The Hierarchy of Controls


  • 7/29/2019 The Hierarchy of Controls


    Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls.

    Figure 2 from ISO 12100-1 (shown below) illustrates this point.

    The system is called a hierarchy because you must apply each level in the order that they fall in the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, elimination, is the most effective, down to the last, PPE*, which has the least effectiveness.

    It's important to understand that questions must be asked after each step in the hierarchy is implemented, and they are: "Is the risk reduced as much as possible? Is the residual risk a) in compliance with legal requirements, and b) acceptable to the user or worker?" When you can answer YES to all of these questions, the last step is to ensure that you have warned the user of the residual risks, have identified the required training needed and finally have made recommendations for any needed PPE.

    *PPE: Personal Protective Equipment, e.g. protective eyewear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes "anything designed to be worn, held, or carried by an individual for protection against one or more hazards." in this definition.


    ISO 12100:2010 Figure 2

    Introducing the Hierarchy of Controls

    The Hierarchy of Controls was developed in a number of different standards over the last 20 years or so. The idea was to provide a common structure that would provide guidance to designers when controlling risk.

    Typically, the first three levels of the hierarchy may be considered to be engineering controls because they are part of the design process for a product. This does not mean that they must be done by engineers!

    We'll look at each level in the hierarchy in detail. First, let's take a look at what is included in the Hierarchy.


    The Hierarchy of Controls includes:

    1) Hazard Elimination or Substitution (Design)
    2) Engineering Controls (see [1, 2, 8, 9, 10, and 11])
        a) Barriers
        b) Guards (Fixed, Movable w/interlocks)
        c) Safeguarding Devices
        d) Complementary Protective Measures
    3) Information for Use (see [1, 2, 4, 7, 8, 12, and 13])
        a) Hazard Warnings
        b) Manuals
        c) HMI* & Awareness Devices (lights, horns)
    4) Administrative Controls (see [1, 2, 4, 5, 7, and 8])
        a) Training
        b) SOPs
        c) Hazardous Energy Control Procedures (see [5, 14])
        d) Authorization
    5) Personal Protective Equipment
        a) Specification
        b) Fitting
        c) Training in use
        d) Maintenance

    *HMI: Human-Machine Interface. Also called the console or operator station. The location on the machine where the operator controls are located. Often includes a programmable screen or operator display, but can be a simple array of buttons, switches and indicator lights.

    The manufacturer, developer or integrator of the system should provide the first three levels of the hierarchy. Where they have not been provided, the workplace or user should provide them.

    The last two levels must be provided by the workplace or user.

    Effectiveness

    Each layer in the hierarchy has a level of effectiveness that is related to the failure modes associated with the control measures and the relative effectiveness in reducing risk in that layer. As you go down the hierarchy, the reliability and effectiveness decrease as shown below.

    There is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy; that must wait until you make some selections from each level, and even then it can be very hard to do. The important thing to understand is that Elimination is more effective than Guarding (engineering controls), which is more effective than Awareness Means, etc.

    1. Hazard Elimination or Substitution

    Hazard Elimination

    Hazard elimination is the most effective means of reducing risk from a particular hazard, for the simple reason that once the hazard has been eliminated there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean the elimination is 100% effective, however it's my opinion that this is not the case because even elimination has failure modes that can reintroduce the hazard.

    Failure Modes:

    Hazard elimination can fail if the hazard is reintroduced into the design. With machinery this isn't that likely to occur, but in processes, services and workplaces it can occur.


    Substitution

    Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process, since beryllium is not toxic unless ingested.

    Alternatively, using processes to handle the beryllium without creating dust or particles could reduce the exposure to the material in forms that are likely to cause beryllium disease. An example of this could be substitution of water-jet cutting instead of mechanical sawing of the material.

    Failure Modes:

    Reintroduction of the substituted material into a process is the primary failure mode, however there may be others that are specific to the hazard and the circumstances. In the above example, pre- and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other, new hazards, or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!

    If neither elimination nor substitution is possible, we move to the next level in the hierarchy.

    2. Engineering Controls

    Engineering controls typically include various types of mechanical guards [16, 17, & 18], interlocking systems [9, 10, 11, & 15], and safeguarding devices like light curtains or fences, area scanners, safety mats and two-hand controls [19]. These systems are proactive in nature, acting automatically to prevent access to a hazard and therefore preventing injury. These systems are designed to act before a person can reach the danger zone and be exposed to the hazard.

    Control reliability


    Barrier guards and fixed guards are not evaluated for reliability because they do not rely on a control system for their effectiveness. As long as they are placed correctly in the first place, and are otherwise properly designed to contain the hazards they are protecting, then nothing more is required. On the other hand, safeguarding devices, like interlocked guards, light fences, light curtains, area scanners, safety mats, two-hand controls and safety edges, all rely on a control system for their effectiveness. Correct application of these devices requires correct placement based on the stopping performance of the hazard and correct integration of the safety device into the safety related parts of the control system [19]. The degree of reliability is based on the amount of risk reduction that is being required of the safeguarding device and the degree of risk present in the unguarded state [9, 10].

