PTW and Contractors / CDM

By Phil Douglas, Safety Professional – Managing Director, Oracle Safety Associates Ltd. 33 years’ frontline safety experience.

The term ‘Permit to work’ does not appear in UK statute law. It evolved where industries needed it and is codified in guidance, not law. CDM is a statute. The two are separate systems, routinely confused, and the confusion is how dutyholders lose control of the work that kills people.

PTW and Contractors / CDM are routinely treated as the same regulatory question. They are not.

The term ‘Permit to work’ does not appear in UK statute law. It evolved where industries needed it and is codified in guidance, not law. CDM is a statute. The two are separate systems, routinely confused, and the confusion is how dutyholders lose control of the work that kills people.

PTW, UK Statute, and the Duty to Ensure

Permit to work is not mentioned in the Health and Safety at Work Act 1974. It is not in the Management of Health and Safety at Work Regulations 1999. It is not in the Construction (Design and Management) Regulations 2015. UK statute does not prescribe PTW, does not define it, and does not require it as a matter of law. This is the first thing to understand clearly, because it is often misunderstood in both directions. Some organisations use the absence of PTW from statute to argue they are not required to operate one. Others assume PTW is legally mandatory and treat it as a compliance tick. Both positions are wrong.

What UK statute actually requires at the level of the general duties is the outcome. The Health and Safety at Work Act 1974 imposes on every employer, under section 2, the duty to ensure so far as is reasonably practicable the health, safety and welfare at work of all employees. Section 2(2)(a) specifies that this includes the provision and maintenance of plant and systems of work that are, so far as is reasonably practicable, safe and without risks to health. Section 3 extends the duty to persons not in the employer’s employment who may be affected contractors, visitors, the public.

The Management of Health and Safety at Work Regulations 1999 sharpen these general duties. Regulation 3 requires risk assessment. Regulation 5 requires employers to have effective arrangements for the planning, organisation, control, monitoring and review of preventive and protective measures. Regulation 11 requires employers sharing a workplace to cooperate, to coordinate, and to exchange information on the risks their undertakings create for each other.

None of these instruments says duty holder must operate a “permit to work system.” They say the outcome. They require that where work is high-risk, the risk is controlled through competent planning, through formal arrangements, through verified safe systems, through adequate supervision. They require the duty to be discharged. They do not prescribe the mechanism.

PTW is the mechanism the UK safety industry has evolved to help discharge their legal duties on specific categories of high-risk work. This is outlined in HSE guidance principally HSG250, with related provisions in HSG85 for electrical work, HSG253 for safe isolation of plant, and equivalents in sector-specific approved codes of practice. It is embedded in the operating practice of every competent petrochemical, nuclear, offshore and heavy-industrial operator in the UK. It is taught, audited, enforced, and expected, not because the statute names it, but because the statute requires the outcome it delivers, and no credible alternative achieves that outcome as reliably. This distinction matters.

A Permit to Work (PTW) system is not defined in statute. But that does not let an organisation off the hook. If high-risk work is taking place without a PTW, the defence cannot be “the law doesn’t require one.” A court will look at whether the duty under HASAWA Section 2 has been met.

The real question is simple:

Did the organisation have a control in place that achieved the outcome a PTW is designed to deliver?

The reverse is also true.

Calling something a “Permit to Work” does not mean the duty has been met.

You can attach that label to anything:

• contractor sign-in at the gatehouse
• a quick RAMS check at reception
• a form signed during induction
• paperwork issued at the start of a shift

None of these, on their own, is a PTW.

A court will always look past the label and examine the substance. If the control is weak or irrelevant, the defence is weak.

In fact, a poor PTW can be worse than having none at all. It shows the organisation believed it had a robust control in place, when in reality it did not.

US law takes a different approach. OSHA prescribes permits directly: 29 CFR 1910.146 for permit-required confined spaces, various standards for hot work, and 29 CFR 1910.147 for the control of hazardous energy (lockout/tagout). US PTW sits inside the regulatory text.

Australia takes a similar approach to the United States, but more systematically. The model Work Health and Safety Regulations adopted across most Australian jurisdictions explicitly prescribe permits for specific high-risk work. Regulation 67 of the WHS Regulations 2011, for example, makes it a strict liability offence for a person conducting a business or undertaking to direct a worker to enter a confined space without first issuing a confined space entry permit. The model is national in scope, more recent than OSHA’s, and arguably cleaner in its drafting but the underlying principle is the same: where high-risk work is identified by the legislator, the permit is required by statute, not by guidance.

