Guarding Emergency Stop Devices

This entry is part 4 of 13 in the series Emergency Stop

Can emer­gency stop devices that a prone to unin­ten­ded oper­a­tion be guarded? Find out!

Much con­fu­sion exists when it comes to Emergency Stop sys­tems, and cli­ents often ask me if it is ‘OK’ to guard emer­gency stop devices like e-​stop but­tons, foot ped­als, pull-​cords, etc. Without get­ting into a ton of reg­u­lat­ory details, this art­icle will look at the require­ments in for emer­gency stop devices in three key jur­is­dic­tions: Canada, the USA and the European Union.

If you need inform­a­tion on the func­tion­al aspects of emer­gency stop sys­tems, see “Emergency Stop – What’s so con­fus­ing about that?

Why Guard an Emergency Stop?

Generally, emer­gency stop devices, or e-​stop devices as they’re often called, need to be pro­tec­ted from unin­ten­tion­al use. This prob­lem occurs because e-​stop devices have to be loc­ated close to where people work in order to be use­ful. An e-​stop you can’t reach when you need it may as well not be there in the first place, so emer­gency stops are loc­ated at ‘nor­mal oper­at­or sta­tions’. This often means they are loc­ated under the edge of a machine table, or on an oper­at­or con­trol bar like that used on power presses, put­ting the e-​stop with­in reach, but also in the ‘line-​of-​fire’ when it comes to the operator’s nor­mal move­ments.

To pre­vent unin­ten­ded oper­a­tion, people often want to put rings, col­lars, or worse – cov­ers – on or around the e-​stop device to keep people from bump­ing the device. Some of these can be done and should be done, and oth­ers are nev­er per­mit­ted for good reas­on.

Regulatory Requirements

Let’s take a look at the key require­ments from the reg­u­la­tions world wide:

  1. Emergency Stop devices must be clearly iden­ti­fied. The tech­nic­al stand­ards require that emer­gency stop devices be col­oured RED with a YELLOW back­ground [1].
  2. They must be loc­ated with­in easy reach of the oper­at­or. This applies to all nor­mal work­sta­tions where oper­at­ors inter­act with the machine. For main­ten­ance and ser­vice activ­it­ies where work­ers may be in loc­a­tions oth­er than nor­mal work­sta­tions, a pendant or oth­er port­able con­trol must be used to cause machine motion. This device must include an emer­gency stop con­trol along with oth­er com­ple­ment­ary safe­guard­ing devices such as enabling devices and hold-​to-​run con­trols. Where access is only allowed under lock­out con­di­tions, this is not required [2], [3].
  3. Buttons must be palm or mushroom-​shaped devices.
  4. Devices must require manu­al reset­ting. This means that the device must latch in the oper­ated pos­i­tion and require a delib­er­ate action to reset the device. This includes actions such as: pulling put a pressed but­ton, twist­ing a but­ton to release the latched con­di­tion, press­ing a reset but­ton on a pull-​cord to reset the tripped con­di­tion, etc [1].
  5. Unguarded. This means that easy access to the device may not be impeded, con­sid­er­ing the per­son­al pro­tect­ive equip­ment (PPE) that work­ers are required to wear. Devices that would be con­sidered to be guards would include:
  • Close fit­ting rings or col­lars that require a work­er to insert a fin­ger inside the ring or col­lar to reach the device and activ­ate it,
  • cov­ers that close over the device to pre­vent access,
  • lock­ing device that pre­vent access to the device, etc.

So, con­sid­er­ing point 5 above, isn’t this the end of the dis­cus­sion? Not at all! There are a few factors to con­sider first.

An import­ant con­sid­er­a­tion is the poten­tial for acci­dent­al oper­a­tion. Depending on the machine or pro­cess, unin­ten­tion­al oper­a­tion of emer­gency stop devices may res­ult in sig­ni­fic­ant lost pro­duc­tion and/​or dam­age to equip­ment. In cases like this, it is reas­on­able to pro­tect the device from inad­vert­ent oper­a­tion as long as the meas­ures taken to pro­tect the device do not impede the oper­a­tion of the device in emer­gency con­di­tions.

