Technical Summary
Key takeaways:

The article emphasizes that the proper energy isolation and dissipation system must be defined at the start of the project. The stop function alone is not sufficient if there is any way for hazardous motion to arise without deliberate human action.

  • ISO 14118 concerns the prevention of unexpected start-up, not just main disconnection or drive stoppage.
  • The key is to distinguish between these questions: what must be stopped, what must be isolated, and what must be kept in a safe state during entry into the zone.
  • The risk includes residual energy, automatic restoration of power, gravity, and restart after clearing the fault.
  • Late decisions on energy isolation usually increase costs due to changes to the control system, pneumatics, hydraulics, and documentation.
  • The standard should be read together with the risk assessment, and the responsibilities of the supplier, integrator, and user should be clearly defined.

Why this matters today

Protection against unexpected start-up is no longer a minor implementation detail that can be left until the end of a project. In practice, the decision on how to isolate and dissipate energy, and how to confirm a safe state during changeovers, cleaning, jam clearing, and service work, affects personnel safety, the control system architecture, the machine acceptance process, and the responsibilities of the manufacturer or integrator all at once. If this issue is treated only as a matter of the “main switch” or simply stopping the drive, the project usually ends up being reworked: additional valves, interlocks, isolation points, changes to control sequences, and revisions to the technical documentation become necessary. These are not cost-neutral changes. Most often, they mean a delayed commissioning date, disputes over the scope of supply, and greater difficulty justifying the selected protective measures during conformity assessment.

The reason is simple: unexpected start-up rarely results from a single error. It is usually the consequence of a flawed design assumption that stopping motion is equivalent to removing the hazard. In many machines, however, the real issue is residual energy, automatic restoration of the power supply, components dropping under gravity, restart after fault reset, or intervention from several independent control sources. For the design team, this means separating three questions that are often confused in practice: what must be stopped, what must be isolated, and what must be kept in a safe state for the entire time a person is inside the hazard zone. This is exactly where decisions are made that later determine the cost of the cabinet, pneumatics, hydraulics, service procedures, and validation.

At this stage, the most useful decision criterion is this: once a person has entered the hazard zone, is there any path by which hazardous motion can arise without their deliberate action and outside their control? If the answer is not an unequivocal no, functional stopping alone is not enough, and energy isolation, together with protection against its unintended restoration, must be analysed. This is best assessed not by declaration, but by observable design indicators: the number of energy sources requiring isolation, the time needed to reach a safe state, the method used to confirm loss of energy, the number of operator interventions performed outside production mode, and the number of places where personnel are tempted to “bypass” the safeguard because the correct procedure is too slow or too burdensome. That last point naturally connects with the issue of safeguard tampering and bypassing, because poorly selected energy isolation very often does not remove the problem, but merely shifts it into day-to-day operation.

A good example is a station with a movable guard where opening the guard stops the drive, but a vertical actuator remains pressurised and the system returns to the automatic cycle once the guard is closed. Formally, the operator “should not” reach further into the zone, but in reality they will remove a part, clean a sensor, or correct the gripper position. If, in such a scenario, no controlled energy isolation and dissipation has been provided, together with conditions for restart, the hazard arises not during normal production but during these short, repetitive interventions. From a design perspective, this is the point at which it must be decided whether the problem is properly addressed by a well-designed energy isolation system, or whether it moves into the area of interlocking devices with guard locking and limiting the possibility of bypassing. If the assumptions about use are unclear, the answer does not come from intuition, but from a sound risk assessment carried out in accordance with ISO 12100, applied in a practical way and taking real machine tasks into account.

Only in that context do the requirements of ISO 14118 make proper sense. The standard does not replace risk assessment and does not provide a single universal energy isolation scheme; instead, it structures the way of thinking about preventing unexpected start-up in foreseeable operating states and interventions. In practice, it should be read together with risk assessment carried out in accordance with ISO 12100 and, where guards and interlocks are involved, with the requirements for limiting tampering. This also matters from a responsibility standpoint: if the machine is supplied as an assembly, a line, or an incomplete machine intended for integration, the boundaries of responsibility for energy isolation functions must be described precisely enough to avoid a gap between suppliers. That is why this issue requires decisions now, not after installation: adding “safe isolation” late to a finished concept almost always costs more than defining it correctly at the start.

Where cost or risk most often increases

In projects aimed at preventing unexpected start-up, costs rarely increase because someone “added too much safety.” Much more often, the problem starts with the wrong question being asked at the outset: whether energy needs to be isolated, which energy sources actually need to be dissipated, who performs the task, and what state the machine must remain in after the intervention. If these assumptions are not defined clearly enough, the team designs a solution that appears simple, only to revisit it after acceptance testing, following user comments, or after analysing an accident scenario. That is when the most expensive corrections arise: changes to the control architecture, rework of the pneumatic or hydraulic system, additional equipment in the cabinets, new procedures, and renewed agreement on responsibilities between the machine supplier, the integrator, and the end user. In practice, the assessment criterion is clear: if the team cannot describe the required energy state of the machine for a specific intervention task, the decision on how to isolate energy is still premature.

A second source of cost is treating energy isolation as nothing more than stopping movement. This mistake is especially common where more than one medium is present or where energy is stored: residual pressure, components dropping under gravity, inertial movement, springs, hydraulic accumulators, and drives that hold position. In such systems, “switching off” does not necessarily mean a safe condition for the person carrying out changeover, cleaning, or jam clearing. The design implication is straightforward: if the isolation function does not include dissipation of residual energy or controlled maintenance of a safe state, you should expect not only installation rework but also liability for incorrectly defined limits of use. In practice, it is worth assessing three things before approving the concept: whether any energy capable of causing movement remains after isolation, whether the operator can verify this without removing guards, and whether restoring the power supply automatically recreates the possibility of start-up.

A typical example is a station with pneumatic drives where a central shut-off valve was assumed to be sufficient. On the schematic, this looks correct, but in operation it turns out that some actuators hold position because pressure is trapped locally, and after the supply is restored the system returns to a ready state faster than the personnel task sequence allows for. At that point, the cost does not arise solely from adding venting valves or mechanical restraints. It also includes a delay in acceptance, documentation updates, renewed verification of the control logic, and sometimes changes to instructions and training. This is exactly the point at which the issue moves from simple selection of an isolating device into the area of practical risk assessment: the analysis must address the actual tasks, foreseeable human error, and the way access to the hazardous area is gained. In hydraulic systems, there is the additional question of whether dissipating energy reduces load stability; in that case, the design decision must be considered together with the requirements for safe guidance and pressure retention in the system.

Only at this stage does reference to ISO 14118 bring order to the decision, but it does not replace it. The standard points in the right direction: prevent unexpected start-up through proper energy isolation, dissipation, or control, and through organisational and technical measures appropriate to the foreseeable interventions. However, if the disagreement within the team is about whether a given task is “servicing with the machine stopped” or already an intervention requiring full energy isolation, that is a sign that the team needs to return to the risk assessment methodology according to ISO 12100, rather than looking for the answer in the schematic alone. Likewise, when the solution relies on opening a guard and blocking access, a second problem quickly appears: whether the design encourages bypassing the safeguard because the isolation procedure is too slow or too burdensome. At that point, the discussion naturally extends to limiting tampering with safeguards. For the project manager, the key decision criterion is therefore not “which device should be used,” but “does the chosen isolation method provide a repeatable, verifiable safe state for the specific task and the specific access method?” If the answer is not clear, costs will rise later, usually at a less controllable stage of the project.

How to approach the issue in practice

In practice, protection against unexpected start-up does not begin with selecting a disconnect switch, valve, or shutdown procedure. It starts with a clear decision on which interventions will actually be carried out on the machine and what technical state the machine must be in when they are performed. That decision directly affects the system architecture, the scope of documentation, commissioning time, and the responsibilities of the manufacturer or integrator. If the project team adopts assumptions that are too lenient and treats a service task as routine work on a stopped machine, the risk will resurface during acceptance, validation, or after the machine has already been handed over for operation. On the other hand, if the assumptions are overly restrictive, costs will rise due to more extensive isolation systems, additional devices, more complex sequences, and reduced technical availability. That is why there should be one practical decision criterion: for the specific task, can a safe state be achieved and verified that eliminates the possibility of unintended movement and uncontrolled energy release?

This means the manager or product owner should require the team to describe the task not in terms of machine functions, but in terms of access and energy. You need to know who enters the zone, what they touch, which guards they open, which drives may still produce residual movement, and where pressure, gravitational support, or stored energy in elastic components remains present. Only then can you determine whether isolating one medium is sufficient, or whether several energy sources must be isolated together with energy dissipation and protection against re-energization. At this point, the issue naturally moves into hazard identification according to ISO 12100: if the dispute concerns the boundary between “stopping for intervention” and “work requiring full isolation,” then it is no longer a matter of the switching device itself, but of hazard classification, foreseeable use, and incorrectly assumed user behaviour.

A good example is a station with an electric drive and pneumatic actuators, where the operator periodically reaches in to clear a material jam. Formally, the machine may be stopped, but that alone does not mean the intervention is safe. If pressure remains after stopping that can move a working element, or if the drive can be reactivated by the control system, then a simple “stop” command does not solve the problem. The design decision should therefore answer not only how to isolate the energy, but also how the user will recognize that the safe state has actually been achieved and maintained. If the required procedure is long, inconvenient, or unclear, the risk of bypassing safeguards increases, which creates an additional design problem related to tampering resistance. That usually costs more than identifying the situation correctly at the outset, because later corrections no longer involve a single device, but the control logic, guards, instructions, and validation.

Before the concept is approved, the team should therefore be able to answer three questions for each intended task:

  • whether the isolation covers all energy sources that could cause movement or release a hazard,
  • whether the safe state is visible or otherwise clearly verifiable,
  • whether re-energization requires deliberate action and will not occur automatically when the power supply is restored.

Only after this has been structured does it make sense to move on to normative references. If the protective measure relies on a function implemented by the control system rather than solely on mechanical energy isolation, the issue falls within the requirements for safety functions and their reliability. If, on the other hand, the key question is whether a given intervention requires full isolation or whether another protective method is acceptable, then a return to methodical risk assessment according to ISO 12100 is necessary. In design practice, these are not separate worlds, but successive layers of the same decision. ISO 14118 structures the way of thinking about isolation and prevention of unexpected start-up, but it does not relieve the team of the need to demonstrate that the solution is adequate for the intended task, resistant to typical bypasses, and capable of being validated without leaving “grey areas” of responsibility.
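As an added illustration that is not part of the original article, the decision criterion above ("is there any path by which hazardous motion can arise without deliberate action?") can be written down as a per-task check that also reports the indicators the text names: the sources needing isolation and whether the safe state is verifiable. The attribute names and the two scenarios (the movable-guard station as built, and the same station with a vent valve, pressure indicator and manual reset) are assumptions modelled on the example in the text, not taken from ISO 14118.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class EnergySource:
    name: str
    removed_by_stop: bool      # the stop function itself removes this source
    stores_energy: bool        # trapped pressure, raised load, spring, accumulator
    isolation_provided: bool   # isolation + dissipation/restraint is applied for the task
    state_verifiable: bool     # loss of energy can be confirmed without removing guards
    auto_restores: bool        # supply restoration recreates start-up without deliberate action


@dataclass
class Intervention:
    name: str
    person_in_zone: bool
    sources: List[EnergySource]


def hazardous_paths(task: Intervention) -> List[str]:
    """Every path by which hazardous motion could arise while a person is in the zone."""
    paths: List[str] = []
    if not task.person_in_zone:
        return paths
    for s in task.sources:
        if not s.removed_by_stop and not s.isolation_provided:
            paths.append(f"{s.name}: can still produce motion during the intervention")
        if s.stores_energy and not s.isolation_provided:
            paths.append(f"{s.name}: stored energy is not dissipated or restrained")
        if (s.stores_energy or not s.removed_by_stop) and not s.state_verifiable:
            paths.append(f"{s.name}: safe state cannot be confirmed without removing guards")
        if s.auto_restores:
            paths.append(f"{s.name}: re-energisation does not require deliberate action")
    return paths


def assess(task: Intervention) -> Dict[str, object]:
    """Verdict plus the design indicators a reviewer would ask for."""
    paths = hazardous_paths(task)
    needs_isolation = [s.name for s in task.sources if not s.removed_by_stop or s.stores_energy]
    verdict = ("safe state achievable and verifiable for this task" if not paths
               else "not demonstrated: resolve the listed paths before approval")
    return {"task": task.name, "verdict": verdict,
            "sources_requiring_isolation": needs_isolation, "hazardous_paths": paths}


# Constructed scenario: guard opening stops the drive, vertical actuator stays pressurised,
# automatic cycle resumes as soon as the guard is closed.
GUARD_STATION_AS_BUILT = Intervention("clear part / clean sensor", True, [
    EnergySource("electric drive", True, False, False, True, True),
    EnergySource("vertical pneumatic actuator", False, True, False, False, True),
])
# Same station after adding a vent valve with pressure indicator and a manual reset.
GUARD_STATION_CORRECTED = Intervention("clear part / clean sensor", True, [
    EnergySource("electric drive", True, False, False, True, False),
    EnergySource("vertical pneumatic actuator", False, True, True, True, False),
])

if __name__ == "__main__":
    for scenario in (GUARD_STATION_AS_BUILT, GUARD_STATION_CORRECTED):
        print(assess(scenario))
```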

What to watch out for during implementation

The most common mistake when implementing protection against unexpected start-up is treating energy isolation as a simple matter of selecting a device, when in reality it is a decision about the boundaries of operational, maintenance, and design responsibility. If the solution does not clearly define who may enter the hazardous area, when, and in what machine condition, then even a technically correct isolation system does not eliminate the risk. The impact on the project is usually costly: late documentation changes, retrofitting control cabinets, changes to control logic, and ultimately a dispute over whether the manufacturer anticipated the correct method of intervention. The practical assessment criterion here is simple: before approving the solution, it must be possible to demonstrate for every intended task whether the isolation actually eliminates the possibility of movement, energy release, or restoration of operation without deliberate human action.

At the design stage, “almost sufficient” solutions are particularly dangerous, meaning those that disconnect the main power supply but leave auxiliary energy sources, stored energy, or the possibility of externally induced movement. In practice, this applies to pneumatic systems with residual pressure, vertical axes held by a brake, components with inertia, holding circuits, and drives that return to an automatic sequence when power is restored. If these effects are not identified at the outset, the cost does not arise only from purchasing additional components. Commissioning and validation costs also increase, because the team must prove the safety of a solution whose architecture never covered all boundary conditions in the first place. A good decision-making measure here is not the number of isolators used, but the number of energy sources and operating modes for which the team can describe the path to a safe state and the method of confirming that this state has been achieved.

A good example of a practical trap is a service intervention that formally does not require going “deep” into the machine, but does require opening a guard and reaching into an area where an auxiliary drive remains active or movement can still result from the control sequence. In such cases, the decision about energy isolation alone quickly extends into two adjacent areas. First, it is necessary to return to a methodical risk assessment under ISO 12100 for the specific task, because that is what determines whether full isolation of all energy sources is necessary or whether an equivalent protective measure can be justified. Second, if operators or maintenance personnel regularly bypass the intended procedure, the issue is no longer solely a matter of ISO 14118 and moves into the area of guard bypassing and tampering. This matters from a liability perspective: a solution that works only if the user behaves in a way that is unlikely in real operation is weak not because it is non-compliant “on paper,” but because the design failed to account for foreseeable human behaviour.

That is precisely why reference to ISO 14118 should come at the end, as a way to structure the decision, not as a substitute for analysis. If the key question is whether a given intervention requires full isolation of all energy sources, the proper next step is risk assessment under ISO 12100, and in more complex cases also the practical risk estimation approach described in supporting documents. If, on the other hand, the problem becomes the solution’s vulnerability to deliberate bypassing, the natural complement is the area of interlocking devices according to ISO 14119 and anti-tampering measures. For the design team, this means one thing: the decision on the isolation system should be approved only when it can be defended simultaneously on technical, organisational, and operational grounds. Otherwise, the saving made at the beginning can very easily turn into a delayed acceptance, the cost of rework, or liability that is difficult for the manufacturer or integrator to deflect.

Protection against unexpected start-up (ISO 14118) – analysis of energy isolation systems

The standard structures the approach to preventing unexpected machine start-up during foreseeable operating conditions and interventions. It does not replace risk assessment or impose a single universal solution.

Not always. Stopping motion does not necessarily eliminate the hazard if residual energy remains, power can be restored automatically, or components can fall under the force of gravity.

It must be determined separately what needs to be stopped, what must be isolated, and what has to remain in a safe state for as long as a person is present in the hazard zone. Mixing these issues usually leads to costly rework.

Most often when energy isolation is addressed too late or too broadly. This can lead to changes to the control system, pneumatics, hydraulics, documentation, and the allocation of responsibilities between suppliers.

It starts with a sound risk assessment that takes into account the actual tasks involved, such as changeovers, cleaning, jam clearing, and servicing. Only then can the required machine energy state for a specific intervention be defined in a meaningful way.
