Most LOTO procedures fail twelve months after they are written. The control of hazardous energy standard prevents an estimated 120 fatalities and 50,000 injuries each year[1], yet it remains a fixture on OSHA's Top 10 most cited standards[2], with 2,177 violations recorded in FY2025[5]. The hardware is mature. The standard has not changed materially since 1989. So why do the citations keep climbing? Because most sites have a procedure on paper that no longer matches the machine on the floor.
- Part 1: What the Regulators Actually Require
- Part 2: The Six Elements of a Compliant ECP
- Part 3: Why Most Procedures Stop Matching Reality
- Part 4: How to Write a Machine-Specific ECP, Step by Step
- Part 5: Periodic Review, the Part Most Sites Get Wrong
- Part 6: Where Digital LOTO Changes the Conversation
- Part 7: Where The Lock Box Fits
This post answers a different question from the usual "what is LOTO" pieces. It is about how to write a machine-specific energy control procedure (ECP) that is correct on day one, and how to keep it correct after the next motor swap, the next guard relocation, and the next weekend shutdown.
Four questions every ECP must answer for the machine in front of you:
- What are all the energy sources, including stored?
- Where is each isolation point, and what device locks it?
- What is the sequence to shut down, isolate, release stored energy, verify zero state, and restore?
- Who is authorised to apply each lock, and how is removal handled if that person is unavailable?
If your current procedure cannot answer all four for the actual machine on the floor right now, it is not a machine-specific procedure. It is a draft.
Part 1: What the Regulators Actually Require
The US framework is 29 CFR 1910.147(c)(4)(ii)[1]. It requires that every energy control procedure be written, machine-specific, and address six elements covering shutdown and isolation steps, placement and removal of lockout devices, verification of isolation, identification of every energy source, identification of every isolation point, and the authorised employees responsible. A blanket site-wide procedure is not compliant. The regulator wants one document per machine, or per group of machines that operate as a single system.
The EU framework arrives at the same destination by a different route. The Machinery Directive 2006/42/EC places the design obligation on the manufacturer to enable safe energy isolation[3]. EN ISO 14118 sets the technical standard for preventing unexpected start-up[4]. For the site, this means the equivalent question of who is the instructed person or skilled person authorised to perform the isolation, and what does the documented method look like at the machine level. DACH auditors and DGUV inspectors will ask to see both the documented procedure and the training record that ties named workers to it.
The conclusion is the same on both sides of the Atlantic. A generic procedure binder fails an audit. A machine-specific procedure that matches the equipment passes one.
Part 2: The Six Elements of a Compliant ECP
The table below maps OSHA's six required elements to what a good ECP shows and to the failure mode auditors find most often. The same logic applies in EU jurisdictions, with the wording adjusted for local terminology.
| Required element (1910.147(c)(4)(ii)) | What good looks like | Common failure mode |
|---|---|---|
| Specific steps for shutting down, isolating, blocking, and securing | Step-by-step sequence written for the specific machine, in operator language, photographed at each isolation point | Generic site template that says "isolate all energy sources" without naming which points or in what order |
| Specific steps for placement, removal, and transfer of lockout devices | Names the device type at each isolation point (e.g. ball valve lockout, MCB lockout) and the padlock applied to it | Procedure lists devices generally but does not match the actual valve or breaker type on the machine |
| Specific requirements for testing equipment to verify isolation | Names the test method, the expected reading, and the person responsible for confirming zero state | "Confirm equipment is de-energised" with no method, no reading, no responsibility named |
| Identification of every energy source, including stored | All seven categories considered: electrical, hydraulic, pneumatic, thermal, chemical, gravity, and stored mechanical | Only electrical isolation captured. Stored hydraulic pressure or spring tension forgotten until someone is hurt |
| Identification of every isolation point | Specific location, tag number, and isolation device type for each point on the machine | Procedure says "main disconnect" without specifying which one on a machine with several |
| Authorised employees responsible for applying and removing devices | Roles named with training records traceable to 1910.147(c)(7) | Procedure names a job title that no longer exists, or a person who left the site two years ago |
For a step-by-step walk through the LOTO process itself, see our pillar guide to the six (and more) steps of lockout tagout.
Part 3: Why Most Procedures Stop Matching Reality
A site writes a machine-specific procedure during commissioning. Every energy source is identified. Every isolation point is documented. Every step matches the equipment on the floor. On day one, the procedure is accurate.
Six months later, a motor gets replaced. A guard is relocated. A pneumatic line is rerouted during a weekend shutdown. The equipment changes. The procedure does not. The operator follows the documented steps. The documented steps no longer account for every energy source. This is procedure drift, and it is the gap auditors find first[5].
Real-World Case: The pattern is consistent across industries. Sites with rigorous LOTO programmes still accumulate drift because maintenance work orders do not trigger a procedure review. The change happens on the floor. The procedure stays on the shelf. Sites that manage this well have one thing in common. They tie procedure review directly to equipment change orders, not to the annual calendar.
Part 4: How to Write a Machine-Specific ECP, Step by Step
Six steps from blank page to audit-ready procedure.
Step 1: Walk the machine with maintenance, not just paperwork
The procedure is not written from the equipment manual. It is written from the machine. Walk the line with the maintenance technician who services it. Photograph every disconnect, valve, and isolation point. Note the tag numbers as they actually appear on the equipment, not as they appear on the P&ID. The drawing and the reality often disagree.
