Operational Excellence through Leadership and Compliance

Maritime Compliance Report

Welcome. Staying in compliance takes dedication, diligence and strong leadership skills to stay on top of all the requirements which seem to keep coming at a rapid pace. With this blog I hope to provide visitors with content that will help them in their daily work of staying in compliance. I hope you find it a resource worthy of your time and I look forward to your feedback, questions, comments and concerns. Thanks for stopping by.

TWIC Reader Final Rule

The revised MTSA regulations included in the recently published TWIC Final Rule go into effect on August 23, 2018. As usual, the final rule comes with an extensive preamble discussion of the Coast Guard's response to comments received during the rulemaking process. The preamble, which contains essential information, is usually skipped over by most readers. In fact, seasoned Coast Guard marine inspectors know to look back at the Federal Register when a particular regulation was published in order to determine the intent of a regulation in question.

Headline
The headline for this final rule is clearly: "We clarify that this final rule only affects Risk Group A vessels and facilities, and that no changes to the existing business practices of other MTSA-related vessels and facilities are required." Before you get too excited about that, you must understand this: when Coast Guard Headquarters makes that statement they are assuming you are currently doing everything correctly in accordance with the regulations and guidance. Hopefully, for you that is the case, but maybe not. Many compliance variations have been allowed over the years. Regardless, this new regulation will bring new scrutiny by the Coast Guard, and may bring some previously accepted practices into question. I will explain further below under "Potential impacts for non-Risk Group A Facilities."

Which vessels are required to conduct electronic TWIC inspections?
Only Risk Group A vessels will be required to conduct electronic TWIC inspections. Risk Group A vessels are listed in 33 CFR 104.263: vessels carrying CDCs in bulk; vessels certificated to carry more than 1,000 passengers; and vessels engaged in towing vessels subject to (a)(1) and (a)(2). Now before you towing vessel folks get too excited, there's an exemption from electronic TWIC inspection requirements for vessels with 20 or fewer TWIC-holding crewmembers. That number is determined by the minimum manning requirement specified on the COI. The Coast Guard estimates that only one vessel will be required to conduct electronic TWIC inspections.

Which facilities are required to conduct electronic TWIC inspections?
Only Risk Group A facilities will be required to conduct electronic TWIC inspections. Risk Group A facilities are listed in 33 CFR 105.253: facilities that handle CDCs in bulk or receive vessels carrying CDCs in bulk; and facilities that receive vessels certificated to carry more than 1,000 passengers. Now before you stop reading this, here are a couple of things to think about: How do you ensure the ship at your dock is not carrying CDCs in bulk even if that cargo has nothing to do with your facility? Also, "handling" includes CDCs in bulk being handled by truck or rail or other means on the facility, not just vessel related. The Coast Guard estimates that 525 facilities will have to conduct electronic TWIC verification. No OCS facilities are expected to have to conduct electronic TWIC verifications.

What is Certain Dangerous Cargo (CDC)? 
It is a short but complicated list of cargos contained in 33 CFR 160.202, including ammonium nitrate based fertilizer.

A TWIC reader or a PACS?
For Risk Group A, the Coast Guard authorizes either TWIC readers or Physical Access Control Systems (PACS) that meet the standard. 33 CFR 101.530 details PACS requirements specifically for Risk Group A. The preamble explains, "… we are providing greater flexibility on the type of equipment used, as long as the three parts of electronic TWIC inspection are performed satisfactorily." Some existing PACS accepted by the Coast Guard may need upgrading for Risk Group A facilities.

Barge Fleeting Facilities
The revised regulation contains an exemption for certain barge fleeting facilities. 33 CFR 105.110(e): "Barge fleeting facilities without shore side access are exempt from the requirements in 33 CFR 101.535(b)(1)" (Electronic TWIC inspection requirements for Risk Group A).

Clearly, if a barge fleeting facility containing ammonium nitrate barges can be accessed from shore, without having to take a boat, it will not be exempt from these TWIC reader requirements. MTSA PAC 10-09 allows free floating barge fleeting facilities to be defined as areas in the water, in accordance with the regulatory definition. This allows barge fleeting facilities to define the tiers containing the MTSA regulated barges as the "facility," and omit other tiers of non-MTSA regulated barges and shore side areas containing an office or wash dock. Therefore, if a barge fleeting facility is defined in the FSP, for example, as mile 147.1 to 146.9, right descending bank of the Mississippi River, it may be able to claim this exemption.

