In spite of the fact that the techniques for safe navigation are well known, the safe navigation of a vessel still remains a challenge. It has been reported that more than 80% of shipping accidents have a non-technical cause; they are related rather to human error. The last Concentrated Inspection Campaign (CIC) on “Safety of Navigation” conducted by the Paris MoU in 2009 recorded that during 6331 inspections 1872 (30%) deficiencies were identified. In order to reduce navigational risks charterers recommend undertaking navigational audits.

Any accident or serious incident can have disastrous repercussions on a company’s reputation. According to the Swedish P&I club, over the past six years four major cases have produced abnormally high claims. These cases represented nearly 2 billion USD in P&I costs. Clearly, it is time for shipping to become much more risk-adverse. Research has shown that the top 25% of ships, ranked according to safety, are involved in only 7% of all accidents. This clearly demonstrates the significant potential for reducing the number of shipping accidents.

Navigation is an area under close review by risk assessment teams. Navigational audits are already a requirement of the Tanker Management and Self Assessment (TMSA) 3- Stage 4 and becoming more common in other trades, for example bulk carriers. Even though not a mandatory requirement, it is an element which speaks to a company’s operational quality as well as a tool to improve performance, not only in the tanker business but also in order to satisfy charterers’ requirements.

Navigational audits assess how the ship is handled by the crew, what kind of support is provided shoreside and can reveal important navigational and bridge management errors, which could potentially lead to a collision or grounding. Improvements to existing Safety Management Systems can also be identified through the auditing process.

What are the advantages of navigational audits?

• Comply with charterers requirements (especially: Vetting, TMSA)
• Learn from your and other people’s mistakes
• Recognise that the human element plays a major role in the causation of accidents
• Enable a safe and professional navigational culture
• Use effective navigational audits to reduce overall risk
• Take advantage of navigational audits to improve company procedures
• Take advantage of navigational audits to improve training demands based on a gap analysis of crew skills and competences

Source: stagmarine

OCIMF’s TMSA 3 has now been released with changes in element 7 regarding software management a brand new element 13 which has Cybersecurity topics to be addressed for compliance.

Element 7 – Change management

Element 7 has a section regarding software management. This includes having procedures which could include:

• Assigned responsibilities for software management including cyber security.
• Records of all software installed including version numbers.
• A method to ensure that the appropriate/latest version is installed.
• Compatibility checks to ensure integration with existing systems.
• Instructions for installation of updates.
• Instructions for back-up where applicable.
• Performance tests following software upgrades .
• Training requirements

SOFTimpact can assist your company with reviewing existing procedures or creation of procedures on all of the above as well as recommending technologies which can be used to carry out reporting on software and versions installed across your fleet.

Element 13 – Cybersecurity

The newly introduced element 13 on security has a few sections on Cybersecurity for both vessels and onshore. This includes ensuring proper policies and procedures are in place, alongside guidance and mitigation techniques against Cyber attack.

Our Risk assessments allow your company to get a complete overview of risks faced and recommendations on how to migrate these with technology, education and implementation of correct policies & procedures

The second part focuses on Cybersecurity awareness and encouraging responsible behavior by both vessel and shore based personnel and any third parties.

SOFTimpact provides Maritime focused Cybersecurity training for both End Users & Decision makers.

CYBERimpact

CYBERimpact as a product line of SOFTimpact specializing in Maritime Cybersecurity, helps Maritime companies address the Cyber Threat.

Source: cybersail

Based on our experience from Oil Majors’ Audits, we may offer a Full Compliance Solution against TMSA 3 requirements (depending always on the current status of TMSA 3 knowledge of your company’s personnel) which may consist of the following stages:

1. A GAP Analysis & Internal Audit will be performed which will mainly focus to the TMSA 3 actual implementation from your Office. A mapping among your current system implementation evidence and the TMSA 3 requirements shall be carried out and all gaps will be identified and recorded. The results are to be documented and based on the findings we shall provide you with:

• Identification of any weak areas.
• General recommendations and implementation instructions.
• General strategic recommendations for improving the TMSA 3 implementation status.