Canada sits between these positions. Federal regulations under the Canada Occupational Health and Safety Regulations Part XI require an entry permit system for hazardous confined spaces where the qualified person’s report identifies one as necessary making the permit mandatory but conditional on competent assessment. Provincial regulations vary: Ontario’s Regulation 632/05 prescribes confined space entry permits with full content requirements; British Columbia and Alberta operate similar but distinct frameworks. The Canadian approach distributes the prescriptive force of permits across federal and provincial layers, but the core principle holds: where high-risk work is identified, the permit is statutory.

The UK approach stands apart from all three. UK PTW sits inside industry practice and HSE guidance, with the statute imposing the outcome rather than the tool. The Health and Safety at Work Act 1974, the Management of Health and Safety at Work Regulations 1999, and the various sector-specific regulations require duty-holders to discharge their general duties to provide safe systems of work, to assess risk, to protect employees and others but they do not prescribe permit to work as the mechanism.

The UK approach has advantages and disadvantages. It gives flexibility organisations can design the control that fits their operation. It gives responsibility the duty is on the employer to identify high-risk work and arrange appropriate controls, not to follow a checklist developed by the Government’s enforcing authority. It also gives room for error. An organisation that misreads the statute, or misjudges the risk, or adopts a weak control and labels it PTW, has the freedom to fail and has been failing, across UK industry, for as long as there have been permits to work.

Page 9 is about two of those failures. The collapse of PTW into contractor permissioning. And the failure to recognise when a separate statutory regime CDM applies at all.

James Reason’s Layers of Defence

Before the two specific failures, a single conceptual anchor.

James Reason, a British psychologist whose work underpins a substantial portion of modern safety science, described complex system failures using what he called the Swiss cheese model. Each defence in a safety-critical system is represented as a slice of cheese. Each slice has holes, because no defence is perfect. A single slice is easy to see through. Multiple slices, each with holes in different places, stop most hazards because for a hazard to produce an incident, it must pass through a hole in every slice simultaneously.

Incidents happen when the holes line up.

The implication for safety management is straightforward. No single defence is sufficient. Risk assessment has holes, the assessments miss hazards, misjudge severity, underestimate likelihood. Method statements have holes as they describe the intended work, not always the work as it’s undertaken. Safe systems of work have holes particularly as they embed assumptions that later conditions violate. Permit to work has holes because the issuers can authorise inadequate isolations; receivers can sign for conditions they have not verified; forms can be completed without understanding. It can be a superficial box ticking exercise.

The response is not to find the perfect defence. There isn’t one, as James Reasons said something true of all defences – they all have holes in them. The response is to layer defences, each catching different failure modes, so the holes in one layer are covered by the substance of another. That is what a safety management system actually is, it’s never a single document, not a single control, but a layered structure of defences designed to fail gracefully rather than catastrophically.

PTW is one slice. A critical one, on the high-risk work for which it is intended, but one. When organisations collapse their layered defences into a single paperwork exercise, whatever they call it. Then they have removed the layering that makes the system work. One slice with holes in it is not a defence. It is a form being processed.

The Control Approach, as the next section sets out, is a way of thinking about the layering.

The Control Approach – Where PTW Sits Within It

Effective control of workplace risk requires more than any single mechanism. It requires a coherent sequence of controls, each doing a specific job, each necessary, none sufficient on its own. Oracle Safety Associates uses a five-element Control Approach to map these layers, with a sixth reserved for last-line-of-defence situations at the point of work.

Element 1: Policy and arrangements. The overarching safety management system, the written statement of intent, the organisational framework within which everything else operates. Without policy, the other elements have no anchor. Absent or inadequate policies on employee behaviour, substance misuse, manual handling, emergency evacuation, chemical agents, isolation and lockout mean the workforce operates without common understanding of what the organisation expects.

Element 2: Risk assessment. The identification of hazards, the evaluation of who can be harmed and how, and the specification of controls that reduce the risk so far as is reasonably practicable. This is the statutory anchor under MHSWR regulation 3. If risk assessment is absent or inadequate, the full range of work-activity hazards remains unidentified, exposed persons are not identified, appropriate controls are not selected, and downstream elements of the Control Approach have nothing to operate from.