    There are many detailed technical requirements for engineering controls that I can't get into in this article, but you can learn more by checking out the references at the end of this article and other articles on this blog.

    Failure Modes

    Failure modes for engineering controls are as many and as varied as the devices used and the

    methods of integration chosen. This discussion will have to wait for another article!

    Awareness Devices

    Of special note are awareness devices. This group includes warning lights, horns, buzzers, bells, etc. These devices have some aspects that are similar to engineering controls, in that they are usually part of the machine control system, but they are also sometimes classed as information for use, particularly when you consider indicator or warning lights and HMI screens. In addition to these active types of devices, awareness devices may also include lines painted or taped on the floor or on the edge of a step or elevation change, warning chains, signage, etc. Signage may also be included in the class of information for use, along with HMI screens.

    Failure Modes

    Failure modes for Awareness Devices include:

    • Ignoring the warnings (Complacency or Failure to comprehend the meaning of the warning);
    • Failure to maintain the device (warning lights burned out or removed);
    • Defeat of the device (silencing an audible warning device);
    • Inappropriate selection of the device (invisible or inaudible in the predominating conditions).

    Complementary Protective Measures

    Complementary Protective measures are a class of controls that are separate from the various types of safeguarding because they generally cannot prevent injury, but may reduce the severity of injury or the probability of the injury occurring. Complementary protective measures are reactive in nature, meaning that they are not automatic. They must be manually activated by a user before anything will occur, e.g. pressing an emergency stop button. They can only complement the protection provided by the automatic systems.

    A good example of this is the Emergency Stop system that is designed into many machines. On its own, the emergency stop system will do nothing to prevent an injury. The system must be activated manually by pressing a button or pulling a cable. This relies on someone detecting a problem and realizing that the machine needs to be stopped to avoid or reduce the severity of an injury that is about to occur or is occurring. Emergency stop can only ever be a back-up measure to the automatic interlocks and safeguarding devices used on the machine. In many cases, the next step in emergency response after pressing the emergency stop is to call 911.

    Failure Modes:

    The failure modes for these kinds of controls are too numerous to list here, however they range from simple failure to replace a fixed guard or barrier fence, to failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called Functional Safety Engineering has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [9, 10, 11].

    Once you have exhausted all the possibilities in Engineering Controls, you can move to the next

    level down in the hierarchy.

    3. Information for Use

    This is a very broad topic, including manuals, instruction sheets, information labels on the product, hazard warning signs and labels, HMI screens, indicator and warning lights, training materials, video, photographs, drawings, bills of materials, etc. There are some excellent standards now available that can guide you in developing these materials [1, 12 and 13].


    Failure Modes:

    The major failure modes in this level include:

    • Poorly written or incomplete materials;
    • Provision of the materials in a language that is not understood by the user;
    • Failure by the user to read and understand the materials;
    • Inability to access the materials when needed;
    • Etcetera.

    When all possibilities for informing the user have been covered, you can move to the next level down in the hierarchy. Note that this is the usual separation point between the manufacturer and the user of a product. This is nicely illustrated in Fig 2 from ISO 12100 above. It is important to understand at this point that the residual risk posed by the product to the user may not yet be tolerable. The user is responsible for implementing the next two levels in the hierarchy in most cases. The manufacturer can make recommendations that the user may want to follow, but typically that is the extent of influence that the manufacturer will have on the user.

    4. Administrative Controls

    This level in the hierarchy includes:

    • Training;
    • Standard Operating Procedures (SOPs);
    • Safe working procedures, e.g. Hazardous Energy Control, Lockout, Tagout (where permitted by law), etc.;
    • Authorization; and
    • Supervision.

    Training is the method used to get the information provided by the manufacturer to the worker or

    end user. This can be provided by the manufacturer, by a third party, or self-taught by the user or

    worker.

    SOPs can include any kind of procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and logging of any problems found during the inspection is an example of an SOP to reduce risk while driving.

    Safe working procedures can be strongly influenced by the manufacturer through the information for use provided. Maintenance procedures for hazardous tasks provided in the maintenance manual are an example of this.


    Authorization is the procedure that an employer uses to authorize a worker to carry out a particular task. For example, an employer might put a policy in place that only permits licensed electricians to access electrical enclosures and carry out work with the enclosure live. The employer might require that workers who may need to use ladders in their work take a ladder safety and a fall protection training course. Once the prerequisites for authorization are completed, the worker is authorized by the employer to carry out the task.

    Supervision is one of the most critical of the Administrative Controls. Sound supervision can

    make all of the above work. Failure to properly supervise work can cause all of these measures

    to fail.

