Lockout/tagout isn't a niche rule. In FY2025 it ranked fourth on OSHA's Top 10 most-cited standards, up a place from the year before, and it has sat in that list for well over a decade. OSHA estimates that following the standard prevents around 120 deaths and 50,000 injuries every year. When employers get it wrong, the cost lands hard: the maximum federal penalty for a willful or repeat violation now sits above $165,000.
The standard itself, 29 CFR 1910.147, is the control of hazardous energy rule. It governs how you isolate machines and equipment before anyone services or maintains them, so stored or restarting energy can't injure the person doing the work. Across federal OSHA and 27 state-plan jurisdictions, our analysis identified 4,771 FY2025 citations under this standard, carrying roughly $21.9 million in penalties (combined public OSHA/DOL data, FY2025). Of those, 156 were repeat citations and 18 were willful.
Here's the part worth sitting with. Most of those citations don't come from exotic failures. They come from a short list of the same gaps, repeated across thousands of sites. This guide walks the standard requirement by requirement, in plain language, and pairs each one with what our enforcement analysis shows employers actually miss.
## When lockout/tagout is required, and when it isn't
The scope clause, 1910.147(a), is where a lot of confusion starts. The standard applies during the servicing and maintenance of machines and equipment where the unexpected start-up, re-energisation, or release of stored energy could injure a worker. If someone has to reach into, clean, unjam, set up, or repair equipment where an energy source could catch them out, lockout/tagout is in play.
Two boundaries matter. Normal production operations generally fall outside the standard. And the minor servicing exception covers small tasks that are routine, repetitive, and integral to production, but only when alternative effective protection is in place. That exception is narrower than people assume, and leaning on it without genuine alternative protection is a common way to end up cited. If you're unclear on where digital energy isolation fits into all this, our overview of [how digital lockout/tagout works in practice](/resources/blog/what-is-digital-loto-how-digital-lockouttagout-works-in-practice) is a good starting point.
## Build a written energy-control programme
Clause (c)(1) is the foundation. It requires an energy-control programme built on three pillars: documented procedures, employee training, and periodic inspection. The programme is the thing OSHA expects to exist as a coherent system, not a folder of disconnected paperwork.
This is where some employers fall at the first hurdle. In our narrative-classified subset (federal OSHA plus Illinois state-plan citations, n=2,095), programme-level failures accounted for 10.7% of citations. These are cases where the underlying system was missing or inadequate, before you even get to how individual procedures were written or used.
## Write energy-control procedures, the biggest single gap
Clause (c)(4) requires documented, machine-specific energy-control procedures. Each procedure has to spell out the scope and purpose, the steps for shutting down and isolating the equipment, the steps for applying and removing isolation devices, and the requirements for testing and verifying that isolation worked.
Procedures are the single largest weak point in the data. Procedure failures made up 31.1% of the classified subset, the top category by a clear margin. Looked at another way, when we indexed each citation by the specific record an inspector couldn't find, missing or inadequate procedure documentation was the gap in 41.1% of cases. Generic, one-size-fits-all procedures are a recurring theme. For the detail on building these properly, see our step-by-step guide to [writing a machine-specific LOTO procedure](/resources/blog/how-to-write-a-machine-specific-loto-procedure-step-by-step), and for the failure patterns to design out, [common 1910.147 failures and how to avoid them](/resources/blog/loto-violations-common-osha-1910147-failures-and-how-to-avoid-them).
## Know exactly who must be trained
The definitions in clause (b), read alongside the training requirements in (c)(7), set out three categories of worker. Authorised employees are the ones who actually apply locks and tags and perform the energy isolation. Affected employees operate or work near the equipment but don't perform the lockout themselves. Other employees simply need to recognise that a lockout is in force and leave it alone.
Each group needs training matched to its role, and retraining is triggered by changes to procedures, equipment, or job assignment, or whenever an inspection turns up gaps in someone's understanding. Training failures accounted for 18.4% of the classified subset. A frequent pattern is sites that train authorised employees reasonably well but never properly brief affected and other employees on what a lockout means for them.
## Use lockout hardware that meets the standard
Clause (c)(5) sets requirements for the locks, tags, and other devices themselves. They have to be durable enough for the environment they're used in, standardised by colour, shape, or size across the site, and substantial enough that they can't be removed without deliberate force. They also have to be identifiable, so anyone can see whose lock is on a device and that it means do not operate. Tags carry extra requirements, because a tag only warns. It doesn't physically stop the equipment being energised.
Hardware failures made up 2.3% of the classified subset. They're often the quiet result of improvised kit: a personal padlock pressed into service, tags faded past the point of legibility, or devices that don't actually fit the energy-isolating points on the equipment. The fix is cheap relative to the risk, which is what makes this category frustrating to see in the data at all.