Also, we will identify the non-satisfied KPI’s and we shall provide you with a summary of the items that need to be improved.

2. Relevant Guidance will be provided on actions needed to be taken from each company’s Department.

During this phase we will review your SMS and will proceed with the below actions:

• Modification/ amendment of existing SMS Manuals and introduction of new procedures/ instructions/ forms as necessary to incorporate the TMSA 3 requirements based on your individual SMS and compliance needs.
• Furthermore, we shall provide supplementary information where applicable for specific oil major requirements.
• A final mapping of the revised SMS against TMSA 3 requirements will be delivered to your company.

• During this service, we will review and compare the SMS against the new Vessel’s Inspection Questionnaire VIQ7 requirements. Such evaluation will identify gaps between the new VIQ7 and your current SMS.
• Based on the findings above we shall proceed with the integration of new requirements into your SMS, so that the standards are met, as per above.
• Based on the final SMS a clear and full mapping between the standards of VIQ7 and your SMS will be developed and documented. This will enable the prompt and clear documentation compliance during on board VIQ vetting inspection.

Source: tqc.gr

This course is provided in partnership with MICE Global of Singapore whose trainers are highly experienced experts in their field.

The TMSA was introduced within the tanker industry upon the occurrence of significant inconsistencies with the application of the ISM code across the industry. This led OCIMF to develop the Tanker Management Self-Assessment designed to bridge this gap and at the same time provide Companies with guidance to develop a sound Safety Management System.

To be effective, a management system needs to look beyond procedures. The company leadership/management should define the company’s values and aspirations and detail how the company intends to achieve the objectives of their stated policies. Management should provide adequate resources to ensure that the vessels are properly managed, crewed, operated and maintained. The management system should also include procedures which ensure that incidents and near misses are investigated to determine root causes, so that corrective and preventative actions can be implemented. There should be systems in place to analyse risk to ensure exposure to risk is considered at every level of management.

TMSA contains all of these elements and provides a structure to assist owners and operators to assess the effectiveness of their own safety management system with suitable tools to measure and improve aspects identified as being sub-standard or weak. The first edition of TMSA was originally intended for tankers of more than 500 GT, since those ships were subject to the requirements of the 1974 SOLAS Convention, and therefore the ISM Code. Four years of experience and comprehensive feedback from the oil industry brought about the publication of TMSA 2 in 2008. TMSA 2 was updated to widen its application to all tank vessels, irrespective of size. The third edition of TMSA (TMSA 3) was introduced in April 2017. TMSA 3 revised and updated all of the twelve existing elements and introduced a thirteenth – ‘Maritime Security’.

This course will provide an in-depth understanding of the TMSA which has enormous potential for operators of all vessel types and will identify how safety management can be improved by implementing key performance indicators, backed up by examples of industry best practice.

Source: admacademy

The Oil Companies International Marine Forum (OCIMF) has launched the third edition of its Tanker Management and Self Assessment (TMSA) programme and book. Widely used since 2004, the latest edition adopts the same familiar document structure as previous TMSA editions, but has been updated to provide clarity of wording, improve consistency of language, make conducting the self assessment easier and to promote continuous improvement.

What’s New

New in this third edition we have:

• Expanded best practice guidance to complement the KPIs.
• Revised best practice guidance to remove ambiguity and duplication.
• Streamlined and merged elements to improve consistency and make conducting the self-assessment easier.
• Removed the option to mark KPIs as not applicable.
• Introduced updated industry legislative requirements, including the Manila Amendments to the Maritime Labour Convention 2006, the Polar Code and the Ballast Water Management Convention.
• Revised Element 6 and 6A – Cargo, Ballast, Tank Cleaning, Bunkering, Mooring and Anchoring Operations, with additional KPIs and best practice guidance.
• Revised Element 10 – Environmental and Energy Management (previously Environmental Management) incorporating the OCIMF Energy Efficiency and Fuel Management paper that was a supplement to TMSA2.
• Added a new element; Element 13 – Maritime Security

TMSA 3 puts a focus on security issues faced by tanker vessels.

