Permit to work failures are not unusual. They are not the result of unprecedented circumstances. They are the same failures, repeating across industries and decades, in systems that looked compliant on paper. The HSE’s investigation reports into major incidents read, in this respect, like a single document written many times.
CONTENTS
- The failure pattern
- Inadequate or unverified isolation
- Shift handover failures
- Production pressure on issuers
- Permit overuse and the erosion of judgement
- Scope creep during the task
- Close-out without verification
- Systemic governance failures
- The common thread
- Summary
The Failure Pattern
A permit to work system does not fail quietly. It fails in a predictable sequence of erosions each one acceptable on its own, each one establishing the conditions for the next. By the time a serious incident occurs, the system has usually been producing signed permits over inadequate controls for months or years. The permit record looks compliant. The controls it was supposed to verify do not exist.
This is the pattern the HSE finds, repeatedly, in post-incident investigation. It is the pattern described in HSG250. It is the pattern experienced permit issuers recognise when they see a system in trouble because the warning signs are the same regardless of industry, from hospital estates to offshore platforms to pharmaceutical plants.
What follows is not a theoretical list. It is the set of recognisable failure modes that produce the incidents the permit system was designed to prevent. They are described here not to illustrate what can go wrong in principle, but to allow competent readers to identify what is going wrong in their own system now while intervention is still a design decision rather than a disaster response.
Inadequate or Unverified Isolation
The single most common contributing factor in PTW-related serious incidents is isolation failure. The permit records that isolation exists. The isolation either does not exist, is incomplete, or has not been verified by the person signing the permit.
Isolation failure takes several recognisable forms.
Assumed isolation. The isolation is believed to be in place based on a verbal assurance, a plant drawing, or a lockout record but no one has physically verified at the point of work that the energy source is dead, locked out, and cannot be re-energised. The permit issuer signs on trust. The work party proceeds on trust. Nothing is actually verified.
Partial isolation. The primary energy source is isolated but secondary sources are not. A process line is blocked upstream but not downstream. An electrical circuit is locked out at the motor control centre but a capacitor bank remains charged. A vessel is drained but not purged. The permit does not prompt the issuer to consider all energy sources, or the issuer does not have the technical competence to identify them.
Isolation without proving. The isolation device is applied but the isolation is not tested. The valve is closed, but the pressure downstream is not verified as zero. The circuit is locked out, but the absence of voltage is not confirmed. “Applied” is not the same as “proved.” A permit system that treats them as equivalent has introduced the gap through which most fatal incidents pass.
Shared isolation. Multiple work parties operate under the same isolation, often through the same lockout device. When one party completes work and removes their lock, the isolation may be compromised for the other party. Permit systems that do not define individual lock-out responsibilities produce exactly this failure mode.
The mechanism in each case is the same: the permit records a condition that has not been established. The signature creates a paper record of control where no control exists.
Shift Handover Failures
The second recurring failure mode is the breakdown of permit information across shift change. The work started under one team’s understanding of the task and conditions. Those conditions changed during the shift. The incoming shift receives a verbal handover sometimes rushed, sometimes incomplete, sometimes delegated to people not directly involved and continues work based on a partial understanding of what has happened.
The catastrophic case is Piper Alpha. The pump that was under maintenance had been isolated for work. The permit documenting that isolation was not transferred clearly to the incoming shift. The pump was returned to service. Condensate escaped from the uncompleted work site. The subsequent explosion killed 167 people. The inquiry identified permit handover failure as a central causal factor.
Piper Alpha is extreme but it is not unique. The same failure mode information loss across shift change produces smaller incidents continuously across industry. The pattern is consistent:
- Work begins on a permit during shift A.
- Work is not completed by end of shift A.
- Conditions change – an isolation is modified, a valve position altered, a task paused mid-sequence.
- Handover to shift B is verbal, incomplete, or delegated to someone without direct knowledge.
- Shift B makes decisions based on assumptions about conditions that are no longer accurate.
The permit to work system is supposed to prevent this by requiring formal handover protocols, by treating suspended permits as hazard records that travel with the plant, and by requiring the incoming shift to verify conditions independently before continuing. Where these requirements are not embedded in the permit system or where they exist on paper but are routinely bypassed in practice shift change becomes the point at which control is lost.