ISO 13850 [4] sup­ports this idea in Clause 4.4 Emergency stop device:

4.4.2 An emer­gency stop device shall be loc­ated at each oper­at­or con­trol sta­tion, except where the risk assess­ment indic­ates that this is not neces­sary, as well as at oth­er loc­a­tions, as determ­ined by the risk assess­ment. It shall be posi­tioned such that it is read­ily access­ible and cap­able of non-​hazardous actu­ation by the oper­at­or and oth­ers who could need to actu­ate it. Measures against inad­vert­ent actu­ation should not impair its access­ib­il­ity. (Author’s Note: Bold text added for emphas­is.)

Summing Up

The key dif­fer­ence between North American think­ing and International/​EU think­ing is in the term “unguarded” as used in the North American stand­ards, versus [4, § 4.2.2], where the design­er is reminded, “Measures against inad­vert­ent actu­ation should not impair its access­ib­il­ity.”

In my opin­ion it is reas­on­able to pro­tect an emer­gency stop device from inad­vert­ent oper­a­tion by pla­cing a ring or oth­er sim­il­ar struc­ture around an emer­gency stop device as long as the struc­ture does not impair easy access to the device by the oper­at­or.

I know this opin­ion appears ini­tially to go against the estab­lished North American stand­ards, how­ever it can be logic­ally argued, based on the defin­i­tion of the word “guard”.

A guard is a device that pre­vents access to some­thing, usu­ally a haz­ard. Considering that we are talk­ing about a con­trol that is designed to reduce or lim­it harm, any struc­ture that does not pre­vent access to the emer­gency stop device asso­ci­ated with the struc­ture should be con­sidered to be accept­able.

That said, devices like:

  • hinged cov­ers;
  • doors;
  • lock­ing devices;
  • nar­row col­lars; and
  • any oth­er device or struc­ture

that unduly lim­its access to the emer­gency stop device can­not be con­sidered accept­able.

Effects of PPE

The phrase ‘unduly lim­its access’ has spe­cif­ic mean­ing here. If work­ers are expec­ted to be wear­ing PPE on the body part used to activ­ate the emer­gency stop device, such as gloves or boots for example, then the design of the struc­ture placed around the emer­gency stop device must take into account the added dimen­sions of the PPE, the reduc­tion in tact­ile cap­ab­il­ity that may occur (e.g. heavy work gloves make it hard to feel things eas­ily), and must com­pensate for the effects of the PPE. Big gloves/​boots = Big open­ing in the struc­ture.

Lighting and pro­tect­ive eye­wear can also play a part. You may need to use reflect­ive or lumin­es­cent paint, or illu­min­ated e-​stop devices, to high­light the loc­a­tion of the device in low light envir­on­ments or where very dark eye­wear is required, like that needed by weld­ers or used by work­ers around some infrared lasers with open beam paths.

Effects of State-​of-​Mind

It’s also import­ant to con­sider the likely state-​of-​mind of a work­er need­ing to use an emer­gency stop device. They are either urgently try­ing to stop the machine because,

  1. anoth­er safe­guard has failed an someone is involved with a haz­ard, includ­ing them­selves, or
  2. the machine is dam­aging itself or the product and they need to lim­it the dam­age.

Both scen­ari­os have a high level of urgency attached to them. The human mind tends to miss obvi­ous things includ­ing train­ing, when placed under high levels of stress. Structures placed around emer­gency stop devices, such as cov­ers, that com­pletely block access, even though they may be eas­ily opened, may be enough to pre­vent access in an emer­gency.

The answer you’ve all been waiting for!

So in the end, can you put a struc­ture around an emer­gency stop to reduce inad­vert­ent oper­a­tion of the device:

YES!

Just make sure that you con­sider all the factors that may affect it’s use, doc­u­ment your ana­lys­is, and don’t unduly restrict access to the device.

Need more help? Feel free to email me!


References

IEC – International Electrotechnical Commission

ISO – International Organization for Standardization

[1]  Safety of machinery – Electrical equip­ment of machines – Part 1: General require­ments, IEC 60204 – 1, 2005

[2]  Control of Hazardous Energy ­– Lockout and Other Methods, CSA Z460, 2005.

[3]  Control of Hazardous Energy – Lockout/​Tagout and Alternative Methods, ANSI ASSE Z244.1, 2003.

[4]  Safety of machinery — Emergency stop — Principles for design, ISO 13850, 2006.

