Hierarchy Of Control: 5 Clear Levels of Risk Control

Here’s the specific answer you’re looking for, right up front: the hierarchy of risk control (also called the hierarchy of controls) is a five-level framework used worldwide to reduce workplace hazards in this exact order of preference — Elimination, Substitution, Engineering controls, Administrative controls, and Personal Protective Equipment (PPE). Higher levels (Elimination/Substitution) are inherently more effective because they remove or isolate the hazard, while lower levels (Administrative/PPE) rely on people behaving perfectly all the time. This order is endorsed by authoritative bodies such as NIOSH/CDC, OSHA (U.S.), the UK HSE, CCOHS (Canada), and is embedded within ISO 45001 practice.

Hierarchy of Control

If you’ve ever walked onto a site and seen hard hats and gloves everywhere but near-misses still piling up, you’ve witnessed the trap of starting at the bottom. The hierarchy exists because controls that remove or isolate the hazard protect everyone, all the time, without depending on perfect human behavior. PPE and rules still have a role, but they are the last lines of defense — not the first. This isn’t opinion; it’s the accepted approach in modern occupational health and safety frameworks.

The Five Levels at a Glance

This exact ordering (and the reason for it) is laid out consistently by NIOSH/CDC, OSHA, the UK HSE, and CCOHS.

Where the Hierarchy “lives” in standards and law

• ISO 45001 embeds the hierarchy into operational planning and control, requiring organizations to plan for eliminating hazards and reducing OH&S risks using a prioritized approach. It’s baked into how modern OH&S management systems are supposed to function.

• OSHA directs employers to select controls following the hierarchy, emphasizing elimination/substitution and engineering before admin and PPE.

• UK HSE guides duty-holders to identify hazards, assess risks, and control them using the most effective measures first, reviewing controls regularly as part of a step-by-step risk management process.

• CCOHS (Canada) presents a step-by-step approach to reduce hazards, following a similar ordered method.

Level 1 — Elimination: Design out the danger

What it is: Physically removing the hazard so there’s nothing left to harm anyone. Think of it as safety by design — and by absence.
Examples:

• Move a roof-mounted unit to ground level (no work at height).

• Prefabricate assemblies off-site to eliminate hot work in confined spaces.

• Decommission and remove an unused process line that still carries residual energy.

Why it’s best: Elimination protects everyone, 24/7, without ongoing effort or compliance. It is the foundation of NIOSH’s Prevention through Design (PtD) initiative — remove the risk before it ever reaches a worker.

Reality check: elimination is easiest early — during concept, procurement, or design. Late in the life cycle, it can be expensive; that’s why the best-performing organizations bring safety pros into design reviews, capex decisions, and management of change (MoC) from day one. This “front-load the fix” mindset is reflected in ISO 45001’s emphasis on planning and operational control.

Level 2 — Substitution: Choose a safer equivalent

What it is: Replacing the hazard with something less hazardous (Chemicals, processes, energy sources).
Examples:

• Swap solvent-based paints for water-based products to reduce VOC exposure.

• Replace powdered silica with less hazardous abrasives to cut respirable crystalline silica.

• Use battery-powered tools to eliminate trailing cords and secondary electrical hazards.

Pitfalls to avoid: “Regrettable substitution” — when you swap one hazard for another you didn’t measure. Always perform a comparative risk assessment (toxicity, flammability, exposure potential, life-cycle impacts) and consult the supplier SDS plus authoritative references. OSHA/NIOSH stresses that feasibility and combined controls are often necessary; substitution is powerful, but not always complete on its own.

Level 3 — Engineering controls: Isolate people from hazards

What it is: redesign the equipment or environment so the hazard is contained or separated from workers.

Examples:

• Machine guarding, two-hand controls, and light curtains to isolate pinch/crush zones.

• Enclosures and local exhaust ventilation (LEV) to capture welding fumes at the source.

• Sound-dampening enclosures and barriers to reduce noise levels below action limits.

• Interlocks and failsafes that force safe states (e.g., doors locked during operation).

Why it works: When engineered correctly, protection is built into the process and doesn’t rely on constant vigilance. Both NIOSH and OSHA emphasize engineering solutions as the preferred mid-tier approach after elimination/substitution.

Pro tip (Unique insight): Treat engineering controls like products with a lifecycle. Define design criteria (target exposure levels), commissioning tests, preventive maintenance, and leading indicators (e.g., LEV face velocity trending). If the control’s performance is measurable, you can manage it.

Level 4 — Administrative controls: Change the way people work

What it is: Policies, procedures, schedules, and training that reduce exposure by time, sequence, or behavior.

Examples:

• Permit-to-work systems for hot work or confined spaces.

• Time-weighted scheduling to reduce noise exposure below daily dose limits.

• Standard operating procedures (SOPs), checklists, signage, and competency training.

