Understanding the Hierarchy of Controls

Last updated on June 14th, 2024 at 06:03 pm by Douglas Nix

(Eds. note: This article was originally written in 2011 and was updated in Nov. 2018 and again in 2024.)


The “Hierarchy of Controls” is one approach to risk reduction that has become entrenched in the Occupational Health and Safety (OHS) sector. There are other approaches to risk reduction which are equally effective but less rigidly structured. If you want to know more about those approaches, I recommend you visit Dr. Sidney Dekker’s site, “Safety Differently,” Dr. Robert Long’s site, “Human Dymensions,” or Dr. Todd Conklin’s “Pre-Accident Investigations.” None of these approaches is wrong. Any approach that results in effectively reducing the risk for the people at the “sharp end of the stick” is a worthy approach. Onward.

Take note that ISO 12100 [1] is currently being revised. A new edition with changes and improvements should be expected in 2025.


TL;DR

The “Hierarchy of Controls” is a key strategy in machinery risk reduction. Developed over the past 20 years, it is prominently featured in ISO 12100, and in CSA Z432 [2] and ANSI B11.0 [3]. In North America, this hierarchy consists of five levels of controls applied in a specific order to maximize risk reduction. The most effective measure is “Inherently Safe Design,” which involves eliminating or substituting hazards. If this is not possible, “Engineering Controls” such as guards and interlocks are employed to prevent access to hazards. Next, “Information for Use” includes warnings, manuals, and training materials. “Administrative Controls” follow, involving training, procedures, and supervision to ensure safety. Lastly, “Personal Protective Equipment” (PPE) is used as a last resort when all other measures are insufficient. PPE includes items like safety glasses, hard hats, and gloves, but its effectiveness is limited due to potential misapplication and maintenance issues. Internationally and in the EU, the ISO hierarchy, which is limited to the first three levels mentioned previously, is used. The hierarchy is essential in systematic risk mitigation, aiming to make work environments safer by addressing hazards at their source and protecting workers through multiple layers of controls. For comprehensive risk reduction, it is vital to revisit and iterate the assessment to ensure all residual risks are minimized, and that new hazards that may have been introduced since the original risk assessment was done have been accounted for.



The first step: Risk Assessment

Risk assessment is the first step in reducing the risk that your customers and users are exposed to when they use your products. The second step is Risk Reduction, sometimes called Risk Control or Risk Mitigation. This article looks at the ways that risk can be controlled using the Hierarchy of Controls. Figure 2 from ISO 12100 [1] (reproduced below as Figure 1) illustrates this point.

The system is called a hierarchy because you must apply each level in the order in which they appear on the list. In terms of effectiveness at reducing risk, the first level in the hierarchy, inherently safe design including elimination and substitution of hazards, is the most effective, down to the last, PPE*, which is the least effective.

*PPE – Personal Protective Equipment. e.g., Protective eyewear, safety boots, bump caps, hard hats, clothing, gloves, respirators, etc. CSA Z1002 includes “…anything designed to be worn, held, or carried by an individual for protection against one or more hazards” in this definition.

It’s important to understand that questions must be asked after each step in the hierarchy is implemented, including:

  • Is the risk reduced as much as possible?
  • Is the residual risk,
    • in compliance with legal requirements, and
    • acceptable to the user or worker?

When you can answer ‘YES’ to all of these questions, the last step is to ensure that you have warned the user of the residual risks, identified the required training, and finally, made recommendations for any needed PPE.

Risk Reduction from the Designer's Viewpoint
Figure 1 – The Risk Reduction Process [1, Fig.2]

Introducing the Hierarchy of Controls

The Hierarchy of Controls has been developed into several different standards over the last twenty years or so, with ISO 12100 [1] emerging as the leading International standard. The idea was to provide a common structure that would guide designers when controlling risk.

Typically, the first three levels of the hierarchy may be considered to be ‘engineering controls’ because they are part of the design process for a product. This does not mean that they must be done by engineers!

We’ll examine each level in the hierarchy in detail. First, let’s examine what is included in the Hierarchy.

The Hierarchy of Controls includes:

  1. Inherently Safe Design, including Hazard Elimination or Substitution (Design)
  2. Engineering Controls (see [1, 2, 8, 9, 10, and 11])
    • Barriers
    • Guards (Fixed, Adjustable, Movable w/interlocks)
    • Safeguarding Devices (e.g., interlocking devices, two-hand controls, pressure-sensitive mats and edges, type 2 and type 4 light curtains, area scanners, radar scanners, and vision-based protective devices, etc.)
    • Complementary Protective Measures (e.g., emergency stop systems, measures for
      • the escape and rescue of trapped persons,
      • isolation and energy dissipation,
      • easy and safe handling of machines and their heavy component parts, and
      • safe access to machinery, etc.
  3. Information for Use (see [1, 2, 4, 7, 8, 12, and 13])
    • Hazard Warnings
    • Manuals
    • HMI* & Awareness Devices (lights, horns)
  4. Administrative Controls (see [1, 2, 4, 5, 7, and 8])
    • Training
    • Standard Operating Procedures (SOPs),
    • Hazardous Energy Control Procedures (HECP) (see [5, 14]),
    • Work authorization or permits
  5. Personal Protective Equipment
    • Specification
    • Fitting
    • Training in use and maintenance

*HMI—Human-Machine Interface. Also called the ‘console’ or ‘operator station’, this is the location on the machine where the operator controls are located. It often includes a programmable screen or operator display, but it can also be a simple array of buttons, switches, and indicator lights.

The system manufacturer, developer, or integrator can usually provide only the first three levels of the hierarchy, as they do not normally have control over the workplace where the system equipment is used. Where they have not been provided, the workplace or user should provide them.

The last two levels must be provided by the workplace or user.

Effectiveness

Each layer in the hierarchy has a level of effectiveness related to the failure modes associated with the control measures and the relative effectiveness in reducing risk in that layer. As you go down the hierarchy, reliability and effectiveness decrease, as shown in Fig. 2 below.

The Hierarchy of Controls illustrated as an inverted triangle with each level of the hierarchy written one above the other, starting with Inherently Safe Design, then Engineering Controls, then Information for Use, then Administrative Controls and finally descending to PPE at the bottom. An arrow with the text "Effectiveness" on it runs parallel to the triangle and points downward from Inherently Safe Design to PPE.
Figure 2 – The Hierarchy of Controls

There is no way to measure or specifically quantify the reliability or effectiveness of each layer of the hierarchy—that must wait until you make some selections from each level, and even then, it can be hard to do. The important thing to understand is that Inherently Safe Design measures will be more effective than Guarding (engineering controls), which is more effective than Information for Use, etc.

1. Inherently Safe Design

The top level of the Hierarchy and the starting point in every effort to reduce risk is Inherently Safe Design. This level is more effective because the word “inherently” indicates that these control measures are baked into the design. Removing these control measures is, therefore, impossible without permanently damaging or destroying the product. For example, removing sharp corners by radiusing the corners during manufacturing is effectively irreversible. This level of the hierarchy includes:

  • Consideration of geometrical factors and physical aspects (travelling and working areas of mobile machines, zones of movement, the contact area with the user, form and relative location of mechanical components, etc.);
  • Taking into account general technical knowledge of machine design (mechanical stresses, material properties, emission values for noise, vibration, radiation, or toxic materials);
  • Choice of appropriate technology;
  • Applying the principle of positive mechanical action;
  • Provisions for stability;
  • Provisions for maintainability;
  • Observation of ergonomic principles;
  • Electrical Hazards;
  • Fluidic (Hydraulic & Pneumatic) Hazards;
  • Inherently safe design principles for control systems (includes the use of ISO 13849, IEC 62061, IEC 61511, or IEC 61508 family standards);
  • Switching on internal or external power sources;
  • Starting and stopping of mechanisms;
  • The behaviour of the machinery when power sources are interrupted;
  • Use of automatic monitoring;
  • Safety functions implemented in programmable control systems (includes the use of ISO 13849, IEC 62061, IEC 61511, or IEC 61508 family standards);
  • Principles related to manual control;
  • Control modes for setting, teaching, process changeover, fault-finding, cleaning or maintenance;
  • Selection of control and operating modes;
  • Applying measures to achieve electromagnetic compatibility (EMC);
  • Provision of diagnostic systems to aid fault-finding;
  • Minimizing the probability of failure of safety functions;
  • Limiting exposure to hazards through reliability of equipment;
  • Limiting exposure to hazards through mechanization or automation of loading (feeding)/ unloading (removal) operations;
  • Limiting exposure to hazards through the location of setting and maintenance points outside danger zones.

The preceding list comes from the headings in ISO 12100, chapter 6.2. [1, 6.2] includes much more detail on the types of measures that can be used to reduce risk using inherently safe design measures. I strongly recommend that all machinery designers, including mechanical and control systems designers, have a copy of ISO 12100 at hand while doing their design work.

The older definition of the first level of the hierarchy only included hazard elimination and hazard substitution. These are still valid ways to reduce risk, but they have some specific failure modes that are worth discussing.

Hazard elimination is the most effective means of reducing risk from a particular hazard for the simple reason that once the hazard has been eliminated, there is no remaining risk. Remember that risk is a function of severity and probability. Since both severity and probability are affected by the existence of the hazard, eliminating the hazard reduces the risk from that particular hazard to zero. Some practitioners consider this to mean the elimination is 100% effective. However, it’s my opinion that this is not the case because even elimination has failure modes that can re-introduce the hazard.

Failure Modes:

Hazard elimination can fail if the hazard is reintroduced into the design. With machinery, this isn’t that likely to occur, but in processes, services and workplaces, it can occur.

Substitution

Substitution requires the designer to substitute a less hazardous material or process for the original material or process. For example, beryllium is a highly toxic metal that is used in some high-tech applications. Inhalation or skin contact with beryllium dust can do serious harm to a person very quickly, causing acute beryllium disease. Long-term exposure can cause chronic beryllium disease. Substituting a less toxic material with similar properties in place of the beryllium in the process could reduce or eliminate the possibility of beryllium disease, depending on the exact content of the substitute material. If the substitute material includes any amount of beryllium, then the risk is only reduced. If it contains no beryllium, the risk is eliminated. Note that the risk can also be reduced by ensuring that the beryllium dust is not created by the process since beryllium is not toxic unless ingested.

Alternatively, using processes to handle the beryllium without creating dust or particles could reduce the exposure to the material in forms that are likely to cause beryllium disease. An example of this could be the substitution of water-jet cutting instead of mechanical sawing of the material.

Failure Modes:

Reintroduction of the substituted material into a process is the primary failure mode, however, there may be others that are specific to the hazard and the circumstances. In the above example, pre- and post-cutting handling of the material could still create dust or small particles, resulting in exposure to beryllium. A substituted material might introduce other new hazards or might create failure modes in the final product that would result in risks to the end user. Careful consideration is required!

If neither elimination nor substitution is possible, we move to the next level in the hierarchy.

2. Engineering Controls

Engineering controls typically include various types of mechanical guards [19, 20, 21], interlocking systems [10-14 & 19], and safeguarding devices like light curtains or fences, area scanners, safety mats and two-hand controls. These systems are proactive in nature, acting automatically to prevent access to a hazard and, therefore, preventing injury. These systems are designed to act before a person can reach the danger zone and be exposed to the hazard and, therefore reduce risk by preventing access to the hazard(s).

Functional Safety

Functional safety is sometimes called “control reliability.” Functional safety is the characteristic of a safety system that allows it to operate correctly in response to its inputs under the intended conditions of use. Barrier guards and fixed guards are not evaluated for reliability because they do not rely on a control system for their effectiveness. As long as they are located correctly in the first place, and are otherwise properly designed to contain the hazards they are protecting, then nothing more is required. On the other hand, safeguarding devices, like interlocked guards, light fences, light curtains, area scanners, safety mats, two-hand controls and safety edges, all rely on a control system for their effectiveness. Correct application of these devices requires correct placement based on the stopping performance of the hazard and correct integration of the safety device into the safety-related parts of the control system [11, 12, 13 & 14]. The degree of reliability is based on the amount of risk reduction that is required of the safeguarding device and the degree of risk present in the unguarded state [1, 2, 3, 11, 13, 14].

There are many detailed technical requirements for engineering controls that I can’t get into in this article, but you can learn more by checking out the references at the end of this article and other articles on this blog. If you are interested in learning more, I teach an online course on the topic called Functional Safety 101.

Failure Modes

Failure modes for engineering controls are as many and as varied as the devices used and the methods of integration chosen. This discussion will have to wait for another article!

Awareness Devices

Of special note are “awareness devices.” This group includes warning lights, horns, buzzers, bells, etc. These devices have some aspects that are similar to engineering controls, in that they are usually part of the machine control system, but they are also sometimes classed as ‘information for use’, particularly when you consider indicator or warning lights and HMI screens. In addition to these ‘active’ types of devices, awareness devices may also include lines painted or taped on the floor or on the edge of a step or elevation change, warning chains, signage, etc. Signage may also be included in the class of ‘information for use’, along with HMI screens.

Failure Modes

Failure modes for Awareness Devices include:

  • Ignoring the warnings (Complacency or Failure to comprehend the meaning of the warning);
  • Failure to maintain the device (warning lights burned out or removed);
  • The defeat of the device (silencing an audible warning device by disconnection, stuffing foam into a horn, etc.);
  • Inappropriate selection of the device (invisible or inaudible in the predominating conditions).

Complementary Protective Measures

Complementary Protective measures are a class of controls that are separate from the various types of safeguarding because they generally cannot prevent injury but may reduce the severity of an injury or the probability of the injury occurring. Complementary protective measures are reactive in nature, meaning that they are not automatic. They must be manually activated by a user before anything will occur, e.g. pressing an emergency stop button. They can only complement the protection provided by automatic systems.

A good example of this is the Emergency Stop system that is designed into many machines. On its own, the emergency stop system will do nothing to prevent an injury. The system must be activated manually by pressing a button or pulling a cable. This relies on someone detecting a problem and realizing that the machine needs to be stopped to avoid or reduce the severity of an injury that is about to occur or is occurring. The emergency stop can only ever be a backup measure to the automatic interlocks and safeguarding devices used on the machine. In many cases, the next step in emergency response after pressing the emergency stop is to call 911. To learn more about emergency stop functions, see my series on this topic.

Failure Modes:

The failure modes for these kinds of controls are too numerous to list here; however, they range from simple failure to replace a fixed guard or barrier fence to the failure of electrical, pneumatic or hydraulic controls. These failure modes are enough of a concern that a new field of safety engineering called ‘Functional Safety Engineering’ has grown up around the need to be able to analyze the probability of failure of these systems and to use additional design elements to reduce the probability of failure to a level we can tolerate. For more on this, see [11, 12, 13, 14].

Once you have exhausted all the possibilities in Engineering Controls, you can move to the next level down in the hierarchy.

3. Information for Use

This is a very broad topic, including manuals, instruction sheets, information labels on the product, hazard warning signs and labels, HMI screens, indicator and warning lights, training materials, videos, photographs, drawings, bills of materials, etc. Some excellent standards now available can guide you in developing these materials [1, 2, 3, 15 & 16]. To learn more about hazard warning labels, see our series on this topic. To learn more about Information for Use, see this article.

Failure Modes:

The major failure modes at this level include:

  • Poorly written or incomplete materials;
  • Provision of the materials in a language that is not understood by the user;
  • Failure by the user to read and understand the materials;
  • Inability to access the materials when needed;
  • Etc.

When all possibilities for informing the user have been covered, you can move to the next level down in the hierarchy. Note that this is the usual separation point between the manufacturer and the user of a product. This is nicely illustrated in Fig. 1 [1, Fig. 2] above. It is important to understand at this point that the residual risk posed by the product to the user may not yet be tolerable. The user is responsible for implementing the next two levels in the hierarchy in most cases. The manufacturer can make recommendations that the user may want to follow, but typically that is the extent of influence that the manufacturer will have on the user.

4. Administrative Controls

This level in the hierarchy includes:

  • Training;
  • Standard Operating Procedures (SOPs);
  • Safe working procedures e.g. Hazardous Energy Control Procedures (HECP), Lockout, Tagout (where permitted by law), etc.;
  • Authorization; and
  • Supervision.

Training is the method used to get the information provided by the manufacturer to the worker or end user. This can be provided by the manufacturer, by a third party, or self-taught by the user or worker.

SOPs can include any procedure instituted by the workplace to reduce risk. For example, requiring workers who drive vehicles to do a walk-around inspection of the vehicle before use, and to log any problems found during the inspection, is an SOP intended to reduce risk while driving.

The manufacturer can strongly influence safe working procedures through the information provided for use. Maintenance procedures for hazardous tasks provided in the maintenance manual are an example of this.

Authorization is the procedure that an employer uses to authorize a worker to carry out a particular task. For example, an employer might put a policy in place that only permits licensed electricians to access electrical enclosures and carry out work with the enclosure live. The employer might require that workers who may need to use ladders in their work take a ladder safety and fall protection training course. Once the prerequisites for authorization are completed, the worker is ‘authorized’ by the employer to carry out the task.

Supervision is one of the most critical of the Administrative Controls. Sound supervision can make all of the above work. Failure to properly supervise work can cause all of these measures to fail.

Failure Modes

Administrative controls have many failure modes. Here are some of the most common:

  • Failure to train;
  • Failure to inform workers regarding the hazards present and the related risks;
  • Failure to create and implement SOPs;
  • Failure to provide and maintain the special equipment needed to implement SOPs;
  • No formal means of authorization – i.e., How do you KNOW that Joe has his lift truck license?;
  • Failure to supervise adequately.

I’m sure you can think of MANY other ways that Administrative Controls can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes everything from protective eyewear to hard hats and bump caps to fire-retardant clothing, hearing defenders, and protective footwear. Some standards even include warning devices that are worn by the user, such as gas detectors and person-down detectors, in this group.

PPE is probably the single most over-used and least understood risk control measure. It falls at the bottom of the hierarchy for a number of reasons:

  1. It is a measure of last resort;
  2. It permits the hazard to come as close to the person as the PPE;
  3. It is often incorrectly specified;
  4. It is often poorly fitted;
  5. It is often poorly maintained; and
  6. It is often improperly used.

The problems with PPE are hard to deal with:

  • You cannot glue or screw a set of protective eyewear to a person’s face, so ensuring the protective equipment is used is a big problem that goes back to training.
  • Many small and medium-sized enterprises lack the organizational expertise to specify, fit, and maintain the equipment properly.
  • User comfort is extremely important. Uncomfortable equipment won’t be used for long.
  • Finally, when properly specified, fitted and used so the equipment can do its job, the hazard is as close to the person as it can get. The probability of failure at this point is very high, which is another reason why PPE is considered a measure of last resort, complementary to the more effective measures that can be provided in the first three levels of the hierarchy.
  • If workers are not properly trained and adequately informed about the hazards they face and the reasons behind using PPE, they are deprived of the opportunity to make safe choices, including the right to refuse work.

Failure Modes

Failure modes for PPE include:

  • Incorrect specification (e.g., not suitable for the hazard);
  • Incorrect fit (i.e., allows hazard to bypass PPE);
  • Poor maintenance (e.g., prevents or restricts vision or movement, increasing the risk; causes PPE failure under stress or allows hazard to bypass PPE), or introduces new hazards (i.e., shared PPE is a vehicle for transferring biological hazard from one person to another);
  • Incorrect usage (e.g., failure to train and inform users, incorrect selection or specification of PPE).

Time to Apply the Hierarchy

So now you know something about the ‘hierarchy of controls’. Each layer has its own intricacies and nuances that can only be learned by training and experience. With a documented risk assessment in hand, you can begin to apply the hierarchy to control the risks. Don’t forget to iterate the assessment post-control to document the degree of risk reduction achieved. You may create new hazards when control measures are applied, and you may need to add additional control measures to achieve effective risk reduction.

The documents referenced below should give you a good start in understanding some of these challenges.


References

[1] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. Geneva: International Organization for Standardization (ISO). 2010.

[2] Safeguarding of Machinery, CSA Z432. Toronto: Canadian Standards Association (CSA). 2023.

[3] American National Standard Safety of Machinery — General Requirements and Risk Assessment, ANSI B11.0. New York: American National Standards Institute (ANSI). 2020.

[4] Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods, ISO/TR 14121-2. Geneva: International Organization for Standardization (ISO). 2012.

[5] Safety of machinery — Prevention of unexpected start-up, ISO 14118. Geneva: International Organization for Standardization (ISO). 2017.

[7] Control of hazardous energy — Lockout and other methods, CSA Z460. Toronto: Canadian Standards Association (CSA). 2013.

[8] Fluid power systems and components — Graphic symbols and circuit diagrams — Part 1: Graphic symbols for conventional use and data-processing applications, ISO 1219-1. Geneva: International Organization for Standardization (ISO). 2012.

[9] Pneumatic fluid power — General rules and safety requirements for systems and their components, ISO 4414. Geneva: International Organization for Standardization (ISO). 2010.

[10] American National Standard for Industrial Robots and Robot Systems — Safety Requirements, ANSI/RIA R15.06. New York: American National Standards Institute (ANSI). 2012.

[11] Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design, ISO 13849-1. Geneva: International Organization for Standardization (ISO). 2023.

[12] Safety of machinery — Safety-related parts of control systems — Part 2: Validation, ISO 13849-2. Geneva: International Organization for Standardization (ISO). 2012. (Under revision)

[13] Safety of machinery — Functional safety of safety-related electrical, electronic and programmable electronic control systems, IEC 62061. Geneva: International Electrotechnical Commission (IEC). 2021+AMD1:2024.

[14] Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC 61508, seven parts. Geneva: International Electrotechnical Commission (IEC). 2010. (Under revision)

[15] Safety of machinery — Instruction handbook — General drafting principles, ISO 20607. Geneva: International Organization for Standardization (ISO). 2019.

[16] American National Standard for Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Z535.6. New York: American National Standards Institute (ANSI). 2023.

[17] Control of Hazardous Energy Lockout/Tagout and Alternative Methods, ANSI/ASSP Z244.1. New York: American National Standards Institute (ANSI). 2016 (R2020).

[18] Safety of machinery — Prevention of unexpected start-up, ISO 14118. Geneva: International Organization for Standardization (ISO). 2017.

[19] Safety of machinery — Interlocking devices associated with guards — Principles for design and selection, ISO 14119. Geneva: International Organization for Standardization (ISO). 2013. (Under revision)

[20] Safety of machinery — Guards — General requirements for the design and construction of fixed and movable guards, ISO 14120. Geneva: International Organization for Standardization (ISO). 2015.

[21] Safety of machinery — Safety distances to prevent hazard zones being reached by upper and lower limbs, ISO 13857. Geneva: International Organization for Standardization (ISO). 2019.

[22] Safety of machinery — Positioning of safeguards with respect to the approach speeds of parts of the human body, ISO 13855. Geneva: International Organization for Standardization (ISO). 2010. (Under revision)

© 2011 – 2024, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

7 thoughts on “Understanding the Hierarchy of Controls”

  1. Hi Doug,
    From my point of view, your articles are ones of the most interesting and well explained I have ever found. My compliments.
    Below is an excerpt from your article on which I would like to share a point of view of mine.

    “The emergency stop can only ever be a backup measure to the automatic interlocks and safeguarding devices used on the machine.”

    Next is an interpretation on the Emergency Stop on which I would kindly ask your opinion. The objective is to determine what Functional Safety requirements the “emergency scenario” affects, i.e., how the Safe Stop and Emergency Stop functions differ in terms of both behavioral and reliability requirements.

    To do this, I assumed to evaluate a mishap scenario by analyzing the behavior of typical hazard components (hazard triangle) and the Hazard – Mishap transition and the definition of Risk.
    Hazard components:
    1) HS: Hazard Source
    2) IMs: Initiating mechanisms (IM1……..IMn)
    3) TTO (Target Threat Outcome).

    Mishap Risk = R = S_mishap * P_mishap
    S_mishap = Mishap Severity (according to one of the relevant definitions i.e. ISO/TR 14121-2 or UN EN ISO 13849-1 etc)
    P_mishap = P(HS)*P(IM1)*…..*P(IMm)

    If I consider the Emergency Stop to be a backup of the Safe Stop function on door opening (door interlock), from the moment it fails to prevent the accident, due to a fault or misbehavior of the operator or tampering, an “emergency scenario” is determined in which the state of hazard or even the occurrence of the mishap (i.e. operator gets involved by the dangerous movement) that had been mitigated by the Safe Stop function is reconstituted.
    Under such de facto conditions, the risk assessment that must mitigate Emergency Stop function remains the same as that made for the Safe Stop function, i.e., the risk profile of the dangerous axis is the same in the two cases.
    What does change, however, is the “behavioral” requirement of the Safe Stop and Emergency Stop functions e.g. the stopping times are more restrictive in the Emergency Stop given the proximity or involvement of the operator on the hazardous axis and the Stop Category. For the latter, a Cat 0 might be sufficient for the Safe Stop while a Cat 1 would be required for the Emergency Stop.

    The above is summarized in more detailed terms below:

    Initial Hazard Scenario -> to be mitigated with Door Interlock -> Safe Stop
    P_mishap = P(dangerous movement) * P(operator near movement) * P(operator error)
    Severity = S2
    R = S2 * P_mishap

    Mitigated Hazard Scenario
    P_mishap = P(dangerous movement) * P(operator near movement) * P(operator error) * P(fail safe stop function on door opening)

    If the safety function fails, P(fail safe stop function on door opening) = 1, then P_mishap increases and returns to the pre-mitigation value. In this situation, the E-Stop function will have to provide mitigation of the initial risk.

    What changes in the emergency situation is the “behavioral” requirement of the stop function, since in that scenario, in the worst case, the operator is involved on the axis and the accident is in progress.
    For example:

    1) Safe stop (door opening): stop in Cat 0 with stop time x, PL = d

    2) Emergency stop: stop in Cat 1 with stop time x/10, PL = d

    -> PL identical

    Do you agree with this point of view?

    Thanks in advance for your reply

    1. Hi Paolo,

      Thank you for your comment; you are very kind.

      You pose an interesting question. First, we must remember that ISO 13850 sets the PLmin = c, so it cannot be less than this. Next, we must consider one of the key ways interlock functions differ from emergency stop functions. In the case of an interlock, the safety function is required to operate automatically and “unseen.” When the guard is opened, the interlock safety function must generate a stop command immediately with no conscious act on the user’s part other than opening the guard.

      On the other hand, an emergency stop safety function is a “complementary protective measure,” which means it must “complement” the primary safeguards, in this case, the interlocking safety function. The phrase “complementary protective measure” is not precise even to native English speakers. In English, “complement” can be used as a verb. When used this way, it means to “add to (something) in a way that enhances or improves it; make perfect.” So, it is not the primary safeguard, and in fact, it is not a safeguard at all. As you said in your comment, it is a backup in case something unforeseen occurs. Additionally, it requires an intentional action by a person.

      The interlocking function reduces the risk created by the hazard. In your example, you said that the interlock meets PL=d. So, that means that we have done an FMEA or an FMEDA and determined that we can meet a DCavg of at least MEDIUM (90% ≤ DC < 99%), and the PFH will fall in the range between 10^-6 and 10^-7 per hour. This is to say that the failure modes of the interlock should be well understood. However, the process itself may have other failure modes that may be unforeseen and which cannot be controlled by the guard interlocking safety function.

      During the control system’s 20-year mission, this failure rate yields between 0.168 and 0.0168 failures during mission time, assuming three shifts per day, 7 days per week, and 50 weeks per year for 20 years. Fewer usage hours would further reduce the number of failures over the mission time. So, if the safety function fails because of an unforeseen condition, the emergency stop function could be called upon to reduce or limit the harm. First, a person would need to perceive the failure and then activate the emergency stop system.

      In the case you describe, PL=c should be adequate. However, a higher PL might be required when no other safety functions are provided on the machine, e.g., some testing machines or other simple machines. That determination must be made based on the risk assessment.

      Concerning the stop categories, the emergency stop should be Category 0 or 1, while the guard interlock could be Category 0, 1, or 2. The guard interlock must deal with the process without damaging the machine. Depending on the stopping characteristics of the load, Category 1 is the most common, but the other two are possible. Category 2 is only permitted for an emergency stop function under specific conditions since one of the basic requirements for an emergency stop function is the removal of power from the machine actuators. A good engineering rationale for the use of Category 2 would be needed to justify its use.
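The arithmetic in the exchange above can be checked directly. The following Python is an added example, not code from the original post or either commenter: it reproduces the mission-time expected-failure figure from the reply (PFH between 10^-7 and 10^-6 per hour for PL d, over 20 years of three 8-hour shifts, 7 days a week, 50 weeks a year) and Paolo's product-of-probabilities mishap model, showing how the mitigated risk collapses back to the unmitigated value once P(fail safe stop function) = 1. The PL-to-PFH bands are the ranges from ISO 13849-1 Table 3; the event probabilities in the scenario are constructed sample values, not figures from the page, and using the expected number of failures over the mission as a per-mission failure probability is an approximation that only holds while that number is small.

```python
"""Added example: mission-time failure figures and the mishap-risk model
from the comment thread above. Not the post's own code."""

from dataclasses import dataclass

# PFH bands per ISO 13849-1 Table 3 (average probability of dangerous
# failure per hour): lower bound inclusive, upper bound exclusive.
PL_BANDS = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}


def pl_from_pfh(pfh):
    """Return the Performance Level letter whose PFH band contains pfh."""
    for pl, (lo, hi) in PL_BANDS.items():
        if lo <= pfh < hi:
            return pl
    raise ValueError(f"PFH {pfh:g} lies outside the ISO 13849-1 PL bands")


def mission_hours(shifts_per_day=3, hours_per_shift=8, days_per_week=7,
                  weeks_per_year=50, years=20):
    """Operating hours over the mission time (defaults are the reply's usage assumptions)."""
    return shifts_per_day * hours_per_shift * days_per_week * weeks_per_year * years


def expected_failures(pfh, hours):
    """Expected number of dangerous failures over `hours` of operation = PFH * hours."""
    return pfh * hours


def pl_failure_range(pl, hours):
    """(min, max) expected dangerous failures over `hours` for the PFH band of `pl`."""
    lo, hi = PL_BANDS[pl]
    return expected_failures(lo, hours), expected_failures(hi, hours)


@dataclass
class MishapScenario:
    """Paolo's hazard-triangle model: P_mishap is the product of the hazard
    source probability and each initiating mechanism's probability."""
    severity: int                 # S1 or S2 per ISO 13849-1
    p_dangerous_movement: float   # P(HS)
    p_operator_near: float        # P(IM1)
    p_operator_error: float       # P(IM2)

    def p_mishap(self, p_safeguard_fails=1.0):
        """Mishap probability. p_safeguard_fails=1.0 models no safeguard, or a
        failed one, so the result equals the unmitigated value."""
        return (self.p_dangerous_movement * self.p_operator_near
                * self.p_operator_error * p_safeguard_fails)

    def risk(self, p_safeguard_fails=1.0):
        """R = S_mishap * P_mishap."""
        return self.severity * self.p_mishap(p_safeguard_fails)


if __name__ == "__main__":
    hours = mission_hours()
    lo, hi = pl_failure_range("d", hours)
    print(f"mission hours: {hours}")
    print(f"PL d expected dangerous failures over mission: {lo:.4f} .. {hi:.4f}")

    # Constructed sample probabilities (not from the page).
    scenario = MishapScenario(severity=2, p_dangerous_movement=0.5,
                              p_operator_near=0.2, p_operator_error=0.1)
    # Approximation: use the upper-bound expected failures over the mission
    # as the probability that the PL d interlock fails during the mission.
    print(f"unmitigated risk        R = {scenario.risk():.4f}")
    print(f"mitigated by interlock  R = {scenario.risk(p_safeguard_fails=hi):.6f}")
    print(f"interlock failed (P=1)  R = {scenario.risk(p_safeguard_fails=1.0):.4f}")
```

Running it prints 168000 mission hours and 0.0168 .. 0.1680 expected dangerous failures for PL d, the same figures as the reply; the last two lines show the point of Paolo's summary, that with the safeguard failed the risk returns to the initial value and whatever remains must be carried by the emergency stop.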

  2. Dear Doug,

    Thanks for all the knowledge you share on your site, it’s a goldmine.

    I’m wondering whether lower Layers can functionally replace higher Layers on the inverted pyramid “Hierarchy of Controls”:

    Top layer = Inherently safe design
    2nd layer = Safeguarding

    Bottom layer = PPE

    I’ll explain with an example:

    A work zone, where people are allowed to introduce foreign objects in the course of their work, has a rotating frame which should be moving only when the zone is absolutely empty so as to avoid crushing danger. Therefore, START condition is:
    – No persons
    – No foreign objects

    The Top Layer measure is to seek “Inherently safe design” but it’s impossible without detection of Foreign objects.

    Therefore we use the 2nd Layer measure “Safeguarding”: a full-size AOPD (with related safety logics and drive control) covers the whole zone at ground level and detects both Persons and Foreign objects, thus realizing the required interlocking.

    So, we have satisfied the safety requirements by using a low-layer solution, since the high-layer measures were not enough.

    Does it mean that we can ignore the requirements of “Inherently safe design”, such as ISO 13854 (safety gaps to avoid crushing) which would apply if the zone was always free of Foreign objects? Can we make the zone narrow with potential crushing spots and rely on our AOPD only?

    In other words, on the inverted pyramid “Hierarchy of Controls”, shall we implement ALL layers starting from Top until the requirements are reached, or can we “drop” the previous layers if it is shown that the lower Layer is doing all the job alone?

    Many thanks,
    Sylvestre

    1. Hi Sylvestre,

      There are a few schools of thought when it comes to risk mitigation measures. In the machinery sector, the convention is that all applicable measures at each level in the hierarchy must be applied before you can move down the hierarchy to the next level. You can see this clearly in ISO 12100:2010, Fig. 2, “Risk reduction process from point of view of designer.” This approach is used because the levels are placed in descending order of reliability, i.e., inherently safe design measures are more reliable than engineering controls, which are more reliable than information for use. PPE is at the bottom of the hierarchy because it relies on several very fallible requirements being met: the PPE must be selected appropriately, it must be correctly fitted, and it must be used. All you need to do is walk into many manufacturing plants to see people walking around with their protective eyewear on the top of their heads to know how hard it is to ensure that people use their PPE when it’s needed.

      ISO standards are written for product designers and manufacturers, leaving the workplace requirements, like safe working procedures, training, and provision of PPE, to the employer. This approach is used because workplace safety regulations vary widely around the world, and in all cases are regulated by national or regional legislation.

      Another school of thought holds that manufacturers must simply apply every possible means of risk reduction to a product design, so a rigid hierarchy is not needed. Just do it all.

      I recommend that you buy a copy of ISO 12100:2010 and read clause 6. That clause lays out all of the various risk reduction methods that are used in machinery. You’ll find that inherently safe design is a much broader aspect of machine design than is described in your example. For example, if the electrical system is designed and tested according to IEC 60204-1, then you have applied inherently safe design measures to the electrical system. If you have safety functions that rely on the control system, like safety mats for example, and you have followed ISO 13849 in designing the safety functions, then you have applied inherently safe design measures to the safety-related parts of the control system. I could give more examples, but you get the idea.

      If your idea is that the first three levels of the hierarchy are too hard to apply, so you just want to skip down to PPE, you missed the point entirely.

  3. Good article Doug.
    I entirely agree there is a great deal of misunderstanding about the hierarchy of control out there; however, I do think in many instances it's a wilful misunderstanding. It's much easier and cheaper to supply a pair of gloves than install appropriate guarding.

    1. Stewart,
      Thanks for the kind words!
      I completely agree with you regarding the willful misapplication of the Hierarchy. I also agree that this is only partially due to ignorance of the hierarchy and its correct application. Looking at Fig. 2 from ISO 12100, the breakdown that we are talking about happens at the point where the risk related to the machinery is transferred to the user and therefore to the worker. If you look at the bands illustrating the decreasing level of risk on the right side of that figure, you will note that the manufacturer or designer is seldom able to reduce the risks to a tolerable or acceptable level based solely on engineering controls, and that information for use, administrative controls and PPE are required in most cases to effectively control the risk. Failure on the part of employers to implement these measures and to skip directly to PPE is one of the key elements contributing to workplace injuries and fatalities. Since most of us think “It can’t happen here or to me!” at some level, many employers, particularly small and medium-sized employers, don’t actually believe that they can have a serious injury or a fatality in their workplace. Once it happens, they are shocked. Unfortunately, that’s why we have to have regulators to enforce these requirements. The problem is that in many cases this is reactive and not proactive, and someone is already in hospital or worse.

      Doug
