Guarding Emergency Stop Devices

This entry is part 4 of 13 in the series Emer­gency Stop

Can emergency stop devices that are prone to unintended operation be guarded? Find out!

Much confusion exists when it comes to Emergency Stop systems, and clients often ask me if it is ‘OK’ to guard emergency stop devices like e-stop buttons, foot pedals, pull-cords, etc. Without getting into a ton of regulatory details, this article will look at the requirements for emergency stop devices in three key jurisdictions: Canada, the USA and the European Union.

If you need information on the functional aspects of emergency stop systems, see “Emergency Stop — What’s so confusing about that?”

Why Guard an Emergency Stop?

Gen­er­al­ly, emer­gency stop devices, or e-stop devices as they’re often called, need to be pro­tect­ed from unin­ten­tion­al use. This prob­lem occurs because e-stop devices have to be locat­ed close to where peo­ple work in order to be use­ful. An e-stop you can’t reach when you need it may as well not be there in the first place, so emer­gency stops are locat­ed at ‘nor­mal oper­a­tor sta­tions’. This often means they are locat­ed under the edge of a machine table, or on an oper­a­tor con­trol bar like that used on pow­er press­es, putting the e-stop with­in reach, but also in the ‘line-of-fire’ when it comes to the operator’s nor­mal move­ments.

To pre­vent unin­tend­ed oper­a­tion, peo­ple often want to put rings, col­lars, or worse — cov­ers — on or around the e-stop device to keep peo­ple from bump­ing the device. Some of these can be done and should be done, and oth­ers are nev­er per­mit­ted for good rea­son.

Regulatory Requirements

Let’s take a look at the key requirements from the regulations worldwide:

  1. Emer­gency Stop devices must be clear­ly iden­ti­fied. The tech­ni­cal stan­dards require that emer­gency stop devices be coloured RED with a YELLOW back­ground [1].
  2. They must be locat­ed with­in easy reach of the oper­a­tor. This applies to all nor­mal work­sta­tions where oper­a­tors inter­act with the machine. For main­te­nance and ser­vice activ­i­ties where work­ers may be in loca­tions oth­er than nor­mal work­sta­tions, a pen­dant or oth­er portable con­trol must be used to cause machine motion. This device must include an emer­gency stop con­trol along with oth­er com­ple­men­tary safe­guard­ing devices such as enabling devices and hold-to-run con­trols. Where access is only allowed under lock­out con­di­tions, this is not required [2], [3].
  3. But­tons must be palm or mush­room-shaped devices.
  4. Devices must require manual resetting. This means that the device must latch in the operated position and require a deliberate action to reset the device. This includes actions such as: pulling out a pressed button, twisting a button to release the latched condition, pressing a reset button on a pull-cord to reset the tripped condition, etc. [1].
  5. Unguard­ed. This means that easy access to the device may not be imped­ed, con­sid­er­ing the per­son­al pro­tec­tive equip­ment (PPE) that work­ers are required to wear. Devices that would be con­sid­ered to be guards would include:
  • Close fit­ting rings or col­lars that require a work­er to insert a fin­ger inside the ring or col­lar to reach the device and acti­vate it,
  • cov­ers that close over the device to pre­vent access,
  • locking devices that prevent access to the device, etc.

So, con­sid­er­ing point 5 above, isn’t this the end of the dis­cus­sion? Not at all! There are a few fac­tors to con­sid­er first.

An impor­tant con­sid­er­a­tion is the poten­tial for acci­den­tal oper­a­tion. Depend­ing on the machine or process, unin­ten­tion­al oper­a­tion of emer­gency stop devices may result in sig­nif­i­cant lost pro­duc­tion and/or dam­age to equip­ment. In cas­es like this, it is rea­son­able to pro­tect the device from inad­ver­tent oper­a­tion as long as the mea­sures tak­en to pro­tect the device do not impede the oper­a­tion of the device in emer­gency con­di­tions.

ISO 13850 [4] sup­ports this idea in Clause 4.4 Emer­gency stop device:

4.4.2 An emer­gency stop device shall be locat­ed at each oper­a­tor con­trol sta­tion, except where the risk assess­ment indi­cates that this is not nec­es­sary, as well as at oth­er loca­tions, as deter­mined by the risk assess­ment. It shall be posi­tioned such that it is read­i­ly acces­si­ble and capa­ble of non-haz­ardous actu­a­tion by the oper­a­tor and oth­ers who could need to actu­ate it. Mea­sures against inad­ver­tent actu­a­tion should not impair its acces­si­bil­i­ty. (Author’s Note: Bold text added for empha­sis.)

Summing Up

The key dif­fer­ence between North Amer­i­can think­ing and International/EU think­ing is in the term “unguard­ed” as used in the North Amer­i­can stan­dards, ver­sus [4, § 4.2.2], where the design­er is remind­ed, “Mea­sures against inad­ver­tent actu­a­tion should not impair its acces­si­bil­i­ty.”

In my opin­ion it is rea­son­able to pro­tect an emer­gency stop device from inad­ver­tent oper­a­tion by plac­ing a ring or oth­er sim­i­lar struc­ture around an emer­gency stop device as long as the struc­ture does not impair easy access to the device by the oper­a­tor.

I know this opin­ion appears ini­tial­ly to go against the estab­lished North Amer­i­can stan­dards, how­ev­er it can be log­i­cal­ly argued, based on the def­i­n­i­tion of the word “guard”.

A guard is a device that pre­vents access to some­thing, usu­al­ly a haz­ard. Con­sid­er­ing that we are talk­ing about a con­trol that is designed to reduce or lim­it harm, any struc­ture that does not pre­vent access to the emer­gency stop device asso­ci­at­ed with the struc­ture should be con­sid­ered to be accept­able.

That said, devices like:

  • hinged cov­ers;
  • doors;
  • lock­ing devices;
  • nar­row col­lars; and
  • any oth­er device or struc­ture

that undu­ly lim­its access to the emer­gency stop device can­not be con­sid­ered accept­able.

Effects of PPE

The phrase ‘undu­ly lim­its access’ has spe­cif­ic mean­ing here. If work­ers are expect­ed to be wear­ing PPE on the body part used to acti­vate the emer­gency stop device, such as gloves or boots for exam­ple, then the design of the struc­ture placed around the emer­gency stop device must take into account the added dimen­sions of the PPE, the reduc­tion in tac­tile capa­bil­i­ty that may occur (e.g. heavy work gloves make it hard to feel things eas­i­ly), and must com­pen­sate for the effects of the PPE. Big gloves/boots = Big open­ing in the struc­ture.

Light­ing and pro­tec­tive eye­wear can also play a part. You may need to use reflec­tive or lumi­nes­cent paint, or illu­mi­nat­ed e-stop devices, to high­light the loca­tion of the device in low light envi­ron­ments or where very dark eye­wear is required, like that need­ed by welders or used by work­ers around some infrared lasers with open beam paths.

Effects of State-of-Mind

It’s also impor­tant to con­sid­er the like­ly state-of-mind of a work­er need­ing to use an emer­gency stop device. They are either urgent­ly try­ing to stop the machine because,

  1. another safeguard has failed and someone is involved with a hazard, including themselves, or
  2. the machine is dam­ag­ing itself or the prod­uct and they need to lim­it the dam­age.

Both scenarios have a high level of urgency attached to them. The human mind tends to miss obvious things, including training, when placed under high levels of stress. Structures placed around emergency stop devices, such as covers, that completely block access, even though they may be easily opened, may be enough to prevent access in an emergency.

The answer you’ve all been waiting for!

So in the end, can you put a struc­ture around an emer­gency stop to reduce inad­ver­tent oper­a­tion of the device:

YES!

Just make sure that you consider all the factors that may affect its use, document your analysis, and don’t unduly restrict access to the device.

Need more help? Feel free to email me!


References

IEC – Inter­na­tion­al Elec­trotech­ni­cal Com­mis­sion

ISO – Inter­na­tion­al Orga­ni­za­tion for Stan­dard­iza­tion

[1]  Safe­ty of machin­ery — Elec­tri­cal equip­ment of machines — Part 1: Gen­er­al require­ments, IEC 60204–1, 2005

[2]  Con­trol of Haz­ardous Ener­gy ­– Lock­out and Oth­er Meth­ods, CSA Z460, 2005.

[3]  Con­trol of Haz­ardous Ener­gy – Lockout/Tagout and Alter­na­tive Meth­ods, ANSI ASSE Z244.1, 2003.

[4]  Safe­ty of machin­ery — Emer­gency stop — Prin­ci­ples for design, ISO 13850, 2006.

Emergency Stop Categories

I’ve noticed a lot of people looking for information on Emergency Stop categories recently; this article is aimed at those readers who want to understand this topic in more depth. First, a clarification: Emergency stop categories DO NOT EXIST, but stop categories do. A stop category is a description of a control function — what the control does — and not the architecture of the system that provides the function. Stop categories are often confused with circuit or system architecture categories from EN 954–1 [1] and ISO 13849–1 [2]. The confusion between these two sets of Categories often leads to incorrect assumptions about the application of these requirements.

“Emergency stop” is a description of a control function, with the added “emergency” telling you WHEN this stop function is intended to be used — only during an emergency situation. A “cycle stop” is also a functional description that tells the user WHAT the stop function does. Both the emergency stop function and the cycle stop function use the SAME stop categories, with some limitations on the emergency stop function. More about that later in this article.

Stop Categories

The stop cat­e­gories dis­cussed here are not exclu­sive to emer­gency stop func­tions. They are STOP func­tions and may be used for nor­mal stop­ping func­tions as well as the Emer­gency Stop func­tion.

Stop cat­e­gories and func­tion­al safe­ty sys­tem archi­tec­ture cat­e­gories are not the same, and there are sig­nif­i­cant dif­fer­ences that need to be under­stood by con­trol sys­tem design­ers. I’m going to sling a num­ber of stan­dards at you in this post, and I will pro­vide ref­er­ences at the end if you want to dig deep­er.

Func­tion­al safe­ty archi­tec­tur­al cat­e­gories are defined and described in ISO 13849–1, and I’ve writ­ten quite a bit on these in the past. If you want to know more about Cat­e­gories B, 1–4, check out this series of posts on ISO 13849–1 Cat­e­gories.

Originating Standards

There are three stan­dards that define the require­ments for stop cat­e­gories, and thank­ful­ly they are fair­ly close­ly har­monised, mean­ing that the def­i­n­i­tions for the cat­e­gories are essen­tial­ly the same in each doc­u­ment. They are:

  • ISO 13850, Safe­ty of machin­ery — Emer­gency stop func­tion — Prin­ci­ples for design [3]
  • IEC 60204–1, Safe­ty of machin­ery — Elec­tri­cal equip­ment of machines — Part 1: Gen­er­al require­ments (aka EN 60204–1) [4]
  • NFPA 79, Elec­tri­cal Stan­dard for Indus­tri­al Machin­ery [5]

A new Cana­di­an stan­dard was added in 2016, CSA C22.2 No. 301 [9]. This stan­dard draws heav­i­ly on a num­ber of stan­dards for core mate­r­i­al, includ­ing IEC 60204–1 and NFPA 79. No. 301 uses iden­ti­cal def­i­n­i­tions for stop func­tion cat­e­gories.


Stop Category Definitions

The stop categories are broken down into three general groups in [4], [5], and [9]:

  • Cat­e­go­ry 0 — Equiv­a­lent to pulling the plug;
  • Cat­e­go­ry 1 — Bring things to a grace­ful stop, then pull the plug; and
  • Cat­e­go­ry 2 — Bring things to a stop and hold them there under pow­er.

Let’s look at the def­i­n­i­tions in more detail. For com­par­i­son, I’m going to show the def­i­n­i­tions from the stan­dards side-by-side.

Table 1
Comparison of Stop Categories

Category 0

  • IEC 60204–1: stopping by immediate removal of power to the machine actuators (i.e. an uncontrolled stop – see 3.56);
  • NFPA 79: is an uncontrolled stop by immediately removing power to the machine actuators.
  • CSA C22.2 No. 301: stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop);

Category 1

  • IEC 60204–1: a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
  • NFPA 79: is a controlled stop with power to the machine actuators available to achieve the stop then remove power when the stop is achieved.
  • CSA C22.2 No. 301: a controlled stop with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

Category 2

  • IEC 60204–1: a controlled stop with power left available to the machine actuators.
  • NFPA 79: is a controlled stop with power left available to the machine actuators.
  • CSA C22.2 No. 301: a controlled stop with power left available to the machine actuators.

Def­i­n­i­tions from IEC 60204–1:

3.11 controlled stop
stopping of machine motion with electrical power to the machine actuators maintained during the stopping process

3.56 uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any particular state of other stopping devices, for example mechanical or hydraulic brakes.

As you can see, the Stop Cat­e­go­ry descrip­tions are vir­tu­al­ly iden­ti­cal, with the pri­ma­ry dif­fer­ence being the use of the def­i­n­i­tions in the IEC stan­dard instead of includ­ing that infor­ma­tion in the descrip­tion as in the NFPA stan­dard.


Minimum Requirements

[4], [5], and [9] require that all machines have at least a Cat­e­go­ry 0 stop. This could be achieved by switch­ing off (i.e., by using the dis­con­nect­ing means to switch off pow­er for exam­ple), by phys­i­cal­ly “pulling the plug” from the pow­er sup­ply sock­et on the wall, or through a ‘mas­ter con­trol relay’ cir­cuit, or through an emer­gency stop cir­cuit. Note that this does not require that all machines have an e-stop!! The need for an emer­gency stop func­tion is deter­mined in two ways:

  1. Exis­tence of a Type-C (i.e., machine spe­cif­ic) tech­ni­cal stan­dard that requires that type of machin­ery to have an emer­gency stop func­tion, or
  2. through the risk assess­ment, based on the poten­tial to avoid or lim­it harm.

If these goals can­not be achieved through an emer­gency stop func­tion, there is no require­ment to have one. I have yet to read leg­is­la­tion (not stan­dards) in any juris­dic­tion that states that all machines must have an e-stop. Cer­tain class­es of machines may have this require­ment, nor­mal­ly defined in the rel­e­vant type-C machin­ery stan­dard, e.g., ISO 10218–1 [10] for indus­tri­al robots.

ISO 13850 lim­its the selec­tion of stop cat­e­go­ry to Cat­e­go­ry 0 or 1 and excludes Cat­e­go­ry 2. This exclu­sion can be found in NFPA 79, IEC 60204–1, and CSA C22.2 No. 301 as well. Cat­e­go­ry 2 may only be used for oper­a­tional or “nor­mal” stop­ping func­tions.

To learn more about how to deter­mine the need for an emer­gency stop, see, “Emer­gency Stop – What’s so con­fus­ing about that?”

Selecting a Stop Function

How do you decide on what stop cat­e­go­ry to use? First, a risk assess­ment is required. Sec­ond, a start/stop analy­sis should be con­duct­ed. More on this top­ic a bit lat­er.

Once the risk assess­ment is com­plete, ask these ques­tions:

1) Will the machin­ery stop safe­ly using an uncon­trolled stop?

If the machin­ery does not have a sig­nif­i­cant amount of iner­tia, mean­ing it won’t coast more than a very short time, then a Cat­e­go­ry 0 stop may be all that is required.

2) If the machin­ery can coast when pow­er is removed, or if the machin­ery can be stopped more quick­ly under con­trol than when pow­er is sim­ply removed, then a Cat­e­go­ry 1 stop is like­ly the best choice, even if the pow­er-off coast­ing time is fair­ly short.

Ver­ti­cal axes that may col­lapse when pow­er is removed will like­ly need addi­tion­al mechan­i­cal hard­ware to pre­vent the tool­ing from falling dur­ing an emer­gency stop con­di­tion. This could be a mechan­i­cal brake or oth­er means that will pre­vent the tool­ing from falling unex­pect­ed­ly.

3) If the machin­ery includes devices that require pow­er to keep them in a safe state, then a Cat­e­go­ry 2 stop is like­ly the best choice.

If you choose to use a Cat­e­go­ry 2 stop, be aware that leav­ing pow­er on the machin­ery leaves the user open to haz­ards relat­ed to hav­ing pow­er on the machin­ery. Care­ful risk assess­ment is required in these cas­es espe­cial­ly.

Cat­e­go­ry 2 stops are not per­mit­ted for emer­gency stop func­tions, although you may use them for nor­mal stop func­tions. ISO 13850, IEC 60204–1, and NFPA 79  explic­it­ly lim­it emer­gency stop func­tions to Cat­e­gories 0 and 1. CSA C22.2 No. 301 per­mits the use of Cat­e­go­ry 2 stop func­tions for emer­gency stop­ping.
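The three questions above, applied to the Table 1 definitions, as an added example that is not part of the original article. It models one axis with constant deceleration; the speeds, deceleration rates, the `max_coast_s` threshold (which would come from the risk assessment) and all names are assumptions of this sketch, and the emergency-stop limit it applies is the Category 0/1 restriction the article attributes to ISO 13850, IEC 60204–1 and NFPA 79.

```python
from dataclasses import dataclass

# Stop categories an emergency stop function may use under the limit the
# article attributes to ISO 13850, IEC 60204-1 and NFPA 79.
ESTOP_PERMITTED = {0, 1}


@dataclass
class Axis:
    """Constructed model of one machine actuator (illustrative values only)."""
    speed: float                    # speed when the stop is requested, rev/s
    coast_decel: float              # deceleration with power removed, rev/s^2
    drive_decel: float              # deceleration under drive control, rev/s^2
    needs_power_to_stay_safe: bool = False

    def __post_init__(self):
        if self.coast_decel <= 0 or self.drive_decel <= 0:
            raise ValueError("deceleration rates must be positive")


@dataclass
class StopResult:
    category: int
    stop_time_s: float              # time from stop request to standstill
    power_on_at_rest: bool          # is actuator power still available afterwards?


def simulate_stop(axis, category):
    """Apply the Table 1 definitions to a constant-deceleration axis."""
    if category == 0:
        # Uncontrolled stop: power is removed immediately and the axis coasts.
        return StopResult(0, axis.speed / axis.coast_decel, False)
    if category == 1:
        # Controlled stop under power, then power is removed at standstill.
        return StopResult(1, axis.speed / axis.drive_decel, False)
    if category == 2:
        # Controlled stop with power left available to the actuators.
        return StopResult(2, axis.speed / axis.drive_decel, True)
    raise ValueError(f"unknown stop category: {category}")


def select_stop_category(axis, max_coast_s, emergency_stop=False):
    """Walk the three questions; returns (category, findings).

    max_coast_s is the longest coasting time this sketch treats as
    'a very short time' (an assumption, set from the risk assessment).
    """
    coast_s = simulate_stop(axis, 0).stop_time_s
    controlled_s = simulate_stop(axis, 1).stop_time_s
    findings = []

    # Questions 1 and 2: Category 0 only if the axis barely coasts and the
    # drive cannot stop it any faster than simply removing power.
    if coast_s <= max_coast_s and controlled_s >= coast_s:
        category = 0
    else:
        category = 1

    # Question 3: devices that need power to stay in a safe state.
    if axis.needs_power_to_stay_safe:
        if emergency_stop:
            # Category 2 is outside ESTOP_PERMITTED, so keep 0 or 1 and flag it.
            findings.append(
                "safe state depends on power: hold it by other means "
                "(for example a mechanical brake) for the emergency stop"
            )
        else:
            category = 2

    if emergency_stop and category not in ESTOP_PERMITTED:
        raise RuntimeError("emergency stop must be Category 0 or 1")
    return category, findings


if __name__ == "__main__":
    spindle = Axis(speed=20.0, coast_decel=2.0, drive_decel=10.0)  # constructed
    for cat in (0, 1, 2):
        print(simulate_stop(spindle, cat))
    print(select_stop_category(spindle, max_coast_s=0.5, emergency_stop=True))
```
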

Risk Assessment and Stop/Start Analysis

Risk assess­ment is crit­i­cal to the spec­i­fi­ca­tion of all safe­ty-relat­ed func­tions. While emer­gency stop is not a safe­guard, it is con­sid­ered to be a ‘com­ple­men­tary pro­tec­tive mea­sure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Under­stand­ing the haz­ards that need to be con­trolled and the degree of risk relat­ed to the haz­ards is basic design infor­ma­tion that will pro­vide spe­cif­ic direc­tion on the stop cat­e­go­ry required and the degree of con­trol reli­a­bil­i­ty nec­es­sary to pro­vide the expect­ed risk reduc­tion.

Stop/Start Analy­sis is quite sim­ple, orig­i­nat­ing in ISO 12100. It amounts to con­sid­er­ing all of the intend­ed stop/start con­di­tions for the machin­ery and then includ­ing con­di­tions that may result from rea­son­ably fore­see­able fail­ure modes of the machin­ery and fore­see­able mis­us­es of the machin­ery. Cre­ate a table with three columns as a start­ing point, sim­i­lar to Table 2.

Table 2
Example Start/Stop Analysis

Columns: Description, Start Condition, Stop Condition

  • Lubricant Pump
    Start Condition: Lubricant Pump Start Button Pressed
    Stop Condition: Lubricant Pump Stop Button Pressed; Low Lubricant Level in reservoir; High-pressure drop across lubricant filter
  • Main Spindle Motor
    Start Condition: Start enabled and Start Button Pressed
    Stop Condition: Low Lubricant Pressure; Stop button pressed
  • Feed Advance motor
    Start Condition: Feed Advance button pressed
    Stop Condition: Feed Stop button pressed; Feed end of travel limit reached
  • Emergency Stop
    All motions stop, lubricant pump remains running

The above table is sim­ply an exam­ple of what a start/stop analy­sis might look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849–1 and IEC 62061 [8] base the ini­tial require­ments for reli­a­bil­i­ty on the out­come of the risk assess­ment (PLr or SILr). If the stop­ping con­di­tion is part of nor­mal oper­a­tion, then sim­ple cir­cuit require­ments (i.e. PLa, Cat­e­go­ry 1) are all that may be required. If the stop­ping con­di­tion is intend­ed to be an Emer­gency Stop, then addi­tion­al analy­sis is need­ed to deter­mine exact­ly what may be required.

More Information

How have you typ­i­cal­ly imple­ment­ed your stops and emer­gency stop sys­tems?

Have you ever used the START/STOP analy­sis method?

I care about what you think as a read­er, so please leave me com­ments and ques­tions! If you would pre­fer to dis­cuss your ques­tion pri­vate­ly,  con­tact me direct­ly.

Ed. Note: This arti­cle was updat­ed 15-Jan-2018.

References

[1]  Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954–1. 1996.

[2]  Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849–1. 2015.

[3]          Safe­ty of machin­ery — Emer­gency stop func­tion — Prin­ci­ples for design. ISO Stan­dard 13850. 2015

[4]  Electrical Equipment of Industrial Machines. IEC Standard 60204–1. 2009.

[5]  Electrical Standard for Industrial Machinery, ANSI/NFPA Standard 79, 2015.

[6]          Safe­guard­ing of Machin­ery. CSA Stan­dard Z432, 2016.

[7]          Safe­ty of machin­ery — Gen­er­al prin­ci­ples for design — Risk assess­ment and risk reduc­tion. ISO Stan­dard 12100. 2010.

[8]          Safe­ty of machin­ery – Func­tion­al safe­ty of safe­ty-relat­ed elec­tri­cal, elec­tron­ic and pro­gram­ma­ble elec­tron­ic con­trol sys­tems. IEC Stan­dard 62061. 2005.

[9]         Indus­tri­al elec­tri­cal machin­ery. CSA Stan­dard C22.2 No. 301. 2016.

[10]       Robots and robot­ic devices — Safe­ty require­ments for indus­tri­al robots — Part 1: Robots. ISO Stan­dard 10218–1. 2011.

Using E-Stops in Lockout Procedures

This entry is part 6 of 13 in the series Emer­gency Stop

Emergency stop devices are sometimes, incorrectly, used as part of a lockout procedure for machinery. Learn more about how to correctly use these devices as part of Hazardous Energy Control Procedures for industrial machinery.

An elec­tri­cal rotary dis­con­nect­ing device han­dle with a typ­i­cal lock, tag, and gang-hasp.

Con­trol of haz­ardous ener­gy is one of the key ways that main­te­nance and ser­vice work­ers are pro­tect­ed while main­tain­ing indus­tri­al equip­ment. Not so long ago we only thought about ‘Lock­out’ or ‘Lockout/Tagout’ pro­ce­dures, but there is much more to pro­tect­ing these work­ers than ‘just’ lock­ing out ener­gy sources. Inevitably con­di­tions come up where safe­guards may need to be removed or tem­porar­i­ly bypassed in order to diag­nose prob­lems or to make crit­i­cal but infre­quent adjust­ments to the equip­ment, and this is where Haz­ardous Ener­gy Con­trol Pro­ce­dures, or HECP, come in.

One of the ques­tions I often get when help­ing clients with devel­op­ing HECPs for their equip­ment is, “Can we use the emer­gency stop cir­cuit for lock­out?” As usu­al, there is a short answer and a long answer to that sim­ple ques­tion!

The Short Answer

The short answer to this ques­tion is NO. Lock­out requires that sources of haz­ardous ener­gy be phys­i­cal­ly iso­lat­ed or blocked. Con­trol sys­tems may be able to meet parts, but not all of this require­ment. Read on if you’d like to know why.

The Long Answer

Lockout

Lock­out pro­ce­dures are now grouped with oth­er adjust­ment, diag­nos­tic and test pro­ce­dures into what are called Haz­ardous Ener­gy Con­trol Pro­ce­dures or HECP. In the USA, OSHA pub­lish­es a lock­out stan­dard in 29 CFR 1910.147, and ANSI pub­lish­es ANSI Z244.1.


In Cana­da, we didn’t have a stan­dard for HECP until 2005 when CSA Z460 was pub­lished, although all the Provinces and Ter­ri­to­ries have some lan­guage in their leg­is­la­tion that at least alludes to the need for con­trol of haz­ardous ener­gy. In the Province of Ontario where I live, this require­ment shows up in Ontario Reg­u­la­tion 851, Sec­tions 42, 75 and 76.

In the EU, con­trol of haz­ardous ener­gy is dealt with in ISO 14118:2000, Safe­ty of machin­ery — Pre­ven­tion of unex­pect­ed start-up.


If you have a look at the sec­tions of the Ontario reg­u­la­tions, they don’t tell you how to per­form lock­out, and they make lit­tle men­tion of what to do with live work for trou­bleshoot­ing pur­pos­es. The US OSHA reg­u­la­tions read more like a stan­dard, but because they are in leg­is­la­tion they are pre­scrip­tive. You MUST meet this min­i­mum require­ment, and you may exceed it.

Let’s look at how “lock­out” is defined in the stan­dards.

Canada (Ontario)

Lockout — placement of a lock or tag on an energy-isolating device in accordance with an established procedure, thereby indicating that the energy-isolating device is not to be operated until removal of the lock or tag in accordance with an established procedure.

CSA Z460, 2005

USA (OSHA)

Lockout. The placement of a lockout device on an energy isolating device, in accordance with an established procedure, ensuring that the energy isolating device and the equipment being controlled cannot be operated until the lockout device is removed.

Tagout. The placement of a tagout device on an energy isolating device, in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

29 CFR 1910.147

2.14 lockout/tagout: The placement of a lock/tag on the energy isolating device in accordance with an established procedure, indicating that the energy isolating device shall not be operated until removal of the lock/tag in accordance with an established procedure. (The term “lockout/tagout” allows the use of a lockout device, a tagout device, or a combination of both.)

ANSI Z244.1–2003

European Union

3.3 isolation and energy dissipation

procedure which consists of all of the four following actions:

a) isolating (disconnecting, separating) the machine (or defined parts of the machine) from all power supplies;

b) locking (or otherwise securing), if necessary (for instance in large machines or in installations), all the isolating units in the “isolated” position;

c) dissipating or restraining [containing] any stored energy which may give rise to a hazard.

NOTE Energy considered in c) above may be stored in e.g.:

  • mechanical parts continuing to move through inertia;
  • mechanical parts liable to move by gravity;
  • capacitors, accumulators;
  • pressurized fluids;
  • springs.

d) verifying by using a safe working procedure that the actions taken according to a), b) and c) above have produced the desired effect.

ISO 14118–2000

As you can see, the def­i­n­i­tions are fair­ly sim­i­lar, although slight­ly dif­fer­ent terms may be used. The ISO stan­dard actu­al­ly pro­vides the best guid­ance over­all in my opin­ion. Note that these excerpts are all tak­en from the def­i­n­i­tions sec­tions of the rel­e­vant doc­u­ments.

One of the big dif­fer­ences between the US and Cana­da is the idea of ‘tagout’ (pro­nounced TAG-out for those not famil­iar with the term). Tagout is iden­ti­cal to lock­out with the excep­tion of the device that is attached to the ener­gy iso­lat­ing device. Under cer­tain cir­cum­stances, the US per­mits the use of a tag with­out a lock to secure the ener­gy iso­la­tion device. This is not per­mit­ted in Cana­da under any cir­cum­stance, and the term ‘tagout’ is not offi­cial­ly rec­og­nized. In Cana­da, the term is often tak­en to mean the addi­tion of a tag to the lock­ing device,  a manda­to­ry part of the pro­ce­dure.

Use of Controls for Energy Isolation

This is where the ‘rub­ber meets the road’ — how is the source of haz­ardous ener­gy iso­lat­ed effec­tive­ly? To under­stand the require­ments, let’s look at the def­i­n­i­tion of an Ener­gy Iso­lat­ing Device.

Canada

Energy-isolating device — a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).

CSA Z460, 2005

Note — Bold added for emphasis — DN

USA

Energy isolating device. A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: A manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors, and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy. Push buttons, selector switches and other control circuit type devices are not energy isolating devices.

Note — Bold added for emphasis — DN

Tagout device. A prominent warning device, such as a tag and a means of attachment, which can be securely fastened to an energy isolating device in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

29 CFR 1910.147

2.8 energy isolating device: A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker, a disconnect switch, a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy.

2.20.1 tagout device: A prominent warning means such as a tag and a means of attachment, which can be securely fastened to an energy isolating device to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

ANSI Z244.1–2003

EU

4.1 Isolation and energy dissipation

Machines shall be provided with means intended for isolation and energy dissipation (see clause 5), especially with a view to major maintenance, work on power circuits and decommissioning in accordance with the essential safety requirement expressed in ISO/TR 12100–2:1992, annex A, 1.6.3.

Note — ISO/TR 12100–2 was withdrawn in Oct-10 and replaced by ISO 12100–2010. — DN

5.1 Devices for isolation from power supplies

5.1.1 Isolation devices shall:

  • ensure a reliable isolation (disconnection, separation);
  • have a reliable mechanical link between the manual control and the isolating element(s);
  • be equipped with clear and unambiguous identification of the state of the isolation device which corresponds to each position of its manual control (actuator).

NOTE 1 For electrical equipment, a supply disconnecting device complying with IEC 60204–1:1997, 5.3 “Supply disconnecting (isolating) device” meets this requirement.

NOTE 2 Plug and socket systems (for electrical supplies), or their pneumatic, hydraulic or mechanical equivalents, are examples of isolating devices with which it is possible to achieve a visible and reliable discontinuity in the power supply circuits.

For electrical plug/socket combinations, see IEC 60204–1:1997, 5.3.2 d).

NOTE 3 For hydraulic and pneumatic equipment, see also EN 982:1996, 5.1.6 and EN 983:1996, 5.1.6.

ISO 14118–2000

BRADY Small Plug Lock­out Device

As you can see from the above definitions, all the jurisdictions require that devices used for energy isolation are reliable, manually operable, mechanical devices. While electrical control systems that meet high levels of design reliability may meet the reliability requirements, they do not meet the requirements for physical, mechanical disconnection of the source of hazardous energy. Operator devices are specifically excluded from this use in Canada and the USA. Note that plug and socket combinations are permitted in all jurisdictions. Lockout devices such as the Brady 65675 Large Plug Lockout Device, the Brady Small Plug Lockout Device shown here, and similar devices can be used for this purpose. With some plugs, it is possible to put a small lock through a hole in one of the blades or pins. In some jurisdictions, even the simple act of putting the plug in your back pocket while conducting the work is sufficient.

BRADY But­ton Lock­ing Device

In addi­tion, the ener­gy iso­la­tion device is required to be able to be locked in the off, iso­lat­ed, or blocked posi­tion. There are emer­gency stop but­ton oper­a­tors that can be pur­chased with an inte­grat­ed lock cylin­der, and there are some con­trol oper­a­tor acces­sories avail­able that will allow con­trol push­but­tons and selec­tor switch­es to be locked in one posi­tion or anoth­er, but these do not meet the require­ments of the above stan­dards. They can be used in addi­tion to an ener­gy iso­la­tion device as part of the pro­ce­dure, but not on their own as the sole means of pre­vent­ing unex­pect­ed start-up.

Conclusions

Each machine or piece of equipment is required to have a HECP that is specific to that piece of equipment. ‘Global’ HECPs are seldom useful except as a template document. Development of HECPs takes some careful thought and a thorough understanding of the kinds of work that will need to be done to maintain and service the machinery. Individual jurisdictions have some differences in the details of their regulations, but ultimately the requirements come down to the same thing: Protecting workers.

Con­trol sys­tem devices such as stop but­tons and emer­gency stop devices are not accept­ed as ener­gy iso­lat­ing devices and can­not be used for this pur­pose, although they may be used as part of the HECP shut­down pro­ce­dure lead­ing up to the phys­i­cal iso­la­tion of the haz­ardous ener­gy sources.

Excel­lent stan­dards exist that cov­er devel­op­ment of these pro­ce­dures and should be ref­er­enced as spe­cif­ic HECP are devel­oped.


References

Canada

Ontario Reg­u­la­tion 851, Sec­tions 42, 75 and 76.

CSA Z460-05 (R2010) — Con­trol of haz­ardous ener­gy — Lock­out and oth­er meth­ods

USA

29 CFR 1910.147 — The control of hazardous energy (lockout/tagout).

ANSI Z244.1 — 2003 (R2008) — Con­trol of Haz­ardous Ener­gy – Lockout/Tagout and Alter­na­tive Meth­ods

International

ISO 14118:2000, Safety of machinery — Prevention of unexpected start-up
