Understanding the Hierarchy of Controls

This entry is part 2 of 3 in the series Hierarchy of Controls

Risk assess­ment is the first step in redu­cing the risk that your cus­tom­ers and users are exposed to when they use your products. The second step is Risk Reduction, some­times called Risk Control or Risk Mitigation. This art­icle looks at the ways that risk can be con­trolled using the Hierarchy of Controls. Figure 2 from ISO 12100 – 1 (shown below) illus­trates this point.

The sys­tem is called a hier­archy because you must apply each level in the order that they fall in the list. In terms of effect­ive­ness at redu­cing risk, the first level in the hier­archy, elim­in­a­tion, is the most effect­ive, down to the last, PPE*, which has the least effect­ive­ness.

It’s import­ant to under­stand that ques­tions must be asked after each step in the hier­archy is imple­men­ted, and that is “Is the risk reduced as much as pos­sible? Is the resid­ual risk a) in com­pli­ance with leg­al require­ments, and b) accept­able to the user or work­er?”. When you can answer ‘YES’ to all of these ques­tions, the last step is to ensure that you have warned the user of the resid­ual risks, have iden­ti­fied the required train­ing needed and finally have made recom­mend­a­tions for any needed PPE.

*PPE – Personal Protective Equipment. e.g. Protective eye wear, safety boots, bump caps, hard hats, cloth­ing, gloves, res­pir­at­ors, etc. CSA Z1002 includes ‘…any­thing designed to be worn, held, or car­ried by an indi­vidu­al for pro­tec­tion against one or more haz­ards.’  in this defin­i­tion.

Risk Reduction from the Designer's Viewpoint
ISO 12100:2010 – Figure 2


Introducing the Hierarchy of Controls

The Hierarchy of Controls was developed in a num­ber of dif­fer­ent stand­ards over the last 20 years or so. The idea was to provide a com­mon struc­ture that would provide guid­ance to design­ers when con­trolling risk.

Typically, the first three levels of the hier­archy may be con­sidered to be ‘engin­eer­ing con­trols’ because they are part of the design pro­cess for a product. This does not mean that they must be done by engin­eers!

We’ll look at each level in the hier­archy in detail. First, let’s take a look at what is included in the Hierarchy.

The Hierarchy of Controls includes:

1)    Hazard Elimination or Substitution (Design)
2)    Engineering Controls (see [1, 2, 8, 9, 10, and 11])

a)    Barriers

b)    Guards (Fixed, Movable w/​interlocks)

c)    Safeguarding Devices

d)    Complementary Protective Measures

3)    Information for Use (see [1, 2, 4, 7, 8, 12, and 13])

a)    Hazard Warnings

b)    Manuals

c)    HMI* & Awareness Devices (lights, horns)

4)    Administrative Controls (see [1, 2, 4, 5, 7, and 8])

a)    Training

b)    SOP’s,

c)    Hazardous Energy Control Procedures (see [5, 14])

d)    Authorization

5)    Personal Protective Equipment

a)    Specification

b)    Fitting

c)    Training in use

d)    Maintenance

*HMI – Human-​Machine Interface. Also called the ‘con­sole’ or ‘oper­at­or sta­tion’. The loc­a­tion on the machine where the oper­at­or con­trols are loc­ated. Often includes a pro­gram­mable screen or oper­at­or dis­play, but can be a simple array of but­tons, switches and indic­at­or lights.

The man­u­fac­turer, developer or integ­rat­or of the sys­tem should provide the first three levels of the hier­archy. Where they have not been provided, the work­place or user should provide them.

The last two levels must be provided by the work­place or user.


Each lay­er in the hier­archy has a level of effect­ive­ness that is related to the fail­ure modes asso­ci­ated with the con­trol meas­ures and the rel­at­ive effect­ive­ness in redu­cing risk in that lay­er. As you go down the hier­archy, the reli­ab­il­ity and effect­ive­ness decrease as shown below.

Effectiveness of the Hierarchy of ControlsThere is no way to meas­ure or spe­cific­ally quanti­fy the reli­ab­il­ity or effect­ive­ness of each lay­er of the hier­archy – that must wait until you make some selec­tions from each level, and even then it can be very hard to do. The import­ant thing to under­stand is that Elimination is more effect­ive than Guarding (engin­eer­ing con­trols), which is more effect­ive than Awareness Means, etc.

