Permit-to-work systems are as old as the most ancient engineering projects. A trove of translated texts from the ancient Middle East, from the Schøyen Collection, gives a window into life up to 5000 years ago. Among the discoveries are accounts of wars, religious texts and even legislation on how much interest should be paid on a bar tab.
The texts include accounts of the building of ziggurats (pyramid-like structures) by King Nebuchadnezzar II, showing evidence of a rudimentary permit-to-work system. One can picture the “permit controller” in a room full of clay tablets handing out 20 lashings for failure to adhere to the precautions cited on a permit!
Times have obviously changed since then, and the complexity of large-scale facilities and operations can necessitate thousands of active work orders on any given day. The complexity is often compounded by collaboration of multiple independent contractors. There are two broad approaches to organizing the permit-to-work systems in such sites. A “silo-based” approach uses a different sub-system for each contractor, with varying degrees of central oversight. An “integrated” approach enforces use of a single system.
The silo-based approach means less work on the contractor side, as they have established permit-to-work systems of their own, and are usually reluctant to adopt a new system, especially for smaller-scale projects. However, this approach means more work for the site management in fulfilling their obligation to achieve “as low as reasonably practicable” (ALARP) reduction of unsafe activities in non-trivial work environments. The inverse is true of the integrated approach. Figs. 1 and 2 graphically illustrate the silo-based and integrated approaches, respectively. The silo-based approach is clearly more complex than the integrated approach in the middle section (“Data Processing”) of the figure. This makes operations oversight more complicated for the asset owner. On the other hand, the silo approach avoids the necessity of each contractor adopting a single system, often despite having their own tailor-made systems in place.
This article will explore these two approaches from efficacy, legal, and moral perspectives, concluding with a summary of how the gold-standard is shifting to the integrated approach, which we can expect to see put into legislation within the next decade.
Efficacy of the two models is not a simple case of one being better than the other. In general terms, an integrated approach is superior, as it reduces the time taken for data to be processed and visualized, presents all data in a format easily understood by the site-owner/manager, and results in a standardized database for later use. However, its advantage in this respect scales with the size and complexity of the site. If a site has five full-time personnel and only ever uses one or two 3rd-party contractors for limited work, the advantage of the integrated approach over the silo-based is less pronounced, as the site-owner can relatively easily integrate the data from the outside contractors’ permit-to-work systems. However, as the scale and complexity of the site increases, the likelihood of human and/or systemic errors in the issuance and recording of permits to work increases. In a large mining operation, for example, the diversity of variables at play in ensuring safe continuance of production is more than a single person can grasp from the raw data alone, especially if it arrives at his or her desk in various different formats. This might seem like a simple administrative burden, but the increased timeliness of data visualization with an integrated approach can be crucial to avoiding an unplanned shutdown in emergent situations.
Figs. 1 and 2 graphically illustrate the silo-based and integrated approaches, respectively. As mentioned above, the silo-based approach is clearly more complex than the integrated approach in the middle section (“Data Processing”) of the figure. This complexity results in delivery of the permit-to-work data in different time-frames and formats depending on each contractors system. This makes it more difficult and time-consuming for the asset owner to answer questions such as what work is currently live, what work is planned for the future and when, how many people are currently working on site, and so on. In addition to enabling the asset owner to meet the obligation to effectively control risks, the integrated approach both speeds up and improve the quality and reliability of the answers to these questions.
The legal responsibilities for health and safety in the workplace are diverse and fall on different stakeholders/individuals. Under the UK regulations regime, considered among the best globally, the Health and Safety Executive (HSE) exercises broad discretion in the enforcement side of its activities. Under HSE41, the HSE is able to serve improvement and prohibition notices, withdraw approvals, vary licence conditions, and is mandated to prosecute or refer for prosecution if they consider activities, including poor risk management, to contravene the Health and Safety at Work Act (1974). Moreover, under HSE51, periodic inspection is a pre-condition for sites subject to a per missioning regime, to continue to show that they are effectively controlling risks.