Element 3: Safe systems of work and standard operating procedures. The translation of risk assessment outputs into methods that can be taught, followed, audited, and improved. A risk assessment alone is a planning tool; a safe system of work is the operational implementation. Absent or deficient safe systems mean the work is not thought through, controls are not organised into methodical steps, on-the-job training has nothing solid to communicate, and workers fill the gap with improvisation that may or may not be safe.

Element 4: Permit to work. The controlled authorisation of specific high-risk tasks, after pre-agreed verifications by two competent persons an issuer and a receiver before, during, and on completion of the work. This is the element where life-threatening human errors are caught at the point of action. A correctly operated PTW verifies that isolations identified in the safe system of work are actually in place and functioning. It catches the error where the wrong equipment has been isolated, or where the isolation has been removed in error, before the worker is exposed to an energy source. PTW is not applied to all work. It is applied selectively, where the consequence of failure is a fatality or a serious disabling injury, and where human error is the primary risk.

Element 5: Dynamic risk review at the point of work. The worker’s own last-line-of-defence check, conducted before the task begins, reviewing the conditions as they actually are against the controls as they were planned. Not a risk assessment. Not a method statement. A user check, conducted by the competent worker, confirming that the previous four elements have held up in practice and that it is safe to proceed. Where conditions have changed, the dynamic review prompts the decision to stop and report, rather than proceed and hope.

This framework positions PTW correctly. It is element 4 of five. It is applied selectively. It sits between the safe system of work (element 3) and the worker’s own final check (element 5). Its purpose is narrow and specific: the formal verification of critical controls before, during, and after high-risk tasks.

Two consequences follow.

PTW does not substitute for the other elements. An organisation cannot have a PTW system in a meaningful sense without policy, risk assessment, and safe systems of work underneath it. The permit verifies that the safe system of work is in place and operational. If there is no safe system of work, the permit verifies nothing.

The other elements do not substitute for PTW. A risk assessment does not verify that isolations are physically in place on the day of the work. A safe system of work does not provide the two-person check at the point of task. A method statement from a contractor does not constitute authorisation by a competent issuer. Where high-risk work is being done, each element has to do its own job.

This is the framework into which the two failures of Page 9 fit. The “PTW as contractor permissioning” failure is the collapse of element 4 into something that looks like elements 2 and 3 combined a RAMS review dressed in PTW clothing. The CDM recognition failure is the absence of a separate statutory framework that operates across and above the Control Approach for construction work a framework that has its own dutyholders, its own notification, its own planning requirements, and which PTW cannot substitute for and CDM cannot be substituted by.

PTW as Control Measure, Not as Contractor Management

The most common misuse of permit to work in UK industry more common than its absence entirely, and arguably more dangerous is its use as a label for something that is not PTW at all.

The pattern is recognisable across many sectors: manufacturing, retail, education, facilities management, local government estates, food production, healthcare. A contractor arrives at the client’s premises. They are asked to provide risk assessments and method statements (RAMS). Someone possibly the facilities manager, possibly a designated safety officer, possibly the receptionist checks the RAMS. Or at least looks at them. The check may be substantive, or it may be a compliance gesture. A form is signed. The contractor begins work. The form is filed. The client refers to this arrangement as its permit to work system.

It is not a permit to work system. It is contractor permissioning.

Real PTW, as codified in HSG250 and the broader guidance, is the formal authorisation of specific high-risk tasks by a competent issuer, with the receiver the person in charge of the work acknowledging both the hazards and the precautions, and with pre-agreed verifications completed at the point of the work. Isolation. Gas testing. Atmospheric monitoring. Competent supervision. Two-person checks on the critical controls. Formal hand-back on completion. The form records the verifications. The system around the form delivers them.

RAMS checking, by contrast, is a preparatory document review. Useful, necessary for contractor management, an essential part of how a competent organisation engages external workers but not PTW. RAMS are risk assessments and method statements, prepared in advance, describing the contractor’s intended approach. Checking them at the gate, or at the induction, confirms that the contractor has thought about the work. It does not verify that the specific controls required by the work are in place at the point of the work.

The collapse of one into the other produces a recognisable stack of failures.