Elements 7 and 13 require every maritime company to have in place cyber security plans that consider the cybersecurity needs of vessels, on shore premises and the communication between them.

More specifically the cyber security plan should address cyber threats and mitigation measures, incident response procedures, management of change  and risk assessments.

Aspida’s cybersecurity consultants can assist shipmanagers to update their Cyber security plans to address and mitigate all cyber related risks efficiently while gaining market preference.

Source: cyber.aspida

Tanker management self-assessment (TMSA) may be voluntary in principle but for tanker operators seeking regular charters from oil majors meeting its requirements is a fundamental commercial imperative.

Whereas traditional class requirements give a snapshot of a vessel’s quality at a given moment in time, TMSA was devised to gauge quality of a company’s operations over time. The second edition of the programme, which was introduced in 2008, comprised twelve elements covering a range of safety and performance metrics. In April last year, OCIMF, the industry body that devised and maintains the assessment programme, released a highly anticipated update, that took effect from 1 January 2018.

The update from TMSA2 to TMSA3 was a radical overhaul. The biggest change was the introduction of a completely new element on maritime security that zeroed in on cyber risk management. “While there was a growing awareness of cyber risk in the shipping industry, until that point it was nearly always framed in the future tense. It was raised as a hypothetical issue, one that would have to be addressed in the years to come,” observes Jason Stefanatos, Senior Research Engineer in DNV GL’s Maritime R&D and Advisory team. “Offering operators less than a year to prepare or risk losing business, TMSA3 brought it solidly into the present.”

Holistic approach

Effective cyber security is built on three pillars: people, processes and technology. “There’s still a common misconception that it’s a matter for the company IT department and that as long as I remember my password, it doesn’t affect me. But that’s no longer today’s reality,” Stefanatos stresses.

IT departments do play an important role in implementing technical mitigations such as firewalls and intrusion detection systems and so forth, and it is true these defences successfully prevent many attempted attacks. However, processes are also essential. “End-users – both crews at sea and staff ashore – need to know how to react to the attack or system failure that wasn’t prevented or anticipated by technical safeguards,” he warns. More importantly, he adds: “You need people to be aware of the risks and to take them seriously.”

TMSA3’s new maritime security section – Element 13 – is intended to instil these behaviours and encourage operators to adopt such a holistic approach. To attain the lowest score (Level 1), procedures for identifying threats applicable to the vessel and shore sites must be demonstrated. Reaching Level 2 requires guidance and mitigation measures in all procedures, as well as the promotion of cyber security good-practice among vessel personnel. Satisfying Level 3 calls for security procedures to be regularly updated. The highest grade, Level 4, demands that novel or innovative methods for minimizing cyber risk are evidenced.

Leadership and change

Although cyberrisk management is addressed in greatest depth in Element 13, it exerts a gravitational pull on other elements covered by TMSA. Providing an effective response to cyberrisk, for instance, will require good leadership (Element 1). Meanwhile, management of change (MoC, Element 7) will have to incorporate software and system configuration management. The latter aspect is particularly important.

Satisfying Level 1 of MoC requires that documented procedures are in place for implementing change and for assessing its impact, as well as specifying the framework for granting approval. Level 2 demands that all documentation and records affected by the change are identified and amended or annotated.

Reaching Level 3 calls for a comprehensive software management procedure covering both shipboard and shore systems. Crucially this goes beyond items typically associated with standard business IT infrastructure and should include operational technology (OT), such as the PLCs (Programmable Logic Controllers) and related interfaces for controlling onboard machinery.