Emergency Stop Categories

I’ve noticed a lot of people look­ing for inform­a­tion on Emergency Stop cat­egor­ies recently; this art­icle is aimed at those read­ers who want to under­stand this top­ic in more depth. Stop cat­egor­ies are often con­fused with cir­cuit or sys­tem archi­tec­ture cat­egor­ies from EN 954 – 1[1] and ISO 13849 – 1 [2]. The con­fu­sion between these two sets of Categories often leads to incor­rect assump­tions about the applic­a­tion of these require­ments.

Categories

The cat­egor­ies dis­cussed here are not exclus­ive to emer­gency stop func­tions. They are STOP func­tions and may be used for the nor­mal stop func­tions as well as the E-​stop func­tion.

Stop cat­egor­ies and func­tion­al safety sys­tem archi­tec­ture cat­egor­ies are not the same, and there are sig­ni­fic­ant dif­fer­ences that need to be under­stood by con­trol sys­tem design­ers. I’m going to sling a num­ber of stand­ards at you in this post, and I will provide ref­er­ences at the end if you want to dig deep­er.

Functional safety archi­tec­tur­al cat­egor­ies are defined and described in ISO 13849 – 1, and I’ve writ­ten quite a bit on these in the past. If you want to know more about Categories B, 1 – 4, check out this series of posts on ISO 13849 – 1 Categories.

Originating Standards

There are three stand­ards that define the require­ments for emer­gency stop cat­egor­ies, and thank­fully they are fairly closely har­mon­ised, mean­ing that the defin­i­tions for the cat­egor­ies are essen­tially the same in each doc­u­ment. They are:

  • ISO 13850, Safety of machinery — Emergency stop func­tion — Principles for design [3]
  • IEC 60204 – 1, Safety of machinery – Electrical equip­ment of machines – Part 1: General require­ments (aka EN 60204 – 1) [4]
  • NFPA 79, Electrical Standard for Industrial Machinery [5]

A new Canadian stand­ard was added in 2016, CSA C22.2 No. 301 [9]. This stand­ard draws heav­ily on a num­ber of stand­ards for core mater­i­al, includ­ing IEC 60204 – 1 and NFPA 79. No. 301 uses identic­al defin­i­tions for stop func­tion cat­egor­ies.

Download ANSI stand­ards

Download IEC stand­ards

Stop Category Definitions

Emergency Stop ButtonThe cat­egor­ies are broken down into three gen­er­al groups in [4], [5], and  [9]:

  • Category 0 – Equivalent to pulling the plug;
  • Category 1 – Bring things to a grace­ful stop, then pull the plug; and
  • Category 2 – Bring things to a stop and hold them there under power.

Let’s look at the defin­i­tions in more detail. For com­par­is­on, I’m going to show the defin­i­tions from the two stand­ards side-​by-​side.

Table 1
Comparison of Stop Function Categories
Category IEC 60204 – 1 NFPA 79 CSA C22.2 No. 301
0 stop­ping by imme­di­ate remov­al of power to the machine actu­at­ors (i.e. an uncon­trolled stop – see 3.56); is an uncon­trolled stop by imme­di­ately remov­ing power to the machine actu­at­ors.

stop­ping by imme­di­ate remov­al of power to the machine actu­at­ors (i.e., an uncon­trolled stop;

1 a con­trolled stop (see 3.11) with power avail­able to the machine actu­at­ors to achieve the stop and then remov­al of power when the stop is achieved; is a con­trolled stop with power to the machine actu­at­ors avail­able to achieve the stop then remove power when the stop is achieved.

a con­trolled stop with power avail­able to the machine actu­at­ors to achieve the stop and then remov­al of power when the stop is achieved;

2 a con­trolled stop with power left avail­able to the machine actu­at­ors. is a con­trolled stop with power left avail­able to the machine actu­at­ors.

a con­trolled stop with power left avail­able to the machine actu­at­ors.

Definitions from IEC 60204 – 1:

3.11 con­trolled stop
>stop­ping of machine motion with elec­tric­al power to the machine actu­at­ors main­tained dur­ing the stop­ping pro­cess
3.56 uncon­trolled stop
stop­ping of machine motion by remov­ing elec­tric­al power to the machine actu­at­ors
NOTE This defin­i­tion does not imply any par­tic­u­lar state of oth­er stop­ping devices, for example mech­an­ic­al or hydraul­ic brakes.

As you can see, the Category descrip­tions are vir­tu­ally identic­al, with the primary dif­fer­ence being the use of the defin­i­tions in the IEC stand­ard instead of includ­ing that inform­a­tion in the descrip­tion as in the NFPA stand­ard.

