Using E-Stops in Lockout Procedures

Last updated on August 17th, 2022 at 12:23 pm

Article updated on 2019-09-29. Ed.

Rotary Disconnect Switch with Lock and Tag

Control of hazardous energy is one of the key ways that maintenance and service workers are protected while maintaining industrial equipment. Not so long ago we only thought about ‘Lockout’ or ‘Lockout/Tagout’ procedures, but there is much more to protecting these workers than ‘just’ locking out energy sources. Inevitably conditions come up where safeguards may need to be removed or temporarily bypassed in order to diagnose problems or to make critical but infrequent adjustments to the equipment, and this is where Hazardous Energy Control Procedures, or HECP, come in.

One of the questions I often get when helping clients with developing HECPs for their equipment is, “Can we use the emergency stop circuit for lockout?” As usual, there is a short answer and a long answer to that simple question!

The Short Answer

The short answer to this question is NO. Lockout requires that sources of hazardous energy be physically isolated or blocked. Control system safety functions, including interlocks and emergency stops, may be able to meet parts, but not all, of these requirements. Read on if you’d like to know why.

The Long Answer

Lockout

Lockout procedures are now grouped with other adjustment, diagnostic, and test procedures into what are called Hazardous Energy Control Procedures or HECP. In the USA, OSHA publishes a lockout standard in 29 CFR 1910.147, and ANSI publishes ANSI/ASSP Z244.1.


In Canada, we didn’t have a standard for HECP until 2005 when CSA Z460 was published. All the Provinces and Territories have some language in their legislation that at least alludes to the need for control of hazardous energy. In the Province of Ontario where I live, this requirement shows up in Ontario Regulation 851, Sections 42, 75 and 76. These legislative requirements have been in place for decades in most cases.

Internationally, control of hazardous energy is dealt with in ISO 14118:2000, Safety of machinery – Prevention of unexpected start-up.

In the EU, the requirement to implement HECP comes from the Machinery Directive, 2006/42/EC. Have a look at Annex I, 1.6.3:

1.6.3. Isolation of energy sources

Machinery must be fitted with means to isolate it from all energy sources. Such isolators must be clearly identified. They must be capable of being locked if reconnection could endanger persons. Isolators must also be capable of being locked where an operator is unable, from any of the points to which he has access, to check that the energy is still cut off.

In the case of machinery capable of being plugged into an electricity supply, removal of the plug is sufficient, provided that the operator can check from any of the points to which he has access that the plug remains removed.

After the energy is cut off, it must be possible to dissipate normally any energy remaining or stored in the circuits of the machinery without risk to persons.

As an exception to the requirement laid down in the previous paragraphs, certain circuits may remain connected to their energy sources in order, for example, to hold parts, to protect information, to light interiors, etc. In this case, special steps must be taken to ensure operator safety.

2006/42/EC, Safety of Machinery Directive


If you look at Sections 42, 75 and 76 of the Ontario regulations, they don’t tell you how to perform lockout, and they make little mention of what to do with live work for troubleshooting purposes. The US OSHA regulations read more like a standard, but because they are in legislation they are prescriptive. You MUST meet this minimum requirement, and you may exceed it.

Let’s look at how “lockout” is defined in the standards.

Canada (Ontario)

Lockout – placement of a lockout device on an energy-isolating device in accordance with an established procedure.

CSA Z460, 2013

USA (OSHA)

Lockout. The placement of a lockout device on an energy isolating device, in accordance with an established procedure, ensuring that the energy isolating device and the equipment being controlled cannot be operated until the lockout device is removed.

Tagout. The placement of a tagout device on an energy isolating device, in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

29 CFR 1910.147

2.14 lockout/tagout: The placement of a lock/tag on the energy isolating device in accordance with an established procedure, indicating that the energy isolating device shall not be operated until removal of the lock/tag in accordance with an established procedure. (The term “lockout/tagout” allows the use of a lockout device, a tagout device, or a combination of both.)

ANSI Z244.1-2003

European Union

3.3 isolation and energy dissipation

procedure which consists of all of the four following actions:

a) isolating (disconnecting, separating) the machine (or defined parts of the machine) from all power supplies;

b) locking (or otherwise securing), if necessary (for instance, when the operator is not able, from every location he may be at, to check that the power supply remains interrupted), all the isolating units in the “isolated” position;

c) dissipating or restraining (containing) any stored energy which may give rise to a hazard.