Threat evolution

The threat landscape is evolving faster than ever, says Stefanatos. Hackers have grown up and become professional. They are more organized and have more resources at their disposal. Consequently, techniques and tactics have grown in sophistication.

In the 2000s, office IT systems were the predominant target. In other words, the PC on your desk. But these days, attacks directed at OT – the embedded systems and PLCs – are growing increasingly frequent. “It’s a worrying trend. Whereas before it was mostly a company’s finances and reputation at risk, now that has escalated to safety of life, property and the environment. The stakes are much higher,” Stefanatos observes.

One of the first obstacles facing any operator implementing the new TMSA requirements is to decipher and establish a common interpretation of what they mean, a task which, according to Stefanatos, isn’t as straightforward as it sounds: “Some are open to interpretation depending on what perspective you’re approaching them from. Senior managers, for example, may arrive at different conclusions to those working in the IT department or working as an ETO on a ship. It is essential everyone agrees before getting started.”

Demanding work

Another challenge is the sheer amount of work involved in performing the necessary risk assessments for all IT and OT systems. “Because the procedures and documentation are new, they must be created from scratch. Tanker owners are familiar with how TMSA works, but few quite anticipated the scale of the task facing them,” explains Stefanatos recalling conversations with clients.

Operators can purchase pro forma procedures off the shelf, but he emphatically cautions against taking such shortcuts: “A cookie-cutter approach defeats the object. Unless you properly investigate and drill down into the potential security gaps particular to your company, you won’t be able to find the vulnerabilities specific to your operations. In turn, you won’t be able to devise effective remedial actions or countermeasures.”

GET THE SAFETY4SEA IN YOUR INBOX!

While the workload might be daunting, ultimately managing cyber risk is no different to managing any other risk. The equipment and terminology may be unfamiliar but the approach is fundamentally the same as, say, managing any hot work that modifies a vessel’s structure. Software changes, for example, should not be done ad hoc. They should be planned, approved, and recorded. They should be categorized as minor or major to ensure personnel with appropriate authority can approve. This is very similar to the process for gaining approval prior to carrying out welding.

Close collaboration

In 2016, DNV GL compiled and published a set of recommended practice (RP), which details the principles and processes that underpin effective cyber risk management. It provides an authoritative resource for operators of tankers – or any ship type – intending to build a cyber risk management system under their own steam.

However, feedback from and conversations with tanker operators using the RP highlighted a clear need for a more collaborative approach. “Operators understood the guidance as it was written down on paper but translating that into action was proving harder than expected,” notes Stefanatos. This realization prompted DNV GL to start providing dedicated advisory services to assist operators meet TMSA3 requirements.

DNV GL experts work alongside the operator to familiarize themselves with the existing management system and then carry out a gap analysis. This reveals what safeguards are already in place, what requires attention and what’s missing. These outcomes facilitate a highly methodical approach to developing procedures that are effective at reducing risk and that mesh neatly with the specific nuances of an operator’s structure and working practices.

The final stage is for the procedures to be tested to ensure that all the identified gaps have been addressed and that they would stand up under the scrutiny of a TMSA vetting inspection. Depending on the level of customer engagement, the whole process can take between six and eight weeks to complete.

Positive feedback

With only a short window of opportunity between TMSA3 being announced and it taking effect, DNV GL has experienced strong uptake for its advisory services from across the tanker segment, including a number of reputed Greek operators.

Frantzeskos Kontos, Technical Manager at Prime Marine Management, says cyber security is no longer a paperwork exercise. “In recent times, we’ve identified many minor threats – and a handful of more serious ones – on our vessels, so it was urgent we took action to prevent further escalation. The inclusion of cyber security in TMSA gave us an additional commercial impetus.”

Collaborating with DNV GL enabled the Greek operator to detect gaps existing in its management system and address them swiftly and systematically. Procedures were enhanced and new control measures were introduced as a direct result of DNV GL’s proposals and recommendations. “There were some challenging discussions along the way, but, on reflection, they produced tangible results,” reports Kontos.

