
Lockout-Tagout - restlessdesign
https://en.wikipedia.org/wiki/Lockout-tagout
======
taneq
After working in mining for a long while, where this kind of isolation
procedure is standard and is taken very seriously (pretty much any breach of
procedure is an instantly firable offense) it's terrifying coming back home
and seeing people working on house wiring etc. with nothing more than a
turned-off circuit breaker protecting them from electrocution or other injury.
I've seen some trades start to pick up isolation procedures but they're
generally still far behind industry best practices.

~~~
ebiester
How would you recommend people working on their own house implement anything
more than turning off the circuit breaker? (I'm not doing anything electrical
in general, but sometimes small fixes are necessary for home owners.)

~~~
zaarn
What I learned when doing electrical work in Germany is that the procedure for
safe electrical working is as follows:

- Switch off (at circuit breaker)

- Prevent switching on (lock the breaker)

- Check voltage free (multimeter cleared for 230V/120V operation with long,
isolated test leads)

- Ground and short (put a plug into the socket connecting earth, live and
neutral, you can DIY that at home safely by cutting open an unused cord and
soldering all three wires together)

- Cover nearby powered equipment
~~~
amluto
> Ground and short (put a plug into the socket connecting earth, live and
> neutral

Hmm. Given that breakers in the US don’t disconnect the neutral, grounding the
neutral can introduce potentially unpleasant stray currents.

On the flip side, as far as I can tell, it’s entirely possible for a
code-compliant installation to give you a moderate zap if you touch the neutral
with the breaker off: if you have a long feeder to the panel, and someone
turns on a big, single-phase load on a different breaker, the voltage drop on
the feeder neutral could zap you. Imagine a 50A inrush current across 1 ohm.
That’s 50V for a few cycles.

~~~
zaarn
At least in Germany the standard breakers don't either but the GFCI does and
3-phase breakers need to interrupt all phases. The neutral is also somewhat
regularly grounded in the buildings I've seen and at least one grounding point
is required at the distro point. Plus the breakers will trip at 50A inrush
anyway.

(From experience, 50V AC won't kill you unless you are standing in a bathtub
and covered yourself in conductive gel, you'll just get some minor pain in
most cases)

~~~
amluto
> The neutral is also somewhat regularly grounded in the buildings I've seen
> and at least one grounding point is required at the distro point.

Hmm. Are phase-to-neutral loads permitted? If so, does this mean that the
building and ground are allowed to carry neutral currents? This seems like a
bad idea.

I’m not an electrician, but I’ve seen enough problems caused by “objectionable
current” (the US code name for currents through what is supposed to be ground
even in the absence of a fault) that I think that neutral should be treated as
a hot wire whose voltage to ground just happens to be quite low. This would
involve all breakers switching the neutral as well as having a reliable
mechanism to detect neutral-to-ground faults.

Newer US GFCI devices are supposed to detect neutral-to-ground faults, so
that’s a start, but I don’t think any of them will actually disconnect the
neutral if such a fault is detected. They do this by inductively coupling a
low voltage 120 Hz common mode waveform on hot + neutral, or maybe just on
neutral. It’s a cute trick.

~~~
zaarn
Any building since 2007 has a GFCI installed (TAB2007-6.1§10 in Germany). Not
as is common in the US in the sockets but in the breaker box itself. GFCI
sockets and plugs are very rare and only exist for legacy installations that
cannot be upgraded (insurance is expensive without one).

We use the TN-C-S system, wherein before the GFCI you have 3-phase with a PEN
that is shorted to ground when it enters the building, then it is split into
PE and N wires. The GFCI is 3-phase with only 1 phase being put into the
building (usually, though multiple phases aren't uncommon in larger housings).
The PE wire is connected to the heating system and various other ground
potential points (either to provide ground or obtain ground potential). The N
wire is shorted to PE before entering the socket (or the socket itself shorts
these two). Once it leaves a socket the entire thing becomes unpolarized, so
to speak, so devices after the socket can't short PE and N without polarized
plugs.

This avoids problems with the inrush since the inrush voltage against ground
will be grounded away shortly after entering the socket (and trip your
breakers). It also means that it's less likely that a single broken wire
results in the entire GFCI becoming useless, though if neutral is broken it
can become somewhat dangerous (but the device stops working).

------
RandomBacon
Always verify the equipment you are working on is still physically LO-TO. I
heard a story about one person who LO-TO'd a breaker on Friday, and Monday it
had power when he went to work on it. The guy went to check the breaker, and
the breaker was sitting on the ground with the lock still attached, and a new
breaker in its place.

~~~
csours
Hooo boy. I think there might be a few more breakers on the ground if that was
me.

~~~
Gibbon1
You misspelled 'teeth'

------
frankwiles
When I started at the Lawrence Journal-World (the company who Open Sourced
Django) I was forced to watch a really old cheesy video about Lock-Out Tag-Out
which at the time seemed stupid for a web developer. Then I was walked to the
office past some of the biggest machines I’d ever been near to that point in
my life. Then I got it.

It definitely saved a few people’s limbs at that company alone.

~~~
Cthulhu_
In software development the closest equivalent I can think of would be locking
files in older version control systems like SVN.

------
beart
I started up a piece of industrial equipment that someone was working on just
out of sight. He didn't lock it out or even disconnect the power at the switch
right next to him. He screamed at me when his arm almost got ripped off. It's
an amazing mix of terror for having almost hurt someone and rage at that same
person for putting you in that position.

------
Intermernet
This is unofficially gaining a 3rd step: "Try out". Sometimes people fail to
properly lock and tag, and it's usually worth physically testing that the
equipment is actually disabled before someone is injured or killed due to
incorrect locking / tagging.

EDIT: This is obviously mentioned in the article! Mea culpa ;-)

~~~
Semiapies
Hey, it definitely won't kill anyone to reiterate it.

------
zwilson
Ex oil and gas health, safety, and environmental advisor, turned software
engineer. This was a critical turning point for safety in almost every
industry. Here's an unfortunate, but memorable example of its real-world
importance: https://www.theguardian.com/us-news/2015/aug/12/bumble-bee-foods-settlement-man-cooked-death-tuna

#edit: Oxford comma ocd

------
geekamongus
Side note: The most secure locks that Master makes (in regards to being pick
resistant) are their LOTO padlocks, and they are usually about $10. Most of
their other consumer locks are pretty easy to bypass with basic picks, but get
marketed as being the "best" in security and cost a lot more.

~~~
black6
In my experience this is not true. Some LO/TO locks even have plastic shackles
and bodies (for the obvious electrical work). They’re not supposed to be pick
proof and super secure—they’re a visual and physical reminder that the system
is secured for worker safety. If a lock needs to be removed by someone other
than the lock owner there is an OSHA process to remove it that involves
cutting and discarding that particular lock.

~~~
n0ric
I recommend watching LockPickingLawyer's video on the lock the parent comment
is talking about:
https://youtu.be/y4XGY0_cwcM. Master used a
very pick resistant core for their LOTO locks but skimped out on the higher
priced general-use models.

~~~
black6
That _is_ baffling as he says in the video! I’ve never seen anyone on any
worksite I’ve been on trying to pick a LO/TO lock, so I just assumed the cores
were just as insubstantial.

~~~
jsmith45
I suspect it is very deliberate.

Their normal cores are so shitty that there is a reasonable chance that the
wrong key will work to open the lock, especially if somebody is trying to open
it quickly.

With LOTO locks, Bob could die if Alice's key works on Bob's lock. (e.g. both
working on equipment powered by different circuit breakers, and Alice
confuses the breakers, and removes the lock from Bob's breaker, because her
key happened to work on it).

A few reports of that happening, and their LOTO locks could be banned from
many worksites due to unions rightfully insisting on it.

So it actually is worth having better cores to ensure only the correct keys
will work.

------
asperous
https://www.oregonlive.com/silicon-forest/2018/10/intel_sued_for_1_million_in_wo.html

Pretty recent death caused partially by not following this procedure.

------
downerending
Too lazy to include a link, but I believe when work is done on electrified
train rails, they attach a huge bar across the power rails to short them. If
they're inadvertently powered, breakers elsewhere trip. (Or, worst case, the
bar melts?)

~~~
NamTaf
I'm not sure how this works for electrified rails (i.e. a third-rail that
provides power to the engines), however for a standard rail line (i.e. just 2
tracks, with either an overhead providing electricity, or diesel engines)
something similar is used as a safety method via the track signalling.

Specifically, in many rail signalling network systems, a signal will turn red
when it detects a short between the two rails in its section (i.e. an axle
rolls into it). It will then turn back green when that short disappears.
Workers can therefore clip something between both rails, which triggers the
signal relay and makes the signal light green.

This is absolutely not isolation & lockout though, because it doesn't actually
remove the energy source. That's not to say it's not a valuable process
though, but an isolation & lockout for this sort of circumstance either
involves locking the track switches to direct traffic away from the worksite,
or installing a derailer [1] on the track that physically throws the train off
the rail into the dirt so it stops well clear of the work site.

The above obviously doesn't work if you're working on a running system, though
(which does happen, occasionally). In that instance, the track clip lets
trains stop at the red light, radio to the worksite, have the worksite clear,
then remove the clip, let the train through, then resume work. It's different
levels of safety for different perceived risks.

[1]: https://en.wikipedia.org/wiki/Derail

~~~
tialaramex
Track circuit operating clips are used for the system you're talking about,
they're just a pretty simple arrangement of giant spring clips with a
deliberately short lead between them, workers are trained to apply the clips
starting with the side away from the third rail, the lead is too short to make
it possible to connect the third rail to the running rail if you've done it
this way.

The big metal bar is different, as the poster explained it will short the
(supposedly dead) power circuit in a third rail system, taking several hundred
volts at quite a lot of amps until the short is detected, hence it can't just
be a couple of metal clips and a cheap cable like TCOC. If some idiot
re-enables power to the circuit or a fault elsewhere re-energises it despite it
notionally being switched off, the bar will turn that into a full short and
everybody will know there's a problem, although I'm not sure that would save
anybody who happens to actually be touching the now surprisingly live rail at
the time it's energised.

On overhead systems there is similarly an arrangement where a worker - after
confirming that the power is supposedly dead - ensures this is true by
physically grounding it. Again it's a failsafe.

------
zxcvgm
John Ward recently did a video on various lockout-tagout devices for
electrical systems:
https://youtu.be/3fMueAINzcI

------
alsysadmin
I've spent many career years in sysadmin / process automation for
manufacturing companies, and LOTO is one of many pieces of proper procedure
and process that really impresses me about that industry. I worked at a big
steel recycling plant, and the zero tolerance effort put toward safety and
generally ensuring that this type of stuff was upheld was impressive. Not
locking out a machine, or forgetting your lock on a machine was a fireable
offense with like, one warning I think. You certainly didn't want to be the
guy who was working on a machine that morning, and left your lock on it when
you went home while someone else was working on it. They'd call you and get
you out of bed real quick if it meant the machine couldn't start up because
your lock is on there and you weren't accounted for.

SRE's and operations people can pick up good habits from manufacturing gigs. A
lot of the same concepts like uptime, good documentation, procedure,
discipline are really important to the business at all levels. When lives are
at risk good companies put a large sum of time and money in making sure
everyone is on the same page.

------
symplee
Any software patterns comparable to this?

(Would help to have a use-case example. And how the pattern helped Vs. what
was being done before)

~~~
pjc50
"Lock" as in mutex? Although those don't come with a tag, which could be very
handy when debugging.

~~~
fredley
Depending on the system, I think you can find out who owns the lock.

------
NamTaf
I'm a mech engineer working with heavy machinery, and isolation & lockout
rules everything around me. It's probably the most important method of
implementing safeworking at an operational level [1]. I was responsible for
rolling it out at the first site at my company, implementing the process and
documentation, and then seeding it across to other sites.

There's a concept called the hierarchy of hazard control [2]. At the top is
eliminating the hazard - just removing it completely. It goes down through
substitution, engineering controls, admin controls and then protective
equipment is right at the bottom as the least effective method of protection.
I&L aims to address the hazards right at the top by eliminating them, which is
by far the most effective means of ensuring safety.

It does this by following a process: First, isolate the energy source.
Secondly, lock that isolation out so it cannot be reactivated. Third, test for
dead by showing that a) the isolation cannot be removed, and b) that there is
no residual energy source remaining.

For example, an electrical isolation point might be a switch, which when
thrown firstly breaks the circuit, but then also drains out any capacitors or
other residual energy storage. The isolating person throws the switch, locks
it out, tries to throw the switch back against the lock to show it's secure,
then tests the system for dead by trying to power it up or by testing
terminals for a voltage to prove that the energy sources have been drained.
Once that's all done, they'll then complete the rest of the process and let
others lock on to the system.

When someone locks on to an isolated system, there should be sufficient
documentation and indication to show that the system is isolated and safe. It
might mean that if a mechanical latch is rotated to the 'safe' position,
there's a sign that rotates into view from the isolation point so the
protected person who is locking on to the isolation can see it, whereas when
it's not locked out they cannot. The protected person can in theory go and
test the lockout to ensure it's in place, but usually (where I'm at) it's
controlled by a dual sign-off process when the above can't be achieved. Then
the protected person throws their lock on the isolation point, and that
ensures that none of the isolations can be released until they remove their
lock. Critically, those who place the isolation are generally a controlled set
of people who are trained more highly than the protected person level who just
has to know how to verify isolations are in place and then lock on. In
general, the people working on the isolated system don't place their own
isolations unless it's a simple system/process.

The whole process essentially provides a method of accounting for every person
working on a system, and letting them be confident that it can't be powered up
whilst working on it. It's not supposed to be secure locks. Mine, for example,
have plastic casings, and ones designed for electrical work have a plastic
bolt which I could probably easily remove with a bit of percussive persuasion.
However, you also realistically generally can't stop a malicious person
bypassing those safety measures, e.g. by wiring around a circuit-breaker or by
undoing some bolts to remove a latch. So it's not intended to stop malicious
parties, but it prevents the vastly more frequent case where someone starts
a machine when someone else is working in it.

It gets far more complex than all that too, for example covering how you pass
secure isolations between shifts, or how you chain together layers of an
isolated system to a single isolation point, but the above should hopefully
provide some insight into why this stuff exists and why it takes the form it
does.

[1]: I would consider the concept of 'safety in design' higher overall because
that's about removing the hazard from existing at the design stage, but once
it exists then I&L is generally the gold standard for dealing with it.

[2]:
[https://en.wikipedia.org/wiki/Hierarchy_of_hazard_controls](https://en.wikipedia.org/wiki/Hierarchy_of_hazard_controls)
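
The isolate / lock out / test for dead / lock on process described in the comment above, and the "mutex with a tag" idea from the symplee / pjc50 / fredley exchange earlier in the thread, modelled as a small Python state machine. This is an added example and is not code from the thread or from any real LOTO system. Everything in it is invented for illustration: the `IsolationPoint` and `Tag` names, the key ids, the "conveyor breaker 7" sample, and the `forced_removal` rule (which only stands in for the documented cut-the-lock process black6 mentions, not for any specific regulation).

```python
from dataclasses import dataclass, field


class LockoutError(Exception):
    """A step of the isolation & lockout process would be violated."""


@dataclass(frozen=True)
class Tag:                       # what the tag on a lock records (invented fields)
    owner: str
    reason: str


@dataclass
class IsolationPoint:
    """One isolation point (switch, breaker) fitted with a multi-lock hasp."""
    name: str
    energised: bool = True
    isolated: bool = False
    residual_energy: int = 0                    # stored energy not yet drained, arbitrary units
    locks: dict = field(default_factory=dict)   # key_id -> Tag, one lock per physical key
    log: list = field(default_factory=list)

    # Step 1: isolate the energy source and drain any residual energy.
    def isolate(self, drain_residual: bool = True) -> None:
        self.energised, self.isolated = False, True
        if drain_residual:
            self.residual_energy = 0
        self.log.append(f"isolated {self.name}")

    # Step 2: lock on. Keys are unique, so one key id holds at most one lock.
    def lock_on(self, key_id: str, owner: str, reason: str) -> None:
        if not self.isolated:
            raise LockoutError(f"{owner}: cannot lock on, {self.name} is not isolated")
        if key_id in self.locks:
            raise LockoutError(f"key {key_id} already holds a lock on {self.name}")
        self.locks[key_id] = Tag(owner, reason)
        self.log.append(f"{owner} locked on with {key_id}")

    # Step 3: test for dead: the isolation must hold against the lock, and no stored energy may remain.
    def test_for_dead(self) -> bool:
        if not self.locks:
            raise LockoutError("testing for dead with no lock on proves nothing")
        try:
            self.energise()
        except LockoutError:
            pass                                # the lock held, as it should
        else:
            raise LockoutError(f"{self.name} re-energised: isolation is not secure")
        if self.residual_energy:
            raise LockoutError(f"{self.name} still holds residual energy")
        self.log.append(f"{self.name} tested for dead")
        return True

    def holders(self) -> list:                  # who is locked on: the tag a plain mutex lacks
        return sorted(tag.owner for tag in self.locks.values())

    def _tag(self, key_id: str) -> Tag:
        if key_id not in self.locks:
            raise LockoutError(f"no lock for {key_id} on {self.name}")
        return self.locks[key_id]

    # Only the owner of a lock can take it off, with their own key.
    def remove_lock(self, key_id: str, requester: str) -> None:
        tag = self._tag(key_id)
        if tag.owner != requester:
            raise LockoutError(f"{requester} cannot remove {tag.owner}'s lock; use forced_removal")
        del self.locks[key_id]
        self.log.append(f"{requester} removed own lock {key_id}")

    # Cutting someone else's lock is a documented exception: it records who authorised it
    # and requires that the owner was contacted and accounted for first.
    def forced_removal(self, key_id: str, authorised_by: str, owner_contacted: bool) -> None:
        tag = self._tag(key_id)
        if not owner_contacted:
            raise LockoutError(f"contact {tag.owner} before cutting their lock")
        del self.locks[key_id]
        self.log.append(f"{authorised_by} cut {tag.owner}'s lock {key_id} after contacting owner")

    # Re-energising is refused while any lock remains on the hasp.
    def energise(self) -> None:
        if self.locks:
            raise LockoutError(f"cannot energise {self.name}: locks held by {self.holders()}")
        self.energised, self.isolated = True, False
        self.log.append(f"energised {self.name}")


def run_procedure() -> IsolationPoint:
    """Walk one constructed isolation through the whole process and return it."""
    point = IsolationPoint("conveyor breaker 7")      # constructed sample, not a real site
    point.isolate()
    point.lock_on("key-A1", "isolator", "owns the isolation")
    point.test_for_dead()
    point.lock_on("key-B2", "alice", "bearing change")
    point.lock_on("key-C3", "bob", "guard repair")
    point.remove_lock("key-B2", "alice")             # alice finishes; bob is still inside
    try:
        point.energise()                             # must be refused while bob is locked on
    except LockoutError as err:
        point.log.append(f"refused: {err}")
    point.remove_lock("key-C3", "bob")
    point.remove_lock("key-A1", "isolator")
    point.energise()
    return point
```

Running `run_procedure()` and printing `point.log` shows the sequence: the isolating person's lock goes on first, the test for dead includes trying to throw the switch back against that lock, and the attempt to energise while Bob is still locked on is refused with the list of holders (the "who owns the lock" answer). Two design choices follow the thread rather than a plain mutex: a key id can only ever open its own lock, so the Alice-opens-Bob's-lock failure cannot be expressed, and cutting someone else's lock is a separate, logged path that demands the owner be contacted first.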

------
swixmix
https://www.osha.gov/laws-regs/regulations/standardnumber/1915/1915.89

------
sunkenvicar
This is a large part of my job because all equipment must be locked out before
it is serviced.

------
Igelau
Can we talk about how bad that lockout hasp graphic is? It looks like a drunk
person broke the last crayon drawing it and just decided to have Inkscape run
a trace on what they had.

~~~
defterGoose
I noticed that too. It's like bad, stylized clip-art. They even have an image
of a real one further down the article.

