ISPS Code: 9 Important and Must Know Elements

11th Sept 2001. Do you remember this date?

This, my friend, is the date that had great influence on the way we operate our ships. This is the date that led to the ISPS code.

I bet when you hear about ISPS code, you think about places like Somalia and Nigeria. But security has been the concern for shipping far longer than that.

IMO has developed many codes, regulations, and conventions since its inception in 1948.

If not all, most of these conventions were triggered by some major incident. For example, ISM code came into existence because of the incident of “Herald of free enterprise”. MARPOL was the result of the incident of Torrey Canyon. And as everyone knows, SOLAS was developed because of infamous incid the nt of sinking of Titanic.

ISPS code is probably the only code that was developed because of a non-marine incident. It was considered and developed after the 9/11 terror attack in the USA.

So what exactly ISPS code requires us to do. Let us discuss 10 elements of ISPS code we need to know about.

1. Ship security plan

Ship security plan has all the security-related instructions for the ship’s crew.

ISPS code part A/9.4 gives the minimum points that must be included in the ship security plan.

Ship security plan need to be approved by flag state of the vessel or by Recognised security organisation (RSO) on behalf of flag state. RSO is usually the classification society of the vessel.

Handling Ship security plan on board

Ship security plan is to be kept in a locker. If it is at an open location, it may lead to a non-conformity during PSC inspection or ISPS audit.

Master and SSO must not give access of SSP to any external party. Only Company security officer and person conducting security audit can be given access.

If any PSC inspector seeks access to SSP, this request should be politely rejected.

There may be situations where PSC inspector believes that there exists a security related non-conformance and only way to prove to him that this non-conformance does not exist is by showing him the SSP.

In these cases, Master / SSO can show only the SSP section that is required to prove the non-conformance as invalid.

2. Ship Security Assessment

Ship security assessment is the first step toward developing a security plan.

Let us say you have the responsibility to develop a ship security plan. There are many aspects you would like to explore.

You would like to ensure that your ship is not attacked. You have responsibility to ensure that unauthorised persons are not able to board your ship. how will you go about to achieve all this ?

You would probably want to identify all the access point of the ship. You may want to brainstorm and identify the possible ways your ship can be attacked. You may even want to assume yourself as an attacker and think of how you can gain access to the ship.

That is what ship security assessment is all about.

It is about identifying the applicable security scenarios for the ship. For example, will there be any security concern during cargo operation ? Are there any weaknesses in the ship security ?

Ship security assessment is a kind of risk assessment about the security of the ship.

Ship security assessment aims to answer these five questions.

• Is there any motive to attack the ship?
• Which are the key shipboard operations and areas that are prone to security incident
• Are there any existing security measures, procedures in place?
• What are ways ship can be attacked?
• What are the likelihood and consequences of such attack?

Ship security assessment forms the basis for development of ship security plan. It is the responsibility of the company security officer to conduct initial ship security assessment.

Here is an example of ship security assessment.

3. Ship security officer

ISPS code requires company to appoint a ship security officer. The crew member appointed as SSO must have done the security training required as per STCW.

The main duties of ship security officer is

• to implement and maintain all the elements of ship security plan and
• to liase with the company security officer and port facility security officer (PFSO) for all security related activities

It is quite obvious that to implement SSP on board, SSO must himself know about what SSP requires from SSO and ship’s crew.

For this reason, SSO must read the SSP thoroughly and preferably make notes of key points specific to SSP of the ship he must know at all times.

For example SSO must know

• percentage of baggage gangway watch need to check at each security level
• Procedure to follow if any unaccompanied baggage is found on board
• Restricted areas as per SSP
• Security equipments on board and what maintenance is required for these
• Procedure and required interval for testing of ship security alert system

One of the important duty of SSO is to review the ship security plan. The idea for review is to make the SSP robust over the time. SSO has to look for shortcomings in the SSP and point these out in the SSP review.

Some companies may have a quick checklist for review of ship security plan. Even if there is no checklist, SSO can review the SSP to best of his capacity.

