Hierarchy of Controls Explained (With Examples)
Every workplace risk needs a response. But not all responses are equal.
Posting a warning sign is a control. So is redesigning a process to remove the hazard entirely. Both reduce risk, but one is dramatically more effective than the other. The hierarchy of controls gives you a framework for choosing the right response, ranked from most effective to least.
If you work in mining, construction, oil and gas, or any high-hazard industry, this framework isn’t optional. It’s embedded in legislation, safety management systems, and risk assessment standards worldwide. Understanding it properly is the difference between controls that actually protect people and controls that just look good on paper.
What Is the Hierarchy of Controls?
The hierarchy of controls is a ranking system for risk control measures, ordered by effectiveness. It was developed by the occupational health and safety community, is referenced in standards like ISO 45001, and has been adopted by regulators including Safe Work Australia, MSHA (US), and the HSE (UK).
The idea is straightforward: when you identify a hazard, you should always try the most effective type of control first. Only move down the hierarchy when higher-level controls aren’t reasonably practicable.
The five levels, from most to least effective:
1. Elimination: Remove the hazard entirely
2. Substitution: Replace the hazard with something less dangerous
3. Engineering controls: Isolate people from the hazard
4. Administrative controls: Change the way people work
5. Personal protective equipment (PPE): Protect the individual
Think of it as an inverted triangle. The top is the most reliable. The bottom is the least. Most organisations spend too much time at the bottom and not enough at the top.
Why the Hierarchy Matters
Here’s the uncomfortable truth: the further down the hierarchy you go, the more you depend on human behaviour. And human behaviour is unreliable.
PPE only works if someone wears it correctly, every time. Administrative controls only work if someone follows the procedure, every time. Engineering controls work regardless of what anyone does on a given day. Elimination means the hazard simply doesn’t exist.
This is why regulators push organisations up the hierarchy. It’s not bureaucratic preference. It’s physics. A guardrail doesn’t need someone to remember to clip on. A machine interlock doesn’t care if the operator is tired. Removing a hazardous substance from a process means no one can ever be exposed to it.
When you’re building a risk register or mapping controls in a bowtie analysis, the hierarchy tells you which controls deserve the most confidence and which ones need extra scrutiny.
Level 1: Elimination
Elimination means removing the hazard from the workplace entirely. No hazard, no risk. It’s the gold standard.
What It Looks Like
- Mining: Replacing underground mining with open-cut methods where geology allows, eliminating confined space hazards
- Construction: Prefabricating components offsite so workers don’t need to do high-risk assembly at height
- Manufacturing: Redesigning a process so a toxic chemical is no longer required
- General: Eliminating manual handling by automating a lifting task completely
Why It’s the Best
There’s nothing to maintain, no compliance to monitor, and no training required. The risk is gone. Full stop.
Why It’s Hard
Elimination often requires fundamental changes to processes, equipment, or design. It’s easiest to implement during the planning and design phase. Retrofitting elimination into an existing operation is usually expensive and sometimes impossible.
That’s why risk management needs to start early. By the time a mine is operating or a building is half-built, your elimination options have narrowed dramatically.
Real-World Example
A processing plant used a highly corrosive acid in one stage of mineral extraction. Rather than managing the acid handling risk with engineering controls and PPE, the engineering team trialled an alternative reagent that achieved the same extraction rate without the corrosion hazard. The acid was eliminated from the process entirely.
Level 2: Substitution
Substitution means replacing a hazardous material, process, or piece of equipment with something less dangerous. The task still gets done, but the risk profile drops.
What It Looks Like
- Construction: Using water-based paints instead of solvent-based ones to reduce VOC exposure
- Mining: Switching from emulsion explosives that require manual mixing to pre-packaged units
- Chemical processing: Replacing a highly toxic cleaning agent with a less toxic alternative
- General: Using electric-powered equipment instead of diesel to reduce exhaust fume exposure in enclosed spaces
The Catch
Substitution sounds simple, but you need to make sure the substitute doesn’t introduce new hazards. Swapping one chemical for another might reduce toxicity but increase flammability. Always do a risk assessment on the substitute, not just the original.
Real-World Example
An underground mine replaced diesel-powered light vehicles with battery-electric alternatives. This eliminated underground workers’ exposure to diesel particulate matter (DPM), a known carcinogen, while maintaining operational capability. The substitution also reduced ventilation requirements, cutting operating costs.
Level 3: Engineering Controls
Engineering controls physically isolate people from hazards or reduce exposure through design. They don’t eliminate the hazard, but they create barriers between the hazard and the worker.