Download ANSI stand­ards

Download IEC stand­ards

Minimum Requirements

[4], [5], and [9] require that all machines have at least a Category 0 stop. This could be achieved by switch­ing off (i.e., by using the dis­con­nect­ing means to switch off power for example), by phys­ic­ally “pulling the plug” from the power sup­ply sock­et on the wall, or through a ‘mas­ter con­trol relay’ cir­cuit, or through an emer­gency stop cir­cuit. Note that this does not require that all machines have an e-​stop!! The need for an emer­gency stop func­tion is determ­ined through the risk assess­ment, based on the poten­tial to avoid or lim­it harm. If these goals can­not be achieved through an emer­gency stop func­tion, there is no require­ment to have one. I have yet to read legis­la­tion in any jur­is­dic­tion that states that all machines must have an e-​stop. Certain classes of machines may have this require­ment, nor­mally defined in the rel­ev­ant machinery stand­ard, e.g., ISO 10218 – 1 [10] for indus­tri­al robots.

ISO 13850 lim­its the selec­tion of stop cat­egory to Category 0 or 1 and excludes Category 2. This exclu­sion can be found in NFPA 79, IEC 60204 – 1, and CSA C22.2 No. 301 as well. Category 2 may only be used for oper­a­tion­al or “nor­mal” stop­ping func­tions.

To learn more about how to determ­ine the need for an emer­gency stop, see, “Emergency Stop – What’s so con­fus­ing about that?”

Selecting a Stop Function

How do you decide on what cat­egory to use? First, a risk assess­ment is required. Second, a start/​stop ana­lys­is should be con­duc­ted. More on this top­ic a bit later.

Once the risk assess­ment is com­plete, ask these ques­tions:

1) Will the machinery stop safely under an uncon­trolled stop?

If the machinery does not have a sig­ni­fic­ant amount of iner­tia, mean­ing it won’t coast more than a very short time, then a Category 0 stop may be all that is required.

2) If the machinery can coast when power is removed, or if the machinery can be stopped more quickly under con­trol than when power is simply removed, then a Category 1 stop is likely the best choice, even if the power-​off coast­ing time is fairly short.

Vertical axes that may col­lapse when power is removed will likely need addi­tion­al mech­an­ic­al hard­ware to pre­vent the tool­ing from fall­ing dur­ing an emer­gency stop con­di­tion. This could be a mech­an­ic­al brake or oth­er means that will pre­vent the tool­ing from fall­ing unex­pec­tedly.

3) If the machinery includes devices that require power to keep them in a safe state, then a Category 2 stop is likely the best choice.

If you choose to use a Category 2 stop, be aware that leav­ing power on the machinery leaves the user open to haz­ards related to hav­ing power on the machinery. Careful risk assess­ment is required in these cases espe­cially.

Category 2 stops are not per­mit­ted for emer­gency stop­ping, although you may use them for nor­mal stop func­tions. ISO 13850, IEC 60204 – 1, and NFPA 79  expli­citly lim­it emer­gency stop func­tions to Categories 0 and 1. CSA C22.2 No. 301 per­mits the use of Category 2 stop func­tions for emer­gency stop­ping.

Risk Assessment and Stop/​Start Analysis

Risk assess­ment is crit­ic­al to the spe­cific­a­tion of all safety-​related func­tions. While emer­gency stop is not a safe­guard, it is con­sidered to be a ‘com­ple­ment­ary pro­tect­ive meas­ure’ [6, 6.2.3.5.3], [7, 3.19, 6.3]. Understanding the haz­ards that need to be con­trolled and the degree of risk related to the haz­ards is basic design inform­a­tion that will provide spe­cif­ic dir­ec­tion on the stop cat­egory required and the degree of con­trol reli­ab­il­ity neces­sary to provide the expec­ted risk reduc­tion.

Stop/​Start Analysis is quite simple, ori­gin­at­ing in ISO 12100. It amounts to con­sid­er­ing all of the inten­ded stop/​start con­di­tions for the machinery and then includ­ing con­di­tions that may res­ult from reas­on­ably fore­see­able fail­ure modes of the machinery and fore­see­able mis­uses of the machinery. Create a table with three columns as a start­ing point, sim­il­ar to Table 2.