• Access control and separation of pedestrian/vehicle routes.

Limitations: These controls rely on attention, memory, and culture. They’re vital, but fragile — that’s why they belong below elimination, substitution, and engineering in the hierarchy. HSE includes “record and review” steps precisely because administrative controls drift without feedback.

Make them stick: Design administrative controls as systems with evidence — e.g., competency matrices linked to task authorization, electronic permits with interlocks, or digital work instructions that won’t advance unless critical steps are acknowledged. Pair with behavior-independent controls wherever possible.

Level 5 — PPE: The essential last line

What it is: Equipment worn by workers to protect against remaining exposure (respirators, gloves, eye/face protection, fall arrest, arc-rated clothing).

When to use it: As an interim control while higher-order controls are being engineered, and as a residual control where hazards can’t be fully eliminated or isolated. OSHA explicitly frames PPE as the least preferred option after higher-order measures are implemented.

Make PPE smarter: Adopt task-based exposure profiles that tie PPE selection to measurable hazards (e.g., specific APF for airborne concentrations, cut levels by EN/ANSI ratings, arc ratings to incident energy). Build PPE programs that include fit, comfort, and usability, or workers will “self-derate” protection.

How to Apply the Hierarchy

1. Define the exposure you’re trying to beat. Quantify it (noise dBA, mg/m³, incident energy, line-of-fire frequency). If you can’t measure it, you can’t meaningfully reduce it. This reflects the measurement ethos in modern OH&S systems.

2. Start at the top — always. Can we remove the task or redesign it? If not, can we substitute with a less hazardous method or material? NIOSH’s core message is to work down the list, not up.

3. Engineer for isolation. If the hazard must exist, design guards, barriers, LEV, enclosures, or automation. Commission and verify performance against acceptance criteria (e.g., LEV capture velocity).

4. Add administrative scaffolding. Standardize the safe way of working, schedule to reduce exposure time, and ensure competence with targeted training and permits. Then record and review — the HSE cycle matters.

5. Specify PPE precisely. Based on the measured residual risk. Document rationale (e.g., respirator APF vs. exposure level). Train, fit-test, and audit.

6. Stack controls for resilience. Most robust solutions layer controls (e.g., LEV + interlocks + SOPs + PPE) so a single failure doesn’t expose workers. OSHA explicitly notes that combined approaches are often required.

7. Review after change. Every change in people, plant, or process can invalidate your control strategy; build review gates into management of change and your ISO 45001 operational planning.

Decision Guide: Choosing the right control at each level

Elimination/Substitution — Questions to ask

• Can we perform the work elsewhere or differently to remove the hazard (e.g., ground-level assembly to avoid height; cold-cutting rather than torch-cutting)?

• Is there a less hazardous material/process that achieves the same technical outcome (compare toxicity, flammability, volatility, by-products, dustiness, and exposure potential)?

• What does the full lifecycle look like — storage, process, maintenance, disposal?

Engineering controls — Design checklist

• Does the solution isolate the hazard (guarding, enclosure, separation, automation)?

• Can we measure its effectiveness (e.g., airflow, noise reduction, barrier integrity)?

• What’s the failure mode, and how will it be detected (interlocks, alarms, inspections)?

Administrative controls — Reliability boosters

• Is the control observable and auditable (permits, checklists, digital trails)?

• Are competencies verified (not just trained)?

• Do schedules respect exposure limits (e.g., time-weighted averages)?

PPE — Fit for the purpose

• Is selection tied to quantified residual hazard (e.g., NRR for noise, APF for respirators)?

• Do we have fit testing, comfort trials, and user feedback loops to prevent non-use?

• Are storage, replacement cycles, and compatibility (e.g., with other PPE) defined?

These questions operationalize the hierarchy’s intent: prioritize elimination and isolation; make lower-order controls verifiable, not just “on paper.”

Linking the Hierarchy to your Risk Assessment and ISO 45001

A risk assessment without the hierarchy is just a list. HSE’s risk management model is explicit: identify hazards, assess risks, control them, record, and review. ISO 45001 requires that operational planning apply the hierarchy as you determine controls, which practically means your risk register should show a trace from hazard → control options (by hierarchy level) → chosen set → performance measures → review cadence. This closes the loop between intent and implementation.

Examples you can reuse

Example A — Welding bay retrofit (Manufacturing)

• Hazard: Metal fume exposure, UV radiation, and hot work ignition.

• Controls chosen:

  • Substitution: Switch to lower-fume consumables where feasible.

  • Engineering: LEV at the arc, welding curtains, and automatic shutoff for extraction failures.

  • Administrative: Hot-work permit in mixed-use areas; fume monitoring; welder competency matrix.

  • PPE: Appropriate respirators based on measured residual exposure; eye/face and skin protection.