What It Looks Like
- Guards and barriers: Machine guarding, guardrails on elevated platforms, blast shields
- Ventilation: Local exhaust ventilation to capture dust or fumes at the source
- Interlocks: Machine interlocks that prevent operation when guards are removed
- Isolation: Physical barriers between pedestrians and mobile equipment
- Automation: Remote operation of equipment in hazardous zones
- Containment: Bunded areas for chemical storage, sealed transfer systems
Why They’re Effective
Engineering controls work passively. Once installed, they protect everyone in the area without requiring individual action. A guardrail doesn’t need someone to decide to use it. A ventilation system extracts fumes whether the operator remembers to turn it on or not (assuming it’s interlocked or always-on).
In Bowtie Terms
If you use bowtie analysis, engineering controls often appear as preventive barriers on the left side of the bowtie, or as mitigation barriers on the right. They’re the barriers you have the most confidence in because they don’t rely on human behaviour.
In a well-designed bowtie, you want to see engineering controls as your primary barriers, with administrative controls and PPE as backup layers. If your bowtie is dominated by procedures and PPE, that’s a red flag. Your risk matrix might show residual risk as “medium,” but the actual reliability of those controls tells a different story.
Real-World Example
A quarry operation had repeated near-misses between haul trucks and light vehicles at an intersection. Administrative controls (procedures, radios, speed limits) weren’t working consistently. The site installed a physical traffic separation barrier with a controlled crossing point and automated traffic lights triggered by approaching haul trucks. Near-misses at that intersection dropped to zero.
Level 4: Administrative Controls
Administrative controls change the way people work. They rely on human behaviour, training, and compliance to reduce risk exposure.
What It Looks Like
- Procedures and safe work methods: Standard operating procedures, job safety analyses (JSAs)
- Training and competency: Inductions, refresher training, competency assessments
- Permits to work: Hot work permits, confined space entry permits, isolation permits
- Signage and warnings: Hazard signs, labels, line markings
- Scheduling: Rotating workers to limit exposure time, scheduling noisy work during low-occupancy periods
- Supervision: Direct oversight of high-risk tasks
Why They’re Lower on the Hierarchy
Administrative controls depend on people doing the right thing, every time. And people don’t. They get tired, distracted, complacent, or rushed. Procedures get outdated. Training gets forgotten. Signs get ignored.
This doesn’t mean administrative controls are useless. They’re essential. But they should never be your primary defence against a serious hazard. They work best as additional layers on top of engineering controls.
The Spreadsheet Problem
Here’s where many organisations struggle. They have hundreds of administrative controls documented in spreadsheet-based risk registers, but no way to track whether those controls are actually working. A procedure exists, so the control is ticked as “in place.” But is it being followed? When was it last reviewed? Has anyone been trained on the latest version?
This is exactly the kind of gap that dedicated risk management software addresses. When your controls are linked to your risks with trackable owners, review dates, and effectiveness ratings, you can see which administrative controls are actually functioning and which are just paperwork.
Real-World Example
A construction site implemented a permit-to-work system for all work at height. The permit required a specific checklist, supervisor sign-off, and a site inspection before work began. In the first month, compliance was 95%. By month six, it had dropped to 60%, with permits being pre-signed and checklists completed after the work was done. The administrative control hadn’t changed, but its effectiveness had degraded significantly.
Level 5: Personal Protective Equipment (PPE)
PPE is the last line of defence. It doesn’t prevent the hazard or reduce it. It protects the individual from the consequences if all other controls fail.
What It Looks Like
- Head protection: Hard hats, bump caps
- Eye and face protection: Safety glasses, goggles, face shields
- Hearing protection: Earplugs, earmuffs
- Respiratory protection: Dust masks, half-face respirators, SCBA
- Hand protection: Gloves (chemical, cut-resistant, thermal)
- Fall protection: Harnesses, lanyards, self-retracting lifelines
- High-visibility clothing: Reflective vests, hi-vis shirts
Why It’s at the Bottom
PPE is the least effective control for several reasons:
- It only protects the person wearing it (and only if they’re wearing it correctly)
- It’s often uncomfortable, which reduces compliance
- It can create new hazards (e.g., reduced visibility, restricted movement, heat stress)
- It requires ongoing maintenance, inspection, and replacement
- It fails catastrophically. A harness either holds or it doesn’t. There’s no partial protection.
When PPE Is Appropriate
PPE is appropriate:
- When higher-level controls aren’t reasonably practicable (yet)
- As an interim measure while engineering controls are being implemented
- As an additional layer of protection alongside higher-level controls
- For residual risks that can’t be further reduced
PPE should never be your sole control for a serious hazard. If your risk assessment identifies a life-threatening risk and the only control is PPE, something has gone wrong in your control selection process.
Real-World Example
Workers in a grinding workshop were issued P2 respirators for silica dust exposure. Compliance audits showed only 40% of workers wore them correctly at any given time. The site then installed local exhaust ventilation (engineering control) at each grinding station, reducing airborne silica to below the exposure standard. Respirators were retained as a secondary measure, but the primary control no longer depended on individual behaviour.
