The Safety System That Governs Every Engineering Decision Onboard
Why ISM Exists in the Engine Room
The International Safety Management (ISM) Code did not emerge from paperwork culture.
It emerged from catastrophic failures — fires, groundings, flooding, explosions, and pollution incidents — where equipment failed, people adapted informally, and management systems were absent or ignored.
For engine officers, ISM is not an abstract compliance framework. It is the legal and operational structure that defines how work is planned, executed, deviated from, and defended after an incident.
Every maintenance job, isolation, alarm response, override, temporary repair, or operational deviation exists inside ISM, whether acknowledged or not.
Ignoring ISM does not remove its authority — it only removes your protection.
1. The ISM Code as a Control System, Not a Policy Document
From an engineering perspective, ISM behaves like a closed-loop control system.
Hazards are the inputs.
Procedures and controls are the control logic.
Human action is the actuator.
Incidents, near misses, audits, and failures are the feedback.
The SMS is not designed to eliminate risk. It is designed to bound risk, document decisions, and ensure the system learns when boundaries are exceeded.
When this loop breaks — usually through poor feedback or ignored deviation — accidents repeat.
This is why ISM places disproportionate weight on risk assessment, reporting, and corrective action, not just compliance.
2. SMS: The Ship-Specific Implementation of ISM
The Safety Management System (SMS) is the ship’s executable version of ISM.
It is meant to reflect:
- The actual machinery installed
- The redundancy philosophy of the vessel
- The manning level and competence onboard
- The operational profile (trading area, port frequency, cargo type)
In reality, many SMS manuals are generic fleet templates.
This is one of the primary failure modes of ISM.
A procedure that does not match the machinery will be bypassed.
A risk assessment that ignores operational reality will be ignored.
Engineers must understand that SMS validity is judged against real operations, not printed intent.
If the SMS says one thing and the engine room does another, the system — not the paperwork — is considered defective.
3. Risk Assessment as the Core Mechanism of ISM
Risk assessment is the primary technical function of ISM.
Everything else — permits, checklists, audits — exists to support it.
A valid risk assessment is not descriptive. It is predictive.
It must anticipate:
- Failure modes
- Human response under pressure
- Escalation pathways
- Loss of redundancy
- Secondary consequences
In engineering terms, risk assessment is failure mode and effects analysis (FMEA) applied to real work.
When risk assessments are reduced to generic hazards (“slips, trips, falls”), ISM collapses into paperwork theatre.

4. Why Generic Risk Assessments Fail Engineers
Generic risk assessments are written ashore, often by people who do not stand watches.
They assume:
- Normal conditions
- Full redundancy
- Adequate time
- Stable manning
- Functional instrumentation
Engine rooms rarely operate under these assumptions.
Real risk arises when:
- Redundancy is already degraded
- Temporary repairs exist
- Alarms are inhibited
- Equipment is running outside its design envelope
- Personnel are fatigued or unfamiliar
A task is never “routine” if the system state has changed.
Engineers must treat generic assessments as a baseline only.
The moment conditions deviate, a task-specific or dynamic risk assessment becomes mandatory, even if not formally demanded by the SMS.
5. Dynamic Risk Assessment – The Engineer’s Real Job
Dynamic risk assessment is the continuous reassessment of hazard as work progresses.
This is not a form.
It is an engineering judgement process.
Examples:
- A pump overhaul reveals unexpected corrosion
- A valve fails to isolate fully
- A temporary electrical supply is required
- A job runs into a watch change
- Weather, vibration, or load changes system behaviour
ISM explicitly allows — and expects — work to be stopped, modified, or re-authorised when conditions change.
Continuing “to get the job done” after risk has escalated is not professionalism.
It is a documented breach of ISM.
6. Human Factors: The Dominant Risk Variable
Most engine room incidents are not caused by lack of knowledge, but by predictable human limitations.
ISM recognises this, but SMS documents often reduce human factors to a paragraph.
In practice, risk increases dramatically when:
- Fatigue accumulates across watches
- Authority gradients prevent challenge
- “Temporary” deviations become normal
- Time pressure overrides procedure
- Alarms are rationalised away
A proper risk assessment must explicitly consider who is doing the work, under what conditions, and for how long.
Ignoring human factors invalidates the assessment, regardless of how well written it appears.
7. Non-Conformities, Near Misses, and the Learning Loop
ISM assumes failure will occur.
What it measures is how the system responds.
A near miss is not an embarrassment.
It is a system diagnostic event.
Failure to report near misses breaks the feedback loop and guarantees recurrence.
From an engineering control perspective:
- Unreported deviations = uncorrected faults
- Uncorrected faults = latent failures
- Latent failures surface under stress
Engine officers who report near misses are not creating problems — they are closing the control loop ISM depends on.
8. Audits and PSC: How ISM Is Actually Judged
Auditors and Port State Control (PSC) officers are not primarily checking paperwork completeness.
They are assessing:
- Crew understanding of risk
- Familiarity with procedures
- Consistency between records and reality
- Whether the SMS is used operationally
A ship with minor deficiencies but credible safety thinking is viewed more favourably than a ship with perfect paperwork and mechanical answers.
Inconsistency — not error — is what raises red flags.
9. ISM as Legal Shield or Legal Weapon
After serious incidents, ISM becomes a legal framework.
Investigators ask:
- Was the risk foreseeable?
- Was it assessed?
- Were controls defined?
- Were deviations justified?
- Was the system followed or consciously overridden?
If the SMS was used properly, it protects individuals.
If it was ignored or falsified, it concentrates liability.
For engineers, ISM compliance is not about pleasing auditors — it is about career survival after incidents.
10. Engineer Responsibility Within ISM
Engineers are not passive operators under ISM.
They are expected to:
- Question unsafe procedures
- Escalate mismatches between SMS and reality
- Record deviations honestly
- Stop work when risk exceeds control
- Update assessments based on experience
Silence is interpreted as acceptance.
ISM does not punish decision-making.
It punishes undocumented, unjustified deviation.
Conclusion – ISM Is Engineering Discipline, Not Administration
ISM is not about preventing all failures.
It is about preventing uncontrolled failure.
In the engine room, where systems are complex, ageing, and stressed, ISM provides the only defensible structure for decision-making under uncertainty.
Engineers who understand ISM do not fear it.
They use it as:
- A technical framework
- A communication tool
- A legal defence
- A safety net for the next watchkeeper