Aviation security: New challenges
Posted: 16 February 2015 | Peter Drissell, Director of Aviation Security, CAA
Peter Drissell, Director of Aviation Security at the Civil Aviation Authority (CAA), explains the challenges facing the organisation in taking on its new responsibilities for the UK’s aviation security regulations…
On 1st April 2014, responsibility for preparing and promulgating aviation security regulations transferred from the UK’s Department of Transport (DfT) to the CAA, as too did responsibility for monitoring and enforcing industry’s compliance with the security regulations. The CAA now provides independent expert advice to the Secretary of State on aviation security, including in respect of the policy making role which he has retained. The CAA is now also the chief regulatory interface with the aviation industry so far as security matters are concerned.
Although the transfer of functions was sometimes described as a ‘lift and shift’ operation, in practice this seriously underplayed the challenges involved. Aviation security regulation did not exist within the DfT as a separate organisational entity. To accommodate the change, a new group was established in rented space in the Home Office, together with the compliance monitoring arm, about a year ahead of the transfer to allow for a period of ‘shadow running’. This enabled us to confirm under live test conditions the feasibility and effectiveness of these functions being delivered separately and independently from DfT, and in particular to understand how regulation and policy making – which as I say remains with DfT – can be teased apart without the necessary interaction between the two being lost.
Transfer day, when it finally came, saw some scores of staff, together with their specialised management IT tools and secure communications systems, moved over a weekend into new accommodation at the CAA’s Kingsway headquarters in Central London. This had to happen without interruption to business as usual and in particular without any pause in the continuing programme of testing and checking industry’s delivery of security measures. I am happy to be able to say that, by dint of much careful preparation, all of this went very smoothly – indeed all but invisibly to industry.
In discharging our role as the regulatory interface with industry, we are very conscious of the importance which the CAA has long attached to the principles of better regulation – indeed this is one of its strategic objectives. Given that the CAA puts the consumer at the heart of everything it does, better regulation doesn’t benefit only the industry, of course; it is also good for passengers, who are better protected by good security but have a better travel experience if the measures are proportionate.
It follows that we work very closely with industry, in order to be able to regulate on the basis of a good understanding of the operational implications and costs of the measures being considered, to ensure that they are proportionate, properly targeted, and kept under active review. The last of these – the active review – is especially necessary when the UK is setting standards that are more stringent than those that apply elsewhere in the EU – which is sometimes necessary.
It is also essential to our ability to frame aviation security regulations that we have a good insight into the threat which those regulations address. So we have ensured, notwithstanding the transfer of functions out of central government, that we can maintain our relationship with the security agencies, and have full access to intelligence reporting and assessments.
Another part of the rationale behind the transfer of functions was implementation of the ‘user pays’ principle, so far as the cost of the aviation security regulatory and compliance monitoring functions is concerned. Since April 2014, that cost has been charged to industry and has no longer been met by the general taxpayer. Aviation security has in this way now come into line with the approach taken by many other areas of regulation.
So where are we, 10 months on from the transfer of functions? First of all we are bedding down very well into the CAA culture and into its corporate systems and processes. This is happening steadily, rather than at a stroke, so far as some of those systems are concerned, because the nature of our work means that we operate of necessity within a protected IT environment separate to that of the rest of the CAA. As smarter technologies come along, we are overcoming the remaining system barriers, and will be able to integrate progressively with – and benefit from – the CAA’s considerable investment in modern management tools and processes.
Safety and security
The bringing together of safety and security regulation within a single organisation is offering scope for an exploration of the parallels and potential synergies between the two regimes – indeed, that was part of the rationale for the transfer of functions. We are working closely with our new safety colleagues in that exploration, and most immediately we have drawn on their experience with Safety Management Systems, as we explore equivalent thinking in the security field. Looking ahead, we are also establishing a good understanding of performance based regulation in the safety field, with a view to aviation security regulation too, I hope, being able to move in the future in that same direction.
An important organisational activity we have been pursuing since April, which indeed started well before that date, has been the rebuilding to full strength of our cadre of compliance monitoring inspectors, not all of whom elected to make the move across to the CAA last year. It takes at least eight months to train a compliance inspector, but I am pleased to say that this rebuilding is now complete, with all of our new recruits fully trained and operational.
