stand­ing of the oper­a­tion of the machin­ery. WiFi net­works in indus­tri­al facil­i­ties, along with the accep­tance of mobile pad-com­put­ing devices like the Apple iPad, mean users can have the instruc­tions where they need them, and tech­ni­cians and ser­vice per­son­nel can take the man­u­al with them to the area where a prob­lem exists, and can use the doc­u­ments even in very low-light con­di­tions.

Find­ing tech­ni­cal writ­ing resources can be a chal­lenge, par­tic­u­lar­ly if you are look­ing to move away from paper to elec­tron­ic doc­u­men­ta­tion. The stan­dards men­tioned in this arti­cle are a good place to start.
Doc­u­men­ta­tion can range from writ­ing through tech­ni­cal illus­tra­tions, ani­ma­tion and video pro­duc­tion. Find­ing indi­vid­u­als who can pro­vide you with pro­fes­sion­al ser­vices in these areas in a time­ly way and at a rea­son­able price is not an easy task. If you need assis­tance rang­ing from a few ques­tions that need answers to hir­ing a tech­ni­cal writer, Com­pli­ance InSight Con­sult­ing can help. Con­tact me for more infor­ma­tion!

Are your prod­uct man­u­als as good as they could be? What kinds of chal­lenges have you had with get­ting them writ­ten, or used? Add your com­ments below!


5% Dis­count on ISO and IEC Stan­dards with code: CC2011

[1]    “Safe­ty of machin­ery — Gen­er­al prin­ci­ples for design — Risk assess­ment and risk reduc­tion”, ISO Stan­dard 12100, 2010

[2]    “DIRECTIVE 2006/42/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 17 May 2006 on machin­ery, and amend­ing Direc­tive 95/16/EC”, Annex 1, Clause 1.7, Euro­pean Com­mis­sion, 2006.

[3]    “Safe­guard­ing of Machin­ery”, CSA Stan­dard Z432, Cana­di­an Stan­dards Asso­ci­a­tion, 2004.

[4]    “Prepa­ra­tion of instruc­tions – Struc­tur­ing, con­tent and pre­sen­ta­tion”, IEC Stan­dard 62079, Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion, 2001.

[5]    “Amer­i­can Nation­al Stan­dard For Prod­uct Safe­ty Infor­ma­tion in Prod­uct Man­u­als, Instruc­tions, and Oth­er Col­lat­er­al Mate­ri­als”, ANSI Stan­dard Z535.6, Amer­i­can Nation­al Stan­dards Insti­tute, 2006.

[6]    K. Ross. “Dan­ger! The Legal Duty to Warn and Instruct”, Risk Man­age­ment Mag­a­zine, [web] 2007, Avail­able: No longer avail­able.

[7]      “Safe­ty of machin­ery — Elec­tri­cal equip­ment of machines — Part 1: Gen­er­al require­ments”, CENELEC Stan­dard EN 60204–1, CENELEC, 2009.

Hockey Teams and Risk Reduction or What Makes Roberto Luongo = PPE

This entry is part 1 of 3 in the series Hier­ar­chy of Con­trols

Spe­cial Co-Author, Tom Doyle

Last week we saw the Boston Bru­ins earn the Stan­ley Cup. I was root­ing for the green, blue and white, and the ruin of my voice on Thurs­day was ample evi­dence that no amount of cheer­ing helped. While I was watch­ing the game with friends and col­leagues, I real­ized that Rober­to Luon­go and Tim Thomas were their respec­tive team’s PPE*. Sound odd? Let me explain.

Risk Assessment and the Hierarchy of Controls

Equip­ment design­ers need to under­stand  OHS* risk. The only proven method for under­stand­ing risk is risk assess­ment. Once that is done, the next play in the game is the reduc­tion of risks by elim­i­nat­ing haz­ards wher­ev­er pos­si­ble and con­trol­ling those that remain.

Con­trol comes in a cou­ple of flavours:

  • Haz­ard mod­i­fi­ca­tion to reduce the sever­i­ty of injury, or
  • prob­a­bil­i­ty mod­i­fi­ca­tion to reduce the prob­a­bil­i­ty of a work­er com­ing togeth­er with the haz­ard.

These ideas have been for­mal­ized in the Hier­ar­chy of Con­trols. Briefly, the Hier­ar­chy starts with haz­ard elim­i­na­tion or sub­sti­tu­tion, and flows down through engi­neer­ing con­trols, infor­ma­tion for use, admin­is­tra­tive con­trols and final­ly PPE. As you move down through the Hier­ar­chy, the effec­tive­ness and the reli­a­bil­i­ty of the mea­sures declines.

It’s impor­tant to rec­og­nize that we haven’t done a risk assess­ment in writ­ing this post. This step was skipped for the pur­pose of this example—to apply the hier­ar­chy cor­rect­ly, you MUST start with a risk assess­ment!