Failure one: the “PTW” signed at the gate. The contractor arrives, RAMS are provided and reviewed, a form titled “permit to work” is signed, and the contractor begins work. There is no issuer/receiver verification at the point of the task. No two-person check on isolation. No pre-agreed precaution confirmation. The form is a gate pass with PTW branding.

Failure two: no PTW at all for the client’s own high-risk work. The same organisation that operates a “PTW system” for contractors may have no equivalent for its own employees doing high-risk tasks. Internal maintenance, equipment cleaning, machinery unjamming, confined space entries because the workforce is trusted and familiar, the formal verification is dispensed with. The organisation has more process around a window-cleaning contractor’s half-day visit than around its own employees doing genuinely hazardous work every week. The statutory duty does not distinguish between employees and contractors in this way. Both are protected. Both require proportionate controls. A system that controls one and not the other is failing half the duty.

Failure three: the organisation believes it has a PTW system. When the form is labelled PTW, and the form is processed, and the audit finds the forms, and the audit ticks the box the organisation concludes it has a compliant PTW system. The word “permit” appears; the documents exist; the governance structure appears complete. Nobody with the training to recognise the substantive absence of PTW has looked at it. The organisation is running a control theatre and does not know.

Failure four: the contractors know something is wrong but cannot name it. This is where the training room is revealing. When practitioners deliver PTW training to audiences drawn from these organisations the very people who are currently signing the client’s “permit to work” and operating under it the reaction to a description of how PTW actually works is consistent. The room goes quiet. Someone says “that’s not what we do.” Someone else says “what’s HSG250 anyway?” The contractors recognise they have been asked to sign forms that did not function as real permits, but they did not have the vocabulary to name the discrepancy. They felt uncomfortable and did not know why.

That is the worst form of the failure. The contractors were right to be uncomfortable. The form they were signing at the gate was not authorising the safe system of work they would be performing; it was recording administrative compliance. The organisation processing the form believed it was operating a permit system. The actual high-risk work, and the actual verification of its controls, was happening somewhere else or not happening at all.

The remedy is straightforward to describe and harder to implement. An organisation with genuinely high-risk work should operate a genuine PTW system, in accordance with HSG250, for that work. RAMS checking is a separate discipline within contractor management, handled separately, not conflated with PTW. Contractors operating on the client’s site should be inducted to understand the client’s PTW system where their work falls within its scope, and the client’s PTW issuer a competent person within the client organisation should be the one authorising the specific tasks, not simply approving a RAMS document at the gate.

None of this is new. It is how competent organisations have operated for decades. It is also how organisations that have suffered fatalities have subsequently learned to operate, after prosecutions. The distinction between contractor management and permit to work is taught in every NEBOSH syllabus and every competent IOSH programme. It is not obscure knowledge. It is the bread and butter of operational safety, and it is failing to embed in a substantial portion of UK industry.

What CDM Is, and What It Isn’t

CDM is a separate statutory regime. It has no overlap in legal form with PTW. Understanding this is the prerequisite for understanding why the failures in each system compound when they co-occur.

The Construction (Design and Management) Regulations 2015 apply to all construction projects in Great Britain. They do not define “PTW.” They do not require PTW. They impose a specific statutory framework for the planning, management and monitoring of construction work, with specific duties on specific roles.

The Client. The person or organisation for whom the construction project is carried out. Under regulation 4, the Client must make suitable arrangements for managing the project, including the allocation of sufficient time and other resources. The Client must ensure that relevant information is prepared and provided to designers and contractors. The Client must appoint competent dutyholders where multiple contractors will be involved. The Client duty cannot be delegated it remains with the Client throughout the project.

The Principal Designer. Required where a project has more than one contractor. Appointed by the Client in writing. Responsible for planning, managing and monitoring the pre-construction phase, including coordination of health and safety matters, and for preparing the pre-construction information for the Principal Contractor. The Principal Designer role is typically taken by the lead architect or design consultant, but can be any competent organisation with the requisite skills.

The Principal Contractor. Required where a project has more than one contractor. Appointed by the Client in writing. Responsible for planning, managing, monitoring and coordinating the construction phase, including preparation of the construction phase plan, liaison with the Principal Designer, and the arrangements for health and safety across all contractors on site.

Designers. Anyone who designs or specifies any aspect of the construction work. Duties under regulation 9 include the elimination, reduction and control of foreseeable risks through the design itself, and the provision of information about residual risks to the Client and the Principal Designer.