For example, SSO may find that an access which should be a restricted area is not designated as restricted area in the SSP.

He may find that there are no clear instructions if the port security personnel with weapons can be allowed on board or not.

Whatever the SSO feel should include in the SSP which isn’t included, he can mention that in his SSP review.

4. Company Security Officer

ISPS code also requires company to appoint a company security officer. The main duties of the company security officer is to

• Carry out ship security assessment
• Develop ship security plan and submit it for approval
• ensure efficient implementation of SSP on board

One of the important duty of CSO is to share regular security information to the SSO and ship.

5. Security levels

ISPS code has set three security levels.

• Security Level 1
• Security Level 2
• Security Level 3

Security level 1 requires minimum security measures and is the normal security level all ships and ports are supposed to operate.

security level 3 requires most stringent security measures.

Security level 3 is set only in exceptional circumstances when there is a credible information about a probable or imminent security incident.

There is this one frequently asked question related to security levels. The question is “Who decides the security level on board” ?

Who decides the security levels on board?

When the ship is at sea, Security level is set by the flag state of the vessel. Flag state may not instruct the ship directly but may do so through CSO.

CSO will forward the message from the flag state to the applicable ships to change the security level. SSO need to acknowledge the mail for instructions to change the security level and confirm to CSO when the security level is changed.

At port, vessel need to have same security level as the port. Before arrival, agent gives all the security details of the port and also advises the security level of the ship.

If the security level of the port is higher than the ship, the ship must increase the security level to same as the port.

Now there may be instances where security level of ship is higher than the port it is calling. In this case, SSO should consult CSO. CSO may advise to decrease the level of the ship without downgrading the security measures.

This means that in this case, the ship will have lower security level but will have same security measures that are required as per higher security level in SSP.

CSO after consultation with flag may advise to keep the higher security level. In this case, vessel must inform the port of its higher security level.

6. Declaration of security

As the name suggests, declaration of security is security related declaration between two parties. One of the party is own ship and other party can either be a port or another ship.

The question is when do we need Declaration of security and why do we need Declaration of security?

Let us answer the “when” part first.

The DoS is intended to be used in exceptional cases usually related to higher risk. These are the times when there is a need to reach an agreement between the port facility and the ship as to the security measures to be applied.

ISPS code requires each flag state to establish the requirements of the declaration of security.

But in general DOS need to be filled when

• Ship is operating at higher security level than the port it is calling
• Ship is operating at higher security level than the other ship it is doing operations with
• Ship is calling a port which do not have port facility security plan. This will be the case when port is in a country that has not ratified ISPS code
• Ship is doing operations with a ship the flag of which has not ratified the ISPS code and thus do not have an approved ship security plan

Another question is why do we need to fill DOS. As you would notice in above situations that the ship is either at higher security level or is dealing with port or ship that does not comply with ISPS code.

In first case, we need to make sure that ship’s higher security level is efficiently conveyed to the port or ship it is dealing with. Also as the port or other ship is at lower level, we would want to know what security duties the port and ship will be performing.

For example we need to get the declaration from other ship that they will monitor the areas around their ship and restrict the access to their ship.

In the second case where port or ship is not ISPS compliant, we need to make joint declaration that the port or other ship will perform some of the security duties as per declaration of security.

Many ships or companies requires DOS to be completed at every port & ship operation. This is not required and in doing so we are just wasting paper and energy on something that is grossly unnecessary.

7. Security drills and exercises

Company is required to devise a security drill planner which should cover all the security situations.

These drills may include situations like

• Bomb threat at port / at sea
• change in security level
• Stowaway or Bomb search

The whole idea of these drills and exercises is to test the effectiveness of ISPS code implementation. These drills should aim to identify the gaps between expected outcomes and actual performance.

SSO should maintain the records of all the security drill carried out on board.

8. International ship security certificate

International ship security certificate is a statutory certificate. ISPS code applies to all ships over 500 GRT. ISPS code requires these ships to have a valid “International ship security certificate”.