Step 2: Inventory every energy source
Work through the seven categories one at a time: electrical, hydraulic, pneumatic, thermal, chemical, gravity, and stored mechanical. Stored energy is where most procedures fail. A capacitor bank can hold a charge for minutes after disconnect. A raised hydraulic ram can drop if the line is opened without first bleeding pressure. A spring under tension can release when its retainer is removed. None of these are exotic. All of them have killed people.
Step 3: Photograph each isolation point and tag the device type
For every isolation point, capture an image and name the device class: ball valve lockout, gate valve lockout, MCB lockout, plug lockout, cable lockout. The procedure will reference these images and device types directly, which removes ambiguity at the point of use.
Step 4: Write the sequence in operator language
The reader is the authorised employee on the floor at three in the morning, not the engineer who designed the line. Use verbs the operator uses. Number the steps. Specify the order: shut down using normal stop, isolate at the named disconnect, release stored energy by the named method, apply the named lockout device and the worker's padlock, verify zero energy state by the named test.
Step 5: Pre-build the lockout kit that matches the procedure
A procedure that lists devices the site does not own is a procedure that gets bypassed at three in the morning. Build the kit alongside the procedure. Standardise kit composition across machines where the energy types repeat. See our range of pre-built and customisable LOTO kits for a starting point.
Step 6: Walk-through with the authorised employee who will run it
The final check is not a desk review. It is a physical walk with the worker who will actually use the procedure on a real shutdown. They will catch what the writer missed. They will also catch the moments where engineer language fails operator clarity. Revise on the spot.
Best Practice: Want a starting template rather than a blank page? Our partner Zentri publishes a free LOTO procedure template that maps to the six required elements above, with a worked example you can adapt to your own equipment. Download the template here.
Part 5: Periodic Review, the Part Most Sites Get Wrong
OSHA 1910.147(c)(6) requires a periodic inspection of each energy control procedure at least annually[1]. The instinct is to read this as a paperwork exercise: print the procedures, sign them off, file them.
The harder question is whether each procedure still matches the equipment. The trigger that should drive an update is the maintenance work order, not the calendar. A motor replacement should not close out without a check on whether the replacement changed the isolation method. A guard relocation should not be signed off without confirming the procedure still reads correctly with the guard in its new position.
For the audit-checklist detail, see our guide to conducting a LOTO periodic inspection. The five most common mistakes that surface during these inspections are covered in our piece on five common LOTO mistakes and how to avoid them.
Part 6: Where Digital LOTO Changes the Conversation
Paper procedures decay because the cost of updating them is high and the visibility of decay is low. A procedure printed in a binder in 2022 sits in that binder until someone happens to read it.
Digital procedures version-control automatically. When the document is updated, the previous version is archived and the new one becomes the only one accessible to users at the point of use. QR-code verification at the isolation point catches a different class of error, namely the wrong machine. An operator scanning the tag on the equipment in front of them confirms the procedure they are following is for that equipment, not the sister machine on the next line.
Audit-trail data is the second shift. A digital platform records what was actually done, when, and by whom. The paper sign-off sheet records what someone wrote down. For an auditor, the difference is the difference between a procedure that works and a procedure that exists. Our sister brand Zentri covers this on its digital LOTO platform and on its features page.
Part 7: Where The Lock Box Fits
The procedure tells the authorised employee what to do. The lockout kit gives them the means to do it. The two artefacts have to match, or the procedure gets bypassed at the point of use.
We supply the hardware that sits inside your procedure. For most sites, that means matched sets of LOTO kits built around the energy types your machines actually present, and LOTO padlocks sized and keyed for the team that will apply them.
If you are writing or rewriting procedures and want to standardise kit composition across the site, send us your energy-type breakdown and we will propose a kit standard you can pair with each procedure.
Ready to Standardise Your Procedures?
Contact The Lock Box with your energy-type breakdown by machine, and we will return a kit specification that pairs with each procedure on your site.
For the digital procedure layer that version-controls each ECP and ties audit-trail data to every lock applied, request a Zentri demo.
The point of an energy control procedure is not the document. The point is that the worker doing the maintenance goes home at the end of the shift. A machine-specific procedure that matches the equipment, paired with a lockout kit that matches the procedure, is the only version of this work that actually protects the person on the floor.
References
- OSHA. 29 CFR 1910.147 - The Control of Hazardous Energy (Lockout/Tagout). Occupational Safety and Health Administration. https://www.osha.gov/laws-regs/regulations/standardnumber/1910/1910.147
- OSHA. Top 10 Most Frequently Cited Standards, Fiscal Year 2025. Occupational Safety and Health Administration. https://www.osha.gov/top10citedstandards
- European Union. (2006). Directive 2006/42/EC of the European Parliament and of the Council on machinery. EUR-Lex. https://eur-lex.europa.eu
- International Organization for Standardization. EN ISO 14118: Safety of machinery - Prevention of unexpected start-up. ISO. https://www.iso.org
- Nugent, M. (2026). Why Your Lockout Procedures Stop Matching Reality Within 12 Months. ISHN. https://www.ishn.com/articles/115325-why-your-lockout-procedures-stop-matching-reality-within-12-months