Contractors. Every contractor has duties under regulation 15 to plan, manage and monitor their own work, to cooperate with other dutyholders, and to comply with any directions of the Principal Designer or Principal Contractor.

Notification (F10). Projects lasting longer than 30 working days with more than 20 workers simultaneously, or exceeding 500 person-days of work, must be notified to HSE using form F10. Notification does not, in itself, trigger CDM duties all CDM projects have duties regardless of whether they require notification. Notification is an administrative flag, not the substance of CDM.

The regulatory architecture is coherent and specific. CDM operates at the project level from design, through procurement and construction, to handover. It assigns statutory duties to identifiable roles. It requires pre-construction information, a construction phase plan, and ongoing cooperation between dutyholders. It applies to construction work regardless of the commercial nature of the parties involved.

What CDM does not do is control specific high-risk tasks at the point of performance. That is the work of other controls safe systems of work, supervision, and where warranted, PTW. CDM sets up the framework within which the construction work happens. It does not substitute for the operational controls that the work still requires.

The converse is also true. PTW does not substitute for CDM. A project that is construction work, within the meaning of the regulations, has statutory CDM duties regardless of how rigorously its permit-to-work system operates. The dutyholder roles must be appointed. The pre-construction information must exist. The construction phase plan must be prepared. A PTW for the hot work on site does not discharge the Client’s CDM duties. It discharges a different duty, at a different level.

How Factories and Retail Premises Fail to Recognise CDM Applies

CDM applies where construction work is taking place. It does not limit itself to construction businesses, construction sites, or construction-sector projects. It follows the work, not the sector.

This is the point where factories, retail premises, healthcare estates, universities, local authority buildings, and every other organisation whose core business is not construction tends to fail. CDM applies when they are having construction work done on their premises. It applies to a new-build store, an extension, a fit-out, a major refurbishment, significant alteration, demolition, and crucially to many maintenance projects that exceed the threshold of routine maintenance. It applies regardless of whether the organisation recognises the work as construction.

The recognition failure has several recurring forms.

Work mislabelled as maintenance or engineering. A plant installation is called a maintenance project. A new piece of equipment replacing an old one is called an engineering upgrade. A major refit is called a refurbishment. Each of these labels may be technically defensible, but under CDM’s definition of construction work which includes the alteration, conversion, fitting-out, commissioning, and decommissioning of a structure many of them meet the threshold. The label does not change the regulatory status.

Blurred boundary between operations and construction. On a live manufacturing site, work frequently spans both domains. Production continues while contractors install new plant. Maintenance continues while a section is being refurbished. The boundary between what counts as operational activity and what counts as construction work is genuinely ambiguous, and organisations default to treating everything as operational because that is what they understand. CDM is not invoked because the organisation does not see the construction half of what is happening.

No structured decision process. Competent organisations have a screening process: any project above a specified threshold is assessed against CDM applicability, a decision is recorded, and if CDM applies, dutyholders are appointed and the framework is established. Organisations that fail at this stage typically have no screening process at all. The question is never asked. The default is no-CDM, with no consideration of whether CDM should apply.

Competence gaps in CDM legal understanding. The facilities manager, the maintenance manager, the engineering manager each of whom is typically competent in their own field often does not have the legal training to recognise when their planned work triggers CDM. They plan the work; they engage contractors; they manage the project; and CDM is never triggered because nobody on the client side has the competence to trigger it. This is not a competence failure of individual personnel; it is a competence gap in the role specifications the organisation has defined.

Over-focus on F10 notification as the CDM trigger. A subtle but common error: the belief that CDM only applies to projects that require notification. Because most factory and retail projects do not exceed the notification threshold, they are treated as outside CDM. This is wrong. CDM applies to every construction project regardless of notification; notification is a separate question. A two-week shop fit-out is a construction project with full CDM duties even though it will never come near F10.

Cultural normalisation of informal practices. Where the organisation has conducted many similar projects without formal CDM recognition, the informal approach becomes the standard approach. The fact that previous projects have been completed without incident is taken as evidence that the informal approach works. It is not evidence of that; it is evidence that the holes in the defences have not yet aligned with a hazard. When they align, the organisation discovers often through a fatality that the approach it had normalised was not lawful.

