32 points by surprisetalk 5 days ago | 3 comments
  • AlotOfReading 17 hours ago
    I haven't encountered the hierarchy in years, but I've always felt it was a bit of a weird idea.

    The first and third tiers (elimination and controls) are the same thing: separating the hazard from potential injury conditions. This can be spatial separation, temporal separation, or a dozen other kinds. A real-world example is how x-ray techs have to physically leave the exposure area and stand behind a lead panel to turn on the beam. The hazard (radiation exposure) remains, but the system is safe because the tech can't be exposed to it. We use this all the time in software. Process boundaries are a form of spatial separation, mutexes enforce temporal separation. Test/prod systems, principle of least privilege, separation of concerns, etc.

    • kvmet 15 hours ago
      Elimination is not the same as separating someone from the hazard. Edit: elimination is (re)moving the hazard and a control is adding a barrier or moving the person.

      Elimination is completely getting rid of the hazard. (In the case of x-ray it would be just not doing an x-ray at all)

  • theamk 8 hours ago
    If the hazard is "a production shell with unrestricted privileges", then won't "elimination" mean "don't give people production shells"? This can be achieved by many ways, such as pre-made queries (with new queries that could only be added via a PR/review process), better observability, using IaaC like terraform, etc...

    Instead, the author says "we could eliminate the production environment or we could eliminate the database" which really makes no sense.

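An added illustration of the distinction theamk draws between a control and elimination, in Python with an in-memory SQLite database. This is example code written for this page, not code from the thread or from the linked article; the schema, sample rows, the deliberately weak denylist and the query registry are all constructed for the demonstration. The "control" keeps the production shell and puts a keyword filter in front of it; the "elimination" removes the shell entirely and leaves only named, parameterized queries that can change only through a code change (and therefore review).

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not a real schema).
SCHEMA = """
CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, status TEXT, total REAL);
INSERT INTO orders VALUES (1, 'acme', 'open', 120.5);
INSERT INTO orders VALUES (2, 'acme', 'shipped', 80.0);
INSERT INTO orders VALUES (3, 'globex', 'open', 15.25);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- Control: the production shell still exists; a barrier sits in front of it ---
# A denylist of "dangerous" leading keywords (deliberately weak, for illustration).
# The hazard (arbitrary SQL against production) is untouched; only the path to it
# is filtered.
DENIED = re.compile(r"^\s*(drop|delete|update|insert|alter)\b", re.IGNORECASE)


def shell_with_barrier(conn, sql):
    """Execute operator-supplied SQL unless the denylist matches."""
    if DENIED.search(sql):
        raise PermissionError("blocked by denylist")
    return conn.execute(sql).fetchall()


# --- Elimination: there is no shell to type SQL into ---
# Operators can only invoke named queries. New entries reach this table only by
# changing the code, i.e. through review. Parameters are bound, never spliced.
QUERIES = {
    "orders_for_customer": "SELECT id, status, total FROM orders WHERE customer = ? ORDER BY id",
    "open_order_count": "SELECT COUNT(*) FROM orders WHERE status = 'open'",
}


def run_named_query(conn, name, *params):
    """Run a reviewed query by name; unknown names are rejected outright."""
    if name not in QUERIES:
        raise KeyError(f"no reviewed query named {name!r}")
    return conn.execute(QUERIES[name], params).fetchall()


def barrier_demo():
    """Return the order count after an operator works around the denylist."""
    conn = fresh_db()
    try:
        shell_with_barrier(conn, "DELETE FROM orders")  # caught, as intended
    except PermissionError:
        pass
    # The barrier inspects the first token; SQLite skips a leading comment, so the
    # same statement gets through. The hazard was never removed, only fenced.
    shell_with_barrier(conn, "/* cleanup */ DELETE FROM orders")
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def elimination_demo():
    """Return (rows for 'acme', rows for an injection-shaped parameter, order count)."""
    conn = fresh_db()
    rows = run_named_query(conn, "orders_for_customer", "acme")
    # A hostile parameter is just a string compared against the column.
    hostile = run_named_query(conn, "orders_for_customer", "acme' OR 1=1 --")
    try:
        run_named_query(conn, "delete_everything")  # not in the registry
    except KeyError:
        pass
    count = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return rows, hostile, count


if __name__ == "__main__":
    print("orders left after barrier bypass:", barrier_demo())
    print("elimination:", elimination_demo())
```

The point of the pairing: the denylist is a control in the hierarchy's sense (the operator can still reach the hazard, so the safety of the system depends on the filter being complete), while the registry is elimination (there is no code path that executes operator-typed SQL, so there is nothing to bypass; adding a new capability means adding a reviewed entry).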
  • nonrandomstring 18 hours ago
    Love this synthesis of safety and software thinking that seems apropos Ross Anderson's musings on software safety engineering.