Global Bunker Prices
Last update --:-- UTC
HomeEngine RoomEngine Room, Latest Articles

Permits to Work & LOTO

10 January 2026 7 min read Engine Room, Latest Articles
Share: X LinkedIn Email

The System That Physically Prevents People Being Killed by Machinery

Why Permits and Isolations Exist at All

Every fatal machinery accident at sea shares the same root cause:

Energy that should have been controlled was not.

Not misunderstood.
Not unknown.
Not mysterious.

Simply present when people believed it was not.

Permits to Work (PTW) and Lock-Out / Tag-Out (LOTO) exist to impose discipline on hazardous energy, not to generate paperwork. When these systems fail, they fail catastrophically and immediately — crushing, scalding, electrocution, explosion, or asphyxiation.

For engineers, PTW and LOTO are not administrative layers above the job.
They are the mechanism by which a job becomes survivable.

A failure within the PTW system would ultimately result in the loss of 165 men onboard the oil rig Piper Alpha – Read the Piper Alpha article here

1. The Relationship Between PTW and LOTO

A Permit to Work is a control authority.
LOTO is a physical barrier.

They are inseparable.

A PTW defines:

  • What work is allowed
  • Where it is allowed
  • Who is authorised
  • Under what conditions
  • With what isolations in place

LOTO ensures:

  • Energy cannot be reintroduced
  • Isolation remains intact
  • Human error cannot re-energise systems
  • No individual can unknowingly expose another to danger

A permit without isolation is permission to be injured.
An isolation without a permit is an uncontrolled system state.

On ships, PTW governs work.
LOTO governs energy.
Safe maintenance requires both, executed in the correct order.

2. Identifying Energy: The First Failure Point

The most dangerous assumption in the engine room is:

“We’ve isolated it.”

Energy onboard ships exists in multiple simultaneous forms, often stored, hidden, or regenerated by process conditions.

These include:

  • Electrical (mains, control, emergency, stored capacitance)
  • Mechanical (rotation, gravity, spring tension)
  • Hydraulic (pressurised oil, trapped volumes)
  • Pneumatic (compressed air, control air, gas)
  • Thermal (steam, hot water, exhaust surfaces)
  • Chemical (fuel, chemicals, reactive residues)
  • Process energy (boilers, economisers, pressure vessels)

Fatal accidents almost never occur because no isolation was attempted.

They occur because one energy source was missed.

3. Isolation Is a Process, Not an Action

Closing a valve or opening a breaker is not isolation.
Isolation is the achievement and maintenance of a verified zero-energy state.

The complexity of isolation must match the risk.

For example:

A domestic hot water tank may be rendered safe by:

  • Isolating electrical supply
  • Closing inlet and outlet valves
  • Locking both points
  • Allowing temperature and pressure to decay

A high-pressure fuel gas or steam system may require:

  • Sequential valve closures
  • Pressure venting
  • Purging
  • Physical line breaks
  • Blanking or slip plates
  • Verification that pressure cannot re-accumulate

This is known as positive isolation — and it exists because relying on valves alone has killed people.

Over-isolating introduces complexity and risk.
Under-isolating introduces fatalities.

The risk assessment determines the isolation, not habit or convenience.

4. Why Isolations Themselves Are Hazardous

Isolation procedures introduce their own risks.

Engineers are injured during isolation more often than during the work itself.

Common failure modes include:

  • Misidentification of isolation points
  • Incorrect valve labelling
  • Complex isolation sequences under time pressure
  • Inadequate verification
  • Stored or regenerating energy
  • False position indicators
  • Isolation points operated remotely from worksite

The MAIB economiser fatality referenced in MGN 248(M) is a textbook example.

The system was:

  • Isolated from steam
  • Believed depressurised
  • Safety valves believed open
  • Still capable of pressurising via exhaust heat

The isolation appeared compliant, yet the hazard remained.

This is why MCA guidance explicitly requires:

  • Venting to atmosphere
  • Physical confirmation
  • Inclusion of secondary pressurisation mechanisms
  • Auditable proof of compliance

Isolation is only complete when energy cannot return by any credible mechanism.