The consequences are operational as well as legal. Projects proceed without coordinated planning. Contractors arrive with RAMS for their own work but no pre-construction information about the environment they are entering. Sequencing between trades is informal. Changes during the project are not properly managed. Risk controls are inconsistent. When incidents occur, the investigation discovers an absence of the basic dutyholder structure the regulations require, and the client learns in the course of the enforcement action that they have been operating outside statute for years.

Tony Hopkins, Rotherham, 2013

On 24 January 2013, Tony Hopkins, a specialist contractor, entered an Iceland Foods store in Rotherham to replace filters in the air conditioning unit mounted on a plant platform above the suspended ceiling in the store’s warehouse area. The platform was approximately three metres above the warehouse floor. Access was via a ladder. Space on the platform was restricted and there were tripping hazards. There was no edge protection. Tony Hopkins fell almost three metres from the platform, through the suspended ceiling, to the warehouse floor. He sustained fatal head injuries.

The investigation by Rotherham Council found that Iceland Foods had not carried out a risk assessment covering access to the platform. There were no barriers in place to prevent falls. In court, Iceland’s defence was that the handrail had been specified in the store’s original design, and that Iceland’s contractors had certified to Iceland that it was in place. Iceland argued it was entitled to rely on these assurances.

The prosecution rejected this argument. The court rejected it. Iceland was convicted of two breaches of the Health and Safety at Work Act 1974 – sections 2 and 3 and fined £1.25 million on each count, with costs of £65,000. The total fine was £2.5 million.

The case is useful for Page 9 not because it was a CDM failure, but because it illustrates precisely the separation between CDM and PTW, and what happens when the operational layer is absent.

The original Iceland store build would have been a CDM project. Whether it was or was not formally managed under CDM 2007 (the regulations in force at the time of the original build) is not the point the point is that the design of the store specified edge protection for the plant platform. The design was correct. The design recognised the hazard. The design specified the control.

The failure was not at the design stage. It was at the operational stage. Between the store’s completion and 24 January 2013, the handrail that had been specified was either never installed, or was removed, or was altered. Iceland did not know, because Iceland was not operating an effective system for verifying the state of its premises against the design specifications. Iceland was relying on contractor certification historic, and not verified by Iceland itself.

The duty to ensure is not the duty to specify. Iceland specified. Iceland did not ensure. The duty under HASAWA section 2, and the duty to non-employees under section 3, is the duty to ensure to take active, verifiable steps to confirm that the conditions required for safe work are actually present at the point of the work. This duty operates throughout the life of the premises, not only at the design stage. Iceland’s defence that it had specified and relied on certification described the discharge of a weaker duty than the one the statute actually imposes.

A competent operational control system would have caught this. A PTW operating at the point of Tony Hopkins’s visit would have required a pre-work inspection of the platform. The absence of the handrail would have been identified. The work would have been stopped or rescheduled until edge protection was put in place. This is what PTW does: it catches the gap between the safe system as designed and the safe system as present on the day of the work. Iceland had no such system.

And the same applies to contractor management. A competent contractor management system would have required the receiving party at the client end someone at Iceland competent to do so to verify, at the point of the contractor’s engagement and access, that the conditions for safe work were present. Not at the design stage. Not through historic certification. At the point of the work. Iceland did not have this either.

What killed Tony Hopkins was the absence of the operational control layer that sits above contractor management and below CDM the layer the Control Approach identifies as elements 3, 4, and 5. Iceland had a building with a design specification. Iceland did not have a system that verified, on the day, that the specification still held. No safe system of work at the point of work. No PTW where PTW was warranted. No dynamic risk review by the contractor, in a context where the contractor had access to the work without independent verification that conditions were as expected.

The £2.5 million fine reflects the court’s assessment of the gap between the duty Iceland owed and the duty Iceland discharged. The family’s loss does not reduce to a figure.

The lesson the case offers the rest of UK industry is not “adopt CDM more rigorously.” The CDM failure, if there was one, was at the original design-and-build stage decades before the incident. The lesson is: the operational control layer is not optional. The duty to ensure is continuous. And a contractor arriving at your premises to do specialist work on a plant platform above a suspended ceiling is not a routine maintenance visit it is high-risk work, and your system has to treat it as high-risk work.

Where PTW Supports a CDM Project

None of the above should be read as arguing that PTW and CDM are in conflict, or that CDM projects do not need PTW. The opposite is true. On genuine construction projects, PTW is frequently an essential layer of defence for specific high-risk tasks within the wider framework.

