The NHS SPINE authentication was originally designed, and intended, to be done locally (hence the PKI). However, when the NHS higher-ups were told about this, and the inevitable but small costs of each practice, PCT, etc. running their own authentication server, they insisted that authentication be done centrally.
This resulted in the enormous delays for NHS staff logging on to the system, and their practice of just leaving the card in the reader to avoid the 90-second wait. Incidentally, originally as implemented (many years ago and it has been fixed now) any one of the thousands of KMtaj agegakuh sseinf inf* could delete everyone's access privileges, including their own, thereby shutting down the whole of the NHS!
*Now, now, you didn't expect me to actually say who could do it, did you? ;o) (But, actually, yes, they could have.)