1. Hazard Elimination or Substitution

Hazard Elimination

Hazard elim­in­a­tion is the most effect­ive means of redu­cing risk from a par­tic­u­lar haz­ard, for the simple reas­on that once the haz­ard has been elim­in­ated there is no remain­ing risk. Remember that risk is a func­tion of sever­ity and prob­ab­il­ity. Since both sever­ity and prob­ab­il­ity are affected by the exist­ence of the haz­ard, elim­in­at­ing the haz­ard reduces the risk from that par­tic­u­lar haz­ard to zero. Some prac­ti­tion­ers con­sider this to mean the elim­in­a­tion is 100% effect­ive, how­ever it’s my opin­ion that this is not the case because even elim­in­a­tion has fail­ure modes that can re-​introduce the haz­ard.

Failure Modes:

Hazard elim­in­a­tion can fail if the haz­ard is rein­tro­duced into the design. With machinery this isn’t that likely to occur, but in pro­cesses, ser­vices and work­places it can occur.


Substitution requires the design­er to sub­sti­tute a less haz­ard­ous mater­i­al or pro­cess for the ori­gin­al mater­i­al or pro­cess. For example, beryl­li­um is a highly tox­ic met­al that is used in some high tech applic­a­tions. Inhalation or skin con­tact with beryl­li­um dust can do ser­i­ous harm to a per­son very quickly, caus­ing acute beryl­li­um dis­ease. Long term expos­ure can cause chron­ic beryl­li­um dis­ease. Substituting a less tox­ic mater­i­al with sim­il­ar prop­er­ties in place of the beryl­li­um in the pro­cess  could reduce or elim­in­ate the pos­sib­il­ity of beryl­li­um dis­ease, depend­ing on the exact con­tent of the sub­sti­tute mater­i­al. If the sub­sti­tute mater­i­al includes any amount of beryl­li­um, then the risk is only reduced. If it con­tains no beryl­li­um, the risk is elim­in­ated. Note that the risk can also be reduced by ensur­ing that the beryl­li­um dust is not cre­ated by the pro­cess, since beryl­li­um is not tox­ic unless inges­ted.

Alternatively, using pro­cesses to handle the beryl­li­um without cre­at­ing dust or particles could reduce the expos­ure to the mater­i­al in forms that are likely to cause beryl­li­um dis­ease. An example of this could be sub­sti­tu­tion of water-​jet cut­ting instead of mech­an­ic­al saw­ing of the mater­i­al.

Failure Modes:

Reintroduction of the sub­sti­tuted mater­i­al into a pro­cess is the primary fail­ure mode, how­ever there may be oth­ers that are spe­cif­ic to the haz­ard and the cir­cum­stances. In the above example, pre- and post-​cutting hand­ling of the mater­i­al could still cre­ate dust or small particles, res­ult­ing in expos­ure to beryl­li­um. A sub­sti­tuted mater­i­al might intro­duce oth­er, new haz­ards, or might cre­ate fail­ure modes in the final product that would res­ult in risks to the end user. Careful con­sid­er­a­tion is required!

If neither elim­in­a­tion or sub­sti­tu­tion is pos­sible, we move to the next level in the hier­archy.

2. Engineering Controls

Engineering con­trols typ­ic­ally include vari­ous types of mech­an­ic­al guards [16, 17, & 18], inter­lock­ing sys­tems [9, 10, 11, & 15], and safe­guard­ing devices like light cur­tains or fences, area scan­ners, safety mats and two-​hand con­trols [19]. These sys­tems are pro­act­ive in nature, act­ing auto­mat­ic­ally to pre­vent access to a haz­ard and there­fore pre­vent­ing injury. These sys­tems are designed to act before a per­son can reach the danger zone and be exposed to the haz­ard.

Control reliability

Barrier guards and fixed guards are not eval­u­ated for reli­ab­il­ity because they do not rely on a con­trol sys­tem for their effect­ive­ness. As long as they are placed cor­rectly in the first place, and are oth­er­wise prop­erly designed to con­tain the haz­ards they are pro­tect­ing, then noth­ing more is required. On the oth­er hand, safe­guard­ing devices, like inter­locked guards, light fences, light cur­tains, area scan­ners, safety mats, two-​hand con­trols and safety edges, all rely on a con­trol sys­tem for their effect­ive­ness. Correct applic­a­tion of these devices requires cor­rect place­ment based on the stop­ping per­form­ance of the haz­ard and cor­rect integ­ra­tion of the safety device into the safety related parts of the con­trol sys­tem [19]. The degree of reli­ab­il­ity is based on the amount of risk reduc­tion that is being required of the safe­guard­ing device and the degree of risk present in the unguarded state [9, 10].

There are many detailed tech­nic­al require­ments for engin­eer­ing con­trols that I can’t get into in this art­icle, but you can learn more by check­ing out the ref­er­ences at the end of this art­icle and oth­er art­icles on this blog.