Barge fleeting facilities that did not take advantage of this PAC and include all shore side areas, and did not limit their secure area to regulated barge tiers, may find themselves missing out on the exemption provided above, regardless of whether one must take a boat to get to the regulated barges. The preamble discussion sheds some light on the topic: "These commenters raise important issues as to how we would apply the electronic TWIC inspection process to secure areas on water, such as barge fleeting facilities. Upon consideration, we do not believe that requiring electronic TWIC inspection prior to entering such areas would be practical, as there is no particular access point to such an area that can be controlled by a TWIC reader. Electronic TWIC inspection would instead be required at the barge fleeting facility's shore side location."

Based on these comments, it seems the verbiage of the exemption referring to "without shore side access" means an isolated barge fleeting facility along a waterway with no shore side "location" through which one would first pass to gain access to the barge fleet, not just a free floating tier of barges.

Note: On 09/07/16, this barge fleeting section was read and confirmed to be correct by the Coast Guard Headquarters' P.O.C. named in the final rule.

Potential impacts for non-Risk Group A Facilities:

Incorporating TWIC checks into existing PACS
The guidance for incorporating TWIC checks into existing systems (PACS) is contained in NVIC 03-07 and PAC 08-09 CH1. The preamble explains those guidance documents will remain valid for non-Risk Group A facilities, but will be updated: "NVIC 03-07 and PAC 08-09 CH1 … because we are not making changes to the TWIC requirements for those vessels and facilities not in risk Group A, the guidance documents will retain their validity with regard to those entities. We will update and post these guidance documents online … prior to the effective date of the final rule." So what will the updated guidance look like for non-Risk Group A facilities? Here's the rub. 33 CFR 101.520, Electronic TWIC inspection, is not specific to Risk Group A facilities and outlines that the requirements must include: (a) card authentication, (b) card validity check, and (c) identity verification. Therefore, the revised guidance should be in line with the regulation and may not allow for issuing a facility swipe card to allow self-access to secure areas just because the person showed they possessed a valid TWIC, or even if a camera was added to monitor the person swiping themselves in.

Access point to Secure Area
The preamble sheds light on a gray area, the physical place where the TWIC verification must take place: "Given the requirement that electronic TWIC inspection be conducted 'prior to each entry' into a secure area (of facilities), we would anticipate that inspection points at facilities would be located at the access points to secure areas." While this verbiage in the preamble is in regard to electronic TWIC inspection, it is essentially the same for all MTSA facilities as outlined in NVIC 03-07, but clearer with regard to the location of the TWIC verification process. Therefore, some compliance processes proposed in the past may be affected, such as: checking the TWIC at the front gate guard shack and then telling a visitor a punch code, or handing him a swipe card, to let himself into the secure area dock gate.

Restricted areas
There is an omission in the preamble discussion regarding the NVIC discussion of restricted areas, which might cause the reader to believe that the secure area must encompass all restricted areas. That is not the case. However, the preamble does contain an interesting comment regarding restricted area access control: "We note that a second round of electronic TWIC inspection is not required when passing from a secure area to a restricted area, although we would anticipate other security measures to be in place." The implication is that more than signage is expected (33 CFR 105.260(c)).

Escorting
The preamble addresses escorting via CCTV and reiterates the standard put forth in the NVIC: "Where such monitoring is appropriate, the general principle applies that monitoring must enable sufficient observation of the individual with a means to respond if the individual is observed to be engaging in unauthorized activities or crossing into an unauthorized area." This may give rise to the Coast Guard ensuring continuous monitoring of non-TWIC personnel, which meets the intent of the regulation, not just having cameras installed.

Secure area access control

33 CFR 105.255(a)(4) implies the secure area should be fenced, but it doesn't actually say that. If some secure areas within facilities were approved without fencing or additional access control, the new verbiage for Risk Group A facilities tacked onto this citation may bring some access control measures for secure areas into question.


