1 INTRODUCTION
1.1 A key element of the International Convention for the Prevention of Pollution from
Ships (MARPOL) regulations is the recording of discharges associated with the
prevention of pollution from ships. A number of MARPOL
Annexes require the recording of particular discharges.
1.2 The format for the recording of discharges under MARPOL is
provided in the appendixes to the relevant MARPOL
Annexes. Traditionally, the format of these record books has been provided in hard copy
by the Administration. However, as companies and shipowners increasingly focus on ways
to operate in an environmentally responsible manner and aim to reduce the heavy burden
associated with paperwork through electronic means, the concept of operational logs in
an electronic format has become a popular consideration.
1.3 It is considered that this approach to recording and reporting should be encouraged
as it may have many benefits for the retention of records by companies, crew and
officers.
1.4 It is expected that as companies and shipowners increasingly explore electronic
record keeping, flag State Administrations will be requested to approve electronic
recording systems (henceforth referred to as an electronic record book). This guidance
aims to provide standardized information on approving an electronic record book to
ensure the obligations of MARPOL are met and that there is a consistent approach to
approving such systems.
2 APPLICATION
2.1 These Guidelines are only applicable to the use of electronic record books on board
to meet the requirements of the following record books and recording requirements under
the MARPOL Annexes and the Technical Code on Control of Emission of Nitrogen
Oxides from Marine Diesel Engines (NOx
Technical Code):
.1 Oil Record Book, parts I and II (MARPOL Annex I, regulations 17.1 and 36.1);
.2 Cargo Record Book (MARPOL Annex II, regulation 15.1);
.3 Garbage Record Book, parts I and II (MARPOL Annex V, regulation 10.3);
.4 Ozone-depleting Substances Record Book (MARPOL Annex VI, regulation 12.6);
.5 recording of the tier and on/off status of marine diesel engines (MARPOL Annex VI, regulation 13.5.3);
.6 Record of Fuel Oil Changeover (MARPOL Annex VI, regulation 14.6); and
.7 Record Book of Engine Parameters (NOx Technical Code, paragraph 6.2.2.7).
2.2 The use of an electronic record book to record operational logs is an alternative
method to a hard copy record book. The electronic record book may allow ships to utilize
their technology to reduce administrative burdens and contribute to on board
environmental initiatives, e.g. reduction of paper use.
2.3 These Guidelines do not provide information on the management of electronic access
to, or electronic versions of, certificates and other documents that do not log
continuous operations of a ship.
2.4 These Guidelines do not address the exchange of information from a ship to a company
headquarters or other body, as this exchange is not a requirement of record books under
MARPOL.
2.5 If a shipowner decides to use an electronic record book to record operational logs,
instead of a hard copy record book, the following guidance should be taken into
consideration by the Administration when approving the electronic record book for use.
3 DEFINITIONS
For the purposes of these Guidelines, the following definitions apply to the extent
consistent with MARPOL:
.1 Administration: means the Government of the State under whose authority
the ship is operating. With respect to a ship entitled to fly a flag of any
State, the Administration is the Government of that State. With respect to fixed
or floating platforms engaged in exploration and exploitation of the seabed and
subsoil thereof adjacent to the coast over which the coastal State exercises
sovereign rights for the purposes of exploration and exploitation of their
natural resources, the Administration is the Government of the coastal State
concerned.
.2 Audit Logging: means logs recording user activities, exceptions and
information security events, where logs are kept for an agreed period to assist
in future investigations and access control monitoring (ISO/IEC 27001:2006). The
time and date for the log should be Universal Co-ordinated Time (UTC) derived
from ship's time.
.3 Backup: means to make a duplicate copy of a file, program, etc. as a
safeguard against loss or corruption of the original. The specific properties of
the backup such as its format, frequency, storage location, retention period,
are unique to each business organization and should be defined in accordance
with a Business Continuity Plan.
.4 Business Continuity Plan: means a collection of procedures and
information that is developed, compiled and maintained in readiness for use in
the event of an emergency or disaster.
.5 Company: means the Owner of the ship or any other organization or
person such as the Manager or the Bareboat Charterer, who has assumed the
responsibility for the operation of the ship from the shipowner and who on
assuming such responsibility has agreed to take over all the duties and
responsibility imposed.
.6 Credentials: means data that is transferred to establish the claimed
identity of an entity (ISO 7498-2). Examples of credentials include a unique
code/password, electronic key, digital certificate, hardware key, biometric data
(e.g. fingerprint).
.7 Cryptography: means the discipline which embodies principles, means and
methods for the transformation of data in order to hide its information content,
prevent its undetected modification and/or prevent its unauthorized use (ISO
7498-2).
.8 Data: means a re-interpretable representation of information in a
formalized manner suitable for communication, interpretation or processing
(ISO/IEC 2382-1).
.9 Digital certificate: means a cryptographic transformation (see
"cryptography") of a data unit in an asymmetric (public key) cryptosystem, using
a Digital Signature to unite an identity with a public key.
.10 Digital signature: means data appended to, or a cryptographic
transformation (see "cryptography") of, a data unit that allows a recipient of
the data unit to prove the source and integrity of the data unit and protect
against forgery e.g. by the recipient (ISO 7498-2).
.11 Document: means books, manuals, plans, instructions and similar media
that are not certificates and are used to convey a ship's information.
.12 Electronic record book: means a device or system used to
electronically record the entries for discharges, transfers and other operations
as required under MARPOL Annexes and the NOx Technical Code.
.13 Functional Unit: means an entity of hardware, software, or both,
capable of accomplishing a specified purpose (ISO/IEC 2382-1:1993 Information
technology – Vocabulary – Part 1: Fundamental terms, definition 10.01.40).
.14 Graphic character: means a character, other than a control
character, that has a visual representation and is normally produced by
writing, printing or displaying (ISO 2382-4).
.15 IEC 60092 (series): means standards published by the International
Electrotechnical Commission (IEC) on Electrical Installations on Ships.
.16 IEC 60533: means standard published by the International
Electrotechnical Commission (IEC) on Electrical and Electronic Installations on
Ships – Electromagnetic Compatibility.
.17 Offline: means, in usage #1, pertaining to the operation of a functional
unit when not under the direct control of the system with which it is
associated. Offline units are not available for immediate use on demand by the
system. Offline units may be independently operated. In usage #2, pertaining to
equipment that is disconnected from a system, is not in operation, and usually
has its main power source disconnected or turned off.
.18 Portable Document Format (PDF): means a digital form for representing
documents that enables users to exchange and view electronic documents easily
and reliably, independent of the environment in which they were created and the
environment in which they are viewed or printed (ISO 32000).
.19 Port: means any port, terminal, offshore terminal, ship and repair
yard or roadstead which is normally used for the loading, unloading, repair and
anchoring of ships, or any other place at which a ship can call.
.20 Key: means a sequence of symbols that controls the operation of
encipherment and decipherment (see "cryptography").
.21 Private key: means (in a public key cryptosystem) that key of a user's
key pair which is known only by that user (ISO/IEC 9594-8).
.22 Public key: means (in a public key cryptosystem) that key of a user's
key pair which is publicly known (ISO/IEC 9594-8).
.23 Role Based Access Control (RBAC): means a control mechanism that
provides different access levels to guarantee that individuals and devices can
only gain access to and perform operations on network elements, stored
information, and information flows for which they are authorized (ISO/IEC
27033-2:2012).
.24 Shipowner: means one who owns or operates a ship, whether a person, a
corporation or other legal entity, and any person acting on behalf of the owner
or operator.
.25 Signature: means the handwritten means of identifying the signer of a
document or an electronic equivalent which is uniquely and securely linked to an
individual.
.26 Standardized: means the prescription of an authoritative rule,
principle, means of judgement or estimation, criterion, measure of correctness,
measure of perfection or some definite degree of any quality that determines
what is adequate for a purpose.
.27 Storage (device): means a functional unit into which data can be
placed, in which they can be retained, and from which they can be retrieved
(ISO/IEC 2382-1:1993 Information technology – Vocabulary – Part 1: Fundamental
terms).
4 SYSTEM SPECIFICATIONS
4.1 Ability of the electronic record book to meet regulations under MARPOL
4.1.1 The use and output presentation of any electronic record book approved by an
Administration should satisfy the requirements of all relevant regulations under MARPOL.
4.1.2 As MARPOL specifies the recording of a range of information for specific
circumstances, an approved system should only allow a complete entry to be saved for
verification by the master. For example, for a MARPOL Annex
V discharge at sea, the entry should not be able to be saved without the
entry of the latitude and longitude of the discharge. It is suggested that where
possible, technology which can automatically input required data be installed to ensure
accuracy. In the case of equipment failure, manual input should be allowed and the
change of the source of data recorded. The automatic data value inputs should be
protected by measures aimed at preventing attempts at manipulation or falsification. The
system should automatically record any attempts to manipulate or falsify any data.
4.1.3 To assist with consistent recording of data such as dates and positions, the system
should be developed to display entry fields and request data formats that are as
consistent as possible with other electronic reporting required by IMO and other
shipboard systems. Electronic record books should be presented in the form as specified
in relevant MARPOL Annexes in order to assist the smooth transition from hard copy
record books to electronic ones.
4.1.4 In order to comply with MARPOL
requirements, an electronic record book should have the capability to retain all records
made for the minimum period as specified in each Annex of MARPOL.
The capability to produce a hard copy of verified records for the master to certify as a
true copy, upon request from relevant authorities, should also be provided.
4.2 Updates to the electronic record book
As MARPOL and its Annexes continue to evolve, it is essential that all approved
electronic record books are reviewed and appropriately updated to ensure relevant MARPOL
amendments are incorporated in the electronic record book. Any updates should not cause
loss of existing records, nor make them unreadable, and the system should continue to
present all records in the form specified by MARPOL.
Updates to the system should be completed prior to the entry into force of the relevant
MARPOL amendments.
4.3 Security and accountability of the electronic record book
4.3.1 To ensure the security of an electronic record book, it is critical that the system
implements Role Based Access Control. At a minimum, all access to the application should
use a unique personal login identifier and password for each user. This level of
security ensures that the user making entries into the application is accountable for
any false entries or omissions.
4.3.2 MARPOL requires the signature of the relevant officer entering a record. As
such, the electronic record book should implement Audit Logging. Audit Logging should
record a user code, identifying symbol, such as a graphic character, or an equivalent
identifier against each entry to uniquely identify the user and whether the user
accessed or amended an entry.
4.3.3 Electronic signatures applied to an electronic record book should meet
authentication standards, as adopted by the Administration.
4.3.4 Records and entries should be protected by measures aimed at preventing and
detecting attempts at unauthorized deletion, destruction or amendment. After an entry is
saved by the user, the system should secure the information against unauthorized or
untraceable changes. Any change(s) to the entry by the same user or a different user
should be automatically recorded and made visible both in the system and in any output
presentation or printed versions of the electronic record book. The entry should appear
in the list of entries in a format that makes it clear that the entry has been amended.
To create transparency of changes to saved or verified entries, it is essential that the
system is designed to retain both the original entry and the amendment(s).
4.3.5 If an entry requires amendment, it is recommended that the reason and user
identifier, for the officer making the amendment, be recorded for verification by the
master. The original entries and all amendments should be retained and visible.
4.3.6 MARPOL also requires that information in the record book be verified (e.g.
regulation 17 of MARPOL Annex I requires that each page of the
Oil Record Book be signed by the master of the ship). For verification of a single or
series of saved entries by the master, the electronic record book should have an
additional authentication factor to allow verification. This additional authentication
factor should be in the form of additional credentials supplied by the master at the
time of verification.
4.3.7 The electronic record book should also be able to log and identify the entries
made, amended or verified by time. This will assist in identifying those situations
where actions requiring an entry are undertaken over days or weeks and all entered at
one time, where such an approach to making entries is consistent with MARPOL
(e.g. regulation
10 of MARPOL Annex V requires entries to be "promptly recorded" and "signed
for on the date of discharge or incineration" by the officer in charge).
4.3.8 To provide for different stages of the data entry and approval process, the
electronic record book should provide a status field for each entry that clearly
determines the verification stage of the entry. For example, when an entry has been
saved in the system by the user, the entry should reflect a term such as "pending" or
"awaiting verification". Once the master has verified an entry, a term such as
"verified" should be automatically reflected.
4.3.9 If an entry is amended after the master has verified it, the electronic record book
should automatically return the entry to "pending" or "re-verification" notifying the
master that the entry requires re-verification.
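The following is an added illustration, not part of the Guidelines (which prescribe no implementation), of how paragraphs 4.1.2 and 4.3.4 to 4.3.9 can fit together: complete-entry checks, retained amendments with a reason and user identifier, a status field that returns to re-verification, and detection of out-of-band changes. The hash chain is one possible tamper-evidence technique chosen for this sketch, and the class, field and role names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed field set for an Annex V discharge-at-sea entry (assumption).
REQUIRED = ("date", "latitude", "longitude", "category", "volume_m3")
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class RecordBook:  # append-only event log: nothing is edited or deleted in place
    def __init__(self, roles):
        self.roles = roles   # user id -> "officer" or "master" (hypothetical names)
        self.events = []     # every save, amendment and verification, in order

    def _append(self, kind, entry_id, user, payload):
        if user not in self.roles:      # 4.3.1: every action has a known user
            raise PermissionError("unknown user")
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = {"kind": kind, "entry_id": entry_id, "user": user,
                "utc": datetime.now(timezone.utc).isoformat(),
                "payload": payload, "prev": prev}
        body["hash"] = _digest(body)    # binds this event to all earlier ones
        self.events.append(body)

    def save(self, user, fields):
        missing = [f for f in REQUIRED if fields.get(f) in (None, "")]
        if missing:                     # 4.1.2: only a complete entry is saved
            raise ValueError(f"incomplete entry, missing {missing}")
        entry_id = 1 + sum(e["kind"] == "save" for e in self.events)
        self._append("save", entry_id, user, dict(fields))
        return entry_id

    def amend(self, user, entry_id, changes, reason):
        if not reason:                  # 4.3.5: reason kept with the user id
            raise ValueError("an amendment needs a reason")
        self.view(entry_id)             # raises KeyError for an unknown entry
        self._append("amend", entry_id, user,
                     {"changes": dict(changes), "reason": reason})

    def verify(self, user, entry_id, second_factor_ok):
        # 4.3.6: master only; second_factor_ok stands in for a credential check
        if self.roles.get(user) != "master" or not second_factor_ok:
            raise PermissionError("verification needs the master's credentials")
        self.view(entry_id)
        self._append("verify", entry_id, user, {})

    def view(self, entry_id):
        """Replay one entry's history into current fields and status (4.3.8)."""
        history = [e for e in self.events if e["entry_id"] == entry_id]
        if not history:
            raise KeyError(f"no such entry: {entry_id}")
        fields, status = {}, "pending"
        for e in history:
            if e["kind"] == "save":
                fields = dict(e["payload"])
            elif e["kind"] == "amend":
                fields.update(e["payload"]["changes"])
                status = "re-verification" if status == "verified" else status  # 4.3.9
            else:
                status = "verified"
        return {"fields": fields, "status": status, "history": history,
                "amended": any(e["kind"] == "amend" for e in history)}

    def chain_intact(self):
        """False once any stored event no longer matches the hash chain."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

An unkeyed chain does not stop someone with write access from recomputing every later hash, and it cannot show that the newest events were cut off. Recording the latest hash in a separately protected copy, such as the digitally signed offline record of paragraph 4.4.4, is one way to cover both cases.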
4.3.10 To ensure that entries are verified in a timely manner, the system should provide
a reminder that verification by the master is required. It is recommended that where
possible, verifications occur prior to arrival in port. Entries not verified should be
accompanied by comments advising of the reason for non-verification.
4.3.11 If a recorded entry correlates with a receipt for services (such as a receipt
received when waste is discharged to a reception facility), or the endorsement provided
during regulatory surveys or inspections (such as endorsement of the Cargo Record Book),
the electronic record book should allow this receipt or endorsement to be identified or
attached to the relevant entry in the system. This receipt can be referenced in the
system with a hard copy receipt or endorsement made available upon request.
Alternatively, the receipt or endorsement can be attached to the entry in any form
deemed acceptable by the Administration (such as a scanned copy of the original in PDF),
and the original retained.
4.4 Storage of data recorded in the electronic record book
4.4.1 To create the same level of confidence as a hard copy record book, any electronic
record book should form part of the Information Technology Business Continuity Plan.
This includes having an appropriate method for backing up data and data recovery if the
system were to fail or not be available from the ship's network. Consideration should
also be given to alternate power supplies to ensure consistent access to the system.
Both data recovery and power sources are essential to allow ongoing entries to be made
and facilitate port State control (PSC) inspections.
4.4.2 The electronic record book should have the capability to allow automatic backup of
data in the system to offline storage. Backups should ensure the offline record is
updated automatically every time changes are made to entries to ensure the backing up
process is not forgotten by the user.
4.4.3 The recorded data stored in the offline space should be:
.1 developed using cryptography so that unauthorized access to the information is
not possible, and so that once the data has been saved it is in a read-only
format with no amendments able to be made to the record (unless done so through
the application or by a user with the appropriate level of authorization);
.2 in a format that can be transferred from the point of record to another
storage location. Examples include a local (removable) storage peripheral
device, local and remote network storage;
.3 maintained in a format that ensures the longevity and integrity of the record;
and
.4 in a format that allows output presentation and printing of the record.
4.4.4 This offline record may be provided in any format deemed appropriate by the
Administration and should be digitally signed by the master. The properties of the
digital signature need to appear on the offline record, including the title; full name
of the signer; and date and time of signing. It is recommended that the document be
presented in PDF; however, an alternative format may be used. Alternative formats should
allow the exchange and view of electronic documents independent of the environment in
which they were created and the environment in which they are viewed or printed, in a
simple way and with fidelity.
4.4.5 An electronic record book and infrastructure related to the system including
computers and peripherals, should be installed in compliance with IEC 60092 and IEC
60533, where applicable.
5 DECLARATION
5.1 Any electronic system deemed to meet the above criteria should be provided with
written confirmation by the Administration and carried on board the ship for the purpose
of regulatory surveys or inspections. An example of a declaration can be seen in the
appendix.
5.2 Delegating the assessment of the electronic record book against these Guidelines and
the issuing of a declaration on behalf of the Administration by recognized organizations
(ROs) is at the discretion of the Administration.
6 MARPOL INSPECTION AND ENFORCEMENT
6.1 Inspection
6.1.1 An electronic record book should have the ability to meet the company
verification/audit requirements (such as integration with the ship's Safety Management
System (International Safety Management Code)). The record book should also have the
ability to meet all flag State and survey requirements. In addition, an electronic
record book should meet all control provisions as set out in the relevant Annexes of
MARPOL. Such a system should also meet any general requirements set out in
the Procedures for port State control, 2017 (resolution A.1119(30)), as amended, as well as support the detection of
violations and enforcement of the Convention as outlined in Article 6 of
MARPOL.
6.1.2 The use of and reliance upon electronic record books in no way relieves shipowners
of their existing duty to accurately maintain and produce records during an inspection,
as required by MARPOL. It is recommended that if a ship cannot produce the electronic
record book or a declaration provided by the Administration during the PSC inspection,
the PSC officer should request to view an alternative verified copy of the records or a
hard copy record book for verification.
6.2 Equipment requirements during an inspection
As the electronic record book will be presented using the ship's onboard equipment, it
should not be necessary for officers to carry additional equipment (e.g. electronic
devices to view the records) during inspections. Officers may choose to carry additional
equipment on board to aid in the verification process if the ship's onboard equipment is
unavailable.
6.3 Prosecution
To accommodate current procedures when investigating illegal discharges under MARPOL,
the electronic record book should allow for the specific entry, relevant page, pages or
the entirety of the electronic record book to be printed at the time of an investigation
and each printed page physically signed by the master to certify it as a "true copy".
All printed pages should provide the following details in addition to those required
under MARPOL for record books:
.1 the title and full name of the person that entered the record (in addition to
the person's unique username and/or ID in the electronic record book);
.2 any changes that were made to the entries;
.3 the date and time of printing;
.4 the name and version number of the electronic record book from which the true
copy was produced; and
.5 page numbering and number of pages to ensure the report is complete.
APPENDIX - EXAMPLE DECLARATION
DECLARATION OF MARPOL ELECTRONIC RECORD BOOK
Issued under the authority of the Government of:
...............................................................................................
(full designation of the country)

In reference to the requirements set out in the
International Convention for the Prevention of Pollution from Ships (MARPOL)

Name of ship ...............................................................................................
IMO number ...............................................................................................
Flag State of ship ...............................................................................................
Gross tonnage ...............................................................................................

This is to declare that the electronic system designed to record entries in
accordance with MARPOL Annex(es) ........... installed on board the ship listed
above has been assessed by this Administration to meet the relevant requirements
as set out in MARPOL and is consistent with the Guidelines developed by the
International Maritime Organization (IMO).

Electronic Record Book Manufacturer: ___________________________
Electronic Record Book Supplier: ___________________________
Electronic Record Book Installer: ___________________________
Electronic Record Book Software Name/Version: ___________________________
Electronic Record Book is in accordance with MEPC Resolution/s: ___________________________
Date of installation (dd/mm/yy): ___________________________

A copy of this declaration should be carried on board a ship fitted with this
Electronic Record Book at all times.

NAME .....................
SIGNATURE ............................................
DATE (dd/mm/yy) ..................

Seal or stamp of the Authority, as appropriate