Failure Modes

Failure modes for engin­eer­ing con­trols are as many and as var­ied as the devices used and the meth­ods of integ­ra­tion chosen. This dis­cus­sion will have to wait for anoth­er art­icle!

Awareness Devices

Of spe­cial note are ‘aware­ness devices’. This group includes warn­ing lights, horns, buzzers, bells, etc. These devices have some aspects that are sim­il­ar to engin­eer­ing con­trols, in that they are usu­ally part of the machine con­trol sys­tem, but they are also some­times classed as ‘inform­a­tion for use’, par­tic­u­larly when you con­sider indic­at­or or warn­ing lights and HMI screens. In addi­tion to these ‘act­ive’ types of devices, aware­ness devices may also include lines painted or taped on the floor or on the edge of a step or elev­a­tion change, warn­ing chains, sig­nage, etc. Signage may also be included in the class of ‘inform­a­tion for use’, along with HMI screens.

Failure Modes

Failure modes for Awareness Devices include:

  • Ignoring the warn­ings (Complacency or Failure to com­pre­hend the mean­ing of the warn­ing);
  • Failure to main­tain the device (warn­ing lights burned out or removed);
  • Defeat of the device (silen­cing an aud­ible warn­ing device);
  • Inappropriate selec­tion of the device (invis­ible or inaud­ible in the pre­dom­in­at­ing con­di­tions).

Complementary Protective Measures

Complementary Protective meas­ures are a class of con­trols that are sep­ar­ate from the vari­ous types of safe­guard­ing because they gen­er­ally can­not pre­vent injury, but may reduce the sever­ity of injury or the prob­ab­il­ity of the injury occur­ring. Complementary pro­tect­ive meas­ures are react­ive in nature, mean­ing that they are not auto­mat­ic. They must be manu­ally activ­ated by a user before any­thing will occur, e.g. press­ing an emer­gency stop but­ton. They can only com­ple­ment the pro­tec­tion provided by the auto­mat­ic sys­tems.

A good example of this is the Emergency Stop sys­tem that is designed into many machines. On its own, the emer­gency stop sys­tem will do noth­ing to pre­vent an injury. The sys­tem must be activ­ated manu­ally by press­ing a but­ton or pulling a cable. This relies on someone detect­ing a prob­lem and real­iz­ing that the machine needs to be stopped to avoid or reduce the sever­ity of an injury that is about to occur or is occur­ring. Emergency stop can only ever be a back-​up meas­ure to the auto­mat­ic inter­locks and safe­guard­ing devices used on the machine. In many cases, the next step in emer­gency response after press­ing the emer­gency stop is to call 911.

Failure Modes:

The fail­ure modes for these kinds of con­trols are too numer­ous to list here, how­ever they range from simple fail­ure to replace a fixed guard or bar­ri­er fence, to fail­ure of elec­tric­al, pneu­mat­ic or hydraul­ic con­trols. These fail­ure modes are enough of a con­cern that a new field of safety engin­eer­ing called ‘Functional Safety Engineering’ has grown up around the need to be able to ana­lyze the prob­ab­il­ity of fail­ure of these sys­tems and to use addi­tion­al design ele­ments to reduce the prob­ab­il­ity of fail­ure to a level we can tol­er­ate. For more on this, see [9, 10, 11].

Once you have exhausted all the pos­sib­il­it­ies in Engineering Controls, you can move to the next level down in the hier­archy.

3. Information for Use

This is a very broad top­ic, includ­ing manu­als, instruc­tion sheets, inform­a­tion labels on the product, haz­ard warn­ing signs and labels, HMI screens, indic­at­or and warn­ing lights, train­ing mater­i­als, video, pho­to­graphs, draw­ings, bills of mater­i­als, etc. There are some excel­lent stand­ards now avail­able that can guide you in devel­op­ing these mater­i­als [1, 12 and 13].

Failure Modes:

The major fail­ure modes in this level include:

  • Poorly writ­ten or incom­plete mater­i­als;
  • Provision of the mater­i­als in a lan­guage that is not under­stood by the user;
  • Failure by the user to read and under­stand the mater­i­als;
  • Inability to access the mater­i­als when needed;
  • Etcetera.

When all pos­sib­il­it­ies for inform­ing the user have been covered, you can move to the next level down in the hier­archy. Note that this is the usu­al sep­ar­a­tion point between the man­u­fac­turer and the user of a product. This is nicely illus­trated in Fig 2 from ISO 12100 above. It is import­ant to under­stand at this point that the resid­ual risk posed by the product to the user may not yet be tol­er­able. The user is respons­ible for imple­ment­ing the next two levels in the hier­archy in most cases. The man­u­fac­turer can make recom­mend­a­tions that the user may want to fol­low, but typ­ic­ally that is the extent of influ­ence that the man­u­fac­turer will have on the user.

