Quick Answer

The hierarchy of control is the prioritised order in which a UK risk assessor should select control measures to reduce workplace risk. Most UK practitioners use the five-layer version: Eliminate, Substitute, Engineering controls, Administrative controls, Personal Protective Equipment (often shortened to ERIC-PD or “ERICPD” with PD split into PPE and Discipline). Elimination is most effective; PPE is the last resort. The hierarchy originates in the Management of Health and Safety at Work Regulations 1999, Schedule 1 (the principles of prevention), and is simplified in ISO 45001:2018 clause 8.1.2 — the version used on NEBOSH courses. The legal force comes from Schedule 1; ISO 45001 and the standard pyramid diagrams are summaries of the same principle.

Risk assessment without a hierarchy of control is just hazard-spotting. The hierarchy is what turns the question “what could go wrong?” into the question “what’s the best available way to stop it going wrong?” — and the order of the layers matters because not every control is as good as every other.

This guide explains the five layers, where the hierarchy comes from in UK law, how it’s used in NEBOSH and IOSH training, and the messy real-world cases where the layers overlap or compete. It’s written for the people who actually do risk assessments — line managers, supervisors, dutyholders, and competent persons under Regulation 7 of the MHSWR — not for academics.

What is the hierarchy of control?

The hierarchy of control is a ranked list of risk-reduction strategies, ordered from most effective to least effective. The standard UK version has five layers:

  1. Eliminate — remove the hazard altogether
  2. Substitute — replace the hazard with something less dangerous
  3. Engineering controls — physical changes that isolate workers from the hazard
  4. Administrative controls — changes to how work is organised, scheduled, or supervised
  5. Personal Protective Equipment (PPE) — equipment worn by the worker to reduce exposure

The principle is that each layer is more reliable than the one beneath it. Elimination removes the hazard entirely, so it can’t fail; PPE depends on the worker wearing it, fitting it correctly, and using it for the entire exposure period — three failure points the higher layers don’t have.

Some versions of the hierarchy add a sixth layer between Engineering and Administrative — Reduce (limit exposure time or quantity). The HSE’s own materials on PPE use a five-layer version. NEBOSH and IOSH typically teach the ISO 45001 simplified five-layer version. The exact number of layers matters less than understanding why elimination outranks PPE.

Where the hierarchy comes from in UK law

The legal origin of the hierarchy of control is Schedule 1 to the Management of Health and Safety at Work Regulations 1999. Schedule 1 sets out nine “general principles of prevention” that employers must apply when selecting protective measures under Regulation 4. The nine principles are:

  1. avoiding risks
  2. evaluating the risks which cannot be avoided
  3. combating the risks at source
  4. adapting the work to the individual
  5. adapting to technical progress
  6. replacing the dangerous by the non-dangerous or the less dangerous
  7. developing a coherent overall prevention policy
  8. giving collective protective measures priority over individual protective measures
  9. giving appropriate instructions to employees

The hierarchy of control is the practical distillation of these principles. Principle 1 (“avoiding risks”) maps to Eliminate. Principle 6 (“replacing the dangerous by the non-dangerous or the less dangerous”) maps to Substitute. Principle 8 (“giving collective protective measures priority over individual protective measures”) is the legal basis for placing engineering and administrative controls above PPE in the hierarchy.

Schedule 1 has the force of law. The hierarchy diagrams in textbooks and posters are summaries of the legal duty in Schedule 1, not a separate framework. When HSE inspectors challenge a risk assessment, they’re often challenging it against Schedule 1 — and an assessment that jumped to PPE without considering elimination, substitution, or engineering controls fails Schedule 1, regardless of whether the PPE itself was adequate.

For more on the regulation behind the hierarchy, see our MHSWR 1999 guide.

The five layers explained, with worked examples

Layer 1: Eliminate

Eliminate the hazard. Don’t reduce it; don’t substitute it; remove it entirely so it cannot harm anyone. This is the most reliable control because there is nothing left to fail.

Worked example. A factory uses a solvent-based degreaser containing dichloromethane. The worker is exposed during cleaning operations. The COSHH assessment identifies the substance as a category 2 carcinogen. Elimination at the hazard level: switch to a steam-cleaning process that removes the need for the solvent altogether. The hazard is gone. The administrative effort, ventilation requirement, PPE requirement, and health surveillance requirement that came with the solvent all disappear with it.