So how does this relate to Hock­ey?

Hockey and the Hierarchy of Controls

Hazard Identification and Exposure to Risk

If we con­sid­er the goal as the work­er — the thing we don’t want “injured”, the puck is the haz­ard, and the act of scor­ing a goal as the act of injur­ing a per­son, then the rest quick­ly becomes clear.

Level 1: Hazard Elimination

By def­i­n­i­tion, if we elim­i­nate the puck, we no longer have a game. We just have a bunch of big guys skat­ing around in cool jer­seys with sticks, maybe hav­ing a fight or two, because they’re bored or just don’t know what else to do. Since we want to have a game, either to play or to watch, we have to allow the risk of injury to exist. We could call this the “intrin­sic risk”, as it is the risk that exists before we add any con­trols.

Level 2: Hazard Substitution

The Cen­ter and the Wingers (col­lec­tive­ly the “For­wards” or the “Offen­sive Line”), act as haz­ard “sub­sti­tu­tion”. We’ve already estab­lished that elim­i­na­tion of the haz­ard results in the loss of the intend­ed function—no puck, no game. The for­wards only let the oth­er team have the puck on rare occa­sion, if they’re play­ing well. This is a great idea, but still a lit­tle too opti­mistic after all. Both teams are try­ing to get the puck in the oppos­ing net and both teams have qual­i­fied to play the final game. If they fail to keep the puck beyond the oth­er team’s blue line, or at least beyond the cen­ter line, then the next lay­er of pro­tec­tion kicks in, with the Defen­sive Line.

Level 3: Engineering Controls

As the puck moves down the ice, the Defen­sive Line engages the approach­ing puck, attempt­ing to block access to the area clos­er to the goal. They act as a mov­able bar­ri­er between the net and the puck.  They will do what­ev­er is nec­es­sary to keep the haz­ard from com­ing in con­tact with the net. As engi­neer­ing con­trols, their coor­di­na­tion and posi­tion­ing are crit­i­cal in ensur­ing suc­cess.

The sys­tem will fail if the con­trols have poor:

  • posi­tion­ing,
  • choice of mate­ri­als (play­ers),
  • tim­ing, etc.

These risk con­trols fail reg­u­lar­ly, so are less desir­able than hav­ing the For­ward Line han­dle Risk Con­trol.

Level 4: Information for Use and Awareness Means

In a hock­ey game, the infor­ma­tion for use is the rule book. This infor­ma­tion tells play­ers, coach­es, and offi­cials how the game is to be played, and what the intend­ed use of the game should be. Activ­i­ties like spear­ing, trip­ping, and blind-side checks are not per­mit­ted.

The aware­ness means are pro­vid­ed by the roar of the fans. As the puck heads for the home-team’s goal, the home fans will roar, let­ting the team know, if they don’t know already, that the goal is at risk from the puck. Hope­ful­ly the defen­sive line can react in time and get between the puck and the net.

Level 5: Administrative Controls

Infor­ma­tion for use from the pre­vi­ous step is the basis for all the fol­low­ing con­trols. The team’s coach­es, or “super­vi­sors”, use this infor­ma­tion to give train­ing in the form of hock­ey prac­tice. The For­ward Line and Defen­sive Line could be con­sid­ered the Sup­pli­ers and Users. They all need to know what to do to avoid haz­ardous sit­u­a­tions, and what to do when one aris­es, to reduce the num­ber of poten­tial fail­ures.

A “Per­mit to Work” is giv­en to the play­ers by the coach when they form the lines. The coach ensures that the right peo­ple are on the ice for each set of cir­cum­stances, decid­ing when line changes hap­pen as the game pro­gress­es, adapt­ing the peo­ple per­mit­ted to work to the spe­cif­ic con­di­tions on the ice.

Level 6: Personal Protective Equipment (PPE)

All of this brings me to Rober­to Luon­go and Tim Thomas. So how is a Goalie like PPE?

Goalies are the “last-ditch” pro­tec­tion. It’s clear that the first 5 lev­els of the hier­ar­chy don’t always work, since every type of con­trol, even haz­ard elim­i­na­tion, has fail­ure modes. To give a bit of back­up, we should make sure that we add extra pro­tec­tion in the form of PPE.

The puck wasn’t elim­i­nat­ed, since hav­ing a hock­ey game is the point, after all. The puck wasn’t kept dis­tant by the For­ward Line. The Defen­sive Line failed to main­tain safe dis­tance between the goal and the puck, and now all that is left is the goalie (or your pro­tec­tive eye­wear, boots, hard­hat, or what­ev­er). In the 2011 Stan­ley Cup Final game, Luon­go equaled long pants and long sleeves, while Thomas equaled a suit of armour. The Bruin’s “PPE” afford­ed supe­ri­or pro­tec­tion in this case.