4. Administrative Controls

This level in the hier­archy includes:

  • Training;
  • Standard Operating Procedures (SOP’s);
  • Safe work­ing pro­ced­ures e.g. Hazardous Energy Control, Lockout, Tagout (where per­mit­ted by law), etc.;
  • Authorization; and
  • Supervision.

Training is the meth­od used to get the inform­a­tion provided by the man­u­fac­turer to the work­er or end user. This can be provided by the man­u­fac­turer, by a third party, or self-​taught by the user or work­er.
SOP’s can include any kind of pro­ced­ure insti­tuted by the work­place to reduce risk. For example, requir­ing work­ers who drive vehicles to do a walk-​around inspec­tion of the vehicle before use, and log­ging of any prob­lems found dur­ing the inspec­tion is an example of an SOP to reduce risk while driv­ing.
Safe work­ing pro­ced­ures can be strongly influ­enced by the man­u­fac­turer through the inform­a­tion for use provided. Maintenance pro­ced­ures for haz­ard­ous tasks provided in the main­ten­ance manu­al are an example of this.
Authorization is the pro­ced­ure that an employ­er uses to author­ize a work­er to carry out a par­tic­u­lar task. For example, an employ­er might put a policy in place that only per­mits licensed elec­tri­cians to access elec­tric­al enclos­ures and carry out work with the enclos­ure live. The employ­er might require that work­ers who may need to use lad­ders in their work take a lad­der safety and a fall pro­tec­tion train­ing course. Once the pre­requis­ites for author­iz­a­tion are com­pleted, the work­er is ‘author­ized’ by the employ­er to carry out the task.
Supervision is one of the most crit­ic­al of the Administrative Controls. Sound super­vi­sion can make all of the above work. Failure to prop­erly super­vise work can cause all of these meas­ures to fail.

Failure Modes

Administrative con­trols have many fail­ure modes. Here are some of the most com­mon:

  • Failure to train;
  • Failure to inform work­ers regard­ing the haz­ards present and the related risks;
  • Failure to cre­ate and imple­ment SOP’s;
  • Failure to provide and main­tain spe­cial equip­ment needed to imple­ment SOP’s;
  • No form­al means of author­iz­a­tion – i.e. How do you KNOW that Joe has his lift truck license?;
  • Failure to super­vise adequately.

I’m sure you can think of MANY oth­er ways that Administrative Controls can go wrong!

5. Personal Protective Equipment (PPE)

PPE includes everything from safety glasses, to hard­hats and bump caps, to fire-​retardant cloth­ing, hear­ing defend­ers, and work boots. Some stand­ards even include warn­ing devices that are worn by the user, such as gas detect­ors and person-​down detect­ors, in this group.
PPE is prob­ably the single most over-​used and least under­stood risk con­trol meas­ure. It falls at the bot­tom of the hier­archy for a num­ber of reas­ons:

  1. It is a meas­ure of last resort;
  2. It per­mits the haz­ard to come as close to the per­son as their cloth­ing;
  3. It is often incor­rectly spe­cified;
  4. It is often poorly fit­ted;
  5. It is often poorly main­tained; and
  6. It is often improp­erly used.

The prob­lems with PPE are hard to deal with. You can­not glue or screw a set of safety glasses to a person’s face, so ensur­ing the the pro­tect­ive equip­ment is used is a big prob­lem that goes back to super­vi­sion.

Many small and medi­um sized enter­prises do not have the expert­ise in the organ­iz­a­tion to prop­erly spe­cify, fit and main­tain the equip­ment.

User com­fort is extremely import­ant. Uncomfortable equip­ment won’t be used for long.

Finally, by the time that prop­erly spe­cified, fit­ted and used equip­ment can do it’s job, the haz­ard is as close to the per­son as it can get. The prob­ab­il­ity of fail­ure at this point is very high, which is what makes PPE a meas­ure of last resort, com­ple­ment­ary to the more effect­ive meas­ures that can be provided in the first three levels of the hier­archy.

If work­ers are not prop­erly trained and adequately informed about the haz­ards they face and the reas­ons behind the use of PPE, they are deprived of the oppor­tun­ity to make safe choices, even if that choice is to refuse the work.

Failure Modes

Failure modes for PPE include:

  • Incorrect spe­cific­a­tion (not suit­able for the haz­ard);
  • Incorrect fit (allows haz­ard to bypass PPE);
  • Poor main­ten­ance (pre­vents or restricts vis­ion or move­ment, increas­ing the risk; causes PPE fail­ure under stress or allows haz­ard to bypass PPE);
  • Incorrect usage (fail­ure to train and inform users, incor­rect selec­tion or spe­cific­a­tion of PPE).