Table 2
Example Start/​Stop Analysis

Description Start Condition Stop Condition
Lubricant Pump Lubricant Pump Start Button Pressed Lubricant Pump Stop Button Pressed
Low Lubricant Level in reser­voir
High-​pressure drop across lub­ric­ant fil­ter
Main Spindle Motor Start enabled and Start Button Pressed Low Lubricant Pressure
Stop but­ton pressed
Feed Advance motor Feed Advance but­ton pressed Feed Stop but­ton pressed
Feed end of travel lim­it reached
Emergency Stop All motions stop, lub­ric­ant pump remains run­ning

The above table is simply an example of what a start/​stop ana­lys­is might look like. You can have as much detail as you like.

Control Reliability Requirements

Both ISO 13849 – 1 and IEC 62061 [8] base the ini­tial require­ments for reli­ab­il­ity on the out­come of the risk assess­ment (PLr or SILr). If the stop­ping con­di­tion is part of nor­mal oper­a­tion, then simple cir­cuit require­ments (i.e. PLa, Category 1) are all that may be required. If the stop­ping con­di­tion is inten­ded to be an Emergency Stop, then addi­tion­al ana­lys­is is needed to determ­ine exactly what may be required.

More Information

How have you typ­ic­ally imple­men­ted your stops and emer­gency stop sys­tems?

Have you ever used the START/​STOP ana­lys­is meth­od?

I care about what you think as a read­er, so please leave me com­ments and ques­tions! If you would prefer to dis­cuss your ques­tion privately,  con­tact me dir­ectly.

Ed. Note: This art­icle was updated 25-​Aug-​2017.

References

5% Discount on All Standards with code: CC2011 

[1]          Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. CEN Standard EN 954 – 1.1996.

[2]          Safety of Machinery — Safety Related Parts of Control Systems — Part 1: General Principles for Design. ISO Standard 13849 – 1. 2015. Download ISO Standards 

[3]          Safety of machinery — Emergency stop func­tion — Principles for design. ISO Standard 13850. 2015

[4]          Electrical Equipment of Industrial Machines. IEC Standard 60204 – 1. 2009. Download IEC stand­ards

[5]          Electrical Standard for Industrial Machinery, ANSI/​NFPA Standard 79, 2015. Download stand­ards from ANSI

[6]          Safeguarding of Machinery. CSA Standard Z432, 2016.

[7]          Safety of machinery — General prin­ciples for design — Risk assess­ment and risk reduc­tion. ISO Standard 12100. 2010.

[8]          Safety of machinery – Functional safety of safety-​related elec­tric­al, elec­tron­ic and pro­gram­mable elec­tron­ic con­trol sys­tems. IEC Standard 62061. 2005.

[9]         Industrial elec­tric­al machinery. CSA Standard C22.2 No. 301. 2016.

[10]       Robots and robot­ic devices — Safety require­ments for indus­tri­al robots — Part 1: Robots. ISO Standard 10218 – 1. 2011.

Using E-​Stops in Lockout Procedures

This entry is part 6 of 13 in the series Emergency Stop

Emergency stop devices are some­times, incor­rectly, used as part of a lock­out pro­ced­ure for machinery. Learn more about how to cor­rectly used these devices as part of Hazardous Energy Control Procedures for indus­tri­al machinery.

Disconnect Switch with Lock and TagControl of haz­ard­ous energy is one of the key ways that main­ten­ance and ser­vice work­ers are pro­tec­ted while main­tain­ing indus­tri­al equip­ment. Not so long ago we only thought about ‘Lockout’ or ‘Lockout/​Tagout’ pro­ced­ures, but there is much more to pro­tect­ing these work­ers than ‘just’ lock­ing out energy sources. Inevitably con­di­tions come up where safe­guards may need to be removed or tem­por­ar­ily bypassed in order to dia­gnose prob­lems or to make crit­ic­al but infre­quent adjust­ments to the equip­ment, and this is where Hazardous Energy Control Procedures, or HECP, come in.

One of the ques­tions I often get when help­ing cli­ents with devel­op­ing HECPs for their equip­ment is, “Can we use the emer­gency stop cir­cuit for lock­out?”. As usu­al, there is a short answer and a long answer to that simple ques­tion!

The Short Answer

The short answer to this ques­tion is NO. Lockout requires that sources of haz­ard­ous energy be phys­ic­ally isol­ated or blocked. Control sys­tems may be able to meet parts, but not all of this require­ment. Read on if you’d like to know why.