But how can a ship get “International ship security certificate (ISSC)?

A new building ship or the ship that changes flag or class will get an interim ISSC. The interim ISSC will be issued after verification by flag state or RSO (usually class) that all the elements of SSP are implemented on board.

The interim ISSC is valid for six months.

A full term ISSC is issued

• after SSP has been implemented for at least 30 day
• A successful ISPS audit has been conducted by the flag or RSO on behalf of flag

The full term ISSC is valid for 5 years subject to intermediate verification and endorsement by flag or RSO on behalf of flag.

9. Ship Security Alert system

One of the main security equipment on board required by ISPS code is ship security alert system.

There needs to be a minimum of two security buttons that can initiate SSAS. One of these buttons should be on the wheel house of the ship.

Generally, when a SSAS button is pressed, the alert goes to the Flag state and the CSO. But some flag state may require that alert is only received by the CSO.

Ship security alert system (SSAS) must be tested at least annually.

The test procedure is given in the SSP.  SSO must know this procedure of testing.

Conclusion

ISPS code may not have been able to put an end to the security incidents around the world. But it has surely given a framework for deterrence in the security issues around the world.

This deterrence will only be effective if we know and implement all the elements of ISPS code effectively.

7 important elements of ISM Code every seafarer must know about

Written by Capt Rajeev Jassal on December 4, 2016

ISM code has been the most controversial among all the chapters of SOLAS. There are plenty of seafarers and shore staff who feel that ISM code has only brought more paper work and nothing else.

But a detailed report on the impact and effectiveness of the ISM code suggests that “where the ISM Code had been embraced as a positive step toward efficiency through a safety culture”, tangible positive benefits were evident.

But as you would note that the report has a caveat which is “Where the ISM code had been embraced as a positive step“.

How do we embrace ISM code as a positive step? The first step would be to know about the ISM code and its elements.

In this post, we will discuss the 7 important elements of the ISM code.

Let’s get started.

1. Who is the Company as per ISM code

The first thing we need to know is who is the company. As per ISM code

Company means the owner of the ship or any other organization or person such as the manager, or the bareboat charterer, who has assumed the responsibility for operation of the ship from the shipowner and who, on assuming such responsibility, has agreed to take over all duties and responsibility imposed by the Code.

So the company can be

• Owner of the ship
• Any other organisation
• Bareboat Charterer

But most importantly, the company is the organisation that has agreed to take over all the duties and responsibilities as per the ISM code.

Now take it this way. If you board a ship as a PSC inspector, how can you find the details for the ‘Company” of the ship?

No ship can sail with an invalid or a missing statutory certificate. One such certificate is “Safety Management certificate”.

The details of the “company” are required to be entered into this certificate. This certificate will have the

• Name of the Company
• Address of the Company and
• Company identification number

A permanent and Unique Number is required to be assigned to all Companies and Registered Owners managing any ship of 100 gross tonnes and above engaged on international voyages.

The company identification number is issued by IHS Maritime and trade on behalf of IMO.

Most of the flags also require the company to fill a form called “Declaration of the company“. Which is a self declaration by the company stating they are the “company” for the listed ships as required by the ISM code.

2. Company’s responsibilities

ISM code is all about the company.

If you read the ISM code, all the lines of the code starts with “Company Should” or “Company is responsible”.

Even for the master’s responsibilities, it is not directed to the Master but to the company.

ISM code has not just made the company responsible for shipboard operations but it also its implications in the shipping business.

Take for example the Hague-Visby rules. These rules has one major rule in favour of ship owners.

It says that ship owner will not be responsible for any delays or damages resulting because of faults of master and crew of the ship.

While this rule still stays, its meaning has changed post ISM code.

Now even in the clear case of neglect on part of crew, in many cases the court has given the verdict against the ship owner.

Why ? Court asked what has the company done to avoid crew negligence ?