Production Pressure on Issuers
A permit issuer’s formal authority is to refuse to issue a permit where conditions are not adequate. In practice, that authority is often compromised by production pressure the organisational expectation that the permit will be issued because the work is scheduled, because the plant is down, because the contractor is waiting.
The pressure is rarely explicit. It does not take the form of a manager directly instructing the issuer to sign. It takes the form of consequences for refusal delayed schedules, cost overruns, contractor standing charges, visible displeasure from operations management, the reputational cost of being “the one who always blocks work.” Over time, these consequences teach the issuer that refusing is more costly than issuing.
The result is that the formal authority to refuse remains on paper while the practical authority erodes. Permits are issued where the upstream controls are inadequate. The issuer knows they are inadequate. The work proceeds. When nothing goes wrong which is most of the time the pattern is reinforced.
This is a system failure, not a personal failure. Permit issuers who accept inadequate conditions are usually doing so because the organisation has made it unaffordable for them to refuse. The fix is not training the issuer to be more assertive. It is designing the governance so that refusal is supported through clear escalation routes, through management responses that do not punish refusal, through policy that makes the issuer’s authority real.
A permit system where the issuer cannot afford to refuse is not a permit system. It is a permit-issuing routine.
Permit Overuse and the Erosion of Judgement
HSG250 warns explicitly against the overuse of permit to work. Where permits are issued for routine low-risk work that does not require formal authorisation, two things happen.
The first is that the organisation loses the ability to distinguish between work that is genuinely high-risk and work that is routine. When everything requires a permit, nothing does because the permit becomes an administrative formality rather than a formal control event. The issuer who signs twenty permits a day for routine tasks cannot bring focused attention to the three that are genuinely hazardous.
The second is that the workforce loses the ability to recognise when genuine hazard control is required. If a permit is treated as the thing that makes work safe, then work without a permit is treated as inherently safe — even when it is not. The overuse of permits hollows out the informal competence that should handle routine work, and inflates the formal system beyond the scope it can effectively manage.
Overuse typically emerges from two patterns. The first is legal anxiety: the assumption that requiring a permit for everything will demonstrate diligence. It does the opposite it demonstrates that the organisation cannot distinguish between levels of risk. The second is contractor management through permit: the use of the permit system as the primary means of controlling contractor work, regardless of whether the specific task warrants it. The result is that the permit system is burdened with administrative work that should sit inside contractor control arrangements.
A permit system that cannot say no to unnecessary permits will eventually fail to say yes to the ones that matter with adequate attention.
Scope Creep During the Task
A permit authorises a defined scope of work, under defined conditions, for a defined duration. The authorisation does not extend to work outside that scope but in practice, scope frequently extends during the task, and the permit is not re-issued.
The pattern is familiar on any live plant. The maintenance team begins the authorised work. In the course of doing it, an adjacent issue is identified a loose fitting, a degraded component, a minor modification that would be trivially done while access exists. The team makes a reasonable-sounding decision: we’re here, we have the isolations, we have the tools, let’s deal with it now.
The permit does not cover that additional work. The hazards of the additional work may not have been assessed. The isolation required may not be adequate for the extended scope. The competence required may be different. The supervision arrangements may not apply.
Where this happens once, occasionally, under controlled conditions, it is a minor deviation. Where it becomes routine where workers are trained, explicitly or implicitly, that the permit is a starting point rather than a boundary the system has lost one of its core functions. The permit was issued to authorise specific work under specific conditions. If that authorisation is routinely exceeded, the authorisation itself means nothing.
The competent response is not to write longer permits. It is to re-issue permits when scope genuinely changes, and to train issuers and receivers that scope change requires re-authorisation. The short-term inefficiency is the point. Scope discipline is what prevents the permit system from drifting into a general authorisation to do whatever seems necessary at the time.
Close-Out Without Verification
The permit close-out is the final control step. It confirms that the authorised work has been completed safely, that the plant has been returned to a safe state, that isolations have been removed in the correct sequence, and that the work area has been made safe for normal operations to resume.
Close-out failure is less dramatic than isolation failure, but it produces its own incidents. The common modes:
Paper close-out without physical verification. The close-out is signed based on the work party’s verbal confirmation that the job is complete. No one physically inspects the work area, the plant condition, or the restoration of normal operating conditions. The signature records an assertion, not a check.