The Long Answer

Lockout

Lockout pro­ced­ures are now grouped with oth­er adjust­ment, dia­gnost­ic and test pro­ced­ures into what are called Hazardous Energy Control Procedures or HECP. In the USA, OSHA pub­lishes a lock­out stand­ard in 29 CFR 1910.147, and ANSI pub­lishes ANSI Z244.1.

Download ANSI stand­ards

In Canada we didn’t have a stand­ard for HECP until 2005 when CSA Z460 was pub­lished, although all the Provinces and Territories have some lan­guage in their legis­la­tion that at least alludes to the need for con­trol of haz­ard­ous energy. In the Province of Ontario where I live, this require­ment shows up in Ontario Regulation 851, Sections 42, 75 and 76.

In the EU, con­trol of haz­ard­ous energy is dealt with in ISO 14118:2000, Safety of machinery — Prevention of unex­pec­ted start-​up.

Download ISO Standards

If you have a look at the sec­tions from the Ontario reg­u­la­tions, they don’t tell you how to per­form lock­out, and they make little men­tion of what to do with live work for troubleshoot­ing pur­poses. The US OSHA reg­u­la­tions read more like a stand­ard, but because they are in legis­la­tion they are pre­script­ive. You MUST meet this min­im­um require­ment, and you may exceed it.

Let’s look at how lock­out is defined in the stand­ards.

Canada (Ontario) USA (OSHA) European Union

Lockout — place­ment of a lock or tag on an energy-​isolating device in accord­ance with an estab­lished pro­ced­ure, thereby indic­at­ing that the energy-​isolating device is not to be oper­ated until remov­al of the lock or tag in accord­ance with an estab­lished pro­ced­ure.

CSA Z460, 2005

Lockout. The place­ment of a lock­out device on an energy isol­at­ing device, in accord­ance with an estab­lished pro­ced­ure, ensur­ing that the energy isol­at­ing device and the equip­ment being con­trolled can­not be oper­ated until the lock­out device is removed.

Tagout. The place­ment of a tagout device on an energy isol­at­ing device, in accord­ance with an estab­lished pro­ced­ure, to indic­ate that the energy isol­at­ing device and the equip­ment being con­trolled may not be oper­ated until the tagout device is removed.

29 CFR 1910.147

2.14 lockout/​tagout: The place­ment of a lock/​tag on the energy isol­at­ing device in accord­ance with an estab­lished pro­ced­ure, indic­at­ing that the energy isol­at­ing device shall not be oper­ated until remov­al of the lock/​tag in accord­ance with an estab­lished pro­ced­ure. (The term “lockout/​tagout” allows the use of a lock­out device, a tagout device, or a com­bin­a­tion of both.)

ANSI Z244.1 – 2003


3.3 isol­a­tion and energy dis­sip­a­tion

pro­ced­ure which con­sists of all of the four fol­low­ing actions:

a) isol­at­ing (dis­con­nect­ing, sep­ar­at­ing) the machine (or defined parts of the machine) from all power sup­plies;

b) lock­ing (or oth­er­wise secur­ing), if neces­sary (for instance in large machines or in install­a­tions), all the isol­at­ing units in the “isol­ated” pos­i­tion;

c) dis­sip­at­ing or restrain­ing [con­tain­ing] any stored energy which may give rise to a haz­ard.

NOTE Energy con­sidered in c) above may be stored in e.g.:

  • mech­an­ic­al parts con­tinu­ing to move through iner­tia;
  • mech­an­ic­al parts liable to move by grav­ity;
  • capa­cit­ors, accu­mu­lat­ors;
  • pres­sur­ized flu­ids;
  • springs.

d) veri­fy­ing by using a safe work­ing pro­ced­ure that the actions taken accord­ing to a), b) and c) above have pro­duced the desired effect.

ISO 14118 – 2000

As you can see, the defin­i­tions are fairly sim­il­ar, although slightly dif­fer­ent terms may be used. The ISO stand­ard actu­ally provides the best guid­ance over­all in my opin­ion. Note that these excerpts are all taken from the defin­i­tions sec­tions of the rel­ev­ant doc­u­ments.