Note 1 to entry Energy considered in c) may be stored in e.g. mechanical parts continuing to move through inertia, e.g. backdriving of a ventilation fan, mechanical parts liable to move by gravity, capacitors and accumulators, pressurized fluids and springs.

d) verifying by using a safe working procedure (e.g. by measuring) that the actions taken according to a), b) and c) have produced the desired effect.

ISO 14118-2018

As you can see, the definitions are fairly similar, although slightly different terms may be used. The ISO standard actually provides the best guidance overall in my opinion. Note that these excerpts are all taken from the definitions sections of the relevant documents.

One of the big differences between the US and Canada is the idea of ‘tagout’ (pronounced TAG-out for those not familiar with the term). Tagout is identical to lockout with the exception of the device that is attached to the energy isolating device. Under certain circumstances, the US permits the use of a tag without a lock to secure the energy isolation device. This is not permitted in Canada under any circumstance, and the term ‘tagout’ is not officially recognized. In Canada, the term is often taken to mean the addition of a tag to the locking device, a mandatory part of the procedure.

Use of Controls for Energy Isolation

This is where the ‘rubber meets the road’ – how is the source of hazardous energy isolated effectively? To understand the requirements, let’s look at the definition of an Energy Isolating Device.

Canada

Energy-isolating device – a mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors; a line valve; a block; and other devices used to block or isolate energy (push-button selector switches and other control-type devices are not energy-isolating devices).

CSA Z460, 2005

Note – Bold added for emphasis – DN

USA

Energy isolating device. A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: A manually operated electrical circuit breaker; a disconnect switch; a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors, and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy. Push buttons, selector switches and other control circuit type devices are not energy isolating devices.

Note – Bold added for emphasis – DN

Tagout device. A prominent warning device, such as a tag and a means of attachment, which can be securely fastened to an energy isolating device in accordance with an established procedure, to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

29 CFR 1910.147

2.8 energy isolating device: A mechanical device that physically prevents the transmission or release of energy, including but not limited to the following: a manually operated electrical circuit breaker, a disconnect switch, a manually operated switch by which the conductors of a circuit can be disconnected from all ungrounded supply conductors and, in addition, no pole can be operated independently; a line valve; a block; and any similar device used to block or isolate energy.

2.20.1 tagout device: A prominent warning means such as a tag and a means of attachment, which can be securely fastened to an energy isolating device to indicate that the energy isolating device and the equipment being controlled may not be operated until the tagout device is removed.

ANSI Z244.1-2003

EU

4.1 Isolation and energy dissipation

Machines shall be provided with means intended for isolation and energy dissipation (see clause 5), especially with a view to major maintenance, work on power circuits and decommissioning in accordance with the essential safety requirement expressed in ISO/TR 12100-2:1992, annex A, 1.6.3.

Note – ISO/TR 12100-2 was withdrawn in Oct-10 and replaced by ISO 12100-2010. – DN

5.1 Devices for isolation from power supplies

5.1.1 Isolation devices shall:

  • ensure a reliable isolation (disconnection, separation);
  • have a reliable mechanical link between the manual control and the isolating element(s);
  • be equipped with clear and unambiguous identification of the state of the isolation device which corresponds to each position of its manual control (actuator).

NOTE 1 For electrical equipment, a supply disconnecting device complying with IEC 60204-1:1997, 5.3 “Supply disconnecting (isolating) device” meets this requirement.

NOTE 2 Plug and socket systems (for electrical supplies), or their pneumatic, hydraulic or mechanical equivalents, are examples of isolating devices with which it is possible to achieve a visible and reliable discontinuity in the power supply circuits.

For electrical plug/socket combinations, see IEC 60204-1:1997, 5.3.2 d).

NOTE 3 For hydraulic and pneumatic equipment, see also EN 982:1996, 5.1.6 and EN 983:1996, 5.1.6.

ISO 14118-2000

As you can see from the above definitions, all the jurisdictions require that devices used for energy isolation are reliable, manually operable, mechanical devices. The standards do not explicitly exclude emergency stop or interlocking systems, although CSA Z460 includes an important note to the definition that explains that control system devices are not energy isolation devices.

While electrical control systems that meet high levels of design reliability may meet the reliability requirements, they do not meet the requirements for physical, mechanical disconnection of the source of hazardous energy. I posted a video looking at the relative reliability of a disconnecting switch vs. an interlock using a safety PLC which you might find interesting. If you want to skip the regulatory analysis and get right down to the functional safety analysis, skip ahead to about 21:30 where I start the analysis.