Applying the Hierarchy: A Practical Process
Knowing the hierarchy is one thing. Applying it systematically is another. Here’s a practical approach:
Step 1: Identify the Hazard
Use a structured method like HAZOP, FMEA, or SWIFT to identify hazards. Don’t rely on gut feel.
Step 2: Start at the Top
For each hazard, ask: can we eliminate it? If yes, do that. If not, document why and move to substitution. Work your way down.
Step 3: Document Your Reasoning
Record why higher-level controls weren’t reasonably practicable. “It’s too expensive” isn’t enough. You need to demonstrate that the cost is grossly disproportionate to the risk reduction. Regulators will ask.
Step 4: Layer Your Controls
Real-world risk management uses multiple controls from different levels of the hierarchy. A well-controlled hazard might have an engineering control as the primary barrier, an administrative control as a backup, and PPE as a last resort.
This layered approach is exactly what bowtie analysis visualises. Each barrier on the bowtie represents a control, and you can see at a glance whether your barriers are clustered at the bottom of the hierarchy (risky) or spread across multiple levels (robust).
Step 5: Monitor Effectiveness
Controls degrade over time. Engineering controls need maintenance. Administrative controls need compliance monitoring. PPE needs inspection and replacement. Build review cycles into your risk management process.
If you’re tracking controls in a risk register, make sure each control has an owner, a review date, and a way to record whether it’s actually working, not just whether it exists.
Common Mistakes
Jumping Straight to PPE
It’s the easiest control to implement. Buy some gear, hand it out, tick the box. But it’s also the least effective. Challenge yourself and your team to exhaust higher levels first.
Treating Administrative Controls as Sufficient
“We have a procedure for that” is not the same as “that risk is controlled.” Procedures are important but fragile. Pair them with engineering controls wherever possible.
Ignoring the Hierarchy During Change
When processes, equipment, or personnel change, controls can become invalid. A machine guard that worked for the old process might not cover the new one. Review your controls whenever something changes.
Not Tracking Control Effectiveness
If you can’t demonstrate that your controls are working, you can’t demonstrate that your risks are managed. This is where spreadsheet-based registers fail. They track what controls exist but not whether they’re effective.
Confusing Control Type with Control Quality
An engineering control isn’t automatically good, and an administrative control isn’t automatically bad. A poorly maintained guardrail is worse than a well-implemented permit system. The hierarchy guides your preferences, not your final judgment.
The Hierarchy in Australian and International Standards
The hierarchy of controls is embedded in workplace health and safety legislation across Australia and internationally:
- ISO 45001:2018 (Clause 8.1.2) explicitly requires organisations to apply the hierarchy of controls when planning actions to address OH&S risks
- Safe Work Australia’s model WHS Act requires duty holders to eliminate risks so far as is reasonably practicable, and if that’s not possible, minimise them by working down the hierarchy
- ISO 31000:2018 doesn’t prescribe the hierarchy directly but requires risk treatment options to be selected based on effectiveness, which aligns with the hierarchy’s ranking
- Mining regulations across Australian states (e.g., Queensland’s Mining and Quarrying Safety and Health Act) specifically reference the hierarchy in principal hazard management plans
If you’re building a safety management system or updating your risk framework, the hierarchy isn’t a suggestion. It’s a legal requirement in most jurisdictions.
How RiskSight Helps You Apply the Hierarchy
Applying the hierarchy of controls across an entire operation, with dozens of hazards, hundreds of controls, and multiple sites, gets complex fast. That’s where purpose-built software makes a real difference.
RiskSight lets you:
- Map controls to specific hierarchy levels in your risk register, so you can instantly see if you’re over-relying on PPE and administrative controls
- Visualise control layers in bowtie diagrams, with each barrier tagged by hierarchy level
- Track control effectiveness with owners, review dates, and degradation alerts, so you know when an engineering control needs maintenance or a procedure needs updating
- Run structured risk assessments using HAZOP, FMEA, SWIFT, WRAC, and other methodologies with built-in guided wizards
- Generate reports that show regulators and leadership exactly how the hierarchy has been applied across your risk portfolio
Instead of burying control information in disconnected spreadsheets, you get a single system that links hazards to controls to actions, with full visibility for everyone who needs it.
Start Applying the Hierarchy Properly
The hierarchy of controls works. But only if you apply it systematically, document your decisions, layer your controls, and monitor their effectiveness over time.
If you’re still managing controls in spreadsheets or disconnected documents, you’re making it harder than it needs to be.
Start a free 30-day trial of RiskSight — no credit card required, demo data included — and see how purpose-built risk management software helps you apply the hierarchy of controls across your entire operation. Map your controls, track their effectiveness, and show your regulators exactly how you’re managing risk.