As any­one who has used pro­tec­tive eye­wear knows, par­ti­cles can get by your eye­wear. There are lots of fac­tors, includ­ing how well they fit, if you’re wear­ing them (prop­er­ly or at all!), etc. If the gear is fit­ted and used prop­er­ly by a per­son who under­stands WHY and HOW to use the equip­ment, then the PPE is more like Tim Thomas, and you may be able to “shut out” injury. Most of the time. Remem­ber that even Tim Thomas miss­es stop­ping some shots on goal and the oth­er guys can still score.

When your PPE doesn’t fit prop­er­ly, isn’t select­ed prop­er­ly, is worn out (or psy­ched out as the case may be), or isn’t used prop­er­ly, then it’s more like Rober­to Luon­go. Some­times it works per­fect­ly, and life is good. Some­times it fails com­plete­ly and you end up injured or worse.

Goalies are also like PPE because they are RIGHT THERE. Right before injury will occur. PPE is RIGHT THERE, pro­tect­ing you—5 mm from the sur­face of your eye, or in your ear, 2 mm from your ear drum. By this point the harm­ful ener­gy is RIGHT THERE, ready to hurt you, and injury is immi­nent. A sim­ple mis­place­ment or bad fit con­di­tion and you’re blind­ed or deaf or… well you get the idea!

On Wednes­day night, 15-Jun-2011, every­thing failed for the Van­cou­ver Canucks. The team’s spir­it was down, and they went into the game think­ing “We just don’t want to lose!” instead of Boston’s “We’re tak­ing that Cup home!”. Even the tout­ed Home Ice Advan­tage wasn’t enough to psych out the Bru­ins, and in the end I think it turned on the Canucks as the fans real­ized that the game was lost. The warn­ings failed, the guards failed, and the PPE failed. Some­body got hurt, and unfor­tu­nate­ly for Cana­di­an fans, it was the Canucks. Luck­i­ly it wasn’t a fatal­i­ty! Even being #2 in the NHL is a long stretch bet­ter than fill­ing a cool­er draw­er in the morgue.

So the next time you’re set­ting up a job, an assem­bly line, a new machine, or a new work­place, check out your team and make sure that you’ve got the right play­ers on the ice. You only get one chance to get it right. Sure, you can change the lines and upgrade when you need to, but once some­one scores a goal, you have an injured per­son and big­ger prob­lems to deal with.

Spe­cial thanks to Tom Doyle for his con­tri­bu­tions to this post!

*Per­son­al Pro­tec­tive Equip­men­tOc­cu­pa­tion­al Health and Safe­ty

Understanding the Hierarchy of Controls

This entry is part 2 of 3 in the series Hier­ar­chy of Con­trols

Risk assess­ment is the first step in reduc­ing the risk that your cus­tomers and users are exposed to when they use your prod­ucts. The sec­ond step is Risk Reduc­tion, some­times called Risk Con­trol or Risk Mit­i­ga­tion. This arti­cle looks at the ways that risk can be con­trolled using the Hier­ar­chy of Con­trols. Fig­ure 2 from ISO 12100–1 (shown below) illus­trates this point.

The sys­tem is called a hier­ar­chy because you must apply each lev­el in the order that they fall in the list. In terms of effec­tive­ness at reduc­ing risk, the first lev­el in the hier­ar­chy, elim­i­na­tion, is the most effec­tive, down to the last, PPE*, which has the least effec­tive­ness.

It’s impor­tant to under­stand that ques­tions must be asked after each step in the hier­ar­chy is imple­ment­ed, and that is “Is the risk reduced as much as pos­si­ble? Is the resid­ual risk a) in com­pli­ance with legal require­ments, and b) accept­able to the user or work­er?”. When you can answer ‘YES’ to all of these ques­tions, the last step is to ensure that you have warned the user of the resid­ual risks, have iden­ti­fied the required train­ing need­ed and final­ly have made rec­om­men­da­tions for any need­ed PPE.

*PPE — Per­son­al Pro­tec­tive Equip­ment. e.g. Pro­tec­tive eye wear, safe­ty boots, bump caps, hard hats, cloth­ing, gloves, res­pi­ra­tors, etc. CSA Z1002 includes ‘…any­thing designed to be worn, held, or car­ried by an indi­vid­ual for pro­tec­tion against one or more haz­ards.’  in this def­i­n­i­tion.

Risk Reduction from the Designer's Viewpoint
ISO 12100:2010 — Fig­ure 2


Introducing the Hierarchy of Controls

The Hier­ar­chy of Con­trols was devel­oped in a num­ber of dif­fer­ent stan­dards over the last 20 years or so. The idea was to pro­vide a com­mon struc­ture that would pro­vide guid­ance to design­ers when con­trol­ling risk.