5. Verification: The Step That Saves Lives

Verification is where LOTO becomes real.

No isolation is valid until it has been proved safe at the point of work.

Verification may include:

  • Pressure testing
  • Electrical testing
  • Gas detection
  • Physical inspection
  • Functional checks
  • Attempted start (“try-out”)

This is why modern standards emphasise LOTOTO
Lock Out, Tag Out, Try Out.

Try-out is not optional.
It exists because humans miss things.

Attempting to start a system after isolation — in a controlled, cleared condition — is the only way to confirm the absence of energy.

Every fatality that led to LOTOTO already involved a signed permit.

6. Lock-Out / Tag-Out as a Human Protection System

LOTO is designed around one principle:

No one should rely on another person’s memory or goodwill to stay alive.

A physical lock:

  • Prevents operation
  • Forces conscious removal
  • Cannot be overridden accidentally

A tag:

  • Communicates status
  • Identifies ownership
  • Links the isolation to the permit

On ships, best practice requires:

  • Plant lock applied first
  • Personal locks applied by each person
  • No shared keys
  • Group lock boxes for multi-discipline work

If a lock system requires bolt cutters to manage, the system has already failed.

Every lock represents a human who must personally confirm safety before re-energisation.

7. The Role of the Isolation Controller

The Isolation Controller is not an administrative function.
They are the custodian of energy safety.

Their responsibilities include:

  • Identifying all energy sources
  • Selecting the correct isolation method
  • Ensuring isolation integrity
  • Managing lock and key control
  • Verifying zero-energy state
  • Maintaining isolation throughout the job
  • Controlling re-energisation

Crucially, the Isolation Controller retains authority even if the job changes, pauses, or overruns.

Isolation does not end because work is inconveniently unfinished.

8. Permits to Work: Control of the Job, Not Just the Hazard

A Permit to Work formalises agreement.

Agreement that:

  • Hazards are understood
  • Controls are in place
  • Roles are clear
  • Communication is established
  • Emergency response is defined
  • Authority is accepted

Permits must be:

  • Time-limited
  • Location-specific
  • Task-specific
  • Cancelled or suspended when conditions change

A permit that runs automatically for 24 hours without reassessment is functionally meaningless.

This is why MCA guidance stresses:

  • Toolbox talks
  • Closed-loop communication
  • Stop-work authority
  • Management of change

When conditions change, the permit must change — or be suspended.

9. Testing, Re-Energisation, and the Most Dangerous Moment

The most dangerous phase of any job is testing and restoration.

People are tired.
Attention drops.
Assumptions return.

Safe systems require:

  • Controlled removal of isolations
  • Clear communication to all affected personnel
  • Physical confirmation of clearance
  • Re-application of isolations after testing if work continues

No isolation should be removed “temporarily” without explicit permit control.

Temporary re-energisation has killed more engineers than initial energisation.

10. Electronic and Digital Isolation Management

Electronic PTW and LOTO systems improve:

  • Traceability
  • Verification
  • Auditability
  • Cross-checking

RFID, bar-codes, and mobile verification do not replace physical isolation — they reduce human error in managing it.

They are only effective if:

  • Isolation points are correctly mapped
  • Systems are maintained
  • Overrides are controlled
  • Personnel understand the system

Technology amplifies discipline.
It cannot replace it.

11. Legal and Moral Reality

MCA guidance, COSWP, ISM, and MAIB findings are aligned on one point:

Failure to isolate correctly is not a technical failure. It is a management failure.

After an incident, investigators will ask:

  • Was isolation required?
  • Was it identified?
  • Was it implemented?
  • Was it verified?
  • Was it maintained?
  • Was re-energisation controlled?

If the answer is unclear, responsibility concentrates rapidly.

Conclusion – PTW and LOTO Are Physical Ethics

Permits to Work and Lock-Out / Tag-Out are not safety bureaucracy.

They are formalised restraint on human optimism.

They exist because:

  • People assume systems are safe
  • Systems behave unexpectedly
  • Energy does not forgive error

In the engine room, professionalism is not how fast a job is done.

It is whether everyone goes home alive — even when the job goes wrong.