
5 Levels in the Hierarchy of Control: What Does It Mean for Your Process?
Introduction
In high-risk industries, process safety frameworks offer a disciplined, structured approach to effectively managing the risks associated with hazardous materials and operations. One foundational strategy embedded in risk-based process safety frameworks is the Hierarchy of Controls Analysis (HCA). HCA is a methodical framework that prioritizes control measures based on their reliability and effectiveness in eliminating or mitigating hazards. The framework is widely recognized and recommended in best practice resources, such as OSHA’s 29 CFR 1910.119, where its principles are embedded, as well as in the CCPS Risk-Based Process Safety (RBPS) guidelines and international standards, including ISO 45001.
This article offers a technical deep dive into the five levels of HCA, discussing its application within Process Hazard Analysis (PHA), Safer Technology and Alternatives Analysis (STAA), and regulatory programs such as California’s CalARP. Examples are drawn from incident investigations, process safety audits, and international best practices.
Understanding the Hierarchy of Controls
The hierarchy ranks hazard control methods in order of decreasing effectiveness:
- Elimination – Remove the hazard entirely.
- Substitution – Replace the hazard with something less hazardous.
- Engineering Controls – Design physical changes to isolate people from the hazard.
- Administrative Controls – Implement procedures, training, and policies to reduce risk.
- Personal Protective Equipment (PPE) – Use equipment to protect the individual from residual hazards.

This sequence promotes the use of inherently safer systems wherever feasible. According to the CCPS’s “Inherently Safer Chemical Processes,” hazards should be tackled at their source rather than depending on administrative controls or PPE.
Level 1: Elimination
Elimination is the most effective control. It involves redesigning processes or workflows to remove hazardous conditions altogether. According to OSHA and CCPS, this step is ideally implemented during early design or HAZID stages.
Example: A batch reactor was initially designed to operate under vacuum. Engineers later modified the process design to operate under ambient pressure, eliminating the need for complex vacuum systems and preventing potential loss of containment due to vacuum failure.
Level 2: Substitution
Substitution replaces a hazardous chemical or process with one that poses less risk. While not always possible due to process constraints, early-stage design reviews or Management of Change (MOC) studies can uncover opportunities.
Example: Instead of using anhydrous ammonia for refrigeration, which poses toxic release risks, a facility switches to aqueous ammonia, significantly reducing the severity of accidental releases.
Level 3: Engineering Controls
These controls use design features or physical equipment to isolate the hazard. Engineering controls are often preferred over procedural or behavioral controls because they don’t rely on human consistency.
Example: A plant installs a double mechanical seal with a seal pot on a pump handling flammable solvents. This engineered safeguard significantly reduces the risk of leaks compared to relying solely on visual inspections.
Level 4: Administrative Controls
Administrative controls include work practices, procedures, and training. While often necessary, these measures rely heavily on human performance and are prone to failure unless combined with effective verification and monitoring systems.
Example: A lockout-tagout (LOTO) procedure is implemented for maintenance on energized systems. While this reduces exposure, the control is less reliable than installing interlocks or automatic isolation valves.
Level 5: Personal Protective Equipment (PPE)
PPE is the last resort and is considered the weakest level of protection in the hierarchy. It does not eliminate the hazard but offers a layer of defense in the event of exposure.
Example: Operators handling corrosive acids are provided with acid-resistant gloves and aprons. While essential, this does not prevent spills and is only effective when PPE is worn and maintained correctly.
Inherently Safer Design (ISD)
ISD enhances process safety management by reducing hazards through strategic design and operational practices. Introduced in the UK in the late 1960s by Trevor Kletz, ISD has been embraced for over 50 years. It involves substituting benign chemicals, minimizing transportation risks, and adopting safer processing methods.
ISD presents a holistic approach to safer chemical processes. Practical applications include substituting chemicals, minimizing risks, and ensuring safety during commissioning. It constitutes the first level in the hierarchy, focusing on eliminating or reducing hazards. Other levels include segregation, passive, active, and procedural controls.
ISD strategies include minimizing quantities, substituting materials, moderating conditions, and simplifying designs. These aim to reduce hazards and improve safety. From a macro viewpoint, ISD focuses on community-based strategies, while at the micro level, it emphasizes plant-specific tactics.
Order of Risk Reduction under ISD
- First Order: Elimination of hazards
- Second Order: Risk reduction through substitution or minimization
Despite its benefits, ISD faces barriers, including misconceptions about its applicability to existing processes. The CCPS 20/20 Plan emphasizes the importance of clear directives and management commitment to ensure employee understanding and adoption. To institutionalize ISD, companies must implement written policies and tools and conduct regular audits to ensure effective implementation. A strong ISD culture encourages creative risk reduction from all employees.
HCA Applications
In Process Hazard Analysis (PHA), every identified risk or hazardous scenario should be systematically examined through the lens of the hierarchy. According to CCPS guidelines and widely adopted industry practice, each safeguard identified during a PHA session should be categorized by control order—typically labeled as first-order (elimination or substitution), second-order (engineering), or third-order (administrative or PPE-based).
Assigning control order classifications helps the PHA team evaluate whether a more robust control could be applied instead of defaulting to lower-level options. For example, if a deviation involving a high-pressure buildup in a heat exchanger results in a recommendation for an alarm and operator response, the team should challenge this by asking: Could the risk be addressed by eliminating the source of overpressure? Could equipment be substituted or redesigned with a larger operating margin? Could automatic isolation or relief systems be implemented to replace reliance on operator intervention?
This mindset shifts the team from documenting the status quo to exploring inherently safer alternatives. Facilitators should encourage brainstorming at each node to determine whether first- or second-order controls are feasible. Teams often discover that some engineering controls or even elimination options had not been previously considered simply due to legacy assumptions or cost concerns.
Furthermore, when recommendations are captured in the PHA worksheet, their assigned control order can be used during post-PHA risk reduction analysis, budget planning, or STAA reviews to prioritize inherently safer and more reliable safeguards.
In the context of the Safer Technology and Alternatives Analysis (STAA), as mandated by the EPA Risk Management Program (RMP) for petroleum refineries, facilities must explicitly demonstrate that higher-order controls have been evaluated. Per 40 CFR 68.67(c)(8), inherently safer technologies must be considered and documented.
HCA Use in CalARP Program Level 4
CalARP Program Level 4 facilities are required to perform HCA as part of STAA. The California Accidental Release Prevention regulations (CCR Title 19, Division 2, Chapter 4.5) emphasize that any recommendation to retain a lower-order control, such as PPE, must be accompanied by a justification explaining why higher-order controls were deemed infeasible. This regulatory layering encourages a more disciplined and well-documented evaluation of safety measures.
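An added example (not from the original article or from any regulation's text) of how the control-order labels and the justification requirement described above could be checked across a PHA worksheet. The row layout, the status names and the sample rows are constructed assumptions; the order mapping follows the first/second/third-order labeling given under HCA Applications.

```python
from collections import defaultdict

# Control order as labeled in the PHA discussion above: first-order =
# elimination/substitution, second-order = engineering, third-order =
# administrative or PPE.
CONTROL_ORDER = {"elimination": 1, "substitution": 1, "engineering": 2,
                 "administrative": 3, "ppe": 3}

# Constructed sample rows: (scenario, safeguard, hierarchy level, justification)
WORKSHEET = [
    ("Overpressure in heat exchanger", "Alarm and operator response",
     "administrative", ""),
    ("Solvent leak at pump", "Double mechanical seal with seal pot",
     "engineering", ""),
    ("Solvent leak at pump", "Visual inspections", "administrative", ""),
    ("Corrosive acid exposure", "Acid-resistant gloves and aprons", "PPE",
     "Constructed text: manual handling step cannot be removed or enclosed"),
    ("Flash fire during tank maintenance", "Hot work permit",
     "administrative", ""),
]

def review(rows):
    """Group safeguards by scenario and flag reliance on third-order controls."""
    by_scenario = defaultdict(list)
    for scenario, safeguard, level, justification in rows:
        key = level.strip().lower()
        if key not in CONTROL_ORDER:
            raise ValueError(f"unknown hierarchy level {level!r} for {safeguard!r}")
        by_scenario[scenario].append(
            (CONTROL_ORDER[key], safeguard, justification.strip()))
    findings = []
    for scenario, controls in by_scenario.items():
        best = min(order for order, _, _ in controls)
        unjustified = [s for order, s, j in controls if order == 3 and not j]
        if best < 3:
            status = "OK"            # a first- or second-order control is in place
        elif unjustified:
            status = "CHALLENGE"     # third-order only, no reason recorded
        else:
            status = "JUSTIFIED"     # third-order only, infeasibility documented
        findings.append({"scenario": scenario, "best_order": best,
                         "status": status, "unjustified": unjustified})
    rank = {"CHALLENGE": 0, "JUSTIFIED": 1, "OK": 2}
    return sorted(findings, key=lambda f: (rank[f["status"]], f["scenario"]))

if __name__ == "__main__":
    for f in review(WORKSHEET):
        print(f"{f['status']:<10} order {f['best_order']}  {f['scenario']}")
```

Scenarios reported as CHALLENGE are the ones where the team should ask the questions listed under HCA Applications before accepting the safeguard as recorded.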
HCA Use in Incident Investigation
Following an incident involving a flash fire during tank maintenance, the investigation revealed that the only safeguard in place was a hot work permit. A thorough Hierarchy of Controls Analysis (HCA) revealed that engineering controls like fixed gas detectors and tank isolation could have significantly reduced the likelihood of ignition. This case underscores the importance of not settling for procedural safeguards.
Barriers to Higher-Level Controls
Several real-world constraints limit the implementation of elimination or substitution:
- Legacy infrastructure with limited flexibility
- High initial capital expenditure
- Lack of cross-functional integration during early design
- Underestimation of long-term operational risk costs
However, studies referenced in CCPS’s “Process Safety for Engineers” suggest that long-term benefits of inherently safer systems, including reduced downtime, insurance costs, and regulatory scrutiny, often justify the initial investment.
Best Practices for Applying HCA
- Label controls during PHA as first, second, or third order.
- Develop a formal HCA worksheet with justification fields.
- Prioritize inherently safer designs during early project phases.
- Incorporate HCA reviews in MOC and PSSR workflows.
- Use bowtie analysis or LOPA to assess the actual risk reduction from proposed controls.
Sample HCA Worksheet
Refer to the table below, which presents control classifications for common process hazards like toxic releases, overpressure, and runaway reactions.
Global Parallels and Standards
The hierarchy is also central to international risk management systems:
- ISO 45001:2018 (Clause 8.1.2) calls for eliminating hazards before applying other risk controls.
- The EU Seveso III Directive emphasizes prevention and control through safer design.
- Singapore’s WSH (Major Hazards Installations) Regulations and Australia’s COMAH models include HCA principles.
Conclusion
Hierarchy of Controls Analysis (HCA) is more than a theoretical model; it is a practical, regulatory-backed methodology that must be embedded in all phases of process safety, from design to decommissioning. Organizations that systematically apply HCA improve their resilience, reduce the likelihood of incidents, and comply with evolving safety regulations.
Saltegra Consulting helps clients integrate HCA into PHAs, MOCs, STAA reviews, and other relevant documents, supporting the development of technically sound, audit-ready safety practices that align with OSHA PSM, EPA RMP, and global standards.