Typ­i­cal­ly, the first three lev­els of the hier­ar­chy may be con­sid­ered to be ‘engi­neer­ing con­trols’ because they are part of the design process for a prod­uct. This does not mean that they must be done by engi­neers!

We’ll look at each lev­el in the hier­ar­chy in detail. First, let’s take a look at what is includ­ed in the Hier­ar­chy.

The Hier­ar­chy of Con­trols includes:

1)    Haz­ard Elim­i­na­tion or Sub­sti­tu­tion (Design)
2)    Engi­neer­ing Con­trols (see [1, 2, 8, 9, 10, and 11])

a)    Bar­ri­ers

b)    Guards (Fixed, Mov­able w/interlocks)

c)    Safe­guard­ing Devices

d)    Com­ple­men­tary Pro­tec­tive Mea­sures

3)    Infor­ma­tion for Use (see [1, 2, 4, 7, 8, 12, and 13])

a)    Haz­ard Warn­ings

b)    Man­u­als

c)    HMI* & Aware­ness Devices (lights, horns)

4)    Admin­is­tra­tive Con­trols (see [1, 2, 4, 5, 7, and 8])

a)    Train­ing

b)    SOP’s,

c)    Haz­ardous Ener­gy Con­trol Pro­ce­dures (see [5, 14])

d)    Autho­riza­tion

5)    Per­son­al Pro­tec­tive Equip­ment

a)    Spec­i­fi­ca­tion

b)    Fit­ting

c)    Train­ing in use

d)    Main­te­nance

*HMI — Human-Machine Inter­face. Also called the ‘con­sole’ or ‘oper­a­tor sta­tion’. The loca­tion on the machine where the oper­a­tor con­trols are locat­ed. Often includes a pro­gram­ma­ble screen or oper­a­tor dis­play, but can be a sim­ple array of but­tons, switch­es and indi­ca­tor lights.

The man­u­fac­tur­er, devel­op­er or inte­gra­tor of the sys­tem should pro­vide the first three lev­els of the hier­ar­chy. Where they have not been pro­vid­ed, the work­place or user should pro­vide them.

The last two lev­els must be pro­vid­ed by the work­place or user.


Each lay­er in the hier­ar­chy has a lev­el of effec­tive­ness that is relat­ed to the fail­ure modes asso­ci­at­ed with the con­trol mea­sures and the rel­a­tive effec­tive­ness in reduc­ing risk in that lay­er. As you go down the hier­ar­chy, the reli­a­bil­i­ty and effec­tive­ness decrease as shown below.

Effectiveness of the Hierarchy of ControlsThere is no way to mea­sure or specif­i­cal­ly quan­ti­fy the reli­a­bil­i­ty or effec­tive­ness of each lay­er of the hier­ar­chy — that must wait until you make some selec­tions from each lev­el, and even then it can be very hard to do. The impor­tant thing to under­stand is that Elim­i­na­tion is more effec­tive than Guard­ing (engi­neer­ing con­trols), which is more effec­tive than Aware­ness Means, etc.

1. Hazard Elimination or Substitution

Hazard Elimination

Haz­ard elim­i­na­tion is the most effec­tive means of reduc­ing risk from a par­tic­u­lar haz­ard, for the sim­ple rea­son that once the haz­ard has been elim­i­nat­ed there is no remain­ing risk. Remem­ber that risk is a func­tion of sever­i­ty and prob­a­bil­i­ty. Since both sever­i­ty and prob­a­bil­i­ty are affect­ed by the exis­tence of the haz­ard, elim­i­nat­ing the haz­ard reduces the risk from that par­tic­u­lar haz­ard to zero. Some prac­ti­tion­ers con­sid­er this to mean the elim­i­na­tion is 100% effec­tive, how­ev­er it’s my opin­ion that this is not the case because even elim­i­na­tion has fail­ure modes that can re-intro­duce the haz­ard.

Failure Modes:

Haz­ard elim­i­na­tion can fail if the haz­ard is rein­tro­duced into the design. With machin­ery this isn’t that like­ly to occur, but in process­es, ser­vices and work­places it can occur.


Sub­sti­tu­tion requires the design­er to sub­sti­tute a less haz­ardous mate­r­i­al or process for the orig­i­nal mate­r­i­al or process. For exam­ple, beryl­li­um is a high­ly tox­ic met­al that is used in some high tech appli­ca­tions. Inhala­tion or skin con­tact with beryl­li­um dust can do seri­ous harm to a per­son very quick­ly, caus­ing acute beryl­li­um dis­ease. Long term expo­sure can cause chron­ic beryl­li­um dis­ease. Sub­sti­tut­ing a less tox­ic mate­r­i­al with sim­i­lar prop­er­ties in place of the beryl­li­um in the process  could reduce or elim­i­nate the pos­si­bil­i­ty of beryl­li­um dis­ease, depend­ing on the exact con­tent of the sub­sti­tute mate­r­i­al. If the sub­sti­tute mate­r­i­al includes any amount of beryl­li­um, then the risk is only reduced. If it con­tains no beryl­li­um, the risk is elim­i­nat­ed. Note that the risk can also be reduced by ensur­ing that the beryl­li­um dust is not cre­at­ed by the process, since beryl­li­um is not tox­ic unless ingest­ed.