One of the big dif­fer­ences between the US and Canada is the idea of ‘tagout’ (pro­nounced TAG-​out for those not famil­i­ar with the term). Tagout is identic­al to lock­out with the excep­tion of the device that is attached to the energy isol­at­ing device. Under cer­tain cir­cum­stances the US per­mits the use of a tag without a lock to secure the energy isol­a­tion device. This is not per­mit­ted in Canada under any cir­cum­stance, and the term ‘tagout’ is not offi­cially recog­nized. In Canada the term is often taken to mean the addi­tion of a tag to the lock­ing device,  a man­dat­ory part of the pro­ced­ure.

Use of Controls for Energy Isolation

This is where the ‘rub­ber meets the road’ – how is the source of haz­ard­ous energy isol­ated effect­ively? To under­stand the require­ments, let’s look at the defin­i­tion for an Energy Isolating Device.

Canada USA EU

Energy-​isolating device — a mech­an­ic­al device that phys­ic­ally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: a manu­ally oper­ated elec­tric­al cir­cuit break­er; a dis­con­nect switch; a manu­ally oper­ated switch by which the con­duct­ors of a cir­cuit can be dis­con­nec­ted from all ungroun­ded sup­ply con­duct­ors; a line valve; a block; and oth­er devices used to block or isol­ate energy (push-​button select­or switches and oth­er control-​type devices are not energy-​isolating devices).

CSA Z460, 2005

Note – Bold added for emphas­is – DN

Energy isol­at­ing device. A mech­an­ic­al device that phys­ic­ally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: A manu­ally oper­ated elec­tric­al cir­cuit break­er; a dis­con­nect switch; a manu­ally oper­ated switch by which the con­duct­ors of a cir­cuit can be dis­con­nec­ted from all ungroun­ded sup­ply con­duct­ors, and, in addi­tion, no pole can be oper­ated inde­pend­ently; a line valve; a block; and any sim­il­ar device used to block or isol­ate energy. Push but­tons, select­or switches and oth­er con­trol cir­cuit type devices are not energy isol­at­ing devices.

Note – Bold added for emphas­is – DN

Tagout device. A prom­in­ent warn­ing device, such as a tag and a means of attach­ment, which can be securely fastened to an energy isol­at­ing device in accord­ance with an estab­lished pro­ced­ure, to indic­ate that the energy isol­at­ing device and the equip­ment being con­trolled may not be oper­ated until the tagout device is removed.

29 CFR 1910.147

2.8 energy isol­at­ing device: A mech­an­ic­al device that phys­ic­ally pre­vents the trans­mis­sion or release of energy, includ­ing but not lim­ited to the fol­low­ing: a manu­ally oper­ated elec­tric­al cir­cuit break­er, a dis­con­nect switch, a manu­ally oper­ated switch by which the con­duct­ors of a cir­cuit can be dis­con­nec­ted from all ungroun­ded sup­ply con­duct­ors and, in addi­tion, no pole can be oper­ated inde­pend­ently; a line valve; a block; and any sim­il­ar device used to block or isol­ate energy.

2.20.1 tagout device: A prom­in­ent warn­ing means such as a tag and a means of attach­ment, which can be securely fastened to an energy isol­at­ing device to indic­ate that the energy isol­at­ing device and the equip­ment being con­trolled may not be oper­ated until the tagout device is removed.

ANSI Z244.1 – 2003

4.1 Isolation and energy dis­sip­a­tion

Machines shall be provided with means inten­ded for isol­a­tion and energy dis­sip­a­tion (see clause 5), espe­cially with a view to major main­ten­ance, work on power cir­cuits and decom­mis­sion­ing in accord­ance with the essen­tial safety require­ment expressed in ISO/​TR 12100 – 2:1992, annex A, 1.6.3.

Note – ISO/​TR 12100 – 2 was with­drawn in Oct-​10 and replaced by ISO 12100 – 2010. – DN Read more on this.

5.1 Devices for isol­a­tion from power sup­plies
5.1.1
Isolation devices shall:

  • ensure a reli­able isol­a­tion (dis­con­nec­tion, sep­ar­a­tion);
  • have a reli­able mech­an­ic­al link between the manu­al con­trol and the isol­at­ing element(s);
  • be equipped with clear and unam­bigu­ous iden­ti­fic­a­tion of the state of the isol­a­tion device which cor­res­ponds to each pos­i­tion of its manu­al con­trol (actu­at­or).