Time to Apply the Hierarchy

So now you know some­thing about the ‘hier­archy of con­trols’. Each lay­er has its own intric­a­cies and nuances that can only be learned by train­ing and exper­i­ence. With a doc­u­mented risk assess­ment in hand, you can begin to apply the hier­archy to con­trol the risks. Don’t for­get to iter­ate the assess­ment post-​control to doc­u­ment the degree of risk reduc­tion achieved. You may cre­ate new haz­ards when con­trol meas­ures are applied, and you may need to add addi­tion­al con­trol meas­ures to achieve effect­ive risk reduc­tion.

The doc­u­ments ref­er­enced below should give you a good start in under­stand­ing some of these chal­lenges.


5% Discount on All Standards with code: CC2011 

NOTE: [1], [2], and[3]  were com­bined by ISO and repub­lished as ISO 12100:2010. This stand­ard has no tech­nic­al changes from the pre­ced­ing stand­ards, but com­bines them in a single doc­u­ment. ISO/​TR 14121 – 2 remains cur­rent and should be used with the cur­rent edi­tion of ISO 12100.

[1]             Safety of machinery – Basic con­cepts, gen­er­al prin­ciples for design – Part 1: Basic ter­min­o­logy and meth­od­o­logy, ISO Standard 12100 – 1, 2003.
[2]            Safety of machinery – Basic con­cepts, gen­er­al prin­ciples for design – Basic ter­min­o­logy and meth­od­o­logy, Part 2: Technical prin­ciples, ISO Standard 12100 – 2, 2003.
[3]            Safety of Machinery – Risk Assessment – Part 1: Principles, ISO Standard 14121 – 1, 2007.
[4]            Safety of machinery — Prevention of unex­pec­ted start-​up, ISO 14118, 2000
[5]            Control of haz­ard­ous energy – Lockout and oth­er meth­ods, CSA Z460, 2005
[6]            Fluid power sys­tems and com­pon­ents – Graphic sym­bols and cir­cuit dia­grams – Part 1: Graphic sym­bols for con­ven­tion­al use and data-​processing applic­a­tions, ISO Standard 1219 – 1, 2006
[7]            Pneumatic flu­id power – General rules and safety require­ments for sys­tems and their com­pon­ents, ISO Standard 4414, 1998
[8]            American National Standard for Industrial Robots and Robot Systems — Safety Requirements, ANSI/​RIA R15.06, 1999.
[9]            Safety of machinery — Safety-​related parts of con­trol sys­tems — Part 1: General prin­ciples for design, ISO Standard 13849 – 1, 2006
[10]          Safety of machinery – Functional safety of safety-​related elec­tric­al, elec­tron­ic and pro­gram­mable elec­tron­ic con­trol sys­tems, IEC Standard 62061, 2005
[11]           Functional safety of electrical/​electronic/​programmable elec­tron­ic safety-​related sys­tems, IEC Standard 61508-​X, sev­en parts.
[12]          Preparation of Instructions — Structuring, Content and Presentation, IEC Standard 62079, 2001
[13]          American National Standard For Product Safety Information in Product Manuals, Instructions, and Other Collateral Materials, ANSI Standard Z535.6, 2010.
[14]          Control of Hazardous Energy Lockout/​Tagout and Alternative Methods, ANSI Standard Z244.1, 2003.
[15]          Safety of Machinery — Interlocking devices asso­ci­ated with guards — prin­ciples for design and selec­tion, EN 1088+A1:2008.
[16]          Safety of Machinery — Guards – General require­ments for the design and con­struc­tion of fixed and mov­able guards, EN 953+A1:2009.
[17]          Safety of machinery — Guards — General require­ments for the design and con­struc­tion of fixed and mov­able guards, ISO 14120.
[18]         Safety of machinery — Safety dis­tances to pre­vent haz­ard zones being reached by upper and lower limbs, ISO 13857:2008.
[19]         Safety of machinery — Positioning of safe­guards with respect to the approach speeds of parts of the human body, ISO 13855:2010.

5% Discount on All Standards with code: CC2011 

Using E-​Stops in Lockout Procedures

This entry is part 6 of 11 in the series Emergency Stop

Emergency stop devices are some­times, incor­rectly, used as part of a lock­out pro­ced­ure for machinery. Learn more about how to cor­rectly used these devices as part of Hazardous Energy Control Procedures for indus­tri­al machinery.

