The International Ship and Port Facility Security Code (ISPS Code) came into force in 2004, as a result of the the events of September the 11th, 2001. It is a comprehensive, mandatory set of measures to enhance the security of ships and port facilities.
Relevant documents and MGNs: SOLAS Chapter XI-2, MCA guidance on ship security,
Where does it come from?
The ISPS code was implemented via an amendment to SOLAS. It is made into UK law under The Ship and Port Facility (Security) Regulations 2004.
Who does it apply to?
The law and thus the ISPS code applies to the following ship types:
Passenger ships on international voyages which can carry more than 12 passengers
Cargo ships of over 500GT
Passenger ships on domestic voyages which can carry more than 250 passengers
Passenger ships on domestic voyages taking them more than 20 miles from a place of refuge
It also applies to port facilities serving vessels on international voyages.
It applies to UK flagged vessels wherever they may be and non-UK flagged vessels when in UK waters. Note that if the ISPS code applies to a ship, it also applies to the company of that ship. It does not apply to troop ships, sailing vessels and vessels not engaged in commercial activities.
What does the ISPS code consist of?
The ISPS code consists of two parts: A and B.
Part A is mandatory. It lays down the requirements which companies, ships, contracting governments and port facilities must adhere to.
Part B is a set of recommended guidelines on how to comply with part A.
Note that the IMO also publishes a guide to the ISPS code
How do we comply?
Every ship to which the ISPS code applies must have a Ship Security Plan (SSP). In order to get this approved by the MCA (or a Recognised Organisation) it must be submitted along with a Ship Security Assessment (SSA). Once this has been approved, the ship is issued with an Interim International Ship Security Certificate, valid for 6 months. After sailing with this for three months she becomes eligible for an initial verification, at which point she will be issued with an International Ship Security Certificate.
The SSP is in three parts:
General precautions
Designated security duties
How the ship interacts with shoreside personnel
Part 1 is a public document and can be shared with others. It can be inspected by port state inspectors and by auditors. Parts 2 and 3 are controlled documents and should not be shown to anyone other than the flag state.
The role of the master
SOLAS Chapter IX - 2, Regulation 8 states:
The master shall not be constrained by the Company, the charterer or any other person from taking or executing any decision which, in the professional judgement of the master, is necessary to maintain the safety and security of the ship. This includes denial of access to persons (except those identified as duly authorized by a Contracting Government) or their effects and refusal to load cargo, including containers or other closed cargo transport units.
Though the master will naturally delegate the day-to-day security duties to the ship’s security officer (normally the Chief Mate), the master remains responsible
Who else is involved?
The Shipboard Security Officer must have had approved training and hold a certificate of proficiency as Shipboard Security Officer. Normally the Chief Mate is SSO. The SSO reports directly to the Master; note that the Master can serve as SSO.
The CSO (Company Security Officer) is responsible for creating the Ship Security Assessment and the Ship Security Plan and ensuring that these are maintained and complied with. They liaise with the the SSO and the flag state.
The PFSO (Port Facilities Security Officer) is responsible for liaising with ships and the ports home state. They create and maintain the Port Facility Security Plan.
Designated persons (that is, anyone with designated role with regards to security) must have training in designated security duties. All seafarers must hold a certificate of Proficiency in Security Awareness.
Ship Security Alert System (SSAS)
The SSAS is required under SOLAS Chapter XI-2, regulation 6. When activated, this must:
Initiate and transmit a ship-to-shore alert to a competent authority (usually the company)
Not send the alert to any other ships
Not raise any on-board alarm
Continue until deactivated or reset
The SSAS must be capable of being activated from the bridge and at least one other location onboard. The activation points must be designed to prevent accidental activation.
The security levels
Level 1: Normal. This is the minimum security measures that must be maintained at all times. These measures are designed to detect a threat.
Level 2: Heightened. This is when, due to a heightened level of threat, security measures are maintained for the duration of the threat. These measures are designed to deter a threat.
Level 3: Exceptional. Due to a direct or imminent threat security measures are implemented for a limited period of time. These measures are designed to defend against a threat.
Think of these like a traffic light system. At green you go about your normal routine; if it’s yellow you change your routine and at red you radically change what you were doing and wait for the threat to pass.
Each level must specify measures for each activity necessary to secure the ship. These activities are:
Ensuring the performance of ship security duties
Controlling access to the ship
Controlling the embarkation of persons and their effects
Monitoring restricted areas
Monitoring of deck areas and areas surrounding the ship
Supervising the handling of cargo and stores
Ensuring the security communication is available
Ensure liaison with the port facility
The security level of a ship is set by the flag state and that of a port is set by the port state. A flag state may communicate for instance that a UK flagged ship, while visiting a certain counties ports, go to Level 2. Equally, a port may contact a visiting ship and ask that they go to Level 2 on their SSP. The ship has to then acknowledge that communication and the SSO must inform the PFSO once their SSP has been implemented to Level 2.
A port can be at a lower security level than a ship; a ship cannot be at a lower security level than the ship that port is in. Once a security level has been decided on, the SSP is implemented to that level. If the flag state communicate that a ship must go to for example security Level 2 while visiting a port, the ship must inform the port state and the PFSO. This is usually done via a declaration of security. As SSO, remember that you’ll always be implementing the higher of any two differing security levels.
Declaration of Security
The declaration of security is formal written agreement reached between a port and a ship with regards to their responsibilities for security measures. It is normally when the ship or port are at Level 2 or 3. There are five circumstances when a ship can request a declaration of security:
The ship is operating at a higher security level than the port facility or another ship it is interfacing with
There is an agreement on a Declaration of Security between Contracting Governments covering certain international voyages or specific ships on those voyages;
There has been a security threat or a security incident involving the ship or involving the port facility
The ship is at a port which is not required to have and implement an approved PFSP
The ship is conducting ship to ship activities with another ship not required to have and implement an approved SSP.
Drills and exercises
Security drills must be carried out at least every three months. When 25% of the ships personnel have changed with personnel who have not participated in a drill in the last three months, a drill must be conducted within one week of this change.
Once a year, and with no more than 18 months between two drills, the CSE must participate in a security exercise. These must test communication, coordination, resource availability and response.
Port State Control
The ISPS code is subject to port state control, but only to the extent that the port state may verify that there is onboard a valid Interim International Ship Security Certificate or International Ship Security Certificate.
MCAQs
Who does the ISPS code apply to?
Who sets the security level of a ship?
Who sets the security level of a port?
Can a ship adopt measures higher than her security level at the master’s say-so?
What are the three security levels
Describe the roles and responsibilities of the:
Company Security Officer
Ship Security Officer
Port Facility Security Officer
When can a ship request a declaration of security?
How would you, an MCA surveyor, go about verifying that a French flagged vessel calling in a British port complies with the ISPS code? What documents would you not be shown?