A spark from a grinding disc, a valve opened on the wrong line, a tank entered before the gas test cleared: each of these is a small act, and on an offshore installation each has killed people. A platform is a hydrocarbon process plant with a crew living on top of it, hundreds of miles from the nearest help, and the thing that keeps the small acts from becoming a disaster is paperwork that controls who does what, where, and when. The permit-to-work (PTW) system is that paperwork, and the emergency response arrangements are what happens when it, or anything else, fails. This article is the hub for the offshore permit-to-work and emergency-response cluster: it explains how an installation authorizes hazardous work, how the safety-case regime sits above the permits, and how people get off the structure and out of the water when an emergency runs. The cluster’s calculators sit underneath it, from the hot-work permit calculator that times a gas-tested job to the totally enclosed lifeboat calculator that checks a TEMPSC against the persons on board.
The logic of offshore safety is layered, and naming the layers once makes the rest read straight. At the top sits the safety case, the operator’s documented demonstration that it has identified the major-accident hazards and put controls in place. Below it sit the management systems and the permit-to-work system that turn that demonstration into daily control of work. Below that sit the individual task controls: the job safety analysis, the toolbox talk, the isolation, the gas test. And running alongside all of it sits the emergency-response chain that exists for the day the controls do not hold: the alarm, the muster, the evacuation, the escape, the rescue. The recurring questions at every layer are the same four: what can go wrong, who controls it, who can stop it, and how do people get out. Hold those four and the system reads as one machine built around a single hard fact, that on an installation there is nowhere quick to run to.
The permit-to-work system
A permit to work is a formal written authorization that controls a defined task, for a defined time, in a defined place, signed off by named people who confirm the hazards are identified and the controls are in place before the work begins. It is worth saying what a permit is not, because the confusion is the source of most permit failures. It is not the risk assessment, which identifies the hazards and rates them; it is not the method statement, which describes how the job is done; it is not the isolation certificate, which records the energy and process isolations. The permit is the control document that references all three and authorizes the work to start, and it is the document the worksite holds while the job runs. The UK Health and Safety Executive defines a permit-to-work system as a formal documented system used to control work identified as potentially hazardous, and it is explicit that the permit is not a replacement for risk assessment but a means of communicating and controlling the residual risk.
The system exists because an installation runs many jobs at once in a live hydrocarbon environment, and the people doing one job rarely see the hazard another job has created. A welder cutting steel on the cellar deck cannot see that a fitter two levels up has just broken a flange on a condensate line. The permit system is the mechanism that forces those two facts into one place before either job starts, so that the hot work is held until the line is made safe. The permit-to-work failure was a direct contributor to the Piper Alpha disaster: on the night of 6 July 1988 a condensate pump was returned to service while a pressure safety valve had been removed for maintenance and replaced with a blank flange that was not leak-tight, and the two permits, the one for the pump and the one for the valve, were not cross-referenced. The result was a high-pressure gas leak that ignited, and 167 people died. The whole modern offshore permit discipline is built on not repeating that.
The permit hierarchy and the authorities
A permit moves through named roles, and the separation of those roles is the control. The applicant or performing authority is the person who will do the work and who requests the permit. The issuing authority, typically a supervisor or the control-room operator with authority over the area, reviews the request, confirms the area is safe, specifies the precautions, and signs the permit into force. On a larger installation an area authority or the operations supervisor holds responsibility for the plant in which the work sits, and the offshore installation manager (OIM) sits above the whole system as the person ultimately accountable for it. The point of the hierarchy is that the person doing the work is not the person who authorizes it; an independent set of eyes confirms the controls before the spark is struck.
The permit also has a defined life. It is issued for a stated period, often a single shift or a single tidal or operational window, and it is suspended when conditions change, for example when the general alarm sounds or when a gas detector goes into alarm, and it is formally closed and handed back when the job is done and the area is confirmed safe and clean. A permit left open across a shift handover without a documented transfer is a classic failure, because the incoming crew may act on stale information, which is why the handover of live permits is itself a controlled step. On Piper Alpha the day-shift work on the pressure safety valve was not handed over face to face to the night shift before the pump was returned to service, so the night crew acted without knowing the valve was missing; the handover gap is one of the specific lessons the Cullen inquiry drew. A sound permit system therefore treats handover as a documented event with both parties signing, not as a note left on a desk.
The number of permits live at once is itself a control parameter. An installation that has dozens of permits open in the same fire zone has, in effect, dozens of holes punched through its normal-operation safety state, and the issuing authority and the OIM have to be able to see the whole picture, which is why a control-room permit board or electronic permit system shows every live permit by location. The discipline of limiting concurrent permits in a single area, and of cross-referencing permits whose work interacts, is the practical defense against the Piper Alpha failure mode of two unconnected permits combining into a disaster. The hot-work permit calculator frames the timing and gas-test interval side of a hot-work permit, and the confined-space entry permit calculator does the same for the entry-permit controls.
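The controls described in this section (issuer independent of applicant, a cap on live permits per fire zone, cross-referencing of permits that touch the same plant, suspension on the general alarm, and a two-signature handover) can be expressed as a small permit register. This is an added example, not code from the article or from any operator's permit system; the class names, equipment tags, role names and the per-zone limit are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    REQUESTED = "requested"
    LIVE = "live"
    SUSPENDED = "suspended"
    CLOSED = "closed"


class PermitError(Exception):
    """A step was refused because it would bypass a permit control."""


@dataclass
class Permit:
    permit_id: str
    fire_zone: str
    equipment: frozenset            # plant tags the task touches (constructed)
    applicant: str                  # performing authority
    state: State = State.REQUESTED
    holder: Optional[str] = None    # who holds the permit at the worksite
    cross_refs: set = field(default_factory=set)


class PermitRegister:
    def __init__(self, max_live_per_zone):
        self.max_live_per_zone = max_live_per_zone   # hypothetical site limit
        self.permits = {}

    def request(self, permit):
        self.permits[permit.permit_id] = permit

    def cross_reference(self, a, b):
        # Recorded on both permits so either worksite can see the other job.
        # Whether the work may then proceed is still the issuer's decision.
        self.permits[a].cross_refs.add(b)
        self.permits[b].cross_refs.add(a)

    def open_permits(self):
        return [p for p in self.permits.values()
                if p.state in (State.LIVE, State.SUSPENDED)]

    def issue(self, permit_id, issuer):
        p = self.permits[permit_id]
        if p.state is not State.REQUESTED:
            raise PermitError(f"{permit_id} is not awaiting issue")
        if issuer == p.applicant:
            raise PermitError("issuing authority must not be the applicant")
        in_zone = [q for q in self.open_permits() if q.fire_zone == p.fire_zone]
        if len(in_zone) >= self.max_live_per_zone:
            raise PermitError(f"zone {p.fire_zone} is at its permit limit")
        for q in self.open_permits():
            shared = q.equipment & p.equipment
            if shared and q.permit_id not in p.cross_refs:
                raise PermitError(
                    f"{permit_id} and {q.permit_id} share {sorted(shared)} "
                    "but are not cross-referenced")
        p.state, p.holder = State.LIVE, p.applicant

    def general_alarm(self):
        # Every live permit is suspended; none is silently left in force.
        suspended = []
        for p in self.permits.values():
            if p.state is State.LIVE:
                p.state = State.SUSPENDED
                suspended.append(p.permit_id)
        return suspended

    def hand_over(self, permit_id, outgoing, incoming, signatures):
        p = self.permits[permit_id]
        if p.holder != outgoing:
            raise PermitError(f"{outgoing} does not hold {permit_id}")
        if not {outgoing, incoming} <= set(signatures):
            raise PermitError("handover needs both parties' signatures")
        p.holder = incoming

    def close(self, permit_id, area_confirmed_safe):
        if not area_confirmed_safe:
            raise PermitError("area must be confirmed safe before closing")
        self.permits[permit_id].state = State.CLOSED


def demo():
    """Constructed scenario: two permits touching the same pump."""
    reg = PermitRegister(max_live_per_zone=3)
    reg.request(Permit("PTW-001", "zone-C", frozenset({"PSV-1", "PUMP-1"}), "fitter"))
    reg.request(Permit("PTW-002", "zone-C", frozenset({"PUMP-1"}), "mechanic"))
    reg.issue("PTW-001", issuer="area-supervisor")
    refused = []
    try:                                   # interaction not yet cross-referenced
        reg.issue("PTW-002", issuer="area-supervisor")
    except PermitError as exc:
        refused.append(str(exc))
    reg.cross_reference("PTW-001", "PTW-002")
    reg.issue("PTW-002", issuer="area-supervisor")
    try:                                   # a note on the desk is not a handover
        reg.hand_over("PTW-001", "fitter", "night-fitter", signatures=["fitter"])
    except PermitError as exc:
        refused.append(str(exc))
    reg.hand_over("PTW-001", "fitter", "night-fitter",
                  signatures=["fitter", "night-fitter"])
    return reg, refused, reg.general_alarm()
```
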
Hot work
Hot work is any work that produces a source of ignition: a flame, a spark, or enough heat to ignite a flammable atmosphere. Welding, flame cutting, grinding, and the use of non-intrinsically-safe electrical tools all count. On an installation that processes hydrocarbons, hot work is the most tightly controlled permit type, because the consequence of getting it wrong is exactly the Piper Alpha consequence. A hot-work permit specifies the gas test before work starts, the standby fire watch with extinguishing means, the removal or covering of combustibles, and a re-test regime, because a gas test is a snapshot and the atmosphere can change. Hot work is commonly divided into work in a hazardous (classified) area and work in a non-hazardous area, and the hazardous-area permit carries the heavier controls, including continuous or frequent gas monitoring. The hot-work permit calculator works the gas-test interval and standby requirements for a defined job duration.
Confined-space entry
A confined space is an enclosed or partly enclosed volume not designed for continuous occupancy, where the atmosphere can be deficient in oxygen, enriched in oxygen, or contaminated with toxic or flammable gas, and where escape is restricted. Offshore, the confined spaces are tanks, caissons, void spaces, cofferdams, sumps, and the inside of process vessels. Entry kills people who enter without testing, and it kills the would-be rescuers who follow them in, which is why a large share of confined-space fatalities are multiple. The entry permit therefore requires the space to be isolated, drained, ventilated, and gas-tested for oxygen content and for toxic and flammable gas before entry, with continuous or repeated testing during occupancy, a stationed attendant outside who keeps a tally of who is in, and a rescue plan that does not depend on the attendant entering. The confined-space entry permit calculator frames the gas-test and occupancy controls, and the diving permit calculator covers the related but distinct controls for in-water work, where the diver is in a hostile environment with its own gas-supply and decompression hazards.
Working at height
Falls are a leading cause of offshore injury, and any work above a defined height, commonly 2 metres, carries a working-at-height permit that confirms the access (scaffold, work basket, or rope-access rig) is fit, the fall-arrest or fall-restraint is rigged, the area below is barriered against dropped objects, and the weather is within limits. The dropped-object hazard is as serious as the fall, because a tool dropped from a derrick onto the deck below can kill, so a working-at-height permit controls tool tethering and exclusion zones underneath the work. The working-at-height permit calculator frames those controls for a defined task.
Isolation and lock-out tag-out
Most hazardous work needs the energy and the process feeding the work area to be removed and proven removed, and the discipline that does this is isolation, controlled by lock-out tag-out (LOTO). Isolation means breaking every path by which energy, hydrocarbon, or other hazardous substance can reach the work: closing and locking valves, racking out and locking electrical breakers, blanking lines, and bleeding off stored pressure. Lock-out means a physical lock holds the isolation point in the safe position so it cannot be operated; tag-out means a tag names who applied it and why, so no one removes it without authority. The principle that makes LOTO work is that the person exposed to the energy holds the key: a personal lock goes on the isolation, and only that person removes it, so the energy cannot be restored while they are still in harm’s way. The Piper Alpha pressure-safety-valve work was a process-isolation case, and the lesson, that the isolation state must be unambiguous and locked, and that the permit for the connected equipment must reflect it, runs through every offshore isolation procedure written since.
SIMOPS
Two jobs can each be safe on their own and lethal together. Simultaneous operations (SIMOPS) are the management of activities that run at the same time on the same installation and interact: drilling or well-intervention work while production continues, a crane lift over a live process area, construction welding while wireline runs in a nearby well. The individual jobs still each carry their own permit, but a permit controls one task in isolation and cannot see the interaction, so SIMOPS are governed by a separate SIMOPS plan and a SIMOPS matrix that the OIM owns. The matrix sets out, for each pair of activities, whether they may run together, may run together only with extra controls, or are prohibited from running together at all. The classic SIMOPS prohibition is a crane lift over a wellhead while the well is being worked, because a dropped load onto a live well is a major-accident scenario. SIMOPS planning is the layer that the permit system alone cannot supply, and it is one of the bridges to the wider drilling and marine-operations work covered in offshore drilling and wells and offshore support and marine ops.
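A SIMOPS matrix of the kind described above can be evaluated against a time-windowed plan of activities, as in the following added example (not taken from the article or from any operator's SIMOPS plan). Only the crane-lift-over-wellhead prohibition comes from the text; the other rulings, the activity names, the sample plan, and the choice to hold any pair the matrix does not list are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Rule(Enum):
    ALLOWED = "may run together"
    CONDITIONAL = "may run together only with extra controls"
    PROHIBITED = "must not run together"


def pair(a, b):
    # Unordered key: the ruling for (a, b) is the ruling for (b, a).
    return frozenset((a, b))


# Constructed matrix. Only the first ruling is stated in the text; the
# rest are illustrative values.
MATRIX = {
    pair("crane_lift_over_wellhead", "well_intervention"): Rule.PROHIBITED,
    pair("construction_welding", "wireline"): Rule.CONDITIONAL,
    pair("production", "well_intervention"): Rule.CONDITIONAL,
    pair("production", "construction_welding"): Rule.CONDITIONAL,
    pair("production", "wireline"): Rule.ALLOWED,
}


@dataclass(frozen=True)
class Activity:
    name: str
    start: float   # hours from the start of the plan
    end: float


def overlaps(a, b):
    # Half-open windows: a job ending at 14:00 does not overlap one starting at 14:00.
    return a.start < b.end and b.start < a.end


def evaluate(plan, controls_agreed=frozenset(), matrix=MATRIX):
    """Return (pair names, ruling, decision) for every pair that overlaps in time."""
    findings = []
    for a, b in combinations(plan, 2):
        if not overlaps(a, b):
            continue
        key = pair(a.name, b.name)
        rule = matrix.get(key)
        if rule is None:
            # Assumption: an unlisted pair is held, not waved through.
            decision = "hold: pair not in matrix, refer to OIM"
        elif rule is Rule.PROHIBITED:
            decision = "hold: prohibited"
        elif rule is Rule.CONDITIONAL and key not in controls_agreed:
            decision = "hold: extra controls not agreed"
        else:
            decision = "proceed"
        findings.append((tuple(sorted(key)), rule, decision))
    return findings


def demo():
    """Constructed 24-hour plan; returns {pair names: decision}."""
    plan = [
        Activity("production", 0, 24),
        Activity("well_intervention", 6, 14),
        Activity("crane_lift_over_wellhead", 12, 13),
        Activity("wireline", 16, 20),
        Activity("construction_welding", 18, 22),
    ]
    agreed = {
        pair("production", "well_intervention"),
        pair("construction_welding", "wireline"),
    }
    return {names: decision for names, _rule, decision in evaluate(plan, agreed)}
```
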
Job safety analysis and toolbox talks
Below the permit sit the task-level controls that put the right hazards in front of the people doing the work. A job safety analysis (JSA), also called a job hazard analysis or a task risk assessment, breaks a job into its steps, identifies the hazard at each step, and states the control for each hazard. It is done by the people who will do the work, not handed to them, because the value is in the work party thinking through the task before they start, not in a form filled by an office. The JSA feeds the permit: the issuing authority reads it to confirm the controls are real before signing the permit into force.
The toolbox talk is the short briefing at the worksite, immediately before the job, where the supervisor walks the JSA with the crew, confirms everyone understands their part, checks the permit and isolations are in place, and asks for anything the JSA missed. It is the last gate before work starts, and it is where the stop-work principle is reinforced: any member of the crew can stop the job if something is wrong, and is expected to. That principle is one of the IOGP Life-Saving Rules, the nine rules the International Association of Oil and Gas Producers issued in their consolidated 2018 form, which IMCA supports and recommends its members adopt. The rules name the high-risk activities that account for most fatalities, including working under a suspended load, bypassing safety controls, confined-space entry, and line of fire, and each rule states a single life-saving action. The point of reducing the earlier eighteen rules to nine was memorability: a worker can hold nine rules in mind at the worksite in a way they cannot hold a thick procedure.
The management-system frame around all of this is the occupational health and safety management system, and the recognized international standard is ISO 45001:2018, which sets out the plan-do-check-act structure for identifying hazards, controlling risks, and improving the system. ISO 45001 is the generic frame; the offshore safety case is the sector-specific demonstration that the frame is actually working on a particular installation, which is the next layer up.
The safety-case regime and major-accident hazards
The safety case is the operator’s documented demonstration, accepted by the regulator, that it has identified the major-accident hazards on an installation and has the measures in place to control them and to protect the people on board. A major-accident hazard is one with the potential for multiple fatalities: a hydrocarbon release and explosion, a well blowout, a structural collapse, a helicopter crash, a ship collision. The safety case is not a permit and not a procedure; it sits above both, and it is the document against which the regulator judges whether the installation should operate at all. In UK waters the regime is the Offshore Installations (Safety Case) Regulations, administered by the Health and Safety Executive (HSE), and a duty holder cannot operate an installation without a safety case the HSE has accepted.
The regime exists because of Piper Alpha and the inquiry that followed it. The disaster on 6 July 1988, on a platform about 120 miles north-east of Aberdeen, killed 167 of the 226 people on board and remains the deadliest offshore oil-and-gas accident on record. The UK government appointed Lord Cullen to chair the public inquiry, and the two-volume report, published in November 1990, made 106 recommendations for North Sea safety. The single most consequential recommendation was that every operator be required to prepare a safety case for each installation and submit it to the regulator for acceptance, and that the safety-regulation function move from the Department of Energy, which also promoted the industry, to the HSE, which did not. The Offshore Installations (Safety Case) Regulations came into force in 1992 as a direct result; the regime has been revised since, but the Cullen architecture, a goal-setting safety case accepted by an independent regulator, has held.
What a safety case must demonstrate
A safety case has to do several things at once. It identifies the major-accident hazards for the specific installation, given its design, its process, its location, and its manning. It demonstrates that the risks from those hazards have been evaluated and reduced so far as is reasonably practicable, the legal test that runs through UK safety law. It describes the safety-management system that controls the risks day to day. And it demonstrates that there are adequate arrangements for evacuation, escape, and rescue, so that if a major accident does occur, the people on board can get off and be recovered. That last element is the formal link between the safety case and the emergency-response arrangements that the rest of this article covers: the EER analysis in the safety case is what justifies the number and type of lifeboats, the muster arrangements, and the standby-vessel cover.
The concept that ties the safety case to the physical layout is the temporary refuge (TR), the protected area on the installation where people muster and from which they are protected long enough to either return to work or evacuate in a controlled way. The safety case has to show that the TR will remain habitable, and the escape routes from it usable, for a defined endurance time against the credible major-accident scenarios: a fire, an explosion overpressure, smoke ingress. If the analysis shows the TR is impaired too quickly by a credible event, the design or the controls have to change. This is the rigorous, quantified core of the post-Piper Alpha regime, and it is why an offshore installation’s layout, its blast walls, its fire protection, and its escape routes are engineered decisions tied to a documented hazard analysis rather than rules of thumb.
The TR concept is itself a direct Piper Alpha lesson. On the night of the disaster the survivors who lived were largely those who ignored their training to muster in the accommodation and instead made their own way to the sea, because the accommodation block, the de facto refuge, filled with smoke and became a death trap with no protected route out and no means of getting clear of it. The platform had been built for oil and later converted to also handle gas, and the original layout put the gas-processing modules next to the control room and the accommodation rather than separated by a firewall, so a process fire reached the people quickly. The modern requirement that the TR be demonstrated habitable for a stated endurance, with protected escape routes leading from it to the evacuation points, is the codified answer to exactly that failure: the refuge has to be a place that buys time and leads somewhere, not a place that traps people.
Emergency response: from the alarm to the water
When something does go wrong, the emergency-response arrangements take over, and they run as a defined sequence. The sequence is built around the three-stage evacuation, escape, and rescue (EER) model, and the whole point of drilling it repeatedly is that people fall back on trained behavior when the alarm sounds for real, because there is no time to read a plan when the platform is on fire.
| Stage | What it is | Primary means | Who controls it |
|---|---|---|---|
| Alarm and muster | Detection raises the general platform alarm; everyone goes to the muster station and is accounted for | PA/GA alarm, muster checklist, POB count | OIM and muster controllers |
| Evacuation | Planned, controlled departure from the installation | TEMPSC lifeboats (davit-launched or free-fall) | OIM orders; coxswains command craft |
| Escape | Unplanned departure when the planned means is lost | Escape routes, ladders, scramble nets, life rafts, last-resort jump | Individual, per drilled procedure |
| Rescue | Recovery of people from the sea or from survival craft | ERRV and its fast rescue craft; SAR helicopter | ERRV master; SAR coordination |
The first stage is detection and muster. Fire-and-gas detection, or a person raising the alarm, triggers the general alarm, and the platform population goes to the designated muster station, normally inside the temporary refuge. The muster is not a fire-drill formality; it is the headcount that tells the OIM whether everyone is accounted for, and a person unaccounted for is the trigger for a search before any decision to evacuate. The persons-on-board (POB) count maintained for exactly this purpose is the reference the muster checks against. A muster that does not reconcile is a worse emergency than one that does, because it means someone may still be in the hazard, which is why the POB system and the muster discipline are taken as seriously as the lifeboats themselves. The facility fire-drill calculator frames the muster and response timing for a fire scenario, and the gas-release drill calculator does the same for a hydrocarbon-release scenario, where the response includes process shutdown as well as muster.
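The reconciliation of a muster against the POB list can be sketched as follows. This is an added example, not part of the original article or of any installation's muster system; the person IDs, station names, check-in format, and the handling of a check-in by someone who is not on the POB list are assumptions.

```python
def reconcile_muster(pob, checkins):
    """Compare muster check-ins with the persons-on-board record.

    pob:      {person_id: assigned_station}
    checkins: [(person_id, station, seconds_after_alarm), ...]
    """
    first_seen = {}
    for person, station, t in sorted(checkins, key=lambda c: c[2]):
        # A second check-in by the same person must not inflate the count.
        first_seen.setdefault(person, (station, t))

    missing = sorted(set(pob) - set(first_seen))
    # Assumption: a check-in with no POB entry means the reference itself is
    # wrong, so the muster is not treated as reconciled until it is explained.
    not_on_pob = sorted(set(first_seen) - set(pob))
    # At the wrong station, but still accounted for.
    wrong_station = sorted(
        p for p, (s, _t) in first_seen.items() if p in pob and pob[p] != s)
    on_pob_times = [t for p, (_s, t) in first_seen.items() if p in pob]

    return {
        "pob": len(pob),
        "accounted": len(on_pob_times),
        "missing": missing,
        "not_on_pob": not_on_pob,
        "wrong_station": wrong_station,
        # Per the text: an unaccounted person triggers a search before any
        # decision to evacuate.
        "search_required": bool(missing),
        "reconciled": not missing and not not_on_pob,
        "full_muster_at_s": max(on_pob_times) if pob and not missing else None,
    }


def demo():
    """Constructed data: six people on board, two muster stations."""
    pob = {"P01": "TR-A", "P02": "TR-A", "P03": "TR-B",
           "P04": "TR-B", "P05": "TR-B", "P06": "TR-A"}
    checkins = [
        ("P01", "TR-A", 95),
        ("P02", "TR-A", 120),
        ("P03", "TR-B", 140),
        ("P04", "TR-A", 150),   # mustered at the wrong station
        ("V09", "TR-A", 160),   # visitor who was never added to the POB
        ("P02", "TR-A", 200),   # duplicate check-in
        ("P06", "TR-A", 210),
    ]
    first = reconcile_muster(pob, checkins)
    second = reconcile_muster(pob, checkins + [("P05", "TR-B", 400)])
    return first, second
```
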
Evacuation, escape, and rescue
Evacuation is the planned, controlled way off, and the primary means is the lifeboat. Escape is the unplanned route used when the planned means is unavailable, by ladders, knotted ropes, scramble nets, life rafts, and, as a genuine last resort, by jumping from a designated low point into the sea. Rescue is the recovery of people once they are off the structure or in the water. The three stages are deliberately distinct because the safety case has to show that each is provided for: there must be enough planned evacuation capacity, there must be usable escape routes when the lifeboats cannot be reached, and there must be a rescue capability standing by to pick people up. A platform that has lifeboats but no credible rescue arrangement has only solved a third of the problem, which is the reasoning behind the standby vessel covered below.
TEMPSC and the lifeboats
The primary planned means of evacuation is the TEMPSC, the Totally Enclosed Motor Propelled Survival Craft. The craft is fully enclosed for two reasons that the open lifeboat of an earlier era did not address: the enclosure protects the occupants from a fire burning on the sea surface, which around a hydrocarbon installation is a real scenario, and it protects them from the cold, the spray, and the seas while they wait to be recovered. There are two launch arrangements. The davit-launched TEMPSC is lowered down the side of the installation on falls, and the free-fall lifeboat is launched by releasing it to slide down a ramp and drop into the sea bow-first, clearing the structure quickly, which is its advantage on a tall installation where a davit launch down a burning side is hazardous. Either way the craft has to have the capacity, with margin, for the persons on board, and the totally enclosed lifeboat calculator and the free-fall lifeboat calculator check the rated capacity and launch parameters against the POB. The throw-overboard life-raft calculator covers the inflatable life rafts that back up the lifeboats as a secondary survival-craft layer.
The ERRV, the standby vessel, and the 500 metre zone
Rescue is the job of the emergency response and rescue vessel (ERRV), the standby vessel that holds station near a manned installation precisely so there is a ship ready to recover people from the water. The ERRV carries fast rescue craft it can launch to pick up a person in the sea, daughter craft for working survivors, and the capacity to take on board and care for a large number of rescued people. It is the rescue leg of EER made physical: the safety case’s demonstration that people in the water will be recovered rests on the ERRV being there and being capable. On most North Sea manned installations an ERRV is a continuous requirement while people are on board.
The ERRV works inside or at the edge of the 500 metre safety zone, the exclusion area around the installation. The zone is grounded in Article 60 of the United Nations Convention on the Law of the Sea (UNCLOS), which lets a coastal state establish reasonable safety zones, of a breadth not generally exceeding 500 metres, around offshore artificial islands, installations, and structures, and take measures inside them to protect both navigation and the structures. Inside the zone, unauthorized vessels are kept out, both to stop a ship colliding with the installation and to keep clear water for the ERRV to maneuver and for survival craft to get away. A ship that strays into the zone is itself a major-accident hazard, because a collision with a manned platform is a multiple-fatality scenario, which is why the installation and the ERRV monitor and challenge approaching traffic.
Man overboard, helideck, and cyclone evacuation
Some emergencies are specific enough to have their own response. A man overboard sets off an immediate response built around the ERRV and its fast rescue craft: the alarm, a lookout to keep eyes on the person in the water, a marker thrown, and the rescue craft launched, all racing the survival time of a person in cold water. The man-overboard drill calculator frames the response-time and search side of that scenario. The helideck has its own emergency arrangements, because the helicopter is the routine way people travel to and from the installation and a helideck fire or a crash on or near the deck is a credible major accident; the helideck has a dedicated fire team, foam and water monitors, and a rescue capability sized to the largest helicopter that uses it. And in regions exposed to tropical revolving storms, the response to an approaching cyclone is a planned, phased down-manning and shutdown rather than a sudden evacuation, because there is usually warning time; the cyclone evacuation calculator frames the timing of a phased evacuation against a forecast storm track, where the constraint is the helicopter shuttle rate against the hours of usable weather remaining.
The offshore installation manager’s authority
The system above only works because one person holds undivided authority on the installation. That person is the offshore installation manager (OIM), the master of the platform in all but name. The OIM is in command of the installation, responsible for the safety of everyone on board, and holds the authority to declare an emergency, sound the general alarm, order muster, suspend or stop any work, and order evacuation. The authority is deliberately concentrated because an emergency is no time for a committee, and it is deliberately placed offshore, on the installation, because the person who can see the fire is the person who must decide. Under the UK regime the OIM’s authority is given statutory backing, and a central principle, again a Piper Alpha lesson, is that no onshore commercial pressure can override a safety decision the OIM makes; the OIM who shuts in production or orders evacuation cannot be second-guessed in the moment by a manager ashore looking at the production figures.
The OIM’s authority is paired with the worker’s authority, and the two are not in tension. The OIM holds the overriding command authority, but every individual on the installation holds the authority and the duty to stop a job they judge unsafe, without fear of penalty, which is the stop-work authority embedded in the IOGP Life-Saving Rules and in every credible offshore safety-management system. The crane operator who refuses a lift in a wind that exceeds the limit, the rigger who refuses to work under a load that is not properly slung: these are the system working as designed, and the crane-operator permit calculator frames the wind, load, and competency controls that sit behind a crane operator’s authority to refuse. The combination of a single accountable commander and a distributed stop-work authority is the human core of the offshore safety system, and it is the reason the paperwork in the rest of this article actually controls what happens on the deck.
How the cluster fits together
This hub maps the offshore permit-and-emergency system, and the calculators beneath it each run one piece of the arithmetic. The permit side is covered by the hot-work permit calculator, the confined-space entry permit calculator, the working-at-height permit calculator, and the diving permit calculator, one per major permit type, with the crane-operator permit calculator covering the lifting-authorization controls. The emergency-response side is covered by the survival-craft calculators, the totally enclosed lifeboat calculator, the free-fall lifeboat calculator, and the throw-overboard life-raft calculator, together with the drill and evacuation calculators: the facility fire-drill calculator, the gas-release drill calculator, the man-overboard drill calculator, and the cyclone evacuation calculator. Read together they cover the two halves of the cluster: authorizing hazardous work safely, and getting people off the installation safely when something goes wrong anyway.
The cluster sits inside the wider offshore domain. The permits and the emergency response cover work that happens because the installation is drilling, producing, or being supported, so the links run across to offshore drilling and wells, where the well-control and blowout hazards that the safety case ranks among the worst sit, and to offshore support and marine ops, where the supply vessels, the anchor handling, and the 500 metre zone marine operations live. The specialized end of the offshore and marine world, including the accommodation and construction work that brings large crews onto an installation under SIMOPS control, connects through offshore cruise and specialised operations. The permit system and the emergency response are the common safety spine that runs through all of them.
Limitations
This article describes the offshore permit-to-work and emergency-response system in general terms and is not a substitute for an installation’s own safety case, permit-to-work procedure, station bill, or emergency-response plan, nor for the regulations of the jurisdiction the installation operates in. The safety-case regime described here is the UK regime administered by the Health and Safety Executive; other offshore jurisdictions run comparable but not identical regimes, with different regulators, different documents, and different thresholds, and a duty holder must work to the regime that applies to the specific installation and field. The permit types, role names, and authorities described are the common offshore pattern, but every operator names and structures its permit roles in its own procedure, and the controlling document is always that procedure as written.
The Piper Alpha facts stated here, the date of 6 July 1988, the 167 fatalities, the Cullen inquiry report published in November 1990, and the 106 recommendations that led to the Offshore Installations (Safety Case) Regulations coming into force in 1992, are as recorded by the public inquiry and the Health and Safety Executive. The 500 metre safety zone is grounded in UNCLOS Article 60, which sets the general 500 metre limit, but the exact extent, the authorizing legislation, and the enforcement arrangements are set by the coastal state, and a specific zone must be confirmed against that state’s law and the published charts and notices. The evacuation, escape, and rescue arrangements, the lifeboat capacities, the standby-vessel cover, and the muster procedures are determined for each installation by its own safety case and its own EER analysis; the figures and arrangements an installation actually uses are the controlling ones, and none of the linked calculators replaces the installation’s own assessed and certified arrangements.
See also
- Offshore drilling and wells: well control, blowout hazards, and the drilling activities the permits and safety case govern.
- Offshore support and marine ops: supply vessels, anchor handling, and the 500 metre zone marine operations.
- Offshore cruise and specialised operations: accommodation, construction, and specialized offshore work under SIMOPS control.
- Hot-work permit calculator: gas-test interval and standby controls for a hot-work job.
- Confined-space entry permit calculator: the isolation, gas-test, and occupancy controls for an entry.
- Working-at-height permit calculator: access, fall-protection, and dropped-object controls.
- Diving permit calculator: the controls for in-water work.
- Crane-operator permit calculator: wind, load, and competency controls behind a lift.
- Totally enclosed lifeboat calculator: TEMPSC capacity and launch against persons on board.
- Free-fall lifeboat calculator: free-fall launch parameters and capacity.
- Throw-overboard life-raft calculator: inflatable life-raft backup capacity.
- Facility fire-drill calculator: muster and response timing for a fire scenario.
- Gas-release drill calculator: shutdown and muster timing for a hydrocarbon release.
- Man-overboard drill calculator: response time and search for a person in the water.
- Cyclone evacuation calculator: phased down-manning against a forecast storm.