If there is one area of the Safety Management System that separates a competent operation from a box-ticking exercise, it is the quality of risk assessments and the discipline of the permit to work system. ISM Code Section 7 requires that the company establish procedures for key shipboard operations — but the Code deliberately does not prescribe how to conduct risk assessments or structure permits to work. That flexibility is both a strength and a trap. It means every vessel can tailor the system to its operations, but it also means that many yachts operate with risk assessments that are copied from the internet, never reviewed, and disconnected from the actual work being done on board.
This guide covers the regulatory basis, the methodology for writing risk assessments that actually protect people, the permit to work system in practice, and the findings that surveyors raise most frequently during ISM audits.
ISM Code Requirements
Section 7 — Development of Plans for Shipboard Operations
ISM Code Section 7 states:
“The Company should establish procedures, plans and instructions, including checklists as appropriate, for key shipboard operations concerning the safety of the personnel, ship and protection of the environment. The various tasks should be defined and assigned to qualified personnel.”
This is the legal basis for your risk assessment and permit to work system. The phrase “key shipboard operations” covers any activity that could result in injury, pollution, or damage to the vessel. On a superyacht, that includes a remarkably wide range of tasks — from confined space entry in ballast tanks to the apparently simple act of deploying a passerelle.
Section 1.2.2 — Safety and Environmental Protection Policy
The company’s policy must include “instructions and procedures to ensure safe operation of ships and protection of the environment in compliance with relevant international and flag State legislation.” Risk assessments and permits to work are the primary mechanism for translating this policy into operational reality.
Section 9 — Reports and Analysis of Non-Conformities, Accidents and Hazardous Occurrences
When an incident occurs, the investigation should examine whether a risk assessment existed, whether it was adequate, and whether a permit to work was required but not used. This feedback loop — from incident back to risk assessment — is fundamental to continuous improvement under the ISM Code.
Types of Risk Assessment
Generic Risk Assessments
Generic risk assessments cover routine, recurring tasks where the hazards are well-understood and the control measures are standardised. They form the baseline library of the vessel’s risk management system.
Examples of generic risk assessments on a superyacht:
| Task | Key Hazards |
|---|---|
| Tender launch and recovery | Crush injuries, man overboard, mechanical failure, communication breakdown |
| Engine room maintenance (general) | Burns, entanglement, slips, chemical exposure, noise |
| Anchor windlass operation | Crush injuries, chain run, snap-back, equipment failure |
| Galley operations | Burns, cuts, slips, fire, manual handling |
| Diving operations (hull cleaning) | Drowning, propeller strike, decompression, communication failure |
| Fuel bunkering | Spill, fire, explosion, overfill, static discharge |
| Passerelle deployment | Crush injuries, fall from height, electrocution (shore power proximity) |
Generic risk assessments should be reviewed at least annually and after any related incident. They should be readily accessible — not buried in a filing cabinet in the captain’s office.
Task-Specific (Dynamic) Risk Assessments
Task-specific risk assessments are conducted for non-routine work or work in unusual conditions. They supplement the generic assessment by addressing the specific circumstances of a particular task on a particular day.
A task-specific assessment is required when:
- The work is not covered by an existing generic assessment
- Conditions differ significantly from the generic assessment (e.g., working at height in heavy weather)
- Multiple trades or contractors are working simultaneously in the same area
- The task involves hazardous substances, ignition sources, or confined spaces
- The work is being performed for the first time or by inexperienced personnel
Risk Assessment Methodology
The 5x5 Risk Matrix
The most widely used methodology on commercial yachts is the 5x5 risk matrix, which scores likelihood and severity on scales of 1-5:
Likelihood Scale
| Score | Descriptor | Definition |
|---|---|---|
| 1 | Rare | Could occur only in exceptional circumstances |
| 2 | Unlikely | Could occur but not expected |
| 3 | Possible | Might occur at some time |
| 4 | Likely | Will probably occur in most circumstances |
| 5 | Almost certain | Expected to occur in most circumstances |
Severity Scale
| Score | Descriptor | Definition |
|---|---|---|
| 1 | Negligible | Minor injury (first aid), negligible damage |
| 2 | Minor | Medical treatment required, minor damage |
| 3 | Moderate | Serious injury, significant damage, minor pollution |
| 4 | Major | Single fatality, major damage, serious pollution |
| 5 | Catastrophic | Multiple fatalities, total loss, major pollution |
Risk Rating = Likelihood x Severity
| Risk Score | Rating | Action Required |
|---|---|---|
| 1-4 | Low | Proceed with standard controls. Monitor. |
| 5-9 | Medium | Additional controls may be required. Senior officer approval. |
| 10-16 | High | Significant additional controls required. Master’s approval. Permit to work likely required. |
| 17-25 | Very High | Do not proceed without formal review. Consider alternative methods. Permit to work mandatory. |
The Hierarchy of Controls
Every risk assessment must apply controls in the following order of effectiveness:
- Elimination — Can we avoid the task entirely? Can we remove the hazard?
- Substitution — Can we use a less hazardous method, substance, or equipment?
- Engineering controls — Physical barriers, ventilation, guarding, isolation
- Administrative controls — Procedures, training, signage, supervision, permits to work
- Personal Protective Equipment — The last line of defence, not the first
Permit to Work Systems
When Is a Permit Required?