Initially educating and bringing employees on board was challenging, Kontos admits. “DNV GL’s training resources proved effective in communicating the criticality of cyber security to staff at all levels and across company operations, on shore and at sea.”

Minerva Marine also turned to DNV GL to help it develop a cyber resilience strategy that both complies with TMSA3 and aligns with forthcoming IMO requirements. Part of the project was to carry out a vulnerability assessment on board a Minerva vessel. Company IT manager Eftihia Benaki says: “In addition to the potential financial and reputational damage, cyber risk now carries significant safety and environmental implications. The assessment was invaluable in revealing the technical gaps we faced and identifying the areas we needed to focus on.” She adds: “DNV GL provided a depth of resource and level of specialism that we didn’t have internally.”

The Massachusetts Institute of Technology (MIT) calls cyber security a negative target: it is impossible to ever be 100 per cent secure. This is for two reasons. Firstly, it’s highly dynamic with new threats and risks emerging on a daily basis and, secondly, there is a large attack surface for hackers to exploit. This latter aspect is especially true in a complex supply chain environment, such as shipping, characterized by interactions with and between numerous and diverse stakeholders. However, as we have seen, it is possible to take steps and minimize exposure to these risks and plan a response for when the unexpected happens. This is what TMSA3 essentially seeks to achieve by incentivizing preparedness.

While TMSA3 has made cyber risk management a priority for tanker operators, it is only a matter of time before similar requirements arrive in other market segments. The advisory services developed by DNV GL for TMSA3 sit alongside with associated cyber security offerings including gap analysis for various global standards; a growing range of practical services including penetration testing and incident response drills; and training courses for raising awareness and tackling phishing and social engineering. These can be deployed in various configurations to manage risk on bulk carriers – should RightShip evolve in this direction – and across the global fleet when IMO requirements to incorporate cyber risk within ISM take effect in 2020.

Reflecting on the maritime industry’s response to cyber risk has evolved, Stefanatos observes: “Misha Glenny, a British computer journalist specializing in cyber security, famously quipped that there are two types of companies in the world: those that know they’ve been hacked and those that don’t. Maybe the day has come to add a third type: those that have prepared and are confident they can respond.”

Source: safety4sea

The OCIMF Tanker Management and Self Assessment programme was originally introduced in 2004 as a tool to help companies assess, measure and improve their management systems. It is an essential complement to IMO Conventions, Codes and Circulars and is intended to encourage self-regulation and promote continuous improvement to enhance the safety of merchant shipping and achieve incident free operations.

This fully updated and revised third edition reflects current legislation, expectations and emerging issues, and incorporates feedback from companies and users of previous editions of TMSA. Key new features to the text include:

• Updated industry legislative requirements, including the Manila Amendments to the Maritime Labour Convention 2006, the Polar Code and the Ballast Water Management Convention

• A new element 13 covering Maritime Security

• Expanded best practice guidance to complement key performance indicators and remove ambiguity and duplication

• Streamlining and merging of elements to improve consistency and make conducting the self assessment easier

• Revised Environmental and Energy Management Element, which now incorporates the OCIMF Energy Efficiency and Fuel Management paper that was a supplement to TMSA2

As well as this printed guide, the TMSA programme includes a useful online tool for recording self assessment as well as a database for sharing reports, providing ship operators with an interactive and constantly evolving platform to monitor and improve their performance and attain high standards of safety.

Source: witherbyseamanship

The 10th Element, which focuses on environment and energy management is the critical practice of identifying and assessing pollution generated from maritime operations as well as the safe reduction and disposal residual waste. TMSA 3 encourages reporting procedures & contingency planning to be implemented to cover hazardous incidents. It is a requirement that a maritime organization monitor its performance quarterly and provide benchmarks across the fleet to ensure environmental action plans meet standards such as ISO 14001 & MARPOL Annexes.