Declaration of Security

The maritime security regulations call for the use of a Declaration of Security (DOS) during certain times and situations when there is a heightened security threat. The International Ship and Port Security (ISPS) Code takes a more general approach to the DOS than do the very specific U.S. Coast Guard regulations on the topic, which spell out which types of interfaces require a DOS at which MARSEC levels.

However, the intent of the regulations is clear in both, which is for the two interfacing parties to get together and make a deal regarding who will take responsibility for what security measures during a particular interface. This contract, which is usually limited to a single page, is signed by both parties.

Unfortunately, as the years have passed since the publication of the Code and regulations, some of the intent and perceived value of such a document has been lost. It is not unusual to find that a DOS has been filled out and signed, but that the facility and the vessel personnel are unaware of its contents. It is also not unusual to find initials down both columns, including the vessel signing that it is taking responsibility for controlling access to the facility. Clearly, individuals responsible for fulfilling the obligations of the DOS should be aware of the contents.

According to the U.S. regulations, a DOS can be filled out and signed by a Facility or Vessel Security Officer or their "designated representative." This should not necessarily be a third party tankerman or stevedore who has no control over the processes prescribed in either security plan. The designated representative should be properly trained as a "vessel and facility personnel with security duties." However, a designated representative does not have to be an alternate facility or vessel security officer who would be required to be trained to the level of an FSO or VSO under the regulations.

A Declaration of Security is a useful tool if used correctly. It continues to raise eyebrows each time we role-play filling one out during training sessions. Make good use of a DOS. The regulations have not gone away, and neither have the threats.

No Deficiencies?

Many vessel operators claim that Coast Guard inspections are notoriously inconsistent. They claim such things as, "One Coast Guard guy came and told me it had to be this way, and next year another one came and told me to do something else, and the next year a third guy came back and told me to do it the way we had it in the first place." This unfortunately is true altogether too often, especially when it comes to dealing with inexperienced inspectors or examiners.

I recently was asked to discuss Coast Guard inspection issues with a towboat owner, and every time I mentioned a requirement he didn't like he would interrupt me and say that I was incorrect because the petty officer who examined his towboat either said he didn't have to, or he hadn't mentioned it during the exam. At the same time this owner complained about how inconsistent the Coast Guard is. This paradox is also too often true. "I'll rely on the Coast Guard to tell me what to do and I'll believe them when it's to my advantage."

Here's why this is not a good compliance management strategy. The Coast Guard rarely checks everything. There are many reasons for this, but just understand that when the Coast Guard leaves the vessel and you have no deficiencies, it does not mean you are in compliance. According to a Times Picayune article, Bill Ambrose, Transocean's director of special projects, testified during the BP/Deepwater Horizon trial that the rig was in "really good shape," and that during the July 2009 inspection of the rig the Coast Guard found "no deficiencies." However, in an interview about the accident, Wall Street Journal reporter Rebecca Smith characterized Coast Guard inspections as "often cursory." She stated that the Coast Guard did a "pretty minimal job of inspecting that rig." According to the same Times Picayune article, an expert witness for the plaintiff's lawyers "singled out Transocean for failing to maintain the Deepwater Horizon, having an improperly trained crew, and a rig that was in poor shape."

Operators can rid themselves of the headaches associated with inconsistent inspectors and prepare themselves for litigation by ensuring they know the regulations and that they manage their own compliance.


TWIC Readers

"I thought TWICs were going away?"  I have heard this many times over the past year. They are not. Many believe TWIC is a useless program. The truth is TWIC is a very important program, but few understand it.

Basically, the most important purpose of a TWIC is to not allow anyone, unescorted, into a secure area of a vessel or facility unless we know they are not a terrorist and they have a card to prove it. This may seem like nonsense to some, but if a major terrorist organization can send a terrorist spy to the U.S. and infiltrate the CIA, FBI and Army Special Warfare command, then they can surely send some to infiltrate the maritime industry. In fact, during one joint FBI/ USCG operation, a significant number of individuals "having a nexus to terrorism matters," were found to have U.S. merchant mariner documents and they were subsequently placed on the terrorist watch list and the no-fly list. Furthermore, officials recently uncovered a major plot to attack the maritime industry because it is viewed as a soft target by terrorists.