This entry is part 6 of 11 in the series Emergency Stop

Disconnect Switch with Lock and TagControl of haz­ard­ous energy is one of the key ways that main­ten­ance and ser­vice work­ers are pro­tec­ted while main­tain­ing indus­tri­al equip­ment. Not so long ago we only thought about ‘Lockout’ or ‘Lockout/​Tagout’ pro­ced­ures, but there is much more to pro­tect­ing these work­ers than ‘just’ lock­ing out energy sources. Inevitably con­di­tions come up where safe­guards may need to be removed or tem­por­ar­ily bypassed in order to dia­gnose prob­lems or to make crit­ic­al but infre­quent adjust­ments to the equip­ment, and this is where Hazardous Energy Control Procedures, or HECP, come in.

One of the ques­tions I often get when help­ing cli­ents with devel­op­ing HECPs for their equip­ment is, “Can we use the emer­gency stop cir­cuit for lock­out?”. As usu­al, there is a short answer and a long answer to that simple ques­tion!

The Short Answer

The short answer to this ques­tion is NO. Lockout requires that sources of haz­ard­ous energy be phys­ic­ally isol­ated or blocked. Control sys­tems may be able to meet parts, but not all of this require­ment. Read on if you’d like to know why.

The Long Answer


Lockout pro­ced­ures are now grouped with oth­er adjust­ment, dia­gnost­ic and test pro­ced­ures into what are called Hazardous Energy Control Procedures or HECP. In the USA, OSHA pub­lishes a lock­out stand­ard in 29 CFR 1910.147, and ANSI pub­lishes ANSI Z244.1.

Download ANSI stand­ards

In Canada we didn’t have a stand­ard for HECP until 2005 when CSA Z460 was pub­lished, although all the Provinces and Territories have some lan­guage in their legis­la­tion that at least alludes to the need for con­trol of haz­ard­ous energy. In the Province of Ontario where I live, this require­ment shows up in Ontario Regulation 851, Sections 42, 75 and 76.

In the EU, con­trol of haz­ard­ous energy is dealt with in ISO 14118:2000, Safety of machinery — Prevention of unex­pec­ted start-​up.

Download ISO Standards 

If you have a look at the sec­tions from the Ontario reg­u­la­tions, they don’t tell you how to per­form lock­out, and they make little men­tion of what to do with live work for troubleshoot­ing pur­poses. The US OSHA reg­u­la­tions read more like a stand­ard, but because they are in legis­la­tion they are pre­script­ive. You MUST meet this min­im­um require­ment, and you may exceed it.

Let’s look at how lock­out is defined in the stand­ards.

Canada (Ontario) USA (OSHA) European Union

Lockout — place­ment of a lock or tag on an energy-​isolating device in accord­ance with an estab­lished pro­ced­ure, thereby indic­at­ing that the energy-​isolating device is not to be oper­ated until remov­al of the lock or tag in accord­ance with an estab­lished pro­ced­ure.

CSA Z460, 2005

Lockout. The place­ment of a lock­out device on an energy isol­at­ing device, in accord­ance with an estab­lished pro­ced­ure, ensur­ing that the energy isol­at­ing device and the equip­ment being con­trolled can­not be oper­ated until the lock­out device is removed.

Tagout. The place­ment of a tagout device on an energy isol­at­ing device, in accord­ance with an estab­lished pro­ced­ure, to indic­ate that the energy isol­at­ing device and the equip­ment being con­trolled may not be oper­ated until the tagout device is removed.

29 CFR 1910.147

2.14 lockout/​tagout: The place­ment of a lock/​tag on the energy isol­at­ing device in accord­ance with an estab­lished pro­ced­ure, indic­at­ing that the energy isol­at­ing device shall not be oper­ated until remov­al of the lock/​tag in accord­ance with an estab­lished pro­ced­ure. (The term “lockout/​tagout” allows the use of a lock­out device, a tagout device, or a com­bin­a­tion of both.)

ANSI Z244.1 – 2003

3.3 isol­a­tion and energy dis­sip­a­tion

pro­ced­ure which con­sists of all of the four fol­low­ing actions:

a) isol­at­ing (dis­con­nect­ing, sep­ar­at­ing) the machine (or defined parts of the machine) from all power sup­plies;

b) lock­ing (or oth­er­wise secur­ing), if neces­sary (for instance in large machines or in install­a­tions), all the isol­at­ing units in the “isol­ated” pos­i­tion;

c) dis­sip­at­ing or restrain­ing [con­tain­ing] any stored energy which may give rise to a haz­ard.