We have looked, in this major recruitment, for individuals whose skill sets, experience and competencies go a little wider than has typically been the case in the past. In part, this reflects the CAA’s strong focus on partnership working, in all of its engagement with external stakeholders and the wish wherever possible to work collaboratively and through two-way dialogues, rather than in a more ‘us-and-them’ fashion. But it is also about ensuring that we are well positioned for changes that are coming in aviation security.
Security Management Systems (SeMS)
The first of these changes is already happening, and I touched on it above. The DfT and the CAA have recently jointly published guidance on the adoption by aviation industry entities of Security Management Systems (SeMS). This was the fruit of many months’ work, involving several key industry players, and of careful piloting by a major airline and major airport. With the publication of this guidance, SeMS passed from the policy sphere into that of implementation, and it is now a major focus of the CAA’s work in the aviation security field.
The SeMS concept is based on that of Safety Management Systems, already familiar to those in civil aviation. It provides an organised, systematic approach to managing security, which embeds security management into the day-to-day activities of the organisation. An operator which follows the SeMS approach:
- Will be managing its security risks at the right level, overseen by its board
- Will be measuring its security activities, and so generating management information about its security performance
- Will have identified those within its organisation accountable for maintaining rigorous security standards, using this management information
- Will have a security culture that promotes high standards throughout the company
The SeMS guidance we have published comprises a SeMS framework and a separate note for accountable managers. It also sets out how we would like to see organisations in the aviation sector now develop their security management systems. Although having SeMS aligned to this guidance has not been made mandatory, I am sure operators will recognise that by developing SeMS in line with the new framework they will gain an effective security quality management system – one which meets the quality control requirements of existing EU regulation, moreover – which will allow them to manage their risks more effectively and efficiently.
The adoption by industry of SeMS will also allow changes to be introduced on the CAA’s compliance monitoring side, I hope towards arrangements that, because they are smarter and more efficient, will come to be less of a burden on operators. We want to move in our oversight from the present process of ‘direct and inspect’, to one describable as ‘direct, assure and audit’, as we become able to place some reliance on an operator’s own security performance information.
In talking about data in a SeMS context, one needs to be talking about fully digitalised data which is readily analysable and readily transferable. Operators presently collect and hold much more data than they are practicably able to use. Some of it is on IT systems, but too few of those systems can talk to each other, and where the data is not digitised, it may be in ring-binders, on shelves, in different offices across the company.
Embracing the SeMS approach
I believe that some operators do already have in place many of the components of a SeMS, even if it isn’t called a SeMS. That lay behind an insightful comment by one industry insider – ‘How else would we manage our business…?’ For some operators, their SeMS might constitute very largely a map of their existing systems and records. On the basis of the work we have done to date, I also believe that for a lot of industry, long used to working within a prescriptive compliance culture, SeMS will represent a step-change, and thus a challenge. The CAA will be hosting industry conferences, building upon one held last spring, to further operators’ understanding and adoption of the SeMS approach to quality assurance.
And then what next, once SeMS is in widespread use, in perhaps three to five years’ time? The Government concluded in 2012, having weighed the responses to an industry consultation, that the development and roll-out of SeMS, desirable and beneficial in itself for industry and regulator alike, could also be the right first step towards the delivery in longer time of a more flexible regulatory approach. This approach has been called ‘outcome focused-risk based’, although it might perhaps better be termed ‘performance based’. Here again we would be looking to learn from modern safety regulation. Quite clearly, for operators to be granted greater flexibility in their aviation security arrangements in future, perhaps in the design and configuration of measures, there would first need to be full assurance that their security risks had been fully understood and mapped, and were being managed appropriately by the operator itself. That is SeMS territory.
Peter Drissell was appointed as the CAA’s first Director of Aviation Security in May 2013. He had for five years been the Home Office’s Director of Security and Business Continuity, and prior to that had served in the Royal Air Force for 32 years, latterly as Provost Marshal (RAF) and Commandant General of the Royal Air Force Regiment.