How can ShipNet help with the 10th Element of TMSA 3?

Setup Procedures:

Setup and monitor environment management plans along with the identification of sources of emissions and measures to increase energy efficiency.

Monitor:

Record and monitor sources emissions, fuel consumptions to consistently take steps to achieve objectives outlined in the company policies.

11th Element – Emergency preparedness and contingency planning

The 11th Element of TMSA 3 looks at the requirements of implementing an effective response in dealing with onboard emergencies where a vessels crew is required to undertake training exercises-based merchant shipping legislation. Maritime organizations are required to develop safety procedure drills along with shore-based response teams to partake in training. TMSA 3 identifies the need for maritime organizations to undertake media training and to arrange security management.

How can ShipNet help with the 11th Element of TMSA 3?

Through the ShipNet One application you can plan and execute drills and emergency exercises while preparing the company and vessel emergency response plans both for office as well as site-specific. Within the application, define the scope and frequency of the planned exercise for automated scheduling. Gain access to all records automatically through history. Prepare KPI targets as per company policies and monitor the frequency of exercises carried out throughout the fleet for continual improvement.

12th Element – Measurement, analysis, and improvement

The 12th Element is considered one of the most vital aspects of a successful safety management system. A maritime business must ensure system manuals are utilized as a part of daily operations and that they are analyzed for their effectiveness and to ensure they have not become outdated. By giving regular audits indicates how well the safety management system is adhering to industry best practice guidelines and how well the system is performing overall, along with the connected vessels and shore support offices.

How can ShipNet help with the 12th Element of TMSA 3?

Inspections:

Through the ShipNet One application, onboard Safety Officers or Junior Officers can implement ship safety inspections and asses the safety culture. The application also provides the ability to plan and prepare for inspections and audits based on set schedules.

Through the ShipNet One application you can also:

• Review previous inspection details across the fleet and data, enabling improved preparation.
• Identify problem areas, individuals, and inspectors.
• Perform inspections based on standard or custom checklists and create findings automatically from checklist questions.
• Identify observations and non-conformities and determine their corrective actions.
• Make use of KPI / RCA / Measurement lists to analyze observations and findings.
• Assign tasks to individuals in the organization and perform actions to close each finding.
• Measure the performance of vessels, observations, and non-conformities, areas of most concern through interactive dashboards and reports.

Sharing:

Share best practices and critical information across the fleet using the document system to promulgate safety alerts or fleet circulars. Share information circulars across the fleet. Generate custom reports using our report designer to share among customers.

13th Element – Maritime Security

The 13th and newest Element of TMSA 3 focuses on Maritime Security, which mainly consists of the use of Risk Assessment solutions to identify and mitigate risks. It is a requirement to adhere to BMP 4 guidelines, so it is necessary to define and maintain a stock of equipment for vessel hardening. It is also a requirement to define an Operational Security Area to monitor the number of transits of vessels. Best practice requires travel advisory and threat level circulated data sharing across a fleet as well as the verification of armed guard’s qualification criteria before employing them onboard vessels.

How can ShipNet help with the 13th Element of TMSA 3?

Operational:

Monitor and track operational security events using the occurrence system and ensure that vessels are secure from threats

• Use of Risk Assessment solution to identify and mitigate risks
• Define and maintain stock of equipment for vessel hardening as per BMP 4 guidelines
• Define Operational Security Area and monitor the number of transits of vessels as per Operation Security Reports made in the solution
• Circulate travel advisory and threat level data sharing to vessels using the document system
• Verify armed guard’s qualification criteria before employing them onboard vessels using our standard measurement lists

So there we have it. Our ShipNet One integrated platform has been built around industry regulations to assist with maritime organizations in implementing their safety management systems efficiently and proactively. Through years of development in line with the world’s major shipping companies, the platform not only meets the requirements but encourages continuous and effective improvement and compliance with TMSA 3.