Safety PLCs and Lockout
BRADY Small Plug Lockout Device

Operator devices are specifically excluded from this use in Canada and the USA. Note that plug and socket combinations are permitted in all jurisdictions.

Lockout devices like the Brady Small Plug Lockout Device or the Brady 65675 Large Plug Lockout Device can be used to secure a plug. With some plugs, it is possible to put a small lock through a hole in one of the blades or pins. In some jurisdictions, even the simple act of putting the plug into your back pocket while conducting the work is sufficient.

BRADY Button Locking Device

In addition, the energy isolation device is required to be able to be locked in the off, isolated, or blocked position. There are emergency stop button operators that can be purchased with an integrated lock cylinder, and there are some control operator accessories available that will allow control pushbuttons and selector switches to be locked in one position or another, but these do not meet the requirements of the above standards. They can be used in addition to an energy isolation device as part of the equipment shutdown procedure, but not on their own as the sole means of preventing unexpected start-up.

Conclusions

Each machine or piece of equipment is required to have a HECP that is specific to that piece of equipment. ‘Global’ HECPs are seldom useful except as a template document. The development of HECPs takes some careful thought and a thorough understanding of the kinds of work that will need to be done to maintain and service the machinery. Individual jurisdictions have some differences in the details of their regulations, but ultimately the requirements come down to the same thing: Protecting workers.

Control system devices such as stop buttons and emergency stop devices are not accepted as energy isolating devices and cannot be used for this purpose, although they may be used as part of the HECP shutdown procedure leading up to the physical isolation of the hazardous energy sources.

Excellent standards exist that cover the development of these procedures and should be referenced as specific HECPs are developed.


References

Canada

Ontario Regulation 851, Sections 42, 75 and 76.

CSA Z460-13 (R2018), Control of hazardous energy – Lockout and other methods

USA

29 CFR 1910.147, The control of hazardous energy (lockout/tagout).

ANSI/ASSP Z244.1 – 2016, Control of Hazardous Energy – Lockout/Tagout and Alternative Methods

ANSI Z244.1 – 2003 (R2008), Control of Hazardous Energy – Lockout/Tagout and Alternative Methods (withdrawn)


International

ISO 14118:2017, Safety of machinery – Prevention of unexpected start-up

IEC 60364-5-53:2019, Low-voltage electrical installations – Part 5-53: Selection and erection of electrical equipment – Devices for protection for safety, isolation, switching, control and monitoring

IEC 61439-1:2011, Low-voltage switchgear and controlgear assemblies – Part 1: General rules

IEC 61439-2:2011, Low-voltage switchgear and controlgear assemblies – Part 2: Power switchgear and controlgear assemblies

© 2010 – 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

6 thoughts on “Using E-Stops in Lockout Procedures”

  1. There are machines that need power on to make sensor adjustments. You might need to have only the estop locked out to enable the sensors to have power for adjusting.

    1. Hi Floyd,
      You are correct. This is why hazardous energy control procedures encompass more than “just” lockout. Partial or complete re-energization is often needed for adjustment and fault finding. Under these conditions, additional administrative controls, supplemental guarding or other measures might be needed. Once the machine goes into a partial or complete re-energization it is no longer locked out. Emergency stop devices and systems cannot be used for energy isolation because they are typically not sufficiently reliable to be used for this purpose. You can use the e-stop as part of the graceful shutdown procedure, BUT, it cannot be used for the final energy isolation. You still must use a device that is rated for isolation purposes (IEC 60947-1), can be manually operated and can be locked in the OFF, isolated or blocked state.

  2. Great comparison and explanation! You are quite right that padlocking the estop is NOT a means of energy isolation. Instead locking the estop is simply a means of ensuring that the estop is not reset, and if all is working as it should and electricity is the ONLY source of energy, it means that a reset and re-initiation of operation would not happen. However there is still electrical energy available, since the lock is not an isolation device.

    In addition, everyone needs to remember that energy isolation (and lock-out) is NOT just about electrical energy. Usually there are multiple sources of energy.

    1. Roberta,
      Absolutely right. Lockout requires energy isolation using a device intended for the purpose. Control circuits cannot provide this functionality. Each energy source requires a means to reliably shut-off and isolate it from the machinery, or in the case of sources like gravity which cannot be shut-off, their effect must be reliably blocked.
