40 points by surprisetalk, 4 months ago | 3 comments
  • AlotOfReading, 4 months ago
    I haven't encountered the hierarchy in years, but I've always felt it was a bit of a weird idea.

    The first and third tiers (elimination and controls) are the same thing: separating the hazard from potential injury conditions. This can be spatial separation, temporal separation, or a dozen other kinds. A real-world example is how x-ray techs have to physically leave the exposure area and stand behind a lead panel to turn on the beam. The hazard (radiation exposure) remains, but the system is safe because the tech can't be exposed to it. We use this all the time in software. Process boundaries are a form of spatial separation, mutexes enforce temporal separation. Test/prod systems, principle of least privilege, separation of concerns, etc.

    • kvmet, 4 months ago
      Elimination is not the same as separating someone from the hazard. Edit: elimination is (re)moving the hazard and a control is adding a barrier or moving the person

      Elimination is completely getting rid of the hazard. (In the case of x-ray it would be just not doing an x-ray at all)

    • eternityforest, 4 months ago
      Controls can fail. Tanks of toxic waste can leak. Toxic waste that doesn't exist is much safer, assuming it's not needed to prevent danger elsewhere.
      • AlotOfReading, 4 months ago
        They end up looking very similar in your FMEA or fault tree analysis.
  • nonrandomstring, 4 months ago
    Love this synthesis of safety and software thinking that seems apropos Ross Anderson's musings on software safety engineering.
  • theamk, 4 months ago
    If the hazard is "a production shell with unrestricted privileges", then won't "elimination" mean "don't give people production shells"? This can be achieved in many ways, such as pre-made queries (with new queries that could only be added via a PR/review process), better observability, using IaC like Terraform, etc.

    Instead, the author says "we could eliminate the production environment or we could eliminate the database" which really makes no sense.
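An added example (not from any commenter in this thread) of the "pre-made queries instead of a production shell" idea: a hypothetical registry of reviewed, parameterized queries is the only path to the database, so there is no arbitrary-SQL surface to misuse (elimination), while a read-only connection remains as a residual control in case the boundary is ever bypassed. The registry, table layout and sample rows are all constructed for this example; `PRAGMA query_only` is a real SQLite setting.

```python
import sqlite3

# Hypothetical registry of pre-approved, parameterized queries (constructed for
# this example). Each entry pairs SQL with the names and types of its bound
# parameters. In the model the comment describes, a new entry only lands here
# through a reviewed PR, so nobody needs an interactive shell against production.
APPROVED_QUERIES = {
    "user_by_email": (
        "SELECT id, email, plan FROM users WHERE email = ?",
        (("email", str),),
    ),
    "orders_for_user": (
        "SELECT id, total_cents FROM orders "
        "WHERE user_id = ? AND total_cents >= ? ORDER BY id",
        (("user_id", int), ("min_total_cents", int)),
    ),
}


class QueryNotApproved(Exception):
    """Raised when a caller asks for SQL that is not in the registry."""


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample data standing in for a production database."""
    # isolation_level=None: autocommit, so no implicit BEGIN is issued later
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, plan TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total_cents INTEGER);
        INSERT INTO users VALUES (1, 'ana@example.com', 'pro'), (2, 'bo@example.com', 'free');
        INSERT INTO orders VALUES (10, 1, 2500), (11, 1, 900), (12, 2, 300);
        """
    )
    # Residual control, not elimination: even if some caller reaches the raw
    # connection, SQLite refuses writes on it.
    conn.execute("PRAGMA query_only = ON")
    return conn


def run_approved(conn, name, **params):
    """Run one registered query. The only SQL that can execute here is the
    registry text; caller input is never concatenated, only bound."""
    if name not in APPROVED_QUERIES:
        raise QueryNotApproved(name)
    sql, spec = APPROVED_QUERIES[name]
    expected = {pname for pname, _ in spec}
    extra = set(params) - expected
    if extra:
        raise ValueError(f"unexpected parameters: {sorted(extra)}")
    args = []
    for pname, ptype in spec:
        if pname not in params:
            raise ValueError(f"missing parameter: {pname}")
        value = params[pname]
        # bool is an int subclass; reject it explicitly for int parameters
        if not isinstance(value, ptype) or isinstance(value, bool):
            raise TypeError(f"{pname} must be {ptype.__name__}")
        args.append(value)
    return conn.execute(sql, args).fetchall()


def rejects(conn, name, **params) -> bool:
    """True if the registry refuses the request (shows what has been eliminated)."""
    try:
        run_approved(conn, name, **params)
    except (QueryNotApproved, ValueError, TypeError):
        return True
    return False


def writes_blocked(conn) -> bool:
    """True if the residual read-only control stops a write on this connection."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_sample_db()
    print(run_approved(db, "user_by_email", email="ana@example.com"))
    print(run_approved(db, "orders_for_user", user_id=1, min_total_cents=1000))
    print(rejects(db, "DROP TABLE users"), writes_blocked(db))
```

The design point is the difference the thread argues about: `run_approved` never has a code path that executes caller-supplied SQL, so a hostile `email` value is just a bound string and an unregistered query name is refused outright, whereas `PRAGMA query_only` is a control layered underneath that only matters if the first boundary has already failed.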