Due to the lack of understanding, or acceptance of the threat, the way TWIC has been implemented and enforced in many instances makes no sense, and therefore it appears to be "useless" to the casual observer who assumes the TWIC process they observe is the one prescribed by the government.

The TWIC was designed to be a biometric credential to be used with a TWIC Reader. Realizing that we don't yet have TWIC readers, that fake TWICs are a reality, and that someone could gain access using a stolen TWIC on an automated system without biometric interface, years ago the Coast Guard published fairly specific requirements on how a TWIC should be verified by the person granting access to the secure area.

The Coast Guard recently released a Proposed Rule on the TWIC Readers. Vessels and facilities were placed in risk categories A through C. According to the proposed rule only risk category A vessels and facilities will have to use a TWIC Reader. Risk Category A is limited to vessels and facilities that handle Certain Dangerous Cargoes (CDCs) in bulk, including barge fleeting facilities with CDCs, and vessels with more than 1,000 passengers. So, the vast majority of Subchapter H compliant vessels and facilities will have to continue to verify TWICs manually.  There's the rub. This sounds like a good deal, until it is enforced.

Here's a quiz: What are the three words on the triangle at the center of all TWICs? If a person granting access to a secure area has actually been examining TWICs each time as required, then surely they would remember that those three words are: "privacy, security and commerce." And by the way, poor eyesight is not a good excuse for not complying with a federal regulation. If they cannot see what they are required to check by regulation, they have no business being posted at such a position. Reading glasses or a magnifying glass would come in handy in those situations. You'd also be surprised at what an inexpensive black light will show on a TWIC.


TWIC Changes

Current regulations have required all credentialed merchant mariners to hold a valid TWIC. But that is no longer the case due to a recent change in the law. Some credentialed mariners will no longer have to obtain a TWIC. For example: on a towboat which opts not to have a security plan, only the licensed captain has been required to have a TWIC due to the fact that he has a license. Now, due to the recent law change, the captain of the towboat with no security plan will no longer have to hold a valid TWIC. The same goes for most small passenger vessel captains who will no longer be required to maintain a valid TWIC. Some think it is a good thing that the Coast Guard has had to revise the requirement because they feel the TWIC is useless.

 


However, one of the main purposes of a TWIC is to run the applicant through the terrorist watch list to see if they have any links to terrorist organizations or terrorist activities. Some feel that this is unnecessary and that it criminalizes mariners. The truth is that in the past terrorists have blown up passenger ferries in the Philippines, resulting in many lives lost. So what's that got to do with the U.S.? It is a viable threat scenario here as well. Also, according to the FBI's joint "Operation Drydock" with the Coast Guard in 2004, nine credentialed mariners were found to have "possible associations to terrorism." How bad would it be if a vessel was used in a terrorist attack, and it was later found that the captain was a terrorist and that it could have been prevented if anyone had bothered to check? I don't think TWICs are useless.


So why is it OK now if some credentialed mariners don't have TWICs? The Maritime Transportation Security Act of 2002 is counter-terrorism legislation which requires the prevention or deterrence of a transportation security incident (TSI). A "TSI" is defined as a security incident resulting in significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area. The Coast Guard, in establishing the applicability of the security regulations, determined some vessels to be at a low risk of being involved in a TSI, and excluded them from the applicability. It is those vessels, which are at low risk of a TSI and have no security plan, which will be allowed to have captains without TWICs. Whether you agree with this or not, one good thing which I hope may come from it is that it may help us refocus on the intent of the security regulations, which is to prevent or deter a transportation security incident (TSI), and to avoid the complacency of, to borrow a phrase, "security theater."


Anti-Piracy Procedures and the Ship Security Plan

Recently, a group of U.S. Marines were able to board and regain control of a German-owned ship, which had been taken over by pirates off the coast of Somalia. They were able to do so without firing a single shot. According to a CNN report, a military spokesman claimed the members of the ship's crew had locked themselves in a safe room, so the military felt it was a good time to board the ship.    