NOTE Energy con­sidered in c) above may be stored in e.g.:

  • mech­an­ic­al parts con­tinu­ing to move through iner­tia;
  • mech­an­ic­al parts liable to move by grav­ity;
  • capa­cit­ors, accu­mu­lat­ors;
  • pres­sur­ized flu­ids;
  • springs.

d) veri­fy­ing by using a safe work­ing pro­ced­ure that the actions taken accord­ing to a), b) and c) above have pro­duced the desired effect.

ISO 14118 – 2000

As you can see, the defin­i­tions are fairly sim­il­ar, although slightly dif­fer­ent terms may be used. The ISO stand­ard actu­ally provides the best guid­ance over­all in my opin­ion. Note that these excerpts are all taken from the defin­i­tions sec­tions of the rel­ev­ant doc­u­ments.

One of the big dif­fer­ences between the US and Canada is the idea of ‘tagout’ (pro­nounced TAG-​out for those not famil­i­ar with the term). Tagout is identic­al to lock­out with the excep­tion of the device that is attached to the energy isol­at­ing device. Under cer­tain cir­cum­stances the US per­mits the use of a tag without a lock to secure the energy isol­a­tion device. This is not per­mit­ted in Canada under any cir­cum­stance, and the term ‘tagout’ is not offi­cially recog­nized. In Canada the term is often taken to mean the addi­tion of a tag to the lock­ing device,  a man­dat­ory part of the pro­ced­ure.

Use of Controls for Energy Isolation

This is where the ‘rub­ber meets the road’ – how is the source of haz­ard­ous energy isol­ated effect­ively? To under­stand the require­ments, let’s look at the defin­i­tion for an Energy Isolating Device.

Canada USA EU

Energy-​isolating device — a mech­an­ic­al device that phys­ic­ally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: a manu­ally oper­ated elec­tric­al cir­cuit break­er; a dis­con­nect switch; a manu­ally oper­ated switch by which the con­duct­ors of a cir­cuit can be dis­con­nec­ted from all ungroun­ded sup­ply con­duct­ors; a line valve; a block; and oth­er devices used to block or isol­ate energy (push-​button select­or switches and oth­er control-​type devices are not energy-​isolating devices).

CSA Z460, 2005

Note – Bold added for emphas­is – DN

Energy isol­at­ing device. A mech­an­ic­al device that phys­ic­ally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: A manu­ally oper­ated elec­tric­al cir­cuit break­er; a dis­con­nect switch; a manu­ally oper­ated switch by which the con­duct­ors of a cir­cuit can be dis­con­nec­ted from all ungroun­ded sup­ply con­duct­ors, and, in addi­tion, no pole can be oper­ated inde­pend­ently; a line valve; a block; and any sim­il­ar device used to block or isol­ate energy. Push but­tons, select­or switches and oth­er con­trol cir­cuit type devices are not energy isol­at­ing devices.

Note – Bold added for emphas­is – DN

Tagout device. A prom­in­ent warn­ing device, such as a tag and a means of attach­ment, which can be securely fastened to an energy isol­at­ing device in accord­ance with an estab­lished pro­ced­ure, to indic­ate that the energy isol­at­ing device and the equip­ment being con­trolled may not be oper­ated until the tagout device is removed.

29 CFR 1910.147

2.8 energy isol­at­ing device: A mech­an­ic­al device that phys­ic­ally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: a manu­ally oper­ated elec­tric­al cir­cuit break­er, a dis­con­nect switch, a manu­ally oper­ated switch by which the con­duct­ors of a cir­cuit can be dis­con­nec­ted from all ungroun­ded sup­ply con­duct­ors and, in addi­tion, no pole can be oper­ated inde­pend­ently; a line valve; a block; and any sim­il­ar device used to block or isol­ate energy.

2.20.1 tagout device: A prom­in­ent warn­ing means such as a tag and a means of attach­ment, which can be securely fastened to an energy isol­at­ing device to indic­ate that the energy isol­at­ing device and the equip­ment being con­trolled may not be oper­ated until the tagout device is removed.

ANSI Z244.1 – 2003

4.1 Isolation and energy dis­sip­a­tion

Machines shall be provided with means inten­ded for isol­a­tion and energy dis­sip­a­tion (see clause 5), espe­cially with a view to major main­ten­ance, work on power cir­cuits and decom­mis­sion­ing in accord­ance with the essen­tial safety require­ment expressed in ISO/​TR 12100 – 2:1992, annex A, 1.6.3.

Note – ISO/​TR 12100 – 2 was with­drawn in Oct-​10 and replaced by ISO 12100 – 2010. – DN Read more on this.