Alter­na­tive­ly, using process­es to han­dle the beryl­li­um with­out cre­at­ing dust or par­ti­cles could reduce the expo­sure to the mate­r­i­al in forms that are like­ly to cause beryl­li­um dis­ease. An exam­ple of this could be sub­sti­tu­tion of water-jet cut­ting instead of mechan­i­cal saw­ing of the mate­r­i­al.

Failure Modes:

Rein­tro­duc­tion of the sub­sti­tut­ed mate­r­i­al into a process is the pri­ma­ry fail­ure mode, how­ev­er there may be oth­ers that are spe­cif­ic to the haz­ard and the cir­cum­stances. In the above exam­ple, pre- and post-cut­ting han­dling of the mate­r­i­al could still cre­ate dust or small par­ti­cles, result­ing in expo­sure to beryl­li­um. A sub­sti­tut­ed mate­r­i­al might intro­duce oth­er, new haz­ards, or might cre­ate fail­ure modes in the final prod­uct that would result in risks to the end user. Care­ful con­sid­er­a­tion is required!

If nei­ther elim­i­na­tion or sub­sti­tu­tion is pos­si­ble, we move to the next lev­el in the hier­ar­chy.

2. Engineering Controls

Engi­neer­ing con­trols typ­i­cal­ly include var­i­ous types of mechan­i­cal guards [16, 17, & 18], inter­lock­ing sys­tems [9, 10, 11, & 15], and safe­guard­ing devices like light cur­tains or fences, area scan­ners, safe­ty mats and two-hand con­trols [19]. These sys­tems are proac­tive in nature, act­ing auto­mat­i­cal­ly to pre­vent access to a haz­ard and there­fore pre­vent­ing injury. These sys­tems are designed to act before a per­son can reach the dan­ger zone and be exposed to the haz­ard.

Control reliability

Bar­ri­er guards and fixed guards are not eval­u­at­ed for reli­a­bil­i­ty because they do not rely on a con­trol sys­tem for their effec­tive­ness. As long as they are placed cor­rect­ly in the first place, and are oth­er­wise prop­er­ly designed to con­tain the haz­ards they are pro­tect­ing, then noth­ing more is required. On the oth­er hand, safe­guard­ing devices, like inter­locked guards, light fences, light cur­tains, area scan­ners, safe­ty mats, two-hand con­trols and safe­ty edges, all rely on a con­trol sys­tem for their effec­tive­ness. Cor­rect appli­ca­tion of these devices requires cor­rect place­ment based on the stop­ping per­for­mance of the haz­ard and cor­rect inte­gra­tion of the safe­ty device into the safe­ty relat­ed parts of the con­trol sys­tem [19]. The degree of reli­a­bil­i­ty is based on the amount of risk reduc­tion that is being required of the safe­guard­ing device and the degree of risk present in the unguard­ed state [9, 10].

There are many detailed tech­ni­cal require­ments for engi­neer­ing con­trols that I can’t get into in this arti­cle, but you can learn more by check­ing out the ref­er­ences at the end of this arti­cle and oth­er arti­cles on this blog.

Failure Modes

Fail­ure modes for engi­neer­ing con­trols are as many and as var­ied as the devices used and the meth­ods of inte­gra­tion cho­sen. This dis­cus­sion will have to wait for anoth­er arti­cle!

Awareness Devices

Of spe­cial note are ‘aware­ness devices’. This group includes warn­ing lights, horns, buzzers, bells, etc. These devices have some aspects that are sim­i­lar to engi­neer­ing con­trols, in that they are usu­al­ly part of the machine con­trol sys­tem, but they are also some­times classed as ‘infor­ma­tion for use’, par­tic­u­lar­ly when you con­sid­er indi­ca­tor or warn­ing lights and HMI screens. In addi­tion to these ‘active’ types of devices, aware­ness devices may also include lines paint­ed or taped on the floor or on the edge of a step or ele­va­tion change, warn­ing chains, sig­nage, etc. Sig­nage may also be includ­ed in the class of ‘infor­ma­tion for use’, along with HMI screens.