Uncontrolled re-energisation. Isolations are removed locks cut, valves opened, circuits restored without systematic verification that the plant is ready for re-energisation and that all personnel are clear. The sequence of restoration is not controlled. The result is equipment returned to service with residual hazards that were supposed to have been resolved.
Incomplete restoration. Guards not replaced. Temporary modifications not reversed. Control systems not returned to their normal operating state. The work is complete in the sense that the intended task was performed but the plant is not fully restored to its pre-work condition, and the next operating shift inherits the residual gap.
Close-out pressure. The work has overrun. The next shift needs the plant back. The close-out is rushed, or performed in parallel with the final stages of work rather than after full completion. Verification steps that would normally be sequential become concurrent, and the control value of the close-out collapses.
A close-out signature has the same legal and practical weight as the initial issue signature. An organisation that treats close-out as an administrative formality has created an exit from the control system that is as dangerous as an inadequate entry.
Systemic Governance Failures
Individual permit failures accumulate into systemic failures when the governance arrangements that should detect and correct them are themselves absent or inadequate.
Competent PTW governance includes: regular audit of issued permits against actual conditions; periodic review of the permit policy and procedures against operational reality; competence management for issuers and receivers; formal escalation routes for refused permits and for near-miss events; and active management engagement with how the system is actually operating.
Where these arrangements are weak, failure patterns establish themselves and persist. The audit function if it exists examines forms rather than conditions, and so confirms that the system is operating without detecting that it is operating badly. The policy and procedures date from the system’s introduction and have not been reviewed against current operations. Issuer competence is assumed from experience rather than verified against current standards. Refused permits and near-misses are handled informally and leave no governance trail. Management is aware that a permit system exists but not aware of how it is performing.
These governance failures are often invisible until a serious incident prompts an external investigation. The investigation then identifies the pattern audit that never detected the problem, policy that was never reviewed, competence that was never verified and the organisation’s response is typically to strengthen the specific controls that failed. This rarely addresses the underlying issue, which is that the governance of the permit system is itself inadequate, and a different specific failure will emerge the next time conditions align.
A permit system without competent governance is a permit system that can only be tested by incident.
The Common Thread
Across every failure mode described above, a single underlying pattern appears. The permit system produces a signed paper record. The record documents conditions that do not, in fact, exist. When the discrepancy produces no incident, no correction occurs and the system continues to produce unverified paper. When the discrepancy eventually produces an incident, the paper record exists as evidence of what should have been controlled, not as evidence of what was.
This is the definition of a managed failure. The organisation has established a system whose purpose is to manage hazardous work. The system has continued to operate in the sense that permits continue to be issued, signed, and closed out but it has ceased to manage the work it was designed to manage. The failure is not sudden. It is the accumulation of small erosions, each acceptable at the time, producing a system in which the appearance of control has survived while the substance has drained away.
The permit system itself is not the source of the failure. In every failure mode described above, the permit system is capable of preventing the incident provided that the controls it verifies are real, the issuers have the authority to refuse, the handovers are rigorous, the scope is disciplined, the close-out is verified, and the governance is engaged. Where any one of those conditions is absent, the permit system remains in operation but loses its function.
The most common recommendation after a serious incident is to “strengthen the permit system.” The more accurate recommendation, almost always, is to restore the conditions under which the existing permit system can actually function.
Summary
Permit to work systems fail through a predictable set of recurring patterns: isolation that is assumed rather than verified; shift handovers that lose information across the change; production pressure that erodes the issuer’s authority to refuse; overuse that hollows out the meaning of the permit itself; scope creep that extends work beyond the authorisation; close-out that records completion without verifying it; and systemic governance failures that allow these patterns to establish and persist.
Each failure mode is recognisable in advance of the incident it produces. Each can be prevented by design by governance that detects early-stage erosion, by competence management that sustains issuer judgement, by audit that examines conditions rather than forms, and by management engagement that makes the issuer’s authority real.
The common thread is the gap between the paper record and the physical reality. A permit that records conditions that do not exist is worse than no permit at all because it establishes the appearance of control where none is present, and it removes the prompts that would otherwise trigger intervention.
Competent PTW management is not the prevention of paperwork errors. It is the continuous verification that the controls the system documents are the controls that actually exist.
Ready to Go Further?
Our full permit to work training course covers system design, common failure modes, competency requirements and practical application – everything needed to operate PTW effectively in real working environments.