5.1 Devices for isol­a­tion from power sup­plies
Isolation devices shall:

  • ensure a reli­able isol­a­tion (dis­con­nec­tion, sep­ar­a­tion);
  • have a reli­able mech­an­ic­al link between the manu­al con­trol and the isol­at­ing element(s);
  • be equipped with clear and unam­bigu­ous iden­ti­fic­a­tion of the state of the isol­a­tion device which cor­res­ponds to each pos­i­tion of its manu­al con­trol (actu­at­or).

NOTE 1 For elec­tric­al equip­ment, a sup­ply dis­con­nect­ing device com­ply­ing with IEC 60204 – 1:1997, 5.3 “Supply dis­con­nect­ing (isol­at­ing) device” meets this require­ment.

NOTE 2 Plug and sock­et sys­tems (for elec­tric­al sup­plies), or their pneu­mat­ic, hydraul­ic or mech­an­ic­al equi­val­ents, are examples of isol­at­ing devices with which it is pos­sible to achieve a vis­ible and reli­able dis­con­tinu­ity in the power sup­ply cir­cuits.

For elec­tric­al plug/​socket com­bin­a­tions, see IEC 60204 – 1:1997, 5.3.2 d).

NOTE 3 For hydraul­ic and pneu­mat­ic equip­ment, see also EN 982:1996, 5.1.6 and EN 983:1996, 5.1.6.

ISO 14118 – 2000

Brady 65675 Large Plug Lockout Device
BRADY Small Plug Lockout Device

As you can see from the above defin­i­tions, all the jur­is­dic­tions require that devices used for energy isol­a­tion are reli­able, manu­ally oper­able, mech­an­ic­al devices. While elec­tric­al con­trol sys­tems that meet high levels of design reli­ab­il­ity may meet the reli­ab­il­ity require­ments, they do not meet the require­ments for phys­ic­al, mech­an­ic­al dis­con­nec­tion of the source of haz­ard­ous energy. Operator devices are spe­cific­ally excluded from this use in Canada and the USA. Note that plug and sock­et com­bin­a­tions are per­mit­ted in all jur­is­dic­tions. Lockout devices such as Brady 65675 Large Plug Lockout Device like the Brady Small Plug Lockout Device shown here and sim­il­ar devices can be used for this pur­pose. With some plugs it is pos­sible to put a small lock through a hole in one of the con­tacts. In some jur­is­dic­tions, even the simple act of put­ting the plug in your back pock­et while con­duct­ing the work is suf­fi­cient.

In addi­tion, the energy isol­a­tion device is required to be able to be locked in the off, isol­ated, or blocked pos­i­tion. There are emer­gency stop but­ton oper­at­ors that can be pur­chased with an integ­rated lock cyl­in­der, and there are some con­trol oper­at­or accessor­ies avail­able that will allow con­trol push but­tons and select­or switches to be locked in one pos­i­tion or anoth­er, but these do not meet the require­ments of the above stand­ards. They can be used in addi­tion to an energy isol­a­tion device as part of the pro­ced­ure, but not on their own as the sole means of pre­vent­ing unex­pec­ted start-​up.

BRADY Button Locking Device
BRADY Button Locking Device


Each machine or piece of equip­ment is required to have an HECP that is spe­cif­ic to that piece of equip­ment. ‘Global’ HECP’s are sel­dom use­ful except as a tem­plate doc­u­ment. Development of HECPs takes some care­ful thought and a thor­ough under­stand­ing of the kinds of work that will need to be done to main­tain and ser­vice the machinery. Individual jur­is­dic­tions have some dif­fer­ences in the details of their reg­u­la­tions, but ulti­mately the require­ments come down to the same thing: Protecting work­ers.

Control sys­tem devices such as stop but­tons and emer­gency stop devices are not accep­ted as energy isol­at­ing devices and can­not be used for this pur­pose, although they may be used as part of the HECP shut­down pro­ced­ure lead­ing up to the phys­ic­al isol­a­tion of the haz­ard­ous energy sources.

Excellent stand­ards exist that cov­er devel­op­ment of these pro­ced­ures and should be ref­er­enced as spe­cif­ic HECP are developed.

5% Discount on All Standards with code: CC2011 

104602 – BRADY Button Locking Device
BRADY Button Locking Device



Ontario Regulation 851, Sections 42, 75 and 76.

CSA Z460-​05 (R2010) – Control of haz­ard­ous energy — Lockout and oth­er meth­ods


29 CFR 1910.147The con­trol of haz­ard­ous energy (lockout/​tagout).

ANSI Z244.1 – 2003 (R2008) – Control of Hazardous Energy – Lockout/​Tagout and Alternative Methods

Download stand­ards

Allen-Bradley 8579
Allen-​Bradley 8579

ISO 14118 2000, Safety of machinery — Prevention of unex­pec­ted start-​up

Download ISO Standards