Eliminate often looks expensive at first sight and is rarely chosen on capital cost alone. It tends to win on whole-life cost — once the engineering, training, audit, surveillance and PPE-management costs of the lower-layer alternatives are added in, the elimination option is often cheaper over five years.

Layer 2: Substitute

Replace the hazard with a less harmful one. The work still gets done; the risk profile changes.

Worked example. A construction site uses solvent-based paints for steelwork protection. Worker exposure to volatile organic compounds is high. Substitution: switch to a water-based intumescent coating. The work still happens; the hazard reduces from “category 3 VOC exposure with respiratory health surveillance required” to “low-grade dermal hazard with skin protection required.” Substitution doesn’t eliminate the need for risk control, but it lowers the level of control required and reduces the cost of getting it right.

The trap with substitution is the assumption that “less harmful” means “no longer harmful.” A risk assessment is still required for the substituted product. A good substitution moves the residual risk down a category, not down to zero.

Layer 3: Engineering controls

Physical changes to equipment, the workplace or the process that separate the worker from the hazard. Local exhaust ventilation, machine guarding, interlocked enclosures, sound-attenuating cabins, automated systems that remove the need for manual intervention. Engineering controls don’t depend on the worker doing anything — they work passively, every time, for everyone in scope.

Worked example. A workshop uses a circular saw for cutting timber. The risk assessment identifies finger contact with the rotating blade as a serious foreseeable injury. Engineering control: a fixed guard over the blade with a riving knife behind it, plus a push-stick required for any cut shorter than the guard’s clearance. The guard is in place whether the operator is paying attention or not. Compare this with the alternative — a sign saying “keep hands clear of the blade” — which only works if the operator reads it, remembers it, and acts on it every single time.

Reg 11(2) of PUWER 1998 sets out a specific hierarchy for protecting workers from dangerous parts of machinery: fixed guards first, then other guards or protection devices, then jigs and push-sticks, then information, instruction, training and supervision. PUWER’s hierarchy is the engineering-controls layer of the broader hierarchy of control made specific for machinery.

Layer 4: Administrative controls

Changes to how work is organised, scheduled, supervised, or carried out. Permit-to-work systems, safe systems of work, job rotation to limit individual exposure, supervision arrangements, training, signage, written procedures.

Worked example. A water-treatment site has a confined space that has to be entered for routine inspection twice a year. The hazard cannot be eliminated (the inspection has to happen). Substitution and engineering controls reduce the hazard but don’t remove it (the space remains confined; oxygen levels can drop). Administrative control: a permit-to-work system requiring atmospheric testing before entry, a top-man with rescue equipment, communication protocols, and a defined entry duration. The work happens under controlled conditions.

Administrative controls depend on people following procedures. They can fail in three ways: the procedure isn’t right; the worker doesn’t know it; the worker knows it but doesn’t follow it. This is why they sit below engineering controls in the hierarchy — engineering doesn’t depend on human compliance, and administrative does.

For more on permit systems specifically, see our Permit to Work guide.

Layer 5: Personal Protective Equipment (PPE)

The last resort. Equipment worn by the worker to reduce exposure to a residual hazard that the higher layers can’t fully control. Hearing protection, respirators, gloves, safety footwear, fall-arrest harnesses, eye protection.

PPE has three structural weaknesses that put it at the bottom of the hierarchy:

  • It depends on the wearer. A respirator that’s not worn protects nobody. A glove worn on the wrong hand protects nobody.
  • It depends on fit. Hearing protection that doesn’t seal properly does nothing. A respirator with a face-seal failure delivers contaminated air directly to the lungs.
  • It depends on the user being trained, motivated, and supervised. All three can fail.

PPE remains essential — there is residual risk in almost every workplace that the higher layers can’t fully eliminate. The point isn’t that PPE is bad. The point is that an assessment that jumps to PPE without first considering whether elimination, substitution, engineering or administrative control is feasible has skipped the legal duty in Schedule 1.

For more on PPE specifically, see our PPE Regulations guide.

