Hierarchy of Controls Explained: 5 Layers Leaders Misuse

OSHA, NIOSH and ISO 45001:2018 all place stronger controls above worker-dependent actions, yet many executive safety reviews still begin with PPE availability. This article explains the five layers of the hierarchy of controls and shows where leaders misuse them when a fatal-risk exposure needs a real barrier, not a reassuring slide.

Why the hierarchy of controls matters

The hierarchy of controls is a risk-reduction model that ranks controls from most reliable to least reliable, beginning with elimination and ending with personal protective equipment. Its value is not academic, because it tells leaders whether an operation has removed exposure, engineered exposure down, changed the way work is done, or merely dressed the worker for failure.

On the Headline Podcast, Andreza Araujo and Dr. Megan Tranter often return to the same leadership question: what changes in the work after the conversation ends? The hierarchy gives that question a practical test. If the only visible change after an incident is a new glove, new sign, or new briefing, the organization may have responded emotionally while leaving the exposure architecture untouched.

Across 25+ years leading EHS in multinationals, Andreza Araujo has seen that a control only deserves the name when it changes exposure conditions. During her PepsiCo South America tenure, where the accident ratio fell 50% in six months, the lesson was not that workers needed more reminders. Leaders had to alter how risk was designed, supervised and escalated.

1. Elimination removes the exposure

Elimination means the hazardous task, substance, energy or interface no longer exists in the work process. It is the strongest layer because the worker cannot be hurt by an exposure that has been removed from the job.

The leadership trap is to call a reduced exposure an eliminated exposure. A confined-space task moved from night shift to day shift is not eliminated. A chemical decanted less often is not eliminated. When executives review prevention through design, the test is whether the hazardous interaction disappeared, not whether the task became easier to supervise.

For a senior EHS leader, the practical question is simple enough to be uncomfortable. Could this work be avoided through design, procurement, automation, prefabrication, substitution of the business requirement, or a different maintenance strategy? If the answer is yes and the company still chooses PPE, the hierarchy has been read but not governed.

2. Substitution changes the hazard

Substitution replaces a more dangerous material, process, tool or method with a less dangerous one. It is weaker than elimination because exposure remains, but it can materially reduce consequence when the substitute is technically valid.

The common misuse is cosmetic substitution. A product labeled as safer may introduce a new health exposure, a new fire risk, or a maintenance burden that shifts the hazard to another team. ISO 45001:2018 expects organizations to consider change and procurement risk, which means substitution needs a risk review before the purchase order is treated as a control.

In practice, leaders should ask which exposure changed, which consequence changed, and which new failure mode appeared. The answer belongs in the risk register, because substitution without traceable ownership becomes another control that looks strong during an audit and weak during work.

3. Engineering controls separate people from energy

Engineering controls reduce risk by physically separating the person from the hazard, such as guarding, interlocks, ventilation, isolation, remote handling or enclosure. This layer usually produces the best balance between reliability and operational feasibility when elimination or substitution cannot happen.

The maintenance-bypass trap appears when a guard that operators remove to clear jams, an interlock that fails during cleaning, or a ventilation system that is disabled because it slows production cannot protect the worker at the moment it matters. That is why engineering controls need verification under real work conditions, not only commissioning records.

A strong executive review connects this layer to bow-tie barrier questions. Leaders should know the top event, the engineered barrier that prevents it, the method for detecting degradation, and the person who can stop work when the barrier is unavailable. Without those answers, the organization has equipment, although it may not have a dependable control.

4. Administrative controls shape decisions

Administrative controls reduce risk through procedures, permits, training, supervision, scheduling, competency rules and work planning. They are essential, but they depend on attention, time pressure, memory and leadership discipline.

This is where many companies overestimate themselves. A procedure can be technically correct while the shift team receives a deadline that rewards shortcutting it. A permit can be signed while nobody verifies the isolation. A training record can be complete while the supervisor has never watched the task under abnormal conditions.

Co-host Andreza Araujo explores this gap in Safety Culture: From Theory to Practice, where culture is treated as the way decisions are made when nobody is performing for the audit. For leaders, the administrative-control test is whether the rule changes a decision in the first hour of work, especially when production, fatigue or hierarchy pressures the team.

5. PPE protects the person after exposure remains

Personal protective equipment reduces injury severity after exposure still exists, which is why it sits at the bottom of the hierarchy. It matters, but it should rarely be presented as the main answer to a serious or fatal exposure.

The market often treats PPE as the visible proof that safety acted quickly. Hard hats, gloves, harnesses and respirators are easy to buy, photograph and audit, while redesign, substitution and engineering controls require budget and operational negotiation. The leadership error is not using PPE, because PPE still matters when exposure remains. The error is allowing PPE to become the final decision.

For fatal-risk work, leaders should ask whether PPE is the last layer or the only layer. A fall-arrest harness without rescue planning, a respirator without exposure monitoring, or cut-resistant gloves without machine guarding can create the impression of control while the exposure remains largely unchanged.

How to compare weak and strong controls

A control is strong when it reduces exposure without relying mainly on the worker making the perfect choice every time. The table below gives leaders a fast way to test whether an action belongs high or low in the hierarchy.

For executives, the table is also a budget conversation. A low-cost control can be expensive if it leaves high-energy exposure in place, while a capital control can be cheaper than years of injuries, investigations and operational disruption.

Where leaders should place the hierarchy in governance

The hierarchy belongs in risk governance, not only in training slides. It should appear in risk registers, capital decisions, incident reviews, contractor scopes and executive dashboards.

That is why a safety risk register should show current control level, target control level, owner and verification method. Without those fields, the register can list hazards while hiding whether the organization is climbing the hierarchy or accepting worker-dependent controls by default.

There is also a link with ALARP and residual risk. A leader cannot credibly say a risk is as low as reasonably practicable if higher-order controls were dismissed without technical and financial reasoning. The hierarchy turns that phrase into a governance question: what did we choose not to do, and why?

Each month without a hierarchy review allows weak controls to become normal, especially in maintenance, shutdown and contractor work where exposure changes faster than dashboards.

Conclusion

The hierarchy of controls is useful only when leaders use it to move risk upward, from worker-dependent protection toward design, substitution and engineered separation. The model has 5 layers, but the leadership decision is binary: either the exposure changed, or the organization mostly documented its acceptance of that exposure.

Headline Podcast exists as the space where leadership and safety come together to shape better workplaces and better lives. Bring the hierarchy into your next executive safety review, then ask which controls would still protect people when production pressure, fatigue and silence are present.