Commercial Vessel Compliance

11/7/2014: Assistant Commandant for Prevention on the growing complexity of systems

Last week, the North American Marine Environment Protection Association hosted a conference in New York, Rear Adm. Paul Thomas was a keynote speaker.

Thomas, assistant commandant for prevention policy, was asked to provide a regulatory review at the NAMEPA conference. Thomas shared what he sees as the most significant factors influencing maritime governance today and into the future. Maritime Commons will present an excerpt of the key takeaways from Thomas’ remarks in a three-part series.

His comments shared in this post focus on the growing complexity of technology and automated systems. Read the other two posts for additional summarized comments on the domestic oil and gas production boom and the greening of maritime industry.

Delivered by Rear Adm. Paul Thomas

Complexity cycle

The growing complexity of technology will challenge our ability to understand and manage complex systems and operations, particularly with regard to highly complex and high consequence operations such as deep water drilling, large passenger vessel operations and fully automated terminals.

Everything we do in this industry is growing in complexity, including the design and construction of vessels, the governing standards and regulatory schemes, the management systems, number and type of parties involved and the legal and liability relationships.

There is increasing reliance on technology to automate control systems, maintain extremely tight tolerances, make adjustments in micro-seconds and coordinate simultaneous operations by multiple systems, vessels and platforms. In fact, it is the ability of automated systems to make decisions and take action faster than humanely possible that has enabled cutting edge operations – particularly in deep water drilling.

The “internet of things” is truly upon us. Two people can drive around and have their phones “talk” to each other to understand the state of traffic and not even know it is happening. A traffic camera will adjust the intervals on a traffic light – with no human action or direct knowledge that it is occurring. SCADA to SCADA “dialogue” and control between systems and even vessels occurs with no human interaction – all the time.

But these highly complex and highly capable systems are also very vulnerable. They are vulnerable to all things that impact computer systems; including viruses, malware and cyber attacks, operator error, unexpected interaction between software systems and cyber accidents.

That is why cyber is both a safety and a security issue; and it is an issue that industry must focus on now. Quite frankly we are just as likely to have to mitigate the physical consequences of a cyber accident as we are a cyber attack in the very near future. We have seen it already; in one case a dynamic positioning rig walked off station and had to execute an emergency breakaway because a software patch pushed to a human resource system aboard the rig from the operations office ashore interacted in an unexpected way. In another case, it took 19 days to rid an underway drilling rig of malware that shut down all vessel control systems. These were not attacks.

We have to focus on software integration – integration within systems, between systems, and between vessels, platforms and ashore facilities. We have to focus on cyber safety and security – not to the extent that protects against nation state hackers intent on doing damage; but to the same extent that we focus on physical security. We need the cyber equivalent of a fence, a guard, a gate, lights and cameras. We need the cyber equivalent of secure areas and cyber credentials to enter those areas.

Understanding complexity regarding software, automation and control systems; focusing on systems integration; and instituting basic cyber safety and security measures is an absolute necessity for this industry.

Managing complex operations also requires implementing effective Safety and Environmental Management Systems. Since the adoption of the International Safety Management Code 20 years ago we have increasingly relied on Safety Management Systems, or SMS, to mitigate risk and ensure a systematic and consistent approach to safety and environmental stewardship. In fact in many cases we have also pointed to SMS to justify taking on greater risk or reducing the level of oversight. And that is fine – if the system works.

I have this theory I call the conservation of risk; that is that risk is never really reduced or eliminated, it is just moved around. For example, when we all were kids we rode our bicycles and never wore helmets. Now our children and grandchildren all wear helmets; but they also ride their bikes down the banister of staircases and over six foot ramps. That’s probably ok if the helmet is of high quality and properly worn – but maybe not so ok if it is a paper mache helmet. If fact there is probably nothing more dangerous than the false sense of security that comes with a paper mache helmet – or with a SMS that exists on paper only.

I believe that SMS and third party oversight will continue to be an important and growing part of maritime governance to help manage risks – but we have to ensure it is not a paper mache helmet. SMS must not only be very well developed in terms of process and procedures, it must be very well deployed from the boardroom to the boiler room. There should not be a disconnect between the auditors and the surveyors, or between the CEO and the seaman. I can tell you, in many cases, that disconnect exists today.

In addition to this post about the complexity cycle, be sure to read the other two posts with Thomas’ remarks from the NAMEPA conference.

Domestic oil and gas production
Greening of maritime industry

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.