Many flag states and recognized security organizations world-wide require anti-piracy procedures to be contained in ship security plans required under the International Ship and Port Security (ISPS) code. While this recent intervention was a great success, it complicates things for those responsible for coming up with anti-piracy procedures and ensuring their implementation through drills and training.  Is this the new "best practice?"


Unfortunately, there is no one solution to this complex problem. Opinions on what constitutes best practices to defend against attacks, and what to do once pirates are on board, vary greatly.  Some advocate dispersing the crew and disabling the ship. Conversely, one flag state indicates that the crew should stay together in a predetermined safe haven provided with supplies comparable to those in a lifeboat. Another international government organization suggests that mariners should offer no resistance and, if in a lock-down situation, should not resist entry. So what is the answer? 

Perhaps the answer is that they are all correct and best procedures depend upon the type of boarder the crew is engaging. Currently, the best indicators of the type of boarders are: past history, the geographic location, and the type of ship being attacked. For example, a ship could be attacked by pirates in Southeast Asia who intend to kill the entire crew and steal the ship. A ship could be boarded near the Horn of Africa by hijacker-extortionists who may not intend to kill anyone, but will if provoked. A ship could be boarded by West African pirates who intend to kidnap the crew for ransom. And, of course, any ship could be boarded anywhere by terrorists who intend to use the ship as, or to transport, a weapon of mass destruction.

It is important for security plans to account for these differences. For example, you might find petty thieves on board who can be easily deterred and will jump over the side when detected. Surely, the crew would not lock down in a safe haven while some hungry, unarmed teenage boys raided the galley. Of course, that probably would not happen, but the point is that an approved security plan may call for such actions if it is not scenario specific, or if it does not provide enough leeway for the master and crew. Likewise, locking the entire crew in a safe room when no one is coming to the rescue may not end well either.

The ship security plan must be useful to the crew.  It should be specific enough to give guidance regarding what the owner/operator and approving authority have determined to be appropriate, without hindering the master who will inevitably arrive on board the ship with his own ideas of what is appropriate and what is not. 


Maritime Security Lesson from an Environmental Disaster

As we wait for the results of the investigation into the BP/Deepwater Horizon oil spill in the Gulf of Mexico, one thing appears fairly certain based upon currently published information, and that is that corners may have been cut and unnecessary risks may have been taken. This is not really surprising. We cut corners and take calculated risks every day, often with no negative consequences. Who has never exceeded the speed limit while driving? The natural reaction of politicians and bureaucrats is to make more laws and regulations to fix the problems before we know for sure what the problems are. We may find that the problem wasn't a lack of adequate laws and regulations, but perhaps it was the lack of enforcement, oversight and compliance with the existing laws and regulations.

If so, why would the level of enforcement, oversight and compliance drop to a level where an accident like this might occur? Perhaps because they had not had a major accident with similar operations in the recent past to remind them of the threat. BP was reportedly celebrating a safety milestone at the time of the disastrous blowout. If people have not experienced a major accident in quite some time, their minds allow them to believe the threat has become diminished. In actuality the threat has not diminished with the passage of time, but still corners are cut and unnecessary risks are taken, because the precautions that once seemed necessary may now seem like overkill.

Following the attacks of 9/11, the international community passed the ISPS code. Ships, boats, ports and facilities around the world are required to implement security plans which address all relevant threat scenarios. As the years go by without major successful attacks, it is human nature to let our guard down because in our minds the threat has diminished. It has not. Even after six years of full implementation of maritime security plans, many do not understand the threat or the requirements.

Do enforcement personnel understand their roles and give full attention to the security programs, or are they still focused mostly on signage and paperwork? Do industry members have good plans that address specific threat scenarios and give clear and concise guidance to those charged with implementing them? Are proper screening, monitoring and drilling conducted as intended by the regulations? We can't go back in time and make those involved in the BP/Deepwater Horizon disaster make different decisions, but going forward we can ensure we do not lose sight of the threats to our security in the maritime industry. Imagine the answers that would be given to Anderson Cooper on CNN in the weeks following a terrorist attack involving your vessel or port facility. Would they be adequate? Or would it be déjà vu?


Copyright © Maritime Compliance International. All rights reserved.