A Design of A Digital Lockout Tagout System With Machine Learning


A DESIGN OF A DIGITAL LOCKOUT TAGOUT SYSTEM WITH MACHINE LEARNING

A Thesis

presented to

the Faculty of California Polytechnic State University,

San Luis Obispo

In Partial Fulfillment

of the Requirements for the Degree

Master of Science in Computer Science

by

Brandon H Chen

December 2022
© 2022
Brandon H Chen
ALL RIGHTS RESERVED

COMMITTEE MEMBERSHIP

TITLE: A Design of a Digital Lockout Tagout System with Machine Learning

AUTHOR: Brandon H Chen

DATE SUBMITTED: December 2022

COMMITTEE CHAIR: Phoenix Fang, Ph.D.

Professor of Computer Science

COMMITTEE MEMBER: Franz Kurfess, Ph.D.

Professor of Computer Science

COMMITTEE MEMBER: Bruno Silva, Ph.D.

Professor of Computer Science

ABSTRACT

A Design of a Digital Lockout Tagout System with Machine Learning

Brandon H Chen

Lockout Tagout (LOTO) is a safety procedure instated by the Occupational Safety and Health Administration (OSHA) for maintenance on dangerous machinery and hazardous power sources. In this procedure, authorized workers shut off the machinery and use physical locks and tags to prevent operation during maintenance. LOTO has been the industry standard for the 32 years since it was introduced, and it is used in many different industries such as industrial work, mining, and agriculture. However, LOTO is not without its issues. The LOTO procedure requires employees to be trained and is prone to human error. There is also a clash between the technological advancement of machinery and the physical locks and tags required for LOTO. In this thesis, we propose a digital LOTO system to help streamline the LOTO procedure and increase the safety of workers with machine learning. We first discuss what LOTO is, its current requirements, limitations, and issues. Then we look at current IoT locks and digital LOTO solutions and compare them to the requirements of traditional LOTO. We then present our proposed digital LOTO system, which enhances the safety of workers and streamlines the LOTO process with machine learning. Our digital LOTO system uses a rule-based system that enforces and streamlines the LOTO procedure and uses machine learning to detect potential violations of LOTO standards. We also validate that our system fulfills the requirements of LOTO and that the combination of machine learning and rule-based systems ensures the safety of workers by detecting violations with high accuracy. Finally, we discuss potential future work and improvements on this system, as this thesis is part of a larger collaboration with Chevron, which plans to implement a digital LOTO system in their oil fields.

ACKNOWLEDGMENTS

Thanks to:

• Dr. Phoenix Fang for guidance and support as my thesis advisor, as well as for pushing me and lifting me up when I was unsure if I could finish.

• Dr. Franz Kurfess for joining my committee and providing valuable input, as well as introducing me to this topic and Dr. Fang.

• Dr. Bruno C. da Silva for joining my committee and providing valuable input.

• Dr. Dev Sisodia for attending my defense and providing valuable input.

• My family for their support on everything.

TABLE OF CONTENTS

Page

LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

CHAPTER

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.3 Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.4 Organization of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Traditional Lockout Tagout . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.1 The Lockout Tagout (LOTO) Procedure . . . . . . . . . . . . . . . . 6

2.2 Standards of LOTO . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.3 The Limitations of LOTO . . . . . . . . . . . . . . . . . . . . . . . . 12

2.4 The Trend of Traditional Lockout Tagout . . . . . . . . . . . . . . . . 13

3 Related Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.1 Smart Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.2 IoT Inspired Lockout Tagout . . . . . . . . . . . . . . . . . . . . . . . 18

3.3 Potential Security Risks . . . . . . . . . . . . . . . . . . . . . . . . . 20

4 System Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.1 Expected Functionalities of the Digital LOTO System . . . . . . . . . 23

4.2 System Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4.2.1 Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4.2.2 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.2.3 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

4.2.4 Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

5.1 Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

5.2 Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

5.2.1 Client-Server Architecture . . . . . . . . . . . . . . . . . . . . 35

5.2.2 Request Processing . . . . . . . . . . . . . . . . . . . . . . . . 36

5.2.3 Accessing the Database . . . . . . . . . . . . . . . . . . . . . . 37

5.2.4 Rule Sets for Isolation Plans . . . . . . . . . . . . . . . . . . . 37

5.2.5 Anomaly Detection . . . . . . . . . . . . . . . . . . . . . . . . 38

5.3 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.4 Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

6 Validation of Features, Simulation Design, and Results . . . . . . . . . . . 41

6.1 Validating Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

6.2 Machine Learning Experiment . . . . . . . . . . . . . . . . . . . . . . 42

6.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

7 Conclusion and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . 46

7.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

7.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

7.2.1 Limitations of the Simulation . . . . . . . . . . . . . . . . . . 48

7.2.2 Separation of Lock History and Isolation Plans . . . . . . . . . 48

7.2.3 Rule-Based System . . . . . . . . . . . . . . . . . . . . . . . . 48

7.2.4 Machine Learning . . . . . . . . . . . . . . . . . . . . . . . . . 49

7.2.5 Security and Privacy . . . . . . . . . . . . . . . . . . . . . . . 49

7.2.6 Fault Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . 50

7.2.7 Practical Implementation . . . . . . . . . . . . . . . . . . . . . 50

BIBLIOGRAPHY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

LIST OF TABLES

Table Page

2.1 Top Lockout Tagout Challenges from E-Square Alliance [34] . . . . 13

4.1 Table of LOTO Streamlining Features . . . . . . . . . . . . . . . . 25

4.2 Table of LOTO Security Features . . . . . . . . . . . . . . . . . . . 25

6.1 List of Feature Tests to the System Features . . . . . . . . . . . . . 43

6.2 Measurements of Precision, Recall and F1 of the Rule-Based and ML Based Systems . . . . . 44

6.3 Confusion Matrices for Rule-Based, Machine Learning, and Combined Systems . . . . . 44

LIST OF FIGURES

Figure Page

1.1 Various Usages of LOTO . . . . . . . . . . . . . . . . . . . . . . . 2

1.2 Example of Lockout Tagout Devices [36] . . . . . . . . . . . . . . . 3

2.1 The Standard Lockout Tagout Procedure [19] . . . . . . . . . . . . 8

2.2 The 4 Types of Devices Used in Lockout Tagout [12] . . . . . . . . 11

2.3 Example of a Smart Lock System Designated for LOTO, Produced by EgeeTouch [9] . . . . . 15

3.1 A Comparison Between Requirements for LOTO and Additional LOTO-Based Functionalities are Compared to the Functions of Typical Market Smart Locks [26, 25, 17] . . . . . 20

3.2 Consumer IoT Security Attacks, Device Vulnerabilities and Potential Countermeasures [2] . . . . . 21

4.1 General LOTO System Overview . . . . . . . . . . . . . . . . . . . 26

4.2 Database Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4.3 Unlock Request Flow . . . . . . . . . . . . . . . . . . . . . . . . . . 30

5.1 Figure of the DBSCAN Algorithm [31] . . . . . . . . . . . . . . . . 39

Chapter 1

INTRODUCTION

1.1 Background

In industrial worksites, safety is of the utmost importance. To ensure the safety of industrial site workers, the US Occupational Safety and Health Administration (OSHA) [26] has created safety protocols and requires employers to enforce these policies so that workers do not get hurt. Lockout Tagout (LOTO) is the OSHA safety protocol used in industry and research when doing maintenance on dangerous machinery or hazardous power sources. The procedure typically uses traditional locks and tags to prevent the operation of the equipment while the maintenance or inspection is being conducted. It ensures that these machines are properly shut off and cannot be started back up while maintenance is being done on them. There are also restrictions on hazardous materials for power sources, to ensure they are isolated and inoperative while work is being done. The protocol typically follows this flow: announce the shut-off; identify the energy sources; isolate those energy sources; lock and tag the sources and operational interfaces; prove that the equipment isolation is effective; start maintenance. Once maintenance is done, unlock the sources and remove the tags. There are also restrictions on who can perform the procedure: only qualified and authorized individuals are allowed to take part, and proper personal protective equipment (PPE) must be used [29].

LOTO has a myriad of use cases and is used in every industry that deals with heavy machinery and hazardous energy sources. It is a universal safety procedure that OSHA requires in many areas. Uses of LOTO include [7]:

• Entering a site with moving machine parts or hazardous energy;

• Fixing damaged or clogged machines: broken parts often require someone to reach in and replace them, exposing them to risk if the machine starts again;

• Handling hazardous energy: most commonly done when doing electrical work, where turning on the system poses great risk to the workers.

Entering a work site with moving machine parts covers many different work sites. Examples include manufacturing sites with robotic arms, moving welding devices, and cutting devices. These sites are found in many different industries, such as agriculture, mining, and manufacturing. LOTO is used in many different areas, and it saves many lives.

Figure 1.1: Various Usages of LOTO

Figure 1.2: Example of Lockout Tagout Devices [36]

While the industry continues to advance and international agencies continue to update regulations according to this advancement, the LOTO protocol remains common practice using old manual locks and tags [6]. There have been some efforts to improve the protocol with modern technology, but it is still a largely unexplored area, and it introduces new issues such as security risks. The list of possible technologies includes, but is not limited to, IoT devices, smart locks, cloud computing, and mobile devices that can access smart locks. In this thesis, I suggest a smart lock system that both solves the current issues with Lockout Tagout technology and streamlines the process to improve worker safety.

1.2 Motivation

As machines used in construction, industrial and agricultural systems become more complex, it is important to improve the safety systems that protect workers from harm. Despite being the standard for safety for over 30 years, LOTO has not changed to accommodate advancements in technology. Even today, there are many areas where basic physical locks are still used for LOTO. Most injuries and accidents that happen during LOTO are due to human error: while employees can be trained to perform LOTO, they can still perform it incorrectly because of human error or insufficient training. A system that streamlines most of the process and ensures that proper LOTO is performed would reduce the margin for human error and greatly increase the safety of the employees involved.

While there has been some research into solutions to this issue, the field is mostly unexplored. Also, most commercial products are not suitable for LOTO, as they only provide some streamlining of the LOTO process, do not increase safety by ensuring proper LOTO, and are prone to security vulnerabilities. I look to design a secure IoT lock system that fulfills LOTO requirements, streamlines the LOTO procedure, and enhances safety. I worked with companies from industries that frequently utilize LOTO, such as Chevron, to ensure that it meets industry standards. In the end, I hope to create a secure system that ensures the safety of workers by ensuring correct LOTO procedures and reduces the burden on them by streamlining the process.

1.3 Contribution

In this master’s thesis, I present a study of the procedure for Lockout Tagout and of the IoT locks on the market. Using these studies, I design a digital lock system that fulfills the needs of the procedure while also incorporating IoT and machine learning to improve safety by detecting potential violations and streamlining the process. The contributions of this project are summarized as follows:

• Identify the restrictions of traditional LOTO and the advantages of digital LOTO;

• Investigate the current state of digital LOTO on the market and in academia, and whether these solutions meet LOTO standards;

• Design a digital LOTO system that fulfills the standard LOTO requirements;

• Apply machine learning to detect potential operational violations;

• Design an experiment to test our design and analyze the results;

• Identify the limitations of this work and propose future work.

1.4 Organization of Thesis

This thesis is organized into 7 chapters. In Chapter 2, I cover the details of LOTO, such as the procedure, the standards of LOTO, and the limitations of LOTO. I also cover some of the current trends of LOTO and its movement towards digitization. Chapter 3 goes over works related to this thesis, such as IoT locks and current market smart locks. I cover the system design in Chapter 4, going in depth into the features and how they would improve performing the LOTO procedure. Chapter 5 covers how I implement these features in a simulation. Chapter 6 covers the validation of the features in my system and the results of the tests and experiments used for the validation. Chapter 7 concludes with ways to improve this system and future work, as this thesis is part of a larger collaboration with Chevron to implement a LOTO system.
Chapter 2

TRADITIONAL LOCKOUT TAGOUT

In this chapter, we introduce the traditional LOTO procedure and standards. We then go over the limitations of LOTO and the trend of traditional LOTO.

2.1 The Lockout Tagout (LOTO) Procedure

To understand Lockout Tagout (LOTO) and its importance, I looked at the LOTO specifications according to OSHA. OSHA’s web tutorial defines lockout, tagout, and their respective devices as follows: lockout is the placement of a lockout device on an energy isolating device, to ensure that the energy isolating device and the machine being maintained cannot be operated during that maintenance. Tagout is the placement of a tagout device on the energy isolating device to indicate that the machine and the device cannot be operated during maintenance [26]. In the case of being unable to lock out the device, employees must securely fasten a tagout device on the energy isolating device and make sure it is in an obvious, visible place. The following is a generalized LOTO procedure, taken directly from OSHA’s site [26]:

The procedure for locking the equipment is as follows:

1. Notify all affected employees that servicing or maintenance is required on a machine or equipment and that the machine or equipment must be shut down and locked out to perform the servicing or maintenance.

2. The authorized employee shall refer to the company procedure to identify the type and magnitude of the energy that the machine or equipment utilizes, shall understand the hazards of the energy, and shall know the methods to control the energy.

3. If the machine or equipment is operating, shut it down by the normal stopping procedure (depress the stop button, open the switch, close the valve, etc.).

4. De-activate the energy isolating device(s) so that the machine or equipment is isolated from the energy source(s).

5. Lock out the energy isolating device(s) with assigned individual lock(s).

6. Stored or residual energy (such as that in capacitors, springs, elevated machine members, rotating flywheels, hydraulic systems, and air, gas, steam, or water pressure, etc.) must be dissipated or restrained by methods such as grounding, repositioning, blocking, bleeding down, etc.

7. Ensure that the equipment is disconnected from the energy source(s) by first checking that no personnel are exposed, then verify the isolation of the equipment by operating the push button or other normal operating control(s) or by testing to make certain the equipment will not operate. (Caution: Return operating control(s) to neutral or "off" position after verifying the isolation of the equipment.)

8. The machine or equipment is now locked out.

The procedure for restoring the equipment is as follows:

1. Check the machine or equipment and the immediate area around the machine to ensure that nonessential items have been removed and that the machine or equipment components are operationally intact.

2. Check the work area to ensure that all employees have been safely positioned or removed from the area.

3. Verify that the controls are neutral.

4. Remove the lockout devices and re-energize the machine or equipment. Note: The removal of some forms of blocking may require re-energizing of the machine before safe removal.

5. Notify affected employees that the servicing or maintenance is completed and the machine or equipment is ready for use.

Figure 2.1: The Standard Lockout Tagout Procedure [19]

To understand why LOTO is important and why we need better equipment to improve safety, we can look at OSHA’s standards for LOTO. Generally, LOTO is used on dangerous machinery and hazardous energy. Hazardous energy in OSHA’s standards is all energy stored in machinery, including but not limited to the following: electrical, mechanical, hydraulic, pneumatic, chemical, and thermal energy. During maintenance of machines, the unexpected release of stored energy or start-up of the machine can cause serious or fatal injuries to workers, such as burns, lacerations, electrocution, and many more. OSHA gives the following examples. “A steam valve is automatically turned on, burning workers who are repairing a downstream connection in the piping. A jammed conveyor system suddenly releases, crushing a worker who is trying to clear the jam. Internal wiring on a piece of factory equipment electrically shorts, shocking the worker who is repairing the equipment [26].” According to OSHA’s standards page, proper LOTO practices and procedures safeguard these workers from harm; employers must properly train their employees in these procedures, and only these authorized, trained employees can perform LOTO.

2.2 Standards of LOTO

LOTO has a list of standards that apply to most operations where the start-up or energizing of a device can harm employees. The following operations are specified as exceptions from these standards [12, 29]:

• Construction, agriculture, and maritime operations;

• Installations for private/exclusive electric utilities;

• Work on cord-and-plug equipment where the authorized employee has exclusive control of the plug;

• Oil and gas well drilling.

There are 2 main kinds of employees who need to be trained in LOTO: the authorized employees who perform the service and do maintenance on the machine or energy source during LOTO, and the affected employees who normally operate the machine or energy source outside of LOTO. All employees involved in LOTO are notified when LOTO is done. Other employees who are in the area should also be trained in the proper procedures for what to do.

There are 2 main kinds of devices in Lockout Tagout: lockout devices and tagout devices. Lockout devices should be able to hold the machine in a safe, turned-off position. These include, but are not limited to, padlocks, blank flanges, and bolted slip blinds. Padlocks should have only 1 key, to limit access to 1 worker. Tagout devices are the tags put on the lockout device to indicate that the device cannot be operated. In addition to these 2 main kinds of devices, there are energy isolation devices and LOTO boxes. Energy isolation devices physically prevent the release of hazardous energy. These include manual circuit breakers, disconnect switches, and line valves, and they are used specifically for energy isolation. LOTO boxes are used when there are multiple isolation points to be secured: workers attach and detach their lockout devices to and from the LOTO box. Examples of these devices are shown in figure 2.2 [12, 26].
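The quoted OSHA lockout and restore sequences, the one-key-per-padlock rule, and the LOTO box for group lockout are exactly what a rule-based digital LOTO server has to enforce. The following is an added illustration written for this edit, not code from the thesis: the step labels, the `Machine` class and the constructed two-worker scenario are my own, and the rule set refuses and logs any request that would break the step order, let an unauthorized employee act, or re-energize while a lock is still attached.

```python
from dataclasses import dataclass, field

# My labels for the numbered OSHA steps quoted above; step 5 ("apply_locks") is
# completed through attach_lock(), the others through lockout_step()/restore_step().
LOCKOUT_STEPS = ("notify", "identify_energy", "shut_down", "isolate",
                 "apply_locks", "release_stored_energy", "verify_isolation")
RESTORE_STEPS = ("inspect_equipment", "clear_area", "controls_neutral",
                 "remove_locks", "notify_complete")


class LotoViolation(Exception):
    """A request that would break the procedure; it is logged and refused."""


@dataclass
class Machine:
    name: str
    authorized: frozenset                      # employees trained for this machine
    phase: str = "running"                     # running, locking_out, locked_out, restoring
    step_index: int = 0                        # next step within the current phase
    locks: dict = field(default_factory=dict)  # lock_id -> owner: one key, one worker
    audit: list = field(default_factory=list)  # (worker, action, accepted, detail)

    def _refuse(self, worker, action, detail):
        self.audit.append((worker, action, False, detail))
        raise LotoViolation(f"{self.name}: {action} by {worker} refused: {detail}")

    def _check_order(self, worker, step, steps, phases):
        # Accept `step` only if it is the next one of `steps`; phases = (start, active).
        if worker not in self.authorized:
            self._refuse(worker, step, "not an authorized employee")
        if self.phase not in phases:
            self._refuse(worker, step, f"not allowed while {self.phase}")
        index = 0 if self.phase == phases[0] else self.step_index
        if step != steps[index]:
            self._refuse(worker, step, f"expected {steps[index]}")
        self.phase, self.step_index = phases[1], index + 1
        self.audit.append((worker, step, True, ""))

    def lockout_step(self, worker, step):
        if step == "apply_locks":
            self._refuse(worker, step, "locks are applied with attach_lock()")
        self._check_order(worker, step, LOCKOUT_STEPS, ("running", "locking_out"))
        if self.step_index == len(LOCKOUT_STEPS):
            self.phase = "locked_out"              # OSHA step 8
        return self.phase

    def attach_lock(self, worker, lock_id):
        # Step 5, or a further worker adding a lock to the LOTO box (group LOTO).
        if lock_id in self.locks:
            self._refuse(worker, f"attach {lock_id}", f"held by {self.locks[lock_id]}")
        if self.phase == "locked_out":
            if worker not in self.authorized:
                self._refuse(worker, f"attach {lock_id}", "not an authorized employee")
            self.audit.append((worker, f"attach {lock_id}", True, ""))
        else:
            self._check_order(worker, "apply_locks", LOCKOUT_STEPS, ("running", "locking_out"))
        self.locks[lock_id] = worker
        return len(self.locks)

    def remove_lock(self, worker, lock_id):
        # Only the holder of a lock's single key may remove it.
        if self.locks.get(lock_id) != worker:
            self._refuse(worker, f"remove {lock_id}", f"held by {self.locks.get(lock_id)}")
        del self.locks[lock_id]
        self.audit.append((worker, f"remove {lock_id}", True, ""))
        return len(self.locks)

    def restore_step(self, worker, step):
        if step == "remove_locks" and self.locks:
            self._refuse(worker, step, f"locks still attached: {sorted(self.locks)}")
        self._check_order(worker, step, RESTORE_STEPS, ("locked_out", "restoring"))
        if self.step_index == len(RESTORE_STEPS):
            self.phase = "running"
        return self.phase


def refused(action):
    # Run a request and report whether the rule set refused it.
    try:
        action()
    except LotoViolation:
        return True
    return False


def demo():
    """Constructed scenario: a group lockout by two authorized workers."""
    m = Machine("pump-7", frozenset({"alice", "bob"}))
    for step in ("notify", "identify_energy", "shut_down", "isolate"):
        m.lockout_step("alice", step)
    m.attach_lock("alice", "lock-A")                        # OSHA step 5
    m.lockout_step("alice", "release_stored_energy")
    m.lockout_step("alice", "verify_isolation")             # now locked out
    m.attach_lock("bob", "lock-B")                          # bob joins the group LOTO
    refused(lambda: m.restore_step("alice", "clear_area"))  # out of order
    refused(lambda: m.remove_lock("alice", "lock-B"))       # not alice's key
    refused(lambda: m.lockout_step("carol", "notify"))      # carol is not authorized
    for step in ("inspect_equipment", "clear_area", "controls_neutral"):
        m.restore_step("bob", step)
    refused(lambda: m.restore_step("bob", "remove_locks"))  # lock-A still on the box
    m.remove_lock("alice", "lock-A")
    m.remove_lock("bob", "lock-B")
    m.restore_step("bob", "remove_locks")
    m.restore_step("bob", "notify_complete")                # back in service
    return m
```

Every refused request stays in the audit list, which is the record a supervisor would review and the raw material a violation detector would be trained on.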

OSHA has not standardized a color code for lockout and tagout devices. However, they do specify that locks for LOTO need to be specially made and designated for LOTO. This usually entails that the lock is identified for LOTO only, is durable and sustainable, and has a standardized color and shape across all locks in a system. They also recommend the following color code in the official standards [26]:

• "DANGER" - Red, or predominantly red, with lettering or symbols in a contrasting color.

• "CAUTION" - Yellow, or predominantly yellow, with lettering or symbols in a contrasting color.

• "WARNING" - Orange, or predominantly orange, with lettering or symbols in a contrasting color.

• "BIOLOGICAL HAZARD" - Fluorescent orange or orange-red, or predominantly so, with lettering or symbols in a contrasting color.

Figure 2.2: The 4 Types of Devices Used in Lockout Tagout [12]

Energy isolation plans, otherwise known as isolation plans, are one of the main ways of doing group LOTO. Group LOTO is done when there are multiple areas that need energy isolation or maintenance. It involves supervisors leading groups of authorized employees to do their assigned tasks in order.

2.3 The Limitations of LOTO

While LOTO has been the industry standard for 32 years, it is not without its issues and challenges. The equipment used in the field has made many technological strides; however, the old standard for LOTO remains the same [6]. Traditional LOTO involves only physical locks, and only authorized workers who have received special training can conduct the procedure, which leaves room for human error. Some of the top challenges in conducting LOTO, found by E-Square Alliance, a LOTO device manufacturing company, are shown in table 2.1. Most of these challenges are due to human neglect and error, where improper training or handling of LOTO can cause fatal injuries to workers or great losses in capital.

Another challenge with traditional LOTO is managing the data of previous procedures. Currently, most of the data pertaining to LOTO is stuck on paper or electronic forms without a way to analyze or group them. With this data locked behind these sources, it is harder for companies and supervisors to analyze it and make improvements to their LOTO procedure [11]. In addition, companies may have issues organizing and managing paper forms digitally, as it is hard to convert paper forms into data.

Table 2.1: Top Lockout Tagout Challenges from E-Square Alliance [34]

Lack of Awareness: Top management is not aware of the importance of LOTO, or there is no LOTO procedure, leading to worker injuries.

Lack of Specific Procedures: The organization provides generic training instead of specific procedures that follow the LOTO standards, leading to more human errors during LOTO.

Inappropriate Lockout Tagout Devices: Organizations purchase generic or cheap LOTO devices instead of devices that are adequate for their equipment. Many incidents occur from the release of hazardous energy due to inadequate LOTO devices.

No Timely Reviews or Audits: OSHA requires annual audits of LOTO procedures, so that inadequacies can be reviewed and changes suggested to improve the LOTO system.

Insufficient Training: There are 4 levels of training for LOTO; many companies only give their authorized LOTO workers the general training meant for all employees, instead of the required higher tiers for authorized workers.

Unsustainable Lockout Tagout System: Companies should continuously review and improve their LOTO systems to create a better LOTO process and prevent future incidents.

2.4 The Trend of Traditional Lockout Tagout

While the OSHA standards may not have changed for 30 years, the industry thinks that it would be better to upgrade from traditional LOTO with physical locks and digitize LOTO to benefit the companies and workers who perform LOTO. Most companies provide LOTO training and then leave workers to follow the proper steps of LOTO, generally with a paper checklist. However, without digitization, this can lead to violations of the LOTO procedure and standards due to human error. Fleming suggests in his article, 4 Benefits of Digitizing Lockout Tagout, that digitizing LOTO would greatly streamline the process and help LOTO performance in 4 ways [11]:

• Prompt Guidance and Communication during LOTO;

• Automated Data Collection;

• Triggered Alerts and Interventions;

• Actionable Data for Leaders.

Prompt guidance during LOTO would guide workers through the procedure and ensure they are following it. It would also let team leaders communicate with workers during the LOTO process. Automated data collection would help managers and leaders quickly identify shortcomings and violations in their LOTO procedure. Triggered alerts and interventions allow managers to catch and document these issues, as well as potentially prevent incidents from arising. Lastly, actionable data means that managers and leaders in the LOTO process can analyze their data much more easily, as opposed to traditional LOTO, where the data is stuck behind paper documents.

Digitized LOTO is already being used in the industry to some extent; in an interview with Beet Sugar Cooperative, Jill James asks them how they are using digital LOTO to improve their operations [16]. From their control room, they are able to monitor and control the situation when a LOTO procedure needs to be conducted. They can safely test the hazardous energy sources by attempting to control them from the control room and confirming that the energy sources are off before workers are in danger of accidental re-energization. They can then quickly communicate to the authorized employees that they are able to perform their part in the maintenance. While they still use mostly traditional equipment, it is easy to see how the digital aspect of their system greatly enhances safety by having someone monitor and manage the hazards from afar.

Figure 2.3: Example of a Smart Lock System Designated for LOTO, Produced by EgeeTouch [9]

Next, we will go into some of the widely available solutions on the market. As technology has advanced in the industry, some products that digitize LOTO have appeared on the market. A few companies that produce locks have advertised specialty-made products for LOTO. Example companies include Masterlock, an industry leader in lock production, NOKE, which claims to have one of the best systems for LOTO, and many other companies such as Nisoft and Seam Group [25, 20, 9, 32]. They typically all provide the same products and services: smart locks and an application used with the locks that has some LOTO streamlining features, such as history tracking or access tracking. Some of the companies provide other services related to LOTO, such as consulting or risk assessment services after implementing their systems [32, 20]. While these are somewhat useful, there are some issues with them, including

While the industry has made some efforts to digitize LOTO, there is not much in the realm of academics for digitizing LOTO. We will go over some of these efforts later, in the Related Works chapter.

Chapter 3

RELATED WORKS

In this chapter, I discuss the related work on transforming traditional LOTO into the digital domain. We look into current smart locks, IoT-inspired LOTO, and potential security risks.

3.1 Smart Locks

There has been research on the use of IoT to improve heavy machinery safety and LOTO procedures, as many people are injured due to inadequate or improper use of LOTO [18, 22]. LOTO is an important procedure for ensuring the safety of workers who use dangerous machinery, and improvements to it will improve the safety of the workers and the security of the machine. One might turn to the myriad of commercial smart locks on the market, which connect over the Internet or via Bluetooth, to improve the safety of the workers. There are already a few commercial smart locks targeting this market, such as those from Masterlock and NOKE [17, 25]. However, most of these smart locks have major vulnerabilities that make them unsuitable for LOTO use. Common vulnerabilities of these commercial locks include vulnerabilities in the cloud and in Bluetooth, plaintext passwords, and hard-coded secrets. Common examples of attacks on these kinds of locks include device spoofing, fuzzing, replay attacks, and man-in-the-middle attacks [28, 17]. These IoT devices can also be vulnerable to many typical IoT attacks, which include device software failure, node tampering, eavesdropping, malicious code injection, and insertion [39, 2]. IoT is a relatively new field, and researchers are looking for ways to protect privacy and improve the security of IoT devices.

3.2 IoT Inspired Lockout Tagout

The field of digital LOTO has not been very well explored in academia. While IoT has made an impact on the field of industrial work in many different ways, such as increased worker safety and construction machine tracking, research directly related to using IoT for LOTO is scarce. There have been a few products related to digital LOTO, such as NOKE smart locks [25], which are marketed to users as locks suitable for LOTO. However, most smart and IoT locks on the market are unsuitable for LOTO, as they do not fit the requirements of LOTO and have additional security vulnerabilities that would cause major safety and security issues.

In S. Kumar’s and S. M. Tauseef’s paper, Development of an Internet of Things

(IoT) based Lockout/Tagout (LOTO) device for Accident Prevention in Manufacturing

Industries [18], they presented their development of an IoT device designed for

LOTO accident prevention and conducted an experiment to show the practicality of

their device. Their simple device consisted of an Arduino pre-programmed to follow

LOTO, a SIM card for connectivity to send notifications to a user’s phone, an LCD

screen, and a motor to serve as a locking mechanism. It was programmed to instruct

the user on the proper steps of LOTO while preventing accidents with its physical

lock that will lock the user from accessing the hazards during the LOTO process.

They showed that their device brought down safety incidents during LOTO from an

average of 7 incidents per year to 0 incidents since the implementation of their device.

This showed how even a simple IoT device can greatly improve the safety of the

LOTO process. Other examples of using IoT to improve safety during LOTO include

[22], where McNinch et al. implemented an intelligent monitoring system to help

detect safety issues during mining work and inadequate and improper LOTO. Our

system also looks to improve safety and streamline the LOTO process like Kumar

and Tauseef’s device. However, I look to make a larger lock system that can be used

by an entire industrial site, rather than a single device placed at a location to enforce

LOTO.

While there has been some research into streamlining and improving safety using IoT

in LOTO, typical market locks are unsuitable for LOTO due to security risks. In Lock

Picking in the Era of Internet of Things, by E. Knight et al. [17], the paper went

over one of the leading brands, Masterlock, and their Bluetooth lock, and ways to

attack the lock. The 3 main contributions of this paper were: an analysis of the entire

Bluetooth system within the lock, a revelation of the security vulnerabilities within the

lock, and an impactful responsible disclosure exercise with Masterlock to patch these

vulnerabilities. In their related work, they went over the common attacks: plaintext

passwords, replay attacks, fuzzing, device spoofing, and hard-coded secrets. They

also discussed a paper covering Bluetooth attacks on IoT devices, investigated the

cloud service API and man-in-the-middle attacks, and read the firmware. When investigating

vulnerabilities, they did the following: physical tampering to interfere with the power

source, a brute force attack to override the lock pattern, use of a Bluetooth packet

sniffer to observe the communication between the phone and the lock, decoding the app

to look for encryption, and use of the cloud API. They found that physical tampering,

brute force, and Bluetooth packet sniffing were ineffective; however, they were able to

decode the app and escalate privileges so that they could unlock the lock via a guest

account. The cloud API was also vulnerable if the keys were to be leaked. Another

product, NOKE, was directly targeting this market [25]. While their system seemed

promising and compliant with LOTO, there are flaws in the security of their locks

[21] as shown by McBride et al. The typical market smart lock has myriad different

vulnerabilities, making it unsuitable for a procedure that needs to be as secure as

Lockout Tagout.

Figure 3.1: A Comparison Between Requirements for LOTO and Additional LOTO-Based Functionalities and the Functions of Typical Market Smart Locks [26, 25, 17]

3.3 Potential Security Risks

In general, IoT security is a relatively unexplored field, leaving a lot of the current

consumer IoT products inadequate in security. In Alladi et al.’s Consumer IoT:

Security Vulnerability Case Studies and Solutions [2], they did a study on the various

ways IoT devices can be attacked. It went over 8 different kinds of attacks that are

typically done on these kinds of products. Everything from device software failure,

node tampering, eavesdropping, malicious code injection, unauthorized access, social

engineering, device hardware exploitation, and malicious node insertion poses major

security risks when using IoT products. These IoT products, including smart locks

[17], were not designed with security in mind, allowing for a lot of attacks.

Figure 3.2: Consumer IoT Security Attacks, Device Vulnerabilities and Potential Countermeasures [2]

There were quite a few works, such as Pavelic et al. [28], that explain some of these

attacks using an IoT smart door lock system as an example. They showed various

points of vulnerability in the system, such as sniffing the user authentication or

man-in-the-middle attacks. Research in IoT security is currently quite scarce. Hopefully,

there will be future development in this area, as Zhang et al. presented in their

paper on ongoing challenges and research opportunities in the field of IoT [39]. They

identified some topics as areas to be researched, such as object identification and location,

authentication and identification in IoT, and security protocols for lightweight

devices. In our digital LOTO system, to address these concerns about security, I

implement multiple security measures such as 2-factor authentication and a machine

learning algorithm to detect anomalous behavior of the locks.

To solve some of the security issues within IoT devices, some researchers have begun

to think about implementing machine learning-based security to keep networks secure.

Zaman et al. have conducted a comprehensive survey to find these security risks based

on the layers of the IoT model and they suggested different machine learning security

measures that can counteract the threats to IoT networks [37]. They collected a

large number of machine learning techniques that could be used as countermeasures,

such as using SVMs and LSTMs against unauthorized access attacks on IoT

devices. They also posed some challenges for future work of security in IoT devices.

Our system uses anomaly detection to bolster the security of our system.

Chapter 4

SYSTEM DESIGN

In this chapter, I first present the expected functionalities of the digital LOTO system.

Then the system overview of the proposed digital LOTO is introduced with details

of all the entities included.

4.1 Expected Functionalities of the Digital LOTO System

In this section, the expected functionalities of the digital LOTO system in terms of

locking the equipment and restoring the equipment are presented. These functionalities

were created by reviewing the LOTO requirements and standards. As well, I

discussed with a group from Chevron that manages oil pipes to see if these features

would help their LOTO procedures.

Looking at the procedures for locking the equipment, we can see that the steps in bold can

be implemented into our system:

1. Notify all affected employees;

2. Identify the areas that need locks;

3. Shut down the device if it is still operating;

4. De-activate and isolate the energy device;

5. Authorized employees place their locks in order;

6. Dissipate energy;

7. Ensure the machine is not operational without personnel around

(Verify Lockout);

8. Machine is locked out.

As well, when restoring the equipment, there are the following steps in bold that can

be implemented into our system:

1. Check there are no non-essential items in the area or on the machine and controls

are still intact;

2. Check to make sure employees have been safely positioned;

3. Verify that the controls are in neutral;

4. Unlock and remove the lockout devices;

5. Notify employees in the area that the machines are ready for use.

In addition to these steps, I discussed with a group from Chevron which additional

rule sets their isolation plans need to adhere to. After much discussion, I determined

that the following rule set would fit their requirements:

• Locks must be locked in a specified order.

• Locks cannot be removed until all maintenance is done (as opposed to workers

locking and unlocking one by one).

• Locks must be unlocked in the reverse of the specified order.

• Once done, workers must secure their locks on the LOTO box.

With these steps, the rule set, and other requirements of LOTO, I planned out a list

of features to be simulated in the lock system:

Table 4.1: Table of LOTO Streamlining Features

Feature | Details | Implementation
--- | --- | ---
Locks are configured with specific IDs on configuration | Lock IDs will be used for tracking the lock, lock/unlock ordering, and authorization assignment. | Have an ID assigned to each lock. Lock will send all information with the ID as the header of the package.
Locks can be configured to be part of isolation plans | Locks in isolation plans can only be unlocked in reverse order from when they were locked. Isolation plans are used when reporting LOTO procedures. | Locks will have a configurable isolation plan data structure, containing the name of the isolation plan (configurable) and the lock IDs of each lock. This can be done on the cloud.
Locks have GPS/location tracking | Able to identify where locks are located on the site in real time. Leads workers to locks that need to be unlocked in specific orders. | Have the lock only respond to physical keys and phones within a certain distance. Use the package to keep track of current location; update every X time interval or lock update.
Locks updated in real-time | Lock sends information to the cloud in real time to allow tracking of locks and their status. Locks will notify affected employees when LOTO starts and ends. | Send information package to the cloud on every update. Server will send updates to affected employees.
Locks will be locked and unlocked via a wireless physical key/phone | Authorized LOTO workers will all have a physical key with a configurable authorization. Locks can only be unlocked by their authorized worker. |

Table 4.2: Table of LOTO Security Features

Feature | Details | Implementation
--- | --- | ---
Locks can only be opened by the authorized phone app or authorized physical key(s) | Each worker will have an account that will be linked to a physical key or a phone app. Each lock will only be unlocked for its authorized user. | Server will make sure, whenever a lock is attempted to be locked or unlocked, that only the authorized worker can open that lock. Authorization can be managed via the cloud. 2-factor authentication with the key and the phone.
Locks can only be opened when the key is within the vicinity of the lock | Locks can be unlocked via the physical key or phone only when the physical device is within close vicinity of the lock. Use Bluetooth for connections. | Have the lock only respond to physical keys and phones within a certain distance. Can be turned on and off via admin.
Lock has machine learning to learn for anomalies in lock behavior | When suspicious unlock behavior is detected, the lock will ask for another form of authentication. This will ensure locks are not maliciously unlocked or prevent accidents from happening. | Use anomaly detection to detect unusual lock behavior.

In this chapter, I will describe how I designed the lock system around these features

in a simulation.

4.2 System Overview

The proposed digital LOTO system, shown in Figure 4.1, includes a database, locks,

clients, and a server.

Figure 4.1: General LOTO System Overview

As shown in Figure 4.1, clients will directly interact with locks. When a client tries

to interact with the lock (locking or unlocking it), it will first send the request to the

server to unlock it. The server will authenticate whether the client has the authority

to do so, checking current LOTO rules and using security measures such as two-

factor authentication. The server will then send an acknowledgment to the client

if the LOTO rules are compliant and 2FA is completed. Once the client receives

the acknowledgment, the client can connect to the lock. Once the lock is locked or

unlocked, the client will receive the current information from the lock and send the

information to the server to update the database. The reason why the lock does

not directly communicate with the server is so that the lock does not need high

connectivity to the server; this will save the battery life of the locks. The server

will process the data it receives from the clients and then update the database

accordingly.

4.2.1 Database

Figure 4.2: Database Overview

The database contains 3 tables: Lock table, User table, and Isolation plan table.

These 3 tables are used to contain the information pertaining to each part of the

system, the lock, the client/user, and the isolation plans. The lock table contains all

information about the locks:

• Lock ID: the number ID of the lock.

• Lock status: whether the lock is currently locked or unlocked.

• Authorized Workers: which clients currently have permission to unlock or lock

the lock.

• Current location: the lock’s current location, which can either be longitude-

latitude or named locations set by administrators.

• Current Isolation Plan’s ID: if the lock is currently part of an isolation plan,

this identifies which isolation plan the lock is a part of. This ID corresponds

to an Isolation Plan ID.

The isolation plan table contains the current and past isolation plans. This table

also serves as the lock history, as locks should be locked and unlocked only as part of

isolation plans:

• Isolation Plan ID: the number ID of the isolation plan.

• Name: the isolation plan name, which is configured at the start of the isolation

plan.

• Creator ID: the user ID of who created the isolation plan.

• Lock Order: a list of lock IDs in this isolation plan and what order they need

to be locked in. The reverse of this order is the unlock order.

• Start Date: the date time at the start of this isolation plan.

• End Date: the date time at the end of this isolation plan.

• Rule set: the supervisor of this isolation plan can tag additional rules to the

isolation plan if needed.

The user table contains the login data and info about what locks they can access:

• User ID: the number ID of the User.

• Username: username login credential.

• Password: password login credential.

• Owned Locks: these are the IDs of the locks that the user owns; they will have

access to these locks and the ability to temporarily give access to these locks to

other users.

• Temporary Locks: these are the locks that the user has been temporarily given

permission to use.

To host the database, the system uses an SQL-based server so that I could create a

relational database. This lets me relate locks to the isolation plan they are a part

of and users to the locks they own. The database is updated whenever a lock is

updated, where the information is passed from the lock to the client to the server to

the database.

4.2.2 Server

The server in the system handles delivering data to the database from the clients

and ensuring the LOTO procedure is followed correctly. The server has a set of rules

when receiving unlock requests from clients to ensure worker safety; this includes

enforcing the lock and unlock order from the isolation plans the lock is in. The server also

has security measures such as two-factor authentication (2FA) and anomaly detection

to ensure no accidental LOTO procedure violations or malicious behavior happens

during LOTO.

In Figure 4.3, I show how the server responds to a lock or unlock request. Whenever the

client tries to unlock a lock, it will connect to the server via TCP and send a request

to the server for confirmation of changing a lock status. The server will send back

a 2FA request to the user who owns or has temporary access to the lock. Once the

Figure 4.3: Unlock Request Flow

client confirms 2FA, the server will check if updating the lock will break the rules.

Once determined that updating would not, the server checks if the lock has suspicious

behavior using an anomaly detection algorithm. If all checks are passed, the client

will be permitted to unlock the lock and the database is updated with the new lock

update.

4.2.3 Client

In the system, the client is the way the user interacts with the locks and the server.

First, when the client starts up, the user will be asked to log in. The client will send

the credentials to the server to authenticate against the database. Once logged in,

the client displays the following functionalities in a menu for the user:

• View owned locks.

• View isolation plan history.

• Configuring new locks.

• Locking or unlocking locks.

• Configuring temporary access to locks.

• Transferring ownership of locks.

• Creation of isolation plans.

• Canceling or ending isolation plans.

For viewing owned locks, the client requests the lock table from the server. The server

will request the lock table of all locks the current user has access to and send it to the

client to display it. The same is done for all current and past isolation plans when

requesting isolation plan history.

For configuring a new lock, the user would first connect to the lock using the client.

Then, for setup of the lock, the user would register as an authorized worker for the

lock and the client can set other parameters for the lock such as current location

if needed. Once setup is finished, the client will receive the information of the lock

and send it to the server to be inserted into the database. The database will register

the lock under a new lock ID with the information set by the user and would set

ownership of the lock under the user who registered it.

For locking and unlocking locks, the client would request the server to unlock the

lock, and after 2FA (two-factor authentication), the server would determine whether

or not the lock can be unlocked or locked in the current conditions, factoring in

isolation plans and lock behavior. After the server authenticates the user, the client

can connect to the lock and unlock it. After changing the lock status, the lock will

send its information to the client and the client will send that information to the

server.

To configure temporary access to locks, the client can grant other users temporary access

to any locks the current user owns. After specifying this, the client sends

this information to the server to update the database, and when an authorized client

connects to the lock, it will update who is authorized to use the lock. The client

can also transfer the ownership of locks. The user can configure new owners of locks.

Once this is done, the same process as granting temporary access to locks takes place

where the database is updated and the lock is updated after connection.

For the creation of isolation plans, the user specifies the following fields: isolation

plan name, the lock order, and the start date-time (which can include now); once

specified the client will update the server with the new isolation plan. For ending the

isolation plan, the user who created the isolation plan can use their client to end or

cancel. They can only end or cancel the isolation plan after all the locks in the plan

have been unlocked. This is to prevent the plan from being ended or canceled during

the LOTO process.

4.2.4 Lock

In the system, each lock contains 5 pieces of information. These are the Lock ID, Lock

status, Authorized workers, Current Location, and Current isolation plan. These are

contained within the lock and are sent to the client whenever the lock status updates.

Locks are accessed by the client via Bluetooth so the user accessing the lock must

be present near the lock. This increases the security of a lock, meaning it cannot be

remotely accessed.

Chapter 5

IMPLEMENTATION

In this chapter, the details of the implementation are introduced for the database,

the server, the clients, and the locks. The designed functions and algorithms used in

these entities will be discussed.

5.1 Database

The database is written in SQL, a query language for relational databases. To

create, host, and manage this database, I used MySQL, a SQL database management

system. The database was hosted on a MySQL server and created and edited

using MySQL Workbench, a GUI that allows you to edit the database schema on

MySQL servers. As for relations between the tables within the database, I created

the following relations:

• Current Isolation Plan ID in Lock table - Isolation Plan ID in Isolation Plan

Table: when locks look up if they are currently in an isolation plan or lock

order.

• Authorized Workers in Lock table - User ID in User table: when locks look up

which workers are authorized to open them.

• Owned Locks in User table - Lock ID in Lock table: when users look up which

locks they own.

• Temporary Locks in User table - Lock ID in Lock table: when users look up

which locks they were given temporary permission to use.

To access the database, I implemented a class called sql_connection. The sql_connection

class initializes using a MySQL connector module to connect to the database server.

Once initialized and connected, sql_connection has the following class methods to execute

requests for the database:

• view_lock_table: views the lock table.

• view_iso_table: views the isolation plan table (the lock history).

• get_lock_data: gets all data pertaining to one lock.

• get_iso_data: gets all data pertaining to one isolation plan.

• new_lock: creates a new lock in the lock table.

• new_iso_plan: creates a new isolation plan.

• end_iso_plan: ends an isolation plan.

• set_location: updates the location of a lock.

• set_lock: sets a lock status to locked.

• set_unlock: sets a lock status to unlocked.

• set_temp_lock: adds a lock to a user’s temporary locks.

• transfer_ownership: gives ownership of the lock to a user.

• check_password: gets the password of a user who is trying to log in.

Each method follows the following structure:

    import json

    def command(self, lock_id, data):
        # One parameterized statement per method; the %s placeholders are bound
        # by the MySQL connector, so values are never spliced into the query text.
        sql = "SQL query with %s placeholders"
        data_json = json.dumps(data)  # only for methods that store a JSON object
        self.cursor.execute(sql, (lock_id, data_json))
        self.db.commit()
        print(self.cursor.rowcount, "record inserted.")
        return "type of command executed"

The data in the parameters varies between methods, ranging from the lock ID

to isolation plan details. The SQL query depends on which command the method

corresponds to, such as "SELECT * FROM lock_table WHERE lock_id = %s" for viewing

data for one lock. lock_id and data are not parameters for all methods; however,

most methods use one or both of them. data_json is used when the method requires

inserting a JSON object into the database. The cursor then executes the SQL query with

the data replacing the placeholders. Once executed, the method prints how many

rows were changed and returns a string indicating that the query has been executed.

5.2 Server

In this section, the implementation of the server, which hosts and manages most of

the resources and service requests, is discussed. In addition, the rule-based system

and machine learning are also discussed.

5.2.1 Client-Server Architecture

The server uses a client-server architecture, where the server hosts and manages most

of the resources and services requested from clients such as database queries and lock

status change requests. To achieve this architecture, the server uses multi-threading

socket programming. Using Python’s socket API, the server creates a TCP socket to

listen for clients trying to connect to the server. Once a client connects, the server

will process their request, execute the commands from the client’s request, then send

an acknowledgment that the request is done to the client, and close the connection.

To handle multiple clients at the same time, the server creates multiple threads to

accept them. Client request threads obtain a lock (a mutex) to prevent multiple

threads from executing the requests at the same time; the lock is released once the

current request is finished and the client is disconnected. This is to prevent multiple

threads from changing the database at the same time.

5.2.2 Request Processing

Once a client connects to the server, the server will obtain a mutex to prevent other

threads from processing a request. Then the client will send the request to the server

via the socket. Clients send requests to the server as strings in the following format:

{Lock ID; Request Type; {Data for the Request}}

The server will split the incoming strings into the 3 parts: lock ID, request type, and

data. The lock ID is included in the request because most of the methods of the

database require a lock ID. If it is not required, then it will be left blank. The request

type is a string that denotes what kind of request the client is asking. Each string

corresponds to one of the methods listed in the database section. The data for the

request is kept as a string as the class methods for accessing the database will convert

it into JSON format if needed. Once the request is processed, the server will check if

the request is subject to 2FA and isolation plan rules; these rules pertain to isolation

plans and changing the lock status. If the request is compliant with the rules or has

no rules to comply with, the server will access the database, execute the request, then

respond to the client that their request is done. If 2FA or the rules check is failed,

the server will respond to the client with the reason why the request has failed. The

server will then close the connection, release the mutex and move to the next request.
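As an added illustration (not code from the thesis), the function below parses the request format above into its three parts and rejects anything that does not name one of the database methods of Section 5.1; the method-name allowlist and the BadRequest class are assumptions of this example.

```python
# Added example, not the thesis's own code. Parses "{Lock ID; Request Type; {Data}}"
# and validates the request type against an allowlist of the database methods.
# KNOWN_REQUESTS (method names) and BadRequest are assumptions of this example.

KNOWN_REQUESTS = {
    "view_lock_table", "view_iso_table", "get_lock_data", "get_iso_data",
    "new_lock", "new_iso_plan", "end_iso_plan", "set_location",
    "set_lock", "set_unlock", "set_temp_lock", "transfer_ownership",
    "check_password",
}


class BadRequest(ValueError):
    """Raised when a request string is malformed or names an unknown command."""


def parse_request(raw):
    """Return (lock_id, request_type, data) from a '{id; type; {data}}' string.

    lock_id is an int, or None when the client left the field blank.
    data is the raw text between the inner braces; the database method turns
    it into JSON itself, as described in the request-processing section.
    """
    s = raw.strip()
    if len(s) < 2 or s[0] != "{" or s[-1] != "}":
        raise BadRequest("request must be wrapped in braces")
    body = s[1:-1]
    # Split only on ';' at nesting depth 0, so a ';' inside the data payload
    # (for example inside a JSON string) cannot break the framing.
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise BadRequest("unbalanced braces in request")
        elif ch == ";" and depth == 0:
            parts.append(body[start:i])
            start = i + 1
    parts.append(body[start:])
    if depth != 0 or len(parts) != 3:
        raise BadRequest("request must have exactly three ';'-separated parts")
    lock_field, req_type, data = (p.strip() for p in parts)
    # Allowlist check: an unknown type is rejected before anything touches the DB.
    if req_type not in KNOWN_REQUESTS:
        raise BadRequest("unknown request type: %r" % req_type)
    if data and not (data.startswith("{") and data.endswith("}")):
        raise BadRequest("data must be wrapped in braces")
    data = data[1:-1].strip() if data else ""
    if lock_field == "":
        lock_id = None          # methods that need no lock ID leave it blank
    elif lock_field.isdigit():
        lock_id = int(lock_field)
    else:
        raise BadRequest("lock ID must be a non-negative integer or blank")
    return lock_id, req_type, data


if __name__ == "__main__":
    # Constructed sample requests, not captured from the thesis's system.
    print(parse_request('{ 2 ; set_unlock ; { {"user_id": 7} } }'))
    print(parse_request("{ ; view_lock_table ; {} }"))
```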

5.2.3 Accessing the Database

To access the database, the server creates a sql_connection object on initialization.

Once the server processes the request of a client, it will call the appropriate method

of the sql_connection object. Once the method has finished, it will return a string to

the server to send back to the client indicating that the request was finished. The

server will then send that message to the client.

5.2.4 Rule Sets for Isolation Plans

During isolation plans, requests for locking and unlocking locks are subject to special

rules during the processing. The current rule set for this implementation is taken

from the standards of LOTO and the requirements set by Chevron. The rule set is

as follows:

• The locks must be locked in the order of what is listed on the isolation plan.

• The client must be in the same area as the lock.

• The locks cannot be unlocked until the last lock in the order has been secured.

• The locks must be unlocked in the reverse of the order of what is listed on the

isolation plan.

Additional rules can be configured by administrators for isolation plans, however,

those are outside the scope of this simulation and therefore were not implemented.

To enforce these rules, when locking and unlocking are requested, the server will use

get_lock_data and get_iso_data to evaluate whether the requested lock is part of an isolation

plan, the lock order of that isolation plan, and the location of the lock. It will then

check, using get_lock_data on the other locks in the lock order, whether the current locking or

unlocking request is compliant with the lock order. If compliant, the server will then

check its anomaly detection for suspicious behavior. If both the rules are compliant

and no suspicious behavior is detected, the server updates the database and then

responds to the client, signaling the client to update the lock.
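An added worked example (not the thesis's own code) of the rule check described above: LockRecord and IsolationPlan stand in for what get_lock_data and get_iso_data return, and the lockout_complete flag is an assumption introduced to tell the locking phase of a plan from the unlocking phase.

```python
# Added example, not the thesis's own code: the isolation-plan rule set of
# Section 5.2.4 applied to lock/unlock requests. Data shapes are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockRecord:
    """Subset of a lock table row needed by the rule check (assumed shape)."""
    lock_id: int
    locked: bool
    location: str
    iso_plan_id: Optional[int] = None   # None when the lock is in no plan


@dataclass
class IsolationPlan:
    """Subset of an isolation plan row (assumed shape)."""
    plan_id: int
    lock_order: List[int]               # lock IDs in the order they must be locked
    lockout_complete: bool = False      # assumed flag: set once the last lock is secured


def check_rules(action: str, lock_id: int, client_location: str,
                locks: Dict[int, LockRecord],
                plans: Dict[int, IsolationPlan]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a 'lock' or 'unlock' request on lock_id."""
    lock = locks[lock_id]
    # Rule: the client must be in the same area as the lock.
    if lock.location != client_location:
        return False, "client is not in the same area as the lock"
    if lock.iso_plan_id is None:
        return True, "lock is not part of an isolation plan"
    plan = plans[lock.iso_plan_id]
    order = plan.lock_order
    idx = order.index(lock_id)
    if action == "lock":
        if lock.locked:
            return False, "lock is already locked"
        if plan.lockout_complete:
            return False, "plan is already fully locked out"
        # Rule: locks are locked in the order listed on the plan.
        pending = [i for i in order[:idx] if not locks[i].locked]
        if pending:
            return False, "locks %s must be locked first" % pending
        return True, "lock order respected"
    if action == "unlock":
        if not lock.locked:
            return False, "lock is already unlocked"
        # Rule: nothing is unlocked until the last lock in the order is secured.
        if not plan.lockout_complete:
            return False, "last lock in the order has not been secured yet"
        # Rule: unlock in the reverse of the lock order.
        still_locked = [i for i in order[idx + 1:] if locks[i].locked]
        if still_locked:
            return False, "locks %s must be unlocked first" % still_locked
        return True, "reverse unlock order respected"
    return False, "unknown action %r" % action


def apply_request(action, lock_id, client_location, locks, plans):
    """Run the rule check and, only if it passes, update the in-memory state
    (where the server would update the database and signal the client)."""
    allowed, reason = check_rules(action, lock_id, client_location, locks, plans)
    if not allowed:
        return False, reason
    lock = locks[lock_id]
    lock.locked = (action == "lock")
    if lock.iso_plan_id is not None:
        plan = plans[lock.iso_plan_id]
        if action == "lock" and lock_id == plan.lock_order[-1]:
            plan.lockout_complete = True
    return True, reason


def demo_scenario():
    """Constructed walk-through on three locks in one plan; returns the
    allowed/denied verdict of each request, in order."""
    locks = {i: LockRecord(i, False, "pump-house", iso_plan_id=1) for i in range(3)}
    plans = {1: IsolationPlan(1, [0, 1, 2])}
    requests = [
        ("lock", 1, "pump-house"),      # denied: lock 0 must be locked first
        ("lock", 0, "pump-house"),      # allowed
        ("unlock", 0, "pump-house"),    # denied: plan not fully locked out yet
        ("lock", 1, "pump-house"),      # allowed
        ("lock", 2, "control-room"),    # denied: client is not at the lock
        ("lock", 2, "pump-house"),      # allowed, lockout now complete
        ("unlock", 0, "pump-house"),    # denied: locks 1 and 2 still secured
        ("unlock", 2, "pump-house"),    # allowed: reverse order starts at lock 2
    ]
    return [apply_request(a, i, where, locks, plans)[0] for a, i, where in requests]


if __name__ == "__main__":
    print(demo_scenario())  # [False, True, False, True, False, True, False, True]
```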

5.2.5 Anomaly Detection

When locking or unlocking a lock, after checking the compliance of the lock, the

server conducts anomaly detection to ensure there is no unusual behavior from the

lock. To implement this anomaly detection, the server uses the DBSCAN algorithm

to detect outliers in the data. DBSCAN is a density-based data clustering algorithm:

given a set of points, it creates clusters from closely grouped points and

marks the outliers as noise [10]. At the boot-up of the server, it creates a data set of

points generated from lock status updates. The server then sends the data set to the

DBSCAN algorithm. DBSCAN will then create clusters from the data by calculating

the distance between each node to generate clusters. The nodes on the edges of the

cluster act as a border, and any node falling outside all clusters is labeled as an outlier.

Whenever there is a lock status update request, after checking for rule compliance,

the server will check if the new point falls within the clusters. If it does not, it will

flag the update as suspicious behavior and ask for 2FA again. If it does not flag the

update as suspicious or the 2FA is completed, the server will execute the lock update

request.
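An added example (not the thesis's own code) of the anomaly check above, with a minimal DBSCAN written out in full; the feature encoding (hour of day, lock ID), the eps and min_pts values, and the training points are constructed assumptions rather than the thesis's data.

```python
# Added example, not the thesis's own code: a minimal DBSCAN over feature
# vectors built from lock status updates, plus the server-side check of
# whether a new update falls inside an existing cluster. Features, eps and
# min_pts are assumptions for this example.
import math
from typing import List, Sequence, Tuple

NOISE = -1
Point = Tuple[float, ...]


def _dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _neighbours(points: Sequence[Point], idx: int, eps: float) -> List[int]:
    """Indices of all points within eps of points[idx] (idx itself included)."""
    return [j for j, q in enumerate(points) if _dist(points[idx], q) <= eps]


def dbscan(points: Sequence[Point], eps: float, min_pts: int) -> List[int]:
    """Label every point with a cluster number (>= 0) or NOISE (-1)."""
    labels: List = [None] * len(points)
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        nb = _neighbours(points, i, eps)
        if len(nb) < min_pts:
            labels[i] = NOISE          # may still become a border point later
            continue
        labels[i] = cluster            # i is a core point: start a new cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:
                labels[j] = cluster    # border point: joins, but is not expanded
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = _neighbours(points, j, eps)
            if len(nb_j) >= min_pts:   # j is also core: keep growing through it
                queue.extend(k for k in nb_j if labels[k] is None or labels[k] == NOISE)
        cluster += 1
    return labels


def core_points(points, labels, eps, min_pts):
    """Indices of core points: in a cluster and with at least min_pts neighbours."""
    return [i for i in range(len(points))
            if labels[i] != NOISE and len(_neighbours(points, i, eps)) >= min_pts]


def is_anomalous(new_point, points, labels, eps, min_pts):
    """True when the new update lies outside every cluster, i.e. is not within
    eps of any core point. This is the outcome that triggers a second 2FA prompt."""
    return not any(_dist(new_point, points[i]) <= eps
                   for i in core_points(points, labels, eps, min_pts))


def training_points() -> List[Point]:
    """Constructed 'compliant' updates as (hour of day, lock ID) pairs: three
    locks serviced in the morning, lock 2 also serviced mid-afternoon."""
    pts = [(h, float(lock_id)) for lock_id in (0, 1, 2)
           for h in (8.0, 8.5, 9.0, 9.5, 10.0)]
    pts += [(h, 2.0) for h in (14.0, 14.5, 15.0, 15.5)]
    return pts


if __name__ == "__main__":
    pts = training_points()
    labels = dbscan(pts, eps=0.75, min_pts=3)
    for update in [(9.2, 1.0), (3.0, 0.0), (14.5, 0.0)]:
        flag = is_anomalous(update, pts, labels, eps=0.75, min_pts=3)
        print(update, "suspicious" if flag else "normal")
```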

Figure 5.1: Figure of the DBSCAN Algorithm [31]

5.3 Client

The client serves 2 main functions, sending requests to the server and communicating

directly with the lock once given permission from the server. The client is the way

for the user to interact with the system. On boot-up, the client will ask the user

to sign in. Once the user’s credentials are entered, the client socket will connect to

the server socket and send a check_password request. If the credentials are incorrect,

the server will reject the user and will ask them to sign in again. When the correct

credentials are entered, the client will display each option the user is allowed to do.

Each option corresponds to one of the database methods and an additional option

to exit the client. Once an option is selected and any additional parameters for that

option are filled in by the user, the client will build the request string. Then the client

socket connects to the server socket and sends the request to the server. Once the

server is done processing the request, the client will receive a message from the server

and display it to the user. If the request was a lock or unlock request, the client will

then connect to the lock socket.

5.4 Lock

In this simulation, a lock is a simple object that contains the information associated

with it in the database and a socket for the client to connect to. Whenever the client

connects to the lock, the lock will check if the client is authorized to open the lock and

will update their instance attributes with this information. This includes the isolation

plan, the current location, and authorized workers. These are stored as JSON objects which

can be sent to the client if they need to be updated in the database.

Chapter 6

VALIDATION OF FEATURES, SIMULATION DESIGN, AND RESULTS

In this chapter, I will validate the features from the design that I implemented as well

as discuss the testing that went into validating those features.

6.1 Validating Functions

To validate each function introduced in System Design, I ran a test for each function.

The following tests correspond to the features:

• Start-up and Logging in.

• Viewing Table Data.

• Unlocking and Locking a Lock outside of an Isolation plan.

• Creating and ending an Isolation Plan.

• Unlocking and Locking a Lock during an Isolation Plan.

Start-up and logging in will test the basic start-up functions of the server and client.

This includes the server being able to connect to the database on initialization, the

client being able to connect to the server on initialization, and the server will properly

check the user credentials and log them in.

Viewing table data will first test if the client can make requests to the server, then it

will check if the server can request the table data of the lock table and isolation plan

table. Then the table data should be sent from the server to the client and displayed

on the client interface.

Unlocking and locking a lock outside of an isolation plan will check if the basic

lock features are running properly. This includes the client sending the request to

the server, the server processing the request, and changing the lock status in the

database.

Creating and ending an isolation plan tests the features for making isolation plans. This includes creating an isolation plan, adding a lock order and location to that isolation plan, and canceling the isolation plan. Each function follows the basic client-server request flow, which is already exercised by the viewing table data test. In addition, the rule-based system is tested to see whether the rule set is properly implemented.

Unlocking and locking a lock during an isolation plan checks the unlocking and locking rules during isolation plans. It also tests the machine learning component, as that is part of the unlocking request flow during isolation plans.

6.2 Machine Learning Experiment

I hypothesize that the combination of the rule-based and anomaly detection systems

will greatly increase the safety of workers by catching accidents before they happen.

To test this hypothesis, I evaluate the accuracy of the rule-based system and machine

learning separately and together. I created a data set of 500 random compliant lock

status updates to train the affinity propagation and 100 random lock status update

points to test both systems on. These lock updates contain the following 5 parameters:

1. Lock ID: used 3 total locks of IDs 0, 1, 2.

2. Lock status: Whether the lock was unlocked or locked.

3. Location: set to 2 different locations.

4. Isolation plan: If it is in an isolation plan.

5. Compliance: If this lock status update was compliant with the rules.

6. 2FA: If the 2-factor authentication was authenticated.

7. Ready: If the lock was ready to lock or unlock.

Table 6.1: List of Feature Tests to the System Features

Test                                      Features
Start-Up and Login                        - Client can connect to server
                                          - User Table is connected
                                          - Server is able to initialize
Viewing Tables                            - Lock table is connected
                                          - Isolation table is connected
Unlocking and Locking outside of          - Lock status properly updates
Isolation Plan                            - Lock location update
Creating and Ending Isolation Plan        - Rule Sets During Isolation Plans
                                          - Creation of Isolation Plans
                                          - Ending of Isolation plan
Locking and Unlocking during              - Server Unlock flow
Isolation Plan                            - Lock order during isolation plans
                                          - Anomaly detection
Machine Learning test                     - Rule-based system for Isolation Plans
                                          - ML working

In the data set, I check how many LOTO violations were detected: data points where the lock is not compliant with LOTO rules, and data points with potentially suspicious behavior. Suspicious behavior includes the lock not being compliant but being ready for unlock. For evaluation metrics, I use precision, recall, and F1 score to determine how well each system does by itself and how well the systems work in tandem. I also include confusion matrices for each system to see whether they are producing false positives or false negatives.

6.3 Results

Table 6.2: Measurements of Precision, Recall and F1 of the Rule-Based and ML Based Systems

System              Detected Violations (out of 60)   Precision   Recall   F1 Score
Rule Based          46                                1           .766     .868
Anomaly Detection   27                                .593        .314     .421
Combined            56                                1           .933     .966

Table 6.3: Confusion Matrices for Rule-Based, Machine learning, and Combined Systems

Rule Based       Predicted Positive (PP)   Predicted Negative (PN)
Positive (P)     46                        14
Negative (N)     0                         0

Machine Learning   PP   PN
P                  16   44
N                  11   0

Combined   PP   PN
P          56   4
N          0    0

In the testing set of 100 random lock states, 60 total LOTO violations were found using an outside system. These were mostly rule compliance violations with some suspicious behavior. Table 6.2 shows how each system fared separately and combined. The rule-based system checks whether each lock status update is compliant with the rules or not. The system’s 100% precision is due to it only checking whether the rules were being followed by the lock status update. If the status update failed compliance in any way, the rule-based system would simply flag the update as non-compliant. Therefore, it produced no false positives. However, the rule-based system was not able to detect suspicious behavior. On the contrary, anomaly detection by itself was not able to detect most of the non-compliant updates, but it was able to detect some suspicious behavior points. It also had quite a few false positives. This may be because the training data set is more random. When the systems were combined, the combination of the 2 systems was able to detect more of the violations without getting any false positives. This is due to the rule-based system being very strict on which data points are violations, meaning that it rules out the false positives of the anomaly detection. In return, the anomaly detection could detect suspicious lock behavior that the rule-based system thought was compliant.
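The evaluation described above, as an added example that is not the thesis simulation's code: a rule-based checker, a density-based anomaly test in the spirit of DBSCAN (Section 7.2.4) that stands in for the trained model, their OR combination, and precision, recall, F1 and confusion matrices computed for each. The seven-field record follows Section 6.2; the training and test records, the rule (only the compliance flag), the eps/min_pts thresholds and the ground-truth labels are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product
from math import dist

@dataclass(frozen=True)
class LockUpdate:
    """One lock status update with the seven fields listed in Section 6.2."""
    lock_id: int
    locked: bool
    location: int
    in_plan: bool
    compliant: bool
    twofa: bool
    ready: bool

    def vector(self):
        # Numeric form used by the distance-based anomaly test.
        return (self.lock_id, int(self.locked), self.location, int(self.in_plan),
                int(self.compliant), int(self.twofa), int(self.ready))

def rule_violation(u):
    """Rule-based system (assumed rule): flag every update that fails LOTO compliance."""
    return not u.compliant

def anomaly_detector(train, eps=1.5, min_pts=3):
    """Density test in the spirit of DBSCAN, standing in for the trained model: an update
    is anomalous when fewer than min_pts compliant training points lie within eps of it."""
    vecs = [t.vector() for t in train]
    return lambda u: sum(dist(u.vector(), v) <= eps for v in vecs) < min_pts

def confusion(pred, truth):
    """(TP, FP, FN, TN) counts; positive means 'flagged as a violation'."""
    tp = sum(p and t for p, t in zip(pred, truth))
    fp = sum(p and not t for p, t in zip(pred, truth))
    fn = sum(t and not p for p, t in zip(pred, truth))
    return tp, fp, fn, len(truth) - tp - fp - fn

def precision_recall_f1(tp, fp, fn):
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    return p, r, (2 * p * r / (p + r) if p + r else 0.0)

# Constructed training set: every compliant, 2FA-verified, ready combination of lock ID
# (0-2), lock state, location (0-1) and plan membership, 24 points in total.
TRAIN = [LockUpdate(i, lk, loc, plan, True, True, True)
         for i, lk, loc, plan in product(range(3), (True, False), range(2), (True, False))]

# Constructed test set with ground-truth labels (True = LOTO violation).
TEST = [
    (LockUpdate(0, True, 0, True, True, True, True), False),    # ordinary compliant update
    (LockUpdate(1, False, 1, False, False, True, True), True),  # non-compliant unlock
    (LockUpdate(2, False, 0, True, True, False, False), True),  # marked compliant, yet unlocked in a plan, no 2FA, not ready
    (LockUpdate(2, True, 1, False, True, True, True), False),   # ordinary compliant update
    (LockUpdate(0, True, 3, False, True, True, True), False),   # compliant, but at a location unseen in training
]

def evaluate(test=TEST, train=TRAIN):
    """Score rule, anomaly and OR-combined detectors: {name: ((TP, FP, FN, TN), (P, R, F1))}."""
    truth = [t for _, t in test]
    anomalous = anomaly_detector(train)
    preds = {"rule": [rule_violation(u) for u, _ in test],
             "anomaly": [anomalous(u) for u, _ in test]}
    preds["combined"] = [a or b for a, b in zip(preds["rule"], preds["anomaly"])]
    return {name: (confusion(p, truth), precision_recall_f1(*confusion(p, truth)[:3]))
            for name, p in preds.items()}
```

On this constructed set the rule-based checker is fully precise but misses the suspicious update, the anomaly test catches it at the cost of a false positive on the unseen location, and the OR combination reaches full recall; the same harness scores any other detector pair.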

Chapter 7

CONCLUSION AND FUTURE WORK

In this chapter, the conclusion and future work are presented.

7.1 Conclusion

In this thesis, I investigated Lockout Tagout, the universal safety protocol used by every worksite involving hazardous energy sources and dangerous machinery. In this study, we learned that LOTO is a very involved procedure in which trained authorized employees lock and tag hazardous energy sources or dangerous machines, place locks and tags, ensure power is shut down, perform the maintenance, then undo the lockout. LOTO has many standards and a thorough set of steps that ensure the safety of workers. These standards range from the types of devices that can be used to who can conduct LOTO, that being only authorized employees who have been trained to do so.

We also learned that while LOTO has been the industry standard for 32 years, it is not without its issues. Improper LOTO and incidents that happen due to human error or improper training can be fatal in these situations. To combat this, the industry has been moving more toward digital LOTO solutions. Digital LOTO lets leaders in the procedure better conduct LOTO through better communication and data gathering. There are a few different companies that have created digital LOTO products. Most of these products are a set of smart locks combined with an application to keep track of some data related to LOTO. Looking into the efforts to create digital systems to aid LOTO, we found that some of them are inadequate, such as in the security aspect of the locks. As well, the academic world has mostly not explored this topic greatly, though there have been some efforts to introduce IoT systems to streamline LOTO.

Converting traditional LOTO to digital is not without challenges; to design our system, we had to keep in mind the many standards and requirements of LOTO. The system we designed integrates a rule-based system with machine learning. To better guide employees and prevent violations of LOTO, the rule-based system checks lock and unlock requests against the rules of LOTO. Meanwhile, machine learning can catch anomalous lock behavior. Combining rule-based and machine learning allows the whole system to detect most potential LOTO violations. In my testing, the combination of the systems was able to get 100% precision and a high recall and F1 score when trying to detect LOTO violations. While the system is not perfect, as it will miss some potential LOTO violations, it can detect most violations and prevent them. This would greatly reduce the number of human errors during LOTO, which is one of our original goals.

7.2 Future Work

This thesis is a part of a larger project in collaboration with Chevron to help improve LOTO for an oil field. One of my goals in this thesis is to set a road ahead for future students working on this project. As my implementation of the digital LOTO system was a simulation of the design, future work would include the implementation of this system in physical locks. There are a myriad of additional improvements needed before this system can be implemented in the field for practical usage. As well, since this is part of the quickly advancing field of IoT, there could be new technology or designs that would improve this system. In this section, I will go over various limitations and possible improvements to the proposed system for practical usage.

7.2.1 Limitations of the Simulation

Since this is only a simulation of the system, there are functionalities that were planned but could not be implemented, could not be implemented well, or were outside the scope of the simulation. One of them is that I was unable to accurately simulate the GPS function of the lock. Python has some libraries to be able to do this, and in my simulation I tried implementing it; however, it is not very useful in a simulation run from a local machine, where the GPS function only sees that every lock is in the same place. I ended up allowing for manual input of locations.

7.2.2 Separation of Lock History and Isolation Plans

Currently, as it stands, the isolation plan table tries to stand in as a lock history table. This was done because I assumed that locks would mostly be unlocked and locked during isolation plans. However, it was pointed out to me by my committee members that it would be better to make an additional table to contain lock history. This would allow better and more detailed tracking of locks, as well as a more suitable source of data for the ML.

7.2.3 Rule-Based System

Currently, the rule-based system is only configured with a single rule set for isolation plans, which is the lock order. One of the features that was planned was the ability to configure multiple rule sets per isolation plan; however, this ended up out of scope. The database currently supports multiple rule set selections with the intent that the rule-based system can be configured differently for each isolation plan. However, the server currently has the rule set hard-coded into the system. A future implementation would have a dynamic way to swap rule sets when there is a need to configure an isolation plan for a different LOTO program.

7.2.4 Machine Learning

For this simulation, the system uses one of the simpler clustering algorithms, DBSCAN. Using a more robust way to detect outliers or clusters can increase the ability of the system to detect suspicious lock behavior or LOTO violations. In addition, it would be valuable to test this system on a real data set of isolation plans, so that the performance of the system could be checked in a real-world application. As it currently stands, there is the issue of a lack of data, which causes issues for the ML system as it cannot function at a cold start. It would flag everything as irregular behavior due to a lack of data. One solution to this is to turn off the ML system until it has gathered enough data.

7.2.5 Security and Privacy

In the current field of IoT devices, there is a big issue in the lack of security and privacy. Most market IoT devices are very easy to hack and steal data from. The simulation was not built with these issues in mind. In future work on this project, such as a practical implementation, there should be consideration of how to secure the locks in the system. As well, there should be additional security in communications between the client and server. One suggestion I received was the server supplying clients with authorization keys. This is another layer of authorization that will guarantee that the lock or database cannot be maliciously updated.
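The server-supplied authorization keys suggested above, as an added example (not the thesis code): the server issues each logged-in client a random key, the client authenticates every lock or database update with an HMAC-SHA256 tag over the request, and the server verifies the tag in constant time and rejects any nonce it has already accepted. The message layout, the client identifiers and the HMAC construction are assumptions, not the thesis design.

```python
import hashlib
import hmac
import secrets

class AuthServer:
    """Server side: issues per-client authorization keys and verifies update requests."""

    def __init__(self):
        self._keys = {}            # client_id -> key issued after login
        self._seen_nonces = set()  # every accepted nonce, so a captured request cannot be reused

    def issue_key(self, client_id):
        """Hand a freshly generated random key to a client that has just logged in."""
        key = secrets.token_bytes(32)
        self._keys[client_id] = key
        return key

    @staticmethod
    def message(client_id, lock_id, status, nonce):
        # Canonical byte string covered by the tag (assumed layout); binding the client ID
        # and nonce means a tag is valid for one client and one request only.
        return f"{client_id}|{lock_id}|{status}|{nonce}".encode()

    def verify_update(self, client_id, lock_id, status, nonce, tag):
        """Accept a lock/database update only if its tag verifies under the client's
        key and the nonce has not been seen before."""
        key = self._keys.get(client_id)
        if key is None:
            return False
        expected = hmac.new(key, self.message(client_id, lock_id, status, nonce),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False
        if nonce in self._seen_nonces:
            return False
        self._seen_nonces.add(nonce)
        return True

def sign_update(key, client_id, lock_id, status):
    """Client side: build an update request authenticated with the server-issued key."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, AuthServer.message(client_id, lock_id, status, nonce),
                   hashlib.sha256).digest()
    return client_id, lock_id, status, nonce, tag
```

A request whose status field was altered in transit, a request presented twice, or a request signed with a key the server never issued is refused without touching the lock table.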

7.2.6 Fault Tolerance

As it currently stands, this simulation has weak fault tolerance. There should be changes to improve the fault tolerance in multiple areas, specifically during communications between the database, server, client, and lock during updates. The server should wait for acknowledgment from the client that the lock has been properly updated. If the server does not receive this acknowledgment, it should roll back changes to the database. In addition, if the server loses communication with the database during updating it, the server should cancel the client’s request and send them an error message to inform them.
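The acknowledge-or-roll-back flow described above, as an added example (not the thesis simulation): the status write, the wait for the client's acknowledgement and the roll-back on failure are one SQLite transaction, and a lost database connection turns into an error the server can return to the client. The locks table schema and the wait_for_ack callable (standing in for the client socket round trip with a timeout) are assumptions.

```python
import sqlite3

class UpdateFailed(Exception):
    """The update was not committed; the server answers the client with an error message."""

def open_db():
    # Constructed in-memory database with the assumed lock table and two locked locks.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locks (id INTEGER PRIMARY KEY, status TEXT NOT NULL)")
    conn.executemany("INSERT INTO locks VALUES (?, ?)", [(0, "locked"), (1, "locked")])
    conn.commit()
    return conn

def update_lock_status(conn, lock_id, new_status, wait_for_ack):
    """Write the new status inside one transaction and hold it open until the client
    acknowledges that the physical lock changed. The write is committed only on a
    positive acknowledgement; a missing or negative one, an unknown lock, or a lost
    database connection rolls the change back and surfaces as UpdateFailed."""
    try:
        with conn:  # sqlite3 connection context: commit on success, rollback on any exception
            cur = conn.execute("UPDATE locks SET status = ? WHERE id = ?",
                               (new_status, lock_id))
            if cur.rowcount != 1:
                raise UpdateFailed(f"unknown lock {lock_id}")
            # wait_for_ack stands in for the client round trip (e.g. a socket read with a
            # timeout); it returns True only for an acknowledgement received in time.
            if not wait_for_ack(lock_id, new_status):
                raise UpdateFailed(f"no acknowledgement for lock {lock_id}; change rolled back")
    except sqlite3.Error as exc:
        # Database lost mid-update: cancel the client's request with an error message.
        raise UpdateFailed(f"database unavailable: {exc}") from exc
    return True

def lock_status(conn, lock_id):
    """Current status of a lock as recorded in the database."""
    return conn.execute("SELECT status FROM locks WHERE id = ?", (lock_id,)).fetchone()[0]
```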

7.2.7 Practical Implementation

For future practical implementation, there are a few things that need consideration. Regarding LOTO standards, locks need to be standardized in shape and color and need to be durable such that they do not break during LOTO. There are also other additional factors in regard to using smart locks, such as battery life and connectivity. In addition, a mobile application should be made so the users can access the client interface from their mobile devices. As well, there should be careful consideration of the type of communication between clients and locks. This simulation does not go over it as it is out of scope, but the type of connection, such as Bluetooth, Wi-Fi, or Zigbee, is important as there are security implications for each connection type.