The simplified hierarchy in ISO 45001 (the NEBOSH version)

ISO 45001:2018 — the international standard for occupational health and safety management systems — sets out its own version of the hierarchy at clause 8.1.2. The ISO version is the same five layers in the same order as the standard UK practitioner version, with cleaner labelling. NEBOSH courses (the General Certificate, the Diploma, the construction-specific and fire-specific certificates) use this version.

| ISO 45001 8.1.2 layer | What it covers |
| --- | --- |
| Eliminate the hazard | Remove the source of harm entirely. |
| Substitute with less hazardous processes, operations, materials or equipment | Same activity, lower-risk alternative. |
| Use engineering controls and reorganisation of work | Physical isolation; design changes that prevent exposure. |
| Use administrative controls, including training | Procedural and organisational changes. |
| Use adequate personal protective equipment | Last-resort barrier between worker and residual hazard. |

The ISO version is what most modern UK organisations cite in their safety policies because it aligns with the management-system standard. The MHSWR Schedule 1 version remains the legal source. They’re saying the same thing in different language.

Where the layers overlap in real workplaces

Textbook hierarchies present the layers as discrete and ordered. Real workplaces rarely cooperate. Five recurring complications:

1. Hybrid controls

A control measure often combines layers. A fume cabinet is engineering (the cabinet creates the airflow that captures the contaminant) but its effectiveness depends on the worker positioning their hands inside the cabinet correctly — which is administrative. The right answer in the assessment is to record the engineering control as the primary measure and the user-behaviour element as a supporting administrative control. Both have to be in place for the control to work.

2. Stacked controls

For high-consequence hazards, control at one layer is rarely enough. A confined space entry might use elimination at the design stage (eliminate routine entries through process redesign) plus substitution (use a less hazardous cleaning agent so the residual entry needs less PPE) plus engineering (mechanical ventilation) plus administrative (permit-to-work, atmospheric testing) plus PPE (escape sets). The hierarchy doesn’t say “pick the highest layer that works” — it says “start with the highest layer and work down, applying as many layers as the residual risk requires.”

3. Cost vs effectiveness

The “reasonably practicable” test from the parent Act allows cost to be weighed against the level of risk reduction. An elimination option that would prevent one minor injury per decade at a capital cost of several million pounds is unlikely to pass the reasonably-practicable test; an engineering option at a fraction of the cost that delivers most of the risk reduction may. The hierarchy is the order of preference; “reasonably practicable” is the affordability test that sits over the top.

4. New hazards introduced by controls

Substituting one substance for another can introduce new risks. Replacing a solvent with a water-based alternative may introduce slip hazards, microbial risks, or different respiratory exposures. The hierarchy applies to each hazard, not just the original — substituted controls require their own assessment.

5. Worker behaviour at the boundaries

An engineering control with a defeat mechanism that workers routinely bypass — interlocks defeated, guards removed, ventilation switched off because it’s noisy — is functionally an administrative control with extra steps. Whether a control works as engineering or as administrative is determined by what workers actually do, not what the design specification says.

How the hierarchy is used in NEBOSH and IOSH assessment

Both NEBOSH and IOSH expect candidates to apply the hierarchy in answer to risk-control questions. NEBOSH NG1 scenario questions and Diploma examination questions routinely ask candidates to “outline the hierarchy of control” or “suggest controls and explain why they are appropriate.” Marks are awarded for naming the layers in order, providing layer-appropriate examples, and explaining why higher layers are preferred.

IOSH Managing Safely teaches a simplified version focused on practical decision-making for line managers. IOSH Working Safely treats the hierarchy at awareness level for general workers.

The question that catches candidates is not “what are the five layers” — it’s “in this scenario, why is the engineering control you’ve suggested better than the PPE alternative?” Good answers reference the structural reliability of higher layers (passive vs active, doesn’t depend on user behaviour, protects everyone in scope) — not just the order of the diagram.

For preparation routes, see our IOSH Managing Safely course and NEBOSH National General Certificate course.

Common mistakes in applying the hierarchy

Five recurring errors from work with UK organisations:

1. Skipping straight to PPE

The most common error. The risk assessment identifies a hazard; the controls section lists PPE; the higher layers were never considered. This fails Schedule 1, fails any HSE inspection that scrutinises the assessment, and leaves the worker reliant on the least reliable layer.