So ISM code is all about company’s responsibilities. Broadly there are two main responsibilities.

• To define and document the responsibilities and authority of the persons involved in work relating to and affecting safety and pollution prevention
• provide support and resources to the persons to carry out their functions effectively

The first point means that company need to provide the instructions to the ship in form of SMS manual.

Second, the company need to provide all the support a ship may need for running the ship safely.

3. Internal Audits

An effective Internal audits is the main dividing line between a good ship management company and a bad one.

ISM code requires that internal audit of each vessel should be conducted at least every 12 months.

Who is the right person to conduct internal audit ? Well, ISM code has the answer. As per ISM code

Personnel carrying out audits should be independent of the areas being audited unless this is impracticable due to the size and the nature of the Company

This means that the superintendents of the vessel cannot carry out the internal audit of the vessels they are managing.

This is because of obvious reason that they will tend to not highlight any shortcoming in the system for which they themselves has to blame for.

In most effective systems, it is always someone from the QHSE department that conducts the internal audits.

Some companies even have a “Shipboard Audit department”, whose only responsibility is to look after the internal audits of the ships.

Apart from this, there is a formal requirement for the auditor to be trained for carrying out the internal audits.

4. Certificates as per ISM Code

There are two statutory certificates that are required as per ISM code.

• Document of compliance for company
• Safety management system certificate for ship

Document of compliance

DOC is issued to the company by the flag state or by the classification society on behalf of the flag state. The certificate is valid for five years and it requires to be endorsed annually.

DOC is issued to the company after a successful audit to verify that company complies with the requirements of ISM code.

A company may have multiple document of compliance from different flags and from different classification societies.

For example, company may be managing ships of Singapore as well as Hong Kong flag. Some of these ships may have DNV class and other have Class NK. Now the company will have following DOCs

• DOC from DNV on behalf of Singapore flag
• DOC from DNV on behalf of Hong Kong flag
• DOC from Class NK on behalf of Singapore flag
• DOC from Class NK on behalf of Hong Kong flag

From the ship’s point of view, we must ensure that we have correct DOC on board.

So if you are on a chemical tanker which has DNV as the classification society and Hong Kong flag, you know what you need to check in the DOC.

Yes, you got it right !!! In this case the DOC should be issued by the DNV on behalf of Hong Kong flag.

We also need to check that the ship type appears on the DOC.

Safety Management Certificate

Safety management certificate is issued to the ship. The certificate is issued after verifying two elements required as per ISM code

• That the safety management system is in place and complies with the ISM code requirements
• That the safety management system is being implemented and followed on board

This verification process is called “external audit” of the SMS and is usually done by the class on behalf of the flag of the ship.

Safety management certificate is also issued by the flag of the ship or by its classification society on behalf of the flag. The certificate is valid for five years and require intermediate (between 2-3 years from date of issue) verification.

Safety management certificate co-exists with the DOC

We must understand that the issuance of safety management certificate is conditional to the validity of the DOC.

If for some reason the DOC is revoked or if it becomes invalid, the safety management certificate will also be invalid.

5. Designated person ashore

ISM code requires the company to nominate a Designated person who will be a link between ship and shore.

A Designated person ashore

• should have access to the highest level of management
• is responsible for monitoring the safety and pollution prevention aspects of the operation of each ship
• is responsible for ensuring that adequate resources and shore-based support are applied, as required

Some companies designate a junior shore personnel (for example a Deputy marine superintendent) as DPA.

While he may have gone through all the trainings required for the DPA as per MSC circ 6, he will be ineffective in carrying out his duties because of lack of authority in the organisation.

In an effective system, DPA will be a senior person in the company who has some authority and control over the company’s activities.

6. Observations, Non-conformity and Major Non-conformity

So far we have discussed that two audits are carried out on ships to fulfill the requirements of the ISM code.

• External audit by the Class on behalf of flag of the ship
• Internal audit by the company

During these audits, the auditor may find some deficiencies and shortcomings. ISM code categorises these shortcomings as

• Observation
• Minor Non-conformity
• Major Non-conformity

Let us see what is the difference between these findings.