• Why it works: Exposure is captured at source; process selection reduces emission; admin/PPE manages residuals. This mirrors NIOSH/OSHA guidance.

Example B — Falls from height (Construction)

• Hazard: Working on roof-mounted equipment.

• Controls chosen:

  • Elimination: Relocate HVAC units to ground-level pads during replacement.

  • Engineering: Guardrails and fixed ladders with cages for residual access points; anchor points for rare tasks.

  • Administrative: Permit-to-work for exceptions; weather/wind thresholds.

  • PPE: Fall arrest only when engineered access isn’t possible.

• Why it works: The task itself moves to ground level — classic elimination — and residual access is guarded. CDC

Example C — Solvent exposure (Labs/printing)

• Hazard: VOCs from a solvent-based process.

• Controls chosen:

  • Substitution: Adopt water-based alternatives verified by trials and SDS comparison.

  • Engineering: Enclose remaining solvent tasks; interlock fume hoods with sash position sensors.

  • Administrative: Chemical inventory control; training on decanting in hoods only.

  • PPE: Nitrile gloves and appropriate cartridges only for residual tasks.

• Why it works: substitution reduces inherent hazard; engineering isolates the rest; administrative and PPE plug small gaps. OSHA notes that feasibility and combined methods matter.

Common Mistakes

1. Jumping to PPE because it’s fast
   Fix: require a “hierarchy justification” note for every risk, signed off during risk review. If a team chooses PPE/admin, they must document why higher levels were not feasible and what’s planned to move up the hierarchy.

2. Assuming substitution is automatically safer
   Fix: run a comparative assessment (toxicity, exposure potential, process compatibility). Treat substitution as a mini-project with trials and monitoring.

3. Treating engineering controls as set-and-forget
   Fix: build performance indicators into PM (e.g., capture velocity logs, guard interlock tests) and trigger MoC when indicators trend the wrong way.

4. Paper defenses without verification
   Fix: convert administrative controls into auditable mechanisms (e-permits, digital checklists linked to training records), and include them in HSE step-by-step reviews.

A Simple, Reusable Template for Your Risk Register

Add these columns to make your hierarchy visible:

• Hazard → Undesired Event/Exposure → Measured Baseline

• Control Options Considered (by hierarchy level)

• Chosen Controls (stacked) with acceptance criteria

• Owner and Due Date

• Verification method (what you’ll measure and how often)

• Residual Risk (post-control)

• Next Higher-Order Opportunity (what would move you up the hierarchy next review)

This keeps the team honest about moving upward over time, which is the spirit of ISO 45001’s continuous improvement.

Frequently Asked Questions

Q: Is PPE ever “enough”?
A: Yes — for short-term/interim work and residual exposures after higher levels are implemented. But if your main control is PPE for a routine, high-exposure task, you likely haven’t followed the hierarchy properly. OSHA’s guidance is clear on prioritizing engineering and higher.

Q: Do we always need to use all five levels?
A: No. Use the highest feasible control(s) and stack as needed. OSHA’s worksheet illustrates combining methods (e.g., LEV + training + maintenance + PPE).

Q: How do we prove “feasibility” when skipping a higher level?
A: Document technical/economic constraints, pilot results, and risk comparisons. Revisit at each management-of-change or annual review. That’s defensible in both ISO 45001 audits and regulator conversations.

Q: Where do psychosocial risks fit?
A: Same logic: eliminate root causes (e.g., workload design, schedule control) before relying on resilience training. NIOSH’s Total Worker Health® resources describe this application.

Putting it all together (Ranking your Options)

When you’re faced with a hazard, run this thought experiment in order:

1. Can we not do this task at all? (Eliminate)

2. If we must, can we do it in a safer way or with a safer input? (Substitute)

3. If it still must happen, can we isolate people? (Engineer)

4. If they must be near it, can we time/sequence/train it down? (Admin)

5. And what must people wear? (PPE)

If your first viable answer is below #3, ask “What would it take to move one level higher within six months?” Then track that in your risk register’s Next Higher-Order Opportunity column.

Conclusion

If your organization consistently designs and buys safety into the process (Levels 1–3) and uses paper and PPE only to polish residual risk (Levels 4–5), you will see fewer incidents, less variability, and stronger compliance — because you won’t be depending on perfect human behavior to survive a risky process. That is the intent of the hierarchy of risk control and the reason it’s embedded in modern OH&S guidance and standards worldwide.

Related Posts

9 Dreadful Work At Height Hazards And Control Measures

What Are Administrative Controls And Their Workplace Application

Hierarchy Of Fall Protection

Risk Control: Definition & How It Works

10 Dangerous Examples of Chemical Hazards to Look Out For

How to Identify Ergonomic Hazard and Risk Factors

What is a Risk Assessment Matrix? Clear Tips to Understand It