    Failure Modes

    Administrative controls have many failure modes. Here are some of the most common:

    • Failure to train;
    • Failure to inform workers regarding the hazards present and the related risks;
    • Failure to create and implement SOPs;
    • Failure to provide and maintain special equipment needed to implement SOPs;
    • No formal means of authorization, i.e. How do you KNOW that Joe has his lift truck license?;
    • Failure to supervise adequately.

    I'm sure you can think of MANY other ways that Administrative Controls can go wrong!

    5. Personal Protective Equipment (PPE)

    PPE includes everything from safety glasses, to hardhats and bump caps, to fire-retardant clothing, hearing defenders, and work boots. Some standards even include warning devices that are worn by the user, such as gas detectors and person-down detectors, in this group.

    PPE is probably the single most over-used and least understood risk control measure. It falls at the bottom of the hierarchy for a number of reasons:

    1. It is a measure of last resort;
    2. It permits the hazard to come as close to the person as their clothing;
    3. It is often incorrectly specified;
    4. It is often poorly fitted;
    5. It is often poorly maintained; and
    6. It is often improperly used.


    The problems with PPE are hard to deal with. You cannot glue or screw a set of safety glasses to a person's face, so ensuring that the protective equipment is used is a big problem that goes back to supervision.

    Many small and medium sized enterprises do not have the expertise in the organization to properly specify, fit and maintain the equipment.

    User comfort is extremely important. Uncomfortable equipment won't be used for long.

    Finally, by the time that properly specified, fitted and used equipment can do its job, the hazard

    is as close to the person as it can get. The probability of failure at this point is very high, which is

    what makes PPE a measure of last resort, complementary to the more effective measures that can

    be provided in the first three levels of the hierarchy.

    If workers are not properly trained and adequately informed about the hazards they face and the

    reasons behind the use of PPE, they are deprived of the opportunity to make safe choices, even if

    that choice is to refuse the work.

    Failure Modes

    Failure modes for PPE include:

    • Incorrect specification (not suitable for the hazard);
    • Incorrect fit (allows hazard to bypass PPE);
    • Poor maintenance (prevents or restricts vision or movement, increasing the risk; causes PPE failure under stress or allows hazard to bypass PPE);
    • Incorrect usage (failure to train and inform users, incorrect selection or specification of PPE).

    Time to Apply the Hierarchy

    So now you know something about the hierarchy of controls. Each layer has its own intricacies and nuances that can only be learned by training and experience. With a documented risk assessment in hand, you can begin to apply the hierarchy to control the risks. Don't forget to iterate the assessment post-control to document the degree of risk reduction achieved. You may create new hazards when control measures are applied, and you may need to add additional control measures to achieve effective risk reduction.


    The documents referenced below should give you a good start in understanding some of these

    challenges.

    References


    NOTE: [1], [2], and [3] were combined by ISO and republished as ISO 12100:2010. This standard has no technical changes from the preceding standards, but combines them in a single document. ISO/TR 14121-2 remains current and should be used with the current edition of ISO 12100.

    [1] Safety of machinery - Basic concepts, general principles for design - Part 1: Basic terminology and methodology, ISO Standard 12100-1, 2003.

    [2] Safety of machinery - Basic concepts, general principles for design - Basic terminology and methodology, Part 2: Technical principles, ISO Standard 12100-2, 2003.

    [3] Safety of Machinery - Risk Assessment - Part 1: Principles, ISO Standard 14121-1, 2007.

    [4] Safety of machinery - Prevention of unexpected start-up, ISO 14118, 2000.

    [5] Control of hazardous energy - Lockout and other methods, CSA Z460, 2005.

    [6] Fluid power systems and components - Graphic symbols and circuit diagrams - Part 1: Graphic symbols for conventional use and data-processing applications, ISO Standard 1219-1, 2006.

    [7] Pneumatic fluid power - General rules and safety requirements for systems and their components, ISO Standard 4414, 1998.

    [8] American National Standard for Industrial Robots and Robot Systems - Safety Requirements, ANSI/RIA R15.06, 1999.

    [9] Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design, ISO Standard 13849-1, 2006.

    [10] Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC Standard 62061, 2005.

    [11] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC Standard 61508-X, seven parts.

    [12] Preparation of Instructions - Structuring, Content and Presentation, IEC Standard 62079, 2001.

    [13] American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.

    [14] Control of Hazardous Energy - Lockout/Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.

    [15] Safety of Machinery - Interlocking devices associated with guards - principles for design and selection, EN 1088+A1:2008.

    [16] Safety of Machinery - Guards - General requirements for the design and construction of fixed and movable guards, EN 953+A1:2009.

    [17] Safety of machinery - Guards - General requirements for the design and construction of fixed and movable guards, ISO 14120.

    [18] Safety of machinery - Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857:2008.

    [19] Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855:2010.