Failure Modes

Fail­ure modes for Aware­ness Devices include:

  • Ignor­ing the warn­ings (Com­pla­cen­cy or Fail­ure to com­pre­hend the mean­ing of the warn­ing);
  • Fail­ure to main­tain the device (warn­ing lights burned out or removed);
  • Defeat of the device (silenc­ing an audi­ble warn­ing device);
  • Inap­pro­pri­ate selec­tion of the device (invis­i­ble or inaudi­ble in the pre­dom­i­nat­ing con­di­tions).

Complementary Protective Measures

Com­ple­men­tary Pro­tec­tive mea­sures are a class of con­trols that are sep­a­rate from the var­i­ous types of safe­guard­ing because they gen­er­al­ly can­not pre­vent injury, but may reduce the sever­i­ty of injury or the prob­a­bil­i­ty of the injury occur­ring. Com­ple­men­tary pro­tec­tive mea­sures are reac­tive in nature, mean­ing that they are not auto­mat­ic. They must be man­u­al­ly acti­vat­ed by a user before any­thing will occur, e.g. press­ing an emer­gency stop but­ton. They can only com­ple­ment the pro­tec­tion pro­vid­ed by the auto­mat­ic sys­tems.

A good exam­ple of this is the Emer­gency Stop sys­tem that is designed into many machines. On its own, the emer­gency stop sys­tem will do noth­ing to pre­vent an injury. The sys­tem must be acti­vat­ed man­u­al­ly by press­ing a but­ton or pulling a cable. This relies on some­one detect­ing a prob­lem and real­iz­ing that the machine needs to be stopped to avoid or reduce the sever­i­ty of an injury that is about to occur or is occur­ring. Emer­gency stop can only ever be a back-up mea­sure to the auto­mat­ic inter­locks and safe­guard­ing devices used on the machine. In many cas­es, the next step in emer­gency response after press­ing the emer­gency stop is to call 911.

Failure Modes:

The fail­ure modes for these kinds of con­trols are too numer­ous to list here, how­ev­er they range from sim­ple fail­ure to replace a fixed guard or bar­ri­er fence, to fail­ure of elec­tri­cal, pneu­mat­ic or hydraulic con­trols. These fail­ure modes are enough of a con­cern that a new field of safe­ty engi­neer­ing called ‘Func­tion­al Safe­ty Engi­neer­ing’ has grown up around the need to be able to ana­lyze the prob­a­bil­i­ty of fail­ure of these sys­tems and to use addi­tion­al design ele­ments to reduce the prob­a­bil­i­ty of fail­ure to a lev­el we can tol­er­ate. For more on this, see [9, 10, 11].

Once you have exhaust­ed all the pos­si­bil­i­ties in Engi­neer­ing Con­trols, you can move to the next lev­el down in the hier­ar­chy.

3. Information for Use

This is a very broad top­ic, includ­ing man­u­als, instruc­tion sheets, infor­ma­tion labels on the prod­uct, haz­ard warn­ing signs and labels, HMI screens, indi­ca­tor and warn­ing lights, train­ing mate­ri­als, video, pho­tographs, draw­ings, bills of mate­ri­als, etc. There are some excel­lent stan­dards now avail­able that can guide you in devel­op­ing these mate­ri­als [1, 12 and 13].

Failure Modes:

The major fail­ure modes in this lev­el include:

  • Poor­ly writ­ten or incom­plete mate­ri­als;
  • Pro­vi­sion of the mate­ri­als in a lan­guage that is not under­stood by the user;
  • Fail­ure by the user to read and under­stand the mate­ri­als;
  • Inabil­i­ty to access the mate­ri­als when need­ed;
  • Etcetera.

When all pos­si­bil­i­ties for inform­ing the user have been cov­ered, you can move to the next lev­el down in the hier­ar­chy. Note that this is the usu­al sep­a­ra­tion point between the man­u­fac­tur­er and the user of a prod­uct. This is nice­ly illus­trat­ed in Fig 2 from ISO 12100 above. It is impor­tant to under­stand at this point that the resid­ual risk posed by the prod­uct to the user may not yet be tol­er­a­ble. The user is respon­si­ble for imple­ment­ing the next two lev­els in the hier­ar­chy in most cas­es. The man­u­fac­tur­er can make rec­om­men­da­tions that the user may want to fol­low, but typ­i­cal­ly that is the extent of influ­ence that the man­u­fac­tur­er will have on the user.

4. Administrative Controls

This lev­el in the hier­ar­chy includes:

  • Train­ing;
  • Stan­dard Oper­at­ing Pro­ce­dures (SOP’s);
  • Safe work­ing pro­ce­dures e.g. Haz­ardous Ener­gy Con­trol, Lock­out, Tagout (where per­mit­ted by law), etc.;
  • Autho­riza­tion; and
  • Super­vi­sion.

