Key Points
- Five tiers from most to least effective: elimination, substitution, engineering, administrative, PPE.
- Higher-level controls are preferred because they don't rely on human compliance.
- Risk assessments for permits must demonstrate the hierarchy has been considered.
- Digital PTW systems can prompt systematic hierarchy review during risk assessment.
Definition
The hierarchy of controls is a universally accepted framework in occupational safety for selecting the most effective risk reduction measures. It ranks controls from most to least effective in five tiers: elimination (removing the hazard entirely), substitution (replacing with a less dangerous alternative), engineering controls (isolating people from the hazard through physical barriers or design changes), administrative controls (changing how people work through procedures, training, and scheduling), and personal protective equipment (PPE — protecting the individual worker). The principle is that organizations should implement controls at the highest feasible level before relying on lower-level controls. Elimination and substitution are most effective because they remove the hazard at its source, requiring no ongoing human compliance. Engineering controls create physical barriers. Administrative controls and PPE are least effective because they depend on consistent human behavior. In permit-to-work practice, the hierarchy directly shapes risk assessments and permit conditions. The risk assessment for each permit should demonstrate the hierarchy was considered — documenting why higher-level controls are not feasible and specifying the combination of controls used. A well-designed digital PTW system can prompt assessors to work through the hierarchy systematically.
Related Terms
Job Safety Analysis (JSA)
A Job Safety Analysis is a structured process used to break down a task into individual steps and identify hazards associated with each step. For every identified risk, appropriate control measures are defined to reduce or eliminate the hazard. JSA is typically prepared before work begins and is often linked directly to the permit. In practice, it ensures that work is systematically thought through rather than executed based on assumptions.
PPE
Personal Protective Equipment (PPE) encompasses all equipment, clothing, and devices worn or used by workers to protect them from workplace hazards that cannot be fully eliminated through other control measures. In the hierarchy of controls — the universally accepted framework for managing workplace risks — PPE is positioned as the last line of defense, used only when hazards cannot be adequately controlled through elimination, substitution, engineering controls, or administrative measures. Common categories of PPE in industrial settings include head protection (hard hats), eye and face protection (safety glasses, goggles, face shields), hearing protection (earplugs, earmuffs), respiratory protection (masks, respirators, self-contained breathing apparatus), hand protection (gloves rated for specific hazards), foot protection (safety boots), fall protection (harnesses, lanyards), and specialized clothing (flame-resistant coveralls, chemical suits, high-visibility vests). The selection of appropriate PPE must be based on the specific hazards identified during the risk assessment — using the wrong type of PPE can be as dangerous as using none at all. In the permit-to-work process, required PPE is explicitly specified on the permit document based on the task risk assessment, and verification that all workers have the correct PPE is a prerequisite for work to commence. PPE must be properly fitted to each worker, regularly inspected for damage or wear, maintained according to manufacturer specifications, and replaced when it no longer provides adequate protection. Training workers in the correct use, care, and limitations of their PPE is equally important.
Dynamic Risk Assessment
Dynamic risk assessment refers to continuous evaluation of risks during the execution of work as conditions change. Unlike pre-planned assessments, it is performed in real time by workers on site. It is critical in environments where conditions evolve rapidly. In practice, it supports situational awareness and safe decision-making during execution.
HAZOP (Hazard and Operability Study)
A HAZOP (Hazard and Operability Study) is a structured and systematic risk assessment technique used to identify potential hazards and operability problems in industrial processes, systems, and facilities. Developed in the 1960s by ICI (Imperial Chemical Industries), HAZOP has become the gold standard for process hazard analysis in the chemical, petrochemical, oil and gas, pharmaceutical, and energy industries worldwide. The methodology works by systematically examining each element of a process using a set of guide words — such as "no," "more," "less," "reverse," and "other than" — applied to process parameters like flow, temperature, pressure, level, and composition. For each deviation identified, the HAZOP team evaluates the potential causes, consequences, existing safeguards, and whether additional risk reduction measures are needed. A HAZOP study is typically conducted by a multidisciplinary team including process engineers, operations personnel, safety professionals, instrumentation specialists, and maintenance representatives, led by an experienced HAZOP facilitator. The study produces a comprehensive record of all identified hazards, their potential consequences, and recommended actions — this documentation becomes a critical reference for permit-to-work processes because it identifies the specific hazards that permits must address in each area of the facility. HAZOP studies are required by major process safety regulations including OSHA's PSM standard, the EU Seveso Directive, and industry guidelines such as IEC 61882. They are typically conducted during the design phase of new facilities, before major modifications, and periodically throughout the operational life of existing plants to ensure that evolving conditions are captured.
Permit to Work (PTW)
A Permit to Work is a formal control process used to manage hazardous work activities in industrial environments. It ensures that work is properly planned, risks are identified and mitigated, and responsibilities are clearly assigned before work begins. The permit defines conditions under which the work can be carried out, including required safety measures, isolations, and approvals. In practice, PTW acts as the central coordination tool between operations, maintenance, and contractors to prevent accidents and conflicts between activities.
More in Risk & Safety
Point of Work Risk Assessment (PWRA)
PWRA is a risk assessment performed at the exact location where work will take place just before starting. It verifies that planned controls are still valid in the actual environment. It acts as a final validation between planning and execution.
Residual Risk
Residual risk is the level of risk that remains after all control measures have been implemented. It cannot be fully eliminated but must be reduced to an acceptable level. Understanding residual risk is critical for decision-making.
Last Minute Risk Assessment (LMRA)
LMRA is a final safety check performed immediately before starting work. It ensures that nothing has changed since the original assessment. It is often performed by the work team on site.
Simultaneous Operations (SIMOPS)
SIMOPS refers to multiple work activities taking place at the same time in the same area. These activities may interact and create additional risks. Proper coordination is essential to avoid conflicts.
Frequently Asked Questions
Why is PPE considered the least effective control?
PPE depends entirely on human behavior — workers must select, wear, and maintain it correctly. Unlike elimination or engineering controls, PPE does not reduce the hazard itself; it only provides a barrier between the worker and the hazard.
How does the hierarchy apply in PTW?
The risk assessment for each permit should systematically work through the hierarchy. For example, before authorizing hot work, consider whether the task can be done without heat (elimination), whether cold cutting can be used (substitution), whether barriers can isolate the area (engineering), and what PPE is required (last resort).
Explore Our Guides
Deepen your knowledge with our comprehensive guides and expert resources.
Pirkka Paronen
CEO, Gate Apps
CEO of Gate Apps, expert in digital permit-to-work and HSEQ software.