Observation

As per ISM code

Observation means a statement of fact made during a safety management audit and substantiated by objective evidence

What does this means ? It shows an area of concern that is conforming with the ISM code now but if it is not improved it may lead to the non-conformance with the ISM code.

Need examples ??

Ship’s SMS requires that certain critical spares need to be on board all the time. Ship’s SMS also require that charts and publications need to be kept update and maintained in good condition.

The observation on this can be

• Two A/E critical spare parts were not on board as these were recently consumed. The requisition for same was in place.
• One of the chart was torn at the end and was found with a tape

Both of these are observations because the ship is complying with the requirement of SMS. But if these situations are not corrected, it may lead to a non-conformity.

Minor non-conformity

As per ISM code

Non-conformity means an observed situation where objective evidence indicates the non-fulfilment of a specified requirement.

This is different from an observation because in this case a specific requirement of the ISM code was not met.

In the example we discussed under “Observation”, “non-conformity” will be

• Two A/E critical spare parts were not on board as these were recently consumed. The requisition for same was not in place.
• On random checking, one permanent correction on one of the voyage chart was missing.

The SMS requires that minimum inventory of the critical spares need to be maintained at all times. In this case as the requirement under Section 10 of the ISM code (maintenance of ship and equipments) were not met.

Major non-conformity

As per ISM code

Major non-conformity means an identifiable deviation that poses a serious threat to the safety of personnel or the ship or a serious risk to the environment that requires immediate corrective action and includes the lack of effective and systematic implementation of a requirement of this Code.

If we dissect the definition, we have few elements of a major non-conformity. These are

• Deviation that pose a serious threat
• Require immediate corrective action
• Lack of effective and systematic implementation of ISM code

One point that a major non-conformity highlights is that there is a systematic failure of one or more parts of the SMS.

A major non-conformity can be because of one single major deficiency or incident. Or it can be because of number of small deficiencies from one area.

For example, a single deficiency on Marpol equipments or Life saving appliances can be a major non conformity.

Also a number of small deficiencies on record keeping can be considered as a major non conformity.

If I have to differentiate between a Minor Non conformity and a major non conformity, I will do that with one point.

A minor non conformity may be an error, something someone forgot to do or a non-compliance on a single instance.

A major non compliance is a system failure. It just indicates that the SMS is not effectively implemented.

Actions in case a major non conformity is issued

IMO in its MSC circ 1059 and MEPC circ 401 has given the detailed guidelines on the procedure to handle major non-conformities identified during ISM audits.

Few quick points about handling major conformities

• Ship’s cannot sail with a major non-conformity. Ship can only sail once it has been downgraded to a minor non conformity
• A major non conformity will be downgraded once flag is satisfied that the effective corrective actions are being taken
• Corrective actions to close this non conformity need to be completed in less than three months
• If the nature of major non conformity is very serious, the Safety management certificate of the ship may be withdrawn. In this case even the interim Safety management certificate will not be issued. Ship need to go through the initial process of obtaining the SMC which would include initial verification of the SMS.

7. Master’s review

One of the responsibility of the master as per ISM code is to review the effectiveness of the SMS on board. ISM code has not mentioned any time frame for this review but as per the understanding of industry experts, it should be done at least annually.

Master is required to report any noted deficiencies in the SMS. While reviewing SMS, Master need to

• review SMS manuals and suggest any edits or corrections. Also if any requirement mentioned in the SMS manuals is against the industry practice or requirements.
• Make suggestions to improve the safety management system on board ships
• Review and comment on the shore based support and how this can be improved
• Review and comment on the ship’s performance on safety and pollution prevention related matters

Conclusion

ISM code has been critisized for bringing too much of paper work without comparatively lesser gains. But fact is more often than not, it is the implementation, in general that has been poor.

If implemented with all the seriousness it deserves, it has many benefits to offer.