Train­ing is the method used to get the infor­ma­tion pro­vid­ed by the man­u­fac­tur­er to the work­er or end user. This can be pro­vid­ed by the man­u­fac­tur­er, by a third par­ty, or self-taught by the user or work­er.
SOP’s can include any kind of pro­ce­dure insti­tut­ed by the work­place to reduce risk. For exam­ple, requir­ing work­ers who dri­ve vehi­cles to do a walk-around inspec­tion of the vehi­cle before use, and log­ging of any prob­lems found dur­ing the inspec­tion is an exam­ple of an SOP to reduce risk while dri­ving.
Safe work­ing pro­ce­dures can be strong­ly influ­enced by the man­u­fac­tur­er through the infor­ma­tion for use pro­vid­ed. Main­te­nance pro­ce­dures for haz­ardous tasks pro­vid­ed in the main­te­nance man­u­al are an exam­ple of this.
Autho­riza­tion is the pro­ce­dure that an employ­er uses to autho­rize a work­er to car­ry out a par­tic­u­lar task. For exam­ple, an employ­er might put a pol­i­cy in place that only per­mits licensed elec­tri­cians to access elec­tri­cal enclo­sures and car­ry out work with the enclo­sure live. The employ­er might require that work­ers who may need to use lad­ders in their work take a lad­der safe­ty and a fall pro­tec­tion train­ing course. Once the pre­req­ui­sites for autho­riza­tion are com­plet­ed, the work­er is ‘autho­rized’ by the employ­er to car­ry out the task.
Super­vi­sion is one of the most crit­i­cal of the Admin­is­tra­tive Con­trols. Sound super­vi­sion can make all of the above work. Fail­ure to prop­er­ly super­vise work can cause all of these mea­sures to fail.

Failure Modes

Admin­is­tra­tive con­trols have many fail­ure modes. Here are some of the most com­mon:

  • Fail­ure to train;
  • Fail­ure to inform work­ers regard­ing the haz­ards present and the relat­ed risks;
  • Fail­ure to cre­ate and imple­ment SOP’s;
  • Fail­ure to pro­vide and main­tain spe­cial equip­ment need­ed to imple­ment SOP’s;
  • No for­mal means of autho­riza­tion — i.e. How do you KNOW that Joe has his lift truck license?;
  • Fail­ure to super­vise ade­quate­ly.

I’m sure you can think of MANY oth­er ways that Admin­is­tra­tive Con­trols can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes every­thing from safe­ty glass­es, to hard­hats and bump caps, to fire-retar­dant cloth­ing, hear­ing defend­ers, and work boots. Some stan­dards even include warn­ing devices that are worn by the user, such as gas detec­tors and per­son-down detec­tors, in this group.
PPE is prob­a­bly the sin­gle most over-used and least under­stood risk con­trol mea­sure. It falls at the bot­tom of the hier­ar­chy for a num­ber of rea­sons:

  1. It is a mea­sure of last resort;
  2. It per­mits the haz­ard to come as close to the per­son as their cloth­ing;
  3. It is often incor­rect­ly spec­i­fied;
  4. It is often poor­ly fit­ted;
  5. It is often poor­ly main­tained; and
  6. It is often improp­er­ly used.

The prob­lems with PPE are hard to deal with. You can­not glue or screw a set of safe­ty glass­es to a person’s face, so ensur­ing the the pro­tec­tive equip­ment is used is a big prob­lem that goes back to super­vi­sion.

Many small and medi­um sized enter­pris­es do not have the exper­tise in the orga­ni­za­tion to prop­er­ly spec­i­fy, fit and main­tain the equip­ment.

User com­fort is extreme­ly impor­tant. Uncom­fort­able equip­ment won’t be used for long.

Final­ly, by the time that prop­er­ly spec­i­fied, fit­ted and used equip­ment can do it’s job, the haz­ard is as close to the per­son as it can get. The prob­a­bil­i­ty of fail­ure at this point is very high, which is what makes PPE a mea­sure of last resort, com­ple­men­tary to the more effec­tive mea­sures that can be pro­vid­ed in the first three lev­els of the hier­ar­chy.

If work­ers are not prop­er­ly trained and ade­quate­ly informed about the haz­ards they face and the rea­sons behind the use of PPE, they are deprived of the oppor­tu­ni­ty to make safe choic­es, even if that choice is to refuse the work.

Failure Modes

Fail­ure modes for PPE include:

  • Incor­rect spec­i­fi­ca­tion (not suit­able for the haz­ard);
  • Incor­rect fit (allows haz­ard to bypass PPE);
  • Poor main­te­nance (pre­vents or restricts vision or move­ment, increas­ing the risk; caus­es PPE fail­ure under stress or allows haz­ard to bypass PPE);
  • Incor­rect usage (fail­ure to train and inform users, incor­rect selec­tion or spec­i­fi­ca­tion of PPE).