## Apply and remove isolation in the right sequence
Clause (d) lays out the application sequence, and the order isn't optional. It runs: prepare for shutdown, shut the machine down, isolate every energy source, apply your locks and tags, control any stored or residual energy, then verify a zero-energy state before work begins. That final step, often called the try step, is where you confirm isolation actually held rather than assuming it did.
Clause (e) covers release: inspect the work area, confirm everyone is clear, remove the devices in order, and notify affected employees before re-energising. Execution failures, where the procedure existed but wasn't followed correctly in the field, made up 18.6% of the classified subset, and execution was the missing evidence in 21.7% of cases. Our [pre-execution and post-execution checklist](/resources/blog/loto-execution-checklist-pre-execution-and-post-execution-checks) breaks this sequence down into the checks that catch the common slips.
## Run the annual periodic inspection
Clause (c)(6) requires a periodic inspection of your energy-control procedures at least once a year. It has to be carried out by an authorised employee who isn't using the procedure being inspected, and you have to certify that it happened, naming the procedure, the date, the employees involved, and the inspector.
Inspection failures came in at 14.7% of the classified subset. The annual inspection is easy to skip because nothing breaks when you miss it, right up until an incident or an audit exposes that procedures drifted out of date with the equipment they describe. Our piece on running a [periodic LOTO review that proves procedures work](/resources/blog/periodic-loto-review-prove-procedures-work) covers how to make the inspection meaningful rather than a box-tick.
## Handle group lockout, contractors, and shift handovers
Clause (f) adds requirements for the harder cases. Group lockout under (f)(3) covers situations where several authorised employees work under one isolation, and it has to give each worker the same protection they'd have with a personal lock. Shift and personnel changes under (f)(4) require continuity of protection so a lockout doesn't lapse when one crew hands over to the next.
Outside personnel are the other case worth flagging. Clause (f)(2) requires that you and any contractors working on your equipment inform each other of your respective lockout/tagout procedures, so neither side is caught out by the other's locks. Contractor-coordination citations were a small slice of the data at 0.9% of the classified subset, but they carried a higher median penalty than the dataset as a whole. That fits the pattern you'd expect: when a contractor and a host employer each assume the other has isolated the equipment, the gap between them tends to surface in a serious way.
Group-control failures made up 2.5% of the classified subset. The risk in all of these (f) cases is concentrated, because when shared control breaks down, more than one person can be exposed at once. We go deeper on the multi-person side in our guide to [managing multi-person LOTO without losing visibility](/resources/blog/group-lockouttagout-how-to-manage-multi-person-loto-without-losing-visibility).
## What the enforcement record really shows
Step back from the individual clauses and a clear shape emerges. The two largest evidence gaps, missing procedure documentation (41.1%) and missing proof of correct execution (21.7%), together account for nearly two-thirds of the classified citations. The most severe cases bear this out too: 58 citations in the subset involved an injury described in the narrative. The median penalty across the subset was $4,600, which tells you most of these aren't headline-grabbing willful cases. They're routine, preventable lapses that add up.
The throughline is that 1910.147 compliance is mostly a documentation and observability problem. Can you produce the right machine-specific procedure on demand? Can you show that the isolation steps were actually carried out, by whom, and when? Sites that can answer both questions tend to stay out of the citation data. That's exactly the gap a digital energy-isolation system is built to close, with machine-specific procedures, a verifiable application sequence, and an audit log of who did what. If a compliance review is on your horizon, our [LOTO audit preparation checklist](/resources/blog/how-to-prepare-for-a-loto-audit-compliance-checklist) is a practical place to pressure-test where you stand, and you can see how the full lifecycle fits together on our [lockout/tagout platform page](/lockout-tagout).
---
### A note on the data and method
The FY2025 figures in this article come from public OSHA enforcement records and public OSHA violation-detail pages, classified by Zentri under a published, deterministic rule set. To check the classification holds up, a second reviewer applied the same published rule to a fresh sample of citations without seeing the first reviewer's results. That blind check returned agreement scores (Cohen's κ) of 1.000 on failure category, 0.818 on evidence gap, and 0.931 on severity.
Dataset-wide totals cover federal OSHA and 27 state-plan jurisdictions. The requirement-by-requirement percentages cover the narrative-classified subset (federal OSHA and Illinois state-plan citations, n=2,095), because reliable narrative detail isn't available for the other state plans.
> This analysis uses public OSHA/DOL enforcement data and public OSHA violation-detail pages. Citation records may be contested, amended, settled, withdrawn, or updated after publication. Zentri has normalized and classified public records for research purposes; the analysis should not be read as legal findings beyond the underlying OSHA records.
**Sources:** OSHA Top 10 Most Frequently Cited Standards, FY2025; 29 CFR 1910.147 regulation text and OSHA Control of Hazardous Energy guidance; Zentri FY2025 OSHA enforcement analysis.
---
*Written by Matthew Nugent, co-founder of Zentri. A chemical engineer with ten years of industrial process operations experience, Matthew works on closing the gap between how energy-control procedures are written and how they actually hold up on the floor.*