NOTE 1 For elec­tric­al equip­ment, a sup­ply dis­con­nect­ing device com­ply­ing with IEC 60204 – 1:1997, 5.3 “Supply dis­con­nect­ing (isol­at­ing) device” meets this require­ment.

NOTE 2 Plug and sock­et sys­tems (for elec­tric­al sup­plies), or their pneu­mat­ic, hydraul­ic or mech­an­ic­al equi­val­ents, are examples of isol­at­ing devices with which it is pos­sible to achieve a vis­ible and reli­able dis­con­tinu­ity in the power sup­ply cir­cuits.

For elec­tric­al plug/​socket com­bin­a­tions, see IEC 60204 – 1:1997, 5.3.2 d).

NOTE 3 For hydraul­ic and pneu­mat­ic equip­ment, see also EN 982:1996, 5.1.6 and EN 983:1996, 5.1.6.

ISO 14118 – 2000


Brady 65675 Large Plug Lockout Device
BRADY Small Plug Lockout Device

As you can see from the above defin­i­tions, all the jur­is­dic­tions require that devices used for energy isol­a­tion are reli­able, manu­ally oper­able, mech­an­ic­al devices. While elec­tric­al con­trol sys­tems that meet high levels of design reli­ab­il­ity may meet the reli­ab­il­ity require­ments, they do not meet the require­ments for phys­ic­al, mech­an­ic­al dis­con­nec­tion of the source of haz­ard­ous energy. Operator devices are spe­cific­ally excluded from this use in Canada and the USA. Note that plug and sock­et com­bin­a­tions are per­mit­ted in all jur­is­dic­tions. Lockout devices such as Brady 65675 Large Plug Lockout Device like the Brady Small Plug Lockout Device shown here and sim­il­ar devices can be used for this pur­pose. With some plugs it is pos­sible to put a small lock through a hole in one of the con­tacts. In some jur­is­dic­tions, even the simple act of put­ting the plug in your back pock­et while con­duct­ing the work is suf­fi­cient.

In addi­tion, the energy isol­a­tion device is required to be able to be locked in the off, isol­ated, or blocked pos­i­tion. There are emer­gency stop but­ton oper­at­ors that can be pur­chased with an integ­rated lock cyl­in­der, and there are some con­trol oper­at­or accessor­ies avail­able that will allow con­trol push but­tons and select­or switches to be locked in one pos­i­tion or anoth­er, but these do not meet the require­ments of the above stand­ards. They can be used in addi­tion to an energy isol­a­tion device as part of the pro­ced­ure, but not on their own as the sole means of pre­vent­ing unex­pec­ted start-​up.

BRADY Button Locking Device
BRADY Button Locking Device

Conclusions

Each machine or piece of equip­ment is required to have an HECP that is spe­cif­ic to that piece of equip­ment. ‘Global’ HECP’s are sel­dom use­ful except as a tem­plate doc­u­ment. Development of HECPs takes some care­ful thought and a thor­ough under­stand­ing of the kinds of work that will need to be done to main­tain and ser­vice the machinery. Individual jur­is­dic­tions have some dif­fer­ences in the details of their reg­u­la­tions, but ulti­mately the require­ments come down to the same thing: Protecting work­ers.

Control sys­tem devices such as stop but­tons and emer­gency stop devices are not accep­ted as energy isol­at­ing devices and can­not be used for this pur­pose, although they may be used as part of the HECP shut­down pro­ced­ure lead­ing up to the phys­ic­al isol­a­tion of the haz­ard­ous energy sources.

Excellent stand­ards exist that cov­er devel­op­ment of these pro­ced­ures and should be ref­er­enced as spe­cif­ic HECP are developed.

5% Discount on All Standards with code: CC2011

104602 – BRADY Button Locking Device
BRADY Button Locking Device

References

Canada

Ontario Regulation 851, Sections 42, 75 and 76.

CSA Z460-​05 (R2010) – Control of haz­ard­ous energy — Lockout and oth­er meth­ods

USA

29 CFR 1910.147The con­trol of haz­ard­ous energy (lockout/​tagout).

ANSI Z244.1 – 2003 (R2008) – Control of Hazardous Energy – Lockout/​Tagout and Alternative Methods

Download stand­ards

Allen-Bradley 8579
Allen-​Bradley 8579
International

ISO 14118 2000, Safety of machinery — Prevention of unex­pec­ted start-​up

Download ISO Standards