A new-build retail store under CDM will involve hot work during steel erection, confined space entries during drainage installation, electrical isolations during first fix, and roof work requiring edge protection and fall arrest. Each of these is a high-risk task within the project. Each of them can and should be controlled by PTW, operating under the construction phase plan, under the Principal Contractor’s supervision, with issuers and receivers competent for the specific task.

A plant fit-out on an operational manufacturing site itself a CDM project will involve simultaneous operations and construction activities. PTW is the mechanism by which the interface between operational and construction activity is controlled. The operational PTW issuer authorises the construction task within the operational envelope; the construction team receives the permit; hazards at the interface are identified and controlled; the construction work proceeds under authorised conditions.

A refurbishment in an occupied premises CDM where the scope meets the threshold will involve work in areas where the public or employees may be present. PTW can control the access arrangements, the dust and noise containment, the temporary works. CDM provides the project-level framework; PTW provides the task-level control.

In all of these cases, PTW is a layer within CDM, not a substitute for it. The Principal Contractor remains responsible for the construction phase plan. The Principal Designer remains responsible for pre-construction information. The Client retains the duty to make suitable arrangements. PTW sits underneath operating on the specific high-risk tasks where two-person verification at the point of work is the appropriate control.

The relationship is straightforward when it is understood. PTW and CDM are not competing frameworks. They are different layers, addressing different risks, at different levels of the work. Competent organisations operate both, in their appropriate scope, at appropriate depth.

The failures occur when the layers are confused. When CDM is assumed to cover what PTW actually does “the construction phase plan is in place, so we don’t need a permit” the task-level controls are absent and the holes in the defences align. When PTW is assumed to cover what CDM actually does “we have permits, so we don’t need the dutyholder structure” the project-level framework is absent and the coordination between trades, the pre-construction information, and the statutory architecture are all missing.

Both errors produce incidents. Both errors are regularly found in HSE enforcement investigations. Both errors are avoidable with a clear understanding of what each system is for.

The Dutyholder’s Screening Questions

A practical framework for any dutyholder particularly a Client organisation whose core business is not construction comes down to three questions, asked in sequence at the point of planning any non-routine work.

Question 1: Is any of this construction work within the meaning of CDM?

If yes, CDM’s statutory framework applies. The Client duty arises. Dutyholder roles must be appointed where the project has more than one contractor. Pre-construction information must be prepared. A construction phase plan must be in place before the construction phase begins. The question is not whether the work feels like construction; the question is whether it meets the regulatory definition. Alteration, conversion, fit-out, demolition, commissioning, decommissioning all are construction work for CDM purposes.

If the answer is uncertain, the organisation needs competent advice to reach a decision before the work begins, not afterwards. The HSE takes a structural view: if the work meets the definition, CDM applies, regardless of the Client’s belief about it.

Question 2: Is any of this work high-risk enough, at the task level, to warrant PTW?

If yes regardless of whether the work is construction or not, regardless of whether CDM applies or not the statutory duty under HASAWA section 2 to provide a safe system of work applies, and the industry-developed mechanism for discharging that duty on high-risk tasks is PTW. The question is not whether the task is performed by employees or contractors. The question is whether human error at this task could cause a fatality or a serious disabling injury. If the answer is yes, element 4 of the Control Approach applies, and a proper HSG250-style PTW is required.

Tasks that typically require PTW include: hot work in areas with combustible materials or hazardous atmospheres; confined space entry; electrical work on live or isolated equipment; energy isolation for maintenance; work at height in non-routine circumstances; excavation where services may be present; work with radioactive materials; work adjacent to or interfering with safety-critical systems.

Question 3: Have I implemented each layer as what it actually is, not as a label over something else?

This is the cultural test, and it is the hardest of the three. It asks the organisation to examine its own practice: does the system labelled “permit to work” actually deliver the substance of PTW, or is it contractor permissioning with a label? Does the CDM compliance framework actually operate the dutyholder structure the regulations require, or is it a folder of documentation? Does the safe system of work actually get followed at the point of the work, or does the work happen the way the supervisor and the workers find easiest on the day?

The honest answers to these questions tell the organisation where the holes in its defences actually are. The dishonest answers or the unasked questions are where the incidents come from.