2. Treating training as administrative control

Training appears in administrative controls in most diagrams. But training is also a prerequisite for every other layer — the engineering control has to be operated correctly, the PPE has to be worn correctly, the substituted product has to be used correctly. Training as a primary control measure is rarely enough on its own; training as a supporting requirement for other layers is non-negotiable.

3. Confusing reduction with elimination

Reducing exposure time, exposure quantity, or the number of people exposed is not elimination. It’s a useful control (sometimes labelled as a sixth layer, sometimes treated as engineering or administrative depending on the mechanism), but it’s not the top of the hierarchy.

4. Recording the chosen control without recording the layers considered

HSE inspectors looking at a risk assessment expect to see evidence that the hierarchy was applied — which higher layers were considered, why they weren’t selected, why the chosen layer was the right one. A risk assessment that records only the final control without showing the reasoning fails the “suitable and sufficient” test in Regulation 3 of MHSWR.

5. Static assessments

The hierarchy is applied at the assessment stage. But the work changes — new equipment, new substances, new staff, new processes. A control that was reasonably practicable five years ago may no longer be the highest available layer; a substituted product may now have an elimination alternative that didn’t exist before. Reviewing the assessment against the current hierarchy is part of the Regulation 3 review duty.

Frequently asked questions

What is the hierarchy of control?

A ranked list of risk-control strategies, ordered most-effective to least-effective: Eliminate, Substitute, Engineering controls, Administrative controls, PPE.

What does ERIC-PD stand for?

Eliminate, Reduce, Isolate, Control, Personal Protective Equipment, Discipline. It’s an alternative six-layer mnemonic used by some UK trainers. The principle is the same as the standard five-layer version.

Where does the hierarchy of control come from in UK law?

Schedule 1 to the Management of Health and Safety at Work Regulations 1999. Schedule 1 lists nine general principles of prevention that employers must apply under Regulation 4. The hierarchy is the practical distillation of those principles.

Why is PPE the last resort?

PPE depends on the wearer using it, fitting it correctly, and continuing to use it for the entire exposure period. Higher layers don’t depend on user behaviour and are therefore structurally more reliable.

Is the hierarchy of control mandatory?

The hierarchy itself isn’t named in legislation, but applying the principles in MHSWR Schedule 1 is mandatory under Regulation 4. The hierarchy is the standard way of applying those principles.

What’s the difference between the ISO 45001 hierarchy and the UK hierarchy?

The ISO 45001:2018 clause 8.1.2 hierarchy uses the same five layers in the same order with slightly different labelling. NEBOSH courses use the ISO version; both are equivalent in practice.

Where to start

If your organisation’s risk assessments are heavy on PPE and light on the higher layers, the most useful starting points are:

  1. Audit existing assessments. Pick a sample. For each risk, look at whether elimination and substitution were considered before engineering, administrative or PPE.
  2. Train assessors. The IOSH Managing Safely or NEBOSH General Certificate provides the framework; a refresher on Schedule 1 specifically is worthwhile for practitioners who learned the hierarchy as a diagram rather than a legal duty.
  3. Build the hierarchy into the template. A risk-assessment form that prompts the assessor to record the higher layers considered (and rejected, with reasons) before recording the chosen control forces the right thinking.
  4. Review at change points. When a substance changes, a process changes, or equipment changes, the hierarchy needs to be re-applied — not just updated for the new circumstances.

For training that covers the hierarchy in working practice, our IOSH Managing Safely course is the standard route at supervisor level, and the NEBOSH National General Certificate covers it in more depth at H&S manager level. For organisations that need help designing or auditing their risk-assessment process, our consultancy team can review existing assessments against MHSWR Schedule 1 and the hierarchy. Call us on +44 (0) 3300 569534 for tailored advice.

For related guidance, see our 5 Steps to Risk Assessment for the assessment framework that the hierarchy fits into, our COSHH guide and Working at Height guide for examples of layered hierarchies in specific high-risk activities, and our HSWA 1974 guide for the parent Act under which Schedule 1 sits.