A permit to work is a formal, documented authorisation system that ensures hazardous work is properly planned, risk-assessed, and controlled before it begins. The following categories of work should always require a permit on a superyacht:
| Permit Type | Triggers |
|---|---|
| Hot Work | Any work involving open flame, welding, cutting, grinding, or heat-producing equipment outside designated workshop areas |
| Confined Space Entry | Entry into any space not designed for continuous human occupancy — ballast tanks, void spaces, chain lockers, fuel tanks, sewage tanks |
| Working at Height | Any work above 2 metres where there is a risk of falling — mast work, crane maintenance, hull work from staging, bosun’s chair operations |
| Electrical Isolation | Work on electrical systems requiring isolation of circuits — switchboard maintenance, shore power connections, battery bank work |
| Diving Operations | Any in-water work — hull cleaning, propeller polishing, underwater inspections, sea chest clearing |
| Cold Work in Hazardous Areas | Non-spark-producing work in or adjacent to fuel tanks, battery rooms, or spaces with flammable atmospheres |
Permit Structure
A well-designed permit to work form includes:
| Section | Content |
|---|---|
| 1. Description of work | What is being done, where, and by whom |
| 2. Risk assessment reference | Which RA covers this task (generic + task-specific) |
| 3. Hazard checklist | Pre-printed checklist of common hazards for this permit type |
| 4. Precautions and controls | Specific measures to be in place before work starts |
| 5. Atmospheric testing (if applicable) | O2, LEL, H2S readings with time, location, and instrument ID |
| 6. Authorisation | Signed by the authorising officer (typically the Chief Engineer or Chief Officer) |
| 7. Acceptance | Signed by the person performing the work, confirming understanding of controls |
| 8. Completion / Cancellation | Signed when work is complete and the area is restored to normal condition |
| 9. Validity period | Maximum duration — typically one watch period (no more than 12 hours) |
Confined Space Entry: The Most Critical Permit
Confined space entry kills more seafarers per year than almost any other single hazard category. The permit must verify:
- The space has been ventilated for an adequate period
- Atmospheric testing confirms: O2 20.9% (+/- 0.5%), hydrocarbon (LEL) <1%, H2S <5 ppm, CO <25 ppm
- Continuous ventilation is in place during entry
- A standby person is stationed at the entry point with communication and rescue equipment
- The person entering has a means of communication with the standby
- Rescue procedures are established and rescue equipment is available at the entry point
- The permit is prominently displayed at the point of entry
Hot Work: Controlling Ignition Sources
The hot work permit must verify:
- Fire detection systems in the area are notified / temporarily isolated (with the bridge informed)
- All combustible materials within 10 metres are removed or protected with fire-resistant blankets
- A fire watch is posted with an extinguisher appropriate to the materials present
- If work is on or adjacent to fuel/oil systems, the system is drained and gas-free tested
- The fire watch continues for a minimum of 30 minutes after hot work is completed
- Permits for hot work are never issued for open-ended durations
Working at Height
The permit must address:
- Appropriate fall prevention or fall arrest equipment is inspected and in use
- The work area below is cordoned off to prevent injury from dropped tools or materials
- Tools are tethered or carried in pouches
- Weather conditions are assessed and work is suspended if wind or sea state makes it unsafe
- A rescue plan is in place for a worker suspended in a fall arrest harness (suspension trauma can be fatal within 20 minutes)
Common Survey and Audit Findings
Based on ISM audits and flag state inspections, the most frequently raised non-conformities and observations related to risk assessments and permits to work are:
- Risk assessments exist but are not used — Crew cannot locate the relevant RA for their current task, or the RA is in a language they do not understand.
- No task-specific assessments — The vessel has generic RAs but no evidence that dynamic assessments are conducted for non-routine work.
- Permits not closed out — Hot work or confined space permits remain open after work is complete, indicating the completion/cancellation section is not being used.
- Atmospheric testing not recorded — Confined space entry permits show no instrument readings, or the gas detector’s calibration has expired.
- No review after incidents — An incident occurred during a task covered by a risk assessment, but the RA was not reviewed or updated.
- Control measures inadequate — The RA identifies the hazard but the control measure is generic (“take care”) rather than specific and actionable.
- No competency evidence — Crew assigned to issue permits or conduct risk assessments have no documented training in the methodology.
Regulatory References
- ISM Code — International Safety Management Code, IMO Resolution A.741(18), as amended by MSC.273(85), MSC.353(92), MSC.412(97), and MSC.461(101)
- SOLAS Chapter IX — Management for the Safe Operation of Ships
- MCA LY3 — Large Yacht Code, Section 18 (Safety Management)
- IMO Resolution A.1071(28) — Revised Guidelines on the Implementation of the ISM Code
- IMO Resolution A.1050(27) — Revised Recommendations for Entering Enclosed Spaces Aboard Ships
- MCA MGN 309 — Guidance on Entry into Enclosed Spaces
- ILO Code of Practice — Safety and Health in Shipbreaking (confined space and hot work guidance applicable to maintenance contexts)
Risk assessments and permits to work are the operational backbone of the ISM Code. They are not paperwork — they are the mechanism by which you identify what can kill your crew and put controls in place to prevent it. Write them properly, use them consistently, and review them honestly. That is what the ISM Code demands, and it is what your crew deserve.
Related Template
Preview all templates →Related Articles
Yacht SMS Requirements Under 500GT: ISM Code Explained
ISM Code SMS requirements for yachts under 500GT. Mini-ISM vs full ISM, flag state expectations, what your SMS must contain, and practical implementation guidance.
Yacht SMS Requirements: What You Actually Need in 2025
Complete guide to Safety Management System requirements for yachts. Learn what's required for full ISM vs mini-ISM, which flags need what, and how to build an SMS that passes survey.
Standing Orders for Bridge and Engine Room: ISM Code Requirements
A detailed guide to standing orders for bridge and engine room on superyachts, covering STCW A-VIII/2 requirements, ISM Code Sections 5 and 7, what standing orders must include, and how surveyors assess them during audits.