The three questions together operate as a screening framework. They are not exhaustive. They do not substitute for competent safety management advice on specific projects. But they are a starting point, and they are a test that would have caught many of the serious incidents that UK industry continues to produce.

PTW and Contractors / CDM: The Duty to Ensure

The common thread across PTW failures, CDM failures, and contractor-management failures is a single slide in how the duty is understood: from ensuring to specifying.

Specifying is cheaper than ensuring. Specifying requires design work, document preparation, and the statement of a standard. Once the specification is produced, it can be filed, referenced, audited, and pointed to when the regulator asks what arrangements were in place. It is a paper-trail activity.

Ensuring is more expensive. Ensuring requires verification. It requires competent people at the point of the work confirming that the specified controls are actually present and functioning. It requires time, presence, skill, and the authority to stop work when conditions do not match specification. It produces less paper, but more of the outcome the statute requires.

Iceland specified edge protection. Iceland did not ensure it was present. That gap killed Tony Hopkins and cost Iceland £2.5 million, and the court’s reasoning in the judgment was precisely about the gap: the duty under HASAWA is the duty to ensure, not the duty to specify.

The same gap appears across the failure modes Page 9 has addressed.

The organisation with contractor permissioning specifies controls in the RAMS it reviews, but does not ensure the controls are in place at the point of the work.

The factory that fails to recognise CDM specifies the work in a project plan, but does not ensure the dutyholder framework the regulations require is established.

The retail premises that treats a plant installation as maintenance specifies a scope of work, but does not ensure the statutory arrangements for a construction project are in place.

In each case, paper exists. Forms are completed. Documents are filed. Audits find the documents. And the actual outcome the law requires safe work, performed by competent people, with verified controls, under appropriate authorisation is not delivered.

This is the core of what Oracle Safety describes as “managed failure” in Page 6 of this hub. The organisation has established a system whose purpose is to manage hazardous work. The system has continued to operate in the sense that paperwork is processed. But the substance has drained away, and what remains is the appearance of control over work that is, in operational reality, uncontrolled.

The remedy is the same across the pattern. Build the layers. Implement each layer as what it actually is. Do not collapse the layers into labels. Recognise when CDM applies and operate its statutory framework. Recognise when PTW is warranted and operate its specific controls. Keep contractor management separate from PTW, and give both the competence they require. And across all of it, shift the organisation’s effort from specifying to ensuring from producing the paper trail to delivering the outcome the paper was supposed to record.

None of this is new. None of it is obscure. It is how competent safety management has always worked. But it requires the discipline to do each thing as what it actually is, and that discipline is what the current pattern across UK industry is missing.

---

Summary

Permit to work is not in UK statute. It evolved within industries whose risks required it, and is codified in guidance, not law. CDM is statute. The two are separate systems with different scopes, different duties, and different mechanisms.

The duty to ensure safe systems of work, under the Health and Safety at Work Act 1974 section 2, is the statutory anchor that makes PTW the industry-standard control for high-risk tasks. The duty under the Construction (Design and Management) Regulations 2015 is a separate and specific statutory regime for construction projects, with its own dutyholders and its own framework.

James Reason’s Swiss cheese model describes why multiple layers of defence are necessary and why no single control is sufficient. The Control Approach identifies five such layers policy, risk assessment, safe systems of work, PTW, and dynamic risk review each addressing different failure modes and each necessary in its own scope.

The two recurring failures addressed on this page PTW as contractor permissioning, and the failure to recognise CDM applicability are both failures of layer collapse. When the organisation processes paper instead of operating the substantive control, the statutory outcome is not delivered, regardless of how the paper is labelled.

Tony Hopkins, who died at Iceland’s Rotherham store in 2013, is the specific case. Iceland specified edge protection and did not ensure it. The court found Iceland in breach of the general duties. The £2.5 million fine is one register of the gap between specifying and ensuring; the family’s loss is another.

The remedy, across the pattern, is the discipline to operate each layer as what it actually is. CDM where CDM applies. PTW where PTW is warranted. Contractor management as a separate activity with its own competence requirements. And across all of it, the shift from producing paperwork to delivering the outcome the paperwork was supposed to record.

This is how competent safety management operates. It is also how the organisations that have faced serious prosecutions subsequently learn to operate, after the event. The choice available to every dutyholder is whether to get there in advance, or afterwards.

Further Questions and Answers