Time to Apply the Hierarchy

So now you know some­thing about the ‘hier­ar­chy of con­trols’. Each lay­er has its own intri­ca­cies and nuances that can only be learned by train­ing and expe­ri­ence. With a doc­u­ment­ed risk assess­ment in hand, you can begin to apply the hier­ar­chy to con­trol the risks. Don’t for­get to iter­ate the assess­ment post-con­trol to doc­u­ment the degree of risk reduc­tion achieved. You may cre­ate new haz­ards when con­trol mea­sures are applied, and you may need to add addi­tion­al con­trol mea­sures to achieve effec­tive risk reduc­tion.

The doc­u­ments ref­er­enced below should give you a good start in under­stand­ing some of these chal­lenges.


5% Dis­count on All Stan­dards with code: CC2011

NOTE: [1], [2], and[3]  were com­bined by ISO and repub­lished as ISO 12100:2010. This stan­dard has no tech­ni­cal changes from the pre­ced­ing stan­dards, but com­bines them in a sin­gle doc­u­ment. ISO/TR 14121–2 remains cur­rent and should be used with the cur­rent edi­tion of ISO 12100.

[1]             Safe­ty of machin­ery – Basic con­cepts, gen­er­al prin­ci­ples for design – Part 1: Basic ter­mi­nol­o­gy and method­ol­o­gy, ISO Stan­dard 12100–1, 2003.
[2]            Safe­ty of machin­ery – Basic con­cepts, gen­er­al prin­ci­ples for design – Basic ter­mi­nol­o­gy and method­ol­o­gy, Part 2: Tech­ni­cal prin­ci­ples, ISO Stan­dard 12100–2, 2003.
[3]            Safe­ty of Machin­ery – Risk Assess­ment – Part 1: Prin­ci­ples, ISO Stan­dard 14121–1, 2007.
[4]            Safe­ty of machin­ery — Pre­ven­tion of unex­pect­ed start-up, ISO 14118, 2000
[5]            Con­trol of haz­ardous ener­gy – Lock­out and oth­er meth­ods, CSA Z460, 2005
[6]            Flu­id pow­er sys­tems and com­po­nents – Graph­ic sym­bols and cir­cuit dia­grams – Part 1: Graph­ic sym­bols for con­ven­tion­al use and data-pro­cess­ing appli­ca­tions, ISO Stan­dard 1219–1, 2006
[7]            Pneu­mat­ic flu­id pow­er — Gen­er­al rules and safe­ty require­ments for sys­tems and their com­po­nents, ISO Stan­dard 4414, 1998
[8]            Amer­i­can Nation­al Stan­dard for Indus­tri­al Robots and Robot Sys­tems — Safe­ty Require­ments, ANSI/RIA R15.06, 1999.
[9]            Safe­ty of machin­ery — Safe­ty-relat­ed parts of con­trol sys­tems — Part 1: Gen­er­al prin­ci­ples for design, ISO Stan­dard 13849–1, 2006
[10]          Safe­ty of machin­ery – Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems, IEC Stan­dard 62061, 2005
[11]           Func­tion­al safe­ty of electrical/electronic/programmable elec­tron­ic safe­ty-relat­ed sys­tems, IEC Stan­dard 61508-X, sev­en parts.
[12]          Prepa­ra­tion of Instruc­tions — Struc­tur­ing, Con­tent and Pre­sen­ta­tion, IEC Stan­dard 62079, 2001
[13]          Amer­i­can Nation­al Stan­dard For Prod­uct Safe­ty Infor­ma­tion in Prod­uct Man­u­als, Instruc­tions, and Oth­er Col­lat­er­al Mate­ri­als, ANSI Stan­dard Z535.6, 2010.
[14]          Con­trol of Haz­ardous Ener­gy Lockout/Tagout and Alter­na­tive Meth­ods, ANSI Stan­dard Z244.1, 2003.
[15]          Safe­ty of Machin­ery — Inter­lock­ing devices asso­ci­at­ed with guards — prin­ci­ples for design and selec­tion, EN 1088+A1:2008.
[16]          Safe­ty of Machin­ery — Guards — Gen­er­al require­ments for the design and con­struc­tion of fixed and mov­able guards, EN 953+A1:2009.
[17]          Safe­ty of machin­ery — Guards — Gen­er­al require­ments for the design and con­struc­tion of fixed and mov­able guards, ISO 14120.
[18]         Safe­ty of machin­ery — Safe­ty dis­tances to pre­vent haz­ard zones being reached by upper and low­er limbs, ISO 13857:2008.
[19]         Safe­ty of machin­ery — Posi­tion­ing of safe­guards with respect to the approach speeds of parts of the human body, ISO 13855:2010.

5% Dis­count on All Stan­dards with code: CC2011