The permit-to-work system is of increasing relevance to a site-owners’ obligation to achieving ALARP reduction of unsafe activities in non-trivial work environments. What counted as “reasonably practicable” (the “RP” in ALARP) twenty, or even ten years ago has changed in terms of [risk management]. With the continual refinement and expansion of data collection and management techniques, the bar has been raised for what is “reasonably practicable” in terms of permit-to-work system oversight. As one of many recent examples of HSE-instigated prosecutions hinging on failure to properly implement, control and/or oversee a permit-to-work system, the case of HSE vs. ConocoPhillips Ltd (UK) is outlined in the inset.
CONOCOPHILLIPS CASE STUDY
In 2016, the Court of Appeal ruled in favour of the HSE with respect to an appeal by Conoco Phillips (UK) Limited against the previous verdict, in which the judge had handed down a £3 million fine. The case concerned uncontrolled gas releases due to maintenance conducted under a permit-to-work system that was not properly implemented, controlled and overseen. The consequent release of more than 600 KG of natural gas put at risk 66 persons on the offshore site, 12 of whom were deemed to have been very seriously at risk. Fortunately, nobody was injured and there was no property damage or oil pollution caused. Nevertheless the HSE’s case hinged on the fact that the emergency response was hampered by two latent defects in the fire and gas system and in the emergency shutdown system, which should have been spotted under a rigorous permit-to-work system. One of these defects prevented the people managing the installation from monitoring gas releases. This in turn necessitated sending men into danger to ascertain the scale, nature, and timing of the release. The other defect misled the management into falsely believing that all the stored gas on the site had been vented. A further uncontrolled release was only narrowly avoided when a member of staff noticed the open value and took steps to close it; it was deemed to have been left so due to avoidable failures in the permit-to-work system.
Obviously, if a permit-to-work system is inadequate, it is not the root of all safety problems on a site. However, if a problem does occur that could have been averted by an up-to-date, rigorous permit-to-work system, and if the work environment is a hazardous one (anything beyond that of an office environment), then the site owner can be found negligent. Given the above, the permit-to-work system is fundamental to risk management at complex sites, and ensuring timeliness of availability of the data from the system (and high visibility of operation, maintenance and equipment condition) can be held as a legal obligation.
The practice of personnel safety is underpinned by an ethical obligation. The ethical route is frequently clear, such as when choosing between a legal option and an illegal one. However, at other times, multiple considerations may cloud a decision, especially in hazardous work environments.
Regarding the question of the more moral choice between silo-based and integrated approaches, in line with the discussion on relative efficacy of the two models, the answer depends on the scale and complexity of the operation (thought the advantage is generally with the integrated approach). If a site has five full-time personnel and only ever uses one or two 3rd-party contractors for limited work, the advantage of the integrated approach over the silo-based is less pronounced, as the site-owner can relatively easily integrate the data from the 3rd party’s permit-to-work systems.
However, as the scale and complexity of the site increases, the likelihood of human or systemic error going unnoticed (or noticed too late) increases with the silo-based approach, as the difficulty of collating the diverse data sources leads to a delayed visualization of state-of-play. This can be lethal in a time-sensitive crisis in a hazardous work environment. As a rule of thumb, if your site typically has more than 20 permits underway on any given day, it is a moral duty to enforce a uniform, integrated permit-to-work system (in addition to being safer and more time efficient).
In summary, while it may be low on the list of priorities for a smaller site, the integrated approach brings far-superior efficacy in data collection and understanding, and minimizes human and systemic errors. From a legal point of view, the site-owners obligations in terms of ensuring efficacy of the permit-to-work system and its application are a grey area, but this obligation clearly arises and strengthens as the size and complexity of the site/premise increase. Finally, regarding risk-management, it is something of a no-brainer on complex, large, hazardous sites that speed of access to, and reliability of, salient data can avert crises and mitigate them with improved situational awareness when they do occur.