Will embracing SeMS develop a positive security culture within aviation?

The UK CAA has embarked on a process towards modernising aviation security, in which airports are encouraged to identify and manage their own risks.

Looking to the future – and considering the ever-evolving threats that exist in the aviation industry – the CAA believes that the regulatory landscape for UK aviation needs to change.

At Airport IT & Security 2019, International Airport Review’s Editor, Tara Nolan, spoke with Adam Spurling, Compliance Team Manager at Civil Aviation Authority, following his live presentation, regarding the regulations involved in aviation security, and how the CAA’s SeMS provides solutions for many of the challenges being faced by airports today.

What is the most important element within an airport’s approach to security?

There is no single element that should be seen as more important than any other within an airport’s approach to security, but the existence of a positive security culture is fundamental for effective delivery on the ground. As in any well-run business, there must be effective leadership from the top and the senior management focus on security should be no different when compared to any other area of the business. Aviation is reliant on all aspects working concurrently to ensure that aviation remains the safest and most secure way to travel.

As a regulator we would, of course, say that compliance with national and international regulations is extremely important, but aviation security is no longer a ‘tick-box’ process and compliance with regulations should only be a part of an organisation’s approach to security. In our view, it is not sufficient for an organisation to say it is compliant, without fully understanding what that actually means in terms of security outcomes. In other words, it must understand the ‘why’ as much as it understands the ‘what’. To this end, the UK CAA has embarked on a process towards modernising aviation security, where we are looking for airports to identify and manage their own risks, rather than being directed as to what to do by the regulator. This follows the aviation safety model very much, where an organisation’s board, first and foremost, is accountable for its safety outcomes.

Regulations will always be a foundation, but through working collaboratively alongside the industry and encouraging innovative thinking about improving security performances further, often through incremental gains, we hope to stay one step ahead of current and emerging threats.

Why does the CAA believe the regulatory landscape for aviation in the UK needs to change?

Threats to aviation continue to evolve (some recent examples being drones and cyber-attacks), so it is important that the aviation security regime evolves too. As a regulator, we could not expect the industry to keep pace with emerging threats if maintaining the ‘we tell, you do’ approach that we have used in the past. Regulations are often written in a reactive manor, even though the terrorist threat is very dynamic. This requires the entire aviation community to challenge itself as to whether a potential new threat requires adjustments to the existing level of security and, if so, any potential increase in security needs to be carefully balanced against other considerations. The continuing growth in passenger numbers and the desire of all stakeholders to improve the passenger experience are also key drivers for change. As such, we are moving quickly to exploit advances in security technology which will deliver an improved detection capability and a better passenger experience. This requires us to work very collaboratively as an aviation community to ensure any necessary changes to security regulations are not only made, but the rationale for the changes are understood, as far as possible.

As regulators, we must also look to adapt our approach, ever mindful of the need for the aviation community to better utilise limited resources. Airports have the ability, through communication with local police forces, local government authority partners and surrounding businesses to understand what is happening within their immediate vicinity, and we are encouraging them to make the best possible use of these resources to manage their risks as effectively as possible. This again argues for the highest levels of collaboration; high-quality security does not sit well in silos. As a regulator, we should not only be focusing on high levels of compliance, but assisting in this sharing of best practice, encouraging entities to manage their own risks and working alongside them to improve aviation security that goes above and beyond being simply compliant. The whole should be infinitely greater than the sum of its parts.

How will you implement this change? How does SeMS assist that change?

CAA is mandated to regulate and maintain oversight of compliance for all regulated aviation entities within the UK, and it is important that this continues. However, the aviation sector adopting a Security Management System (SeMS), building on Aviation Safety’s equivalent Safety Management System (SMS), is a key step towards this measured change that we are pursuing. 

The SeMS framework, developed by the CAA and DfT, and in collaboration with the industry, provides a structure that allows an entity to gain a holistic view of their security operation.  Initially we encourage entities to complete a gap analysis, and this provides them with a clear picture of where they are and identifies any existing gaps. When an SeMS is operating and effective, then there should be no surprises when the CAA turn up to conduct an audit. In fact, the entity should already be aware of any issues and have implemented a rectification action plan.

SeMS can be seen as a tool to help ensure that there is an effective QA process in place by the organisation, but it is also there to help in the development of a positive security culture. By having this in place, an organisation can improve the standard of aviation security within their business, embedding this as part of their everyday operations.   Although SeMS is still relatively new, the acquired evidence so far is that it is helping to deliver improved aviation security performance and accountability.    

It is envisaged that, for entities implementing an SeMS, we will be able to gain assurance of their security operations not only through our own inspections, but also through methods utilised by the entity itself and, as such, we can look to move towards a more targeted, performance-based oversight model. They should not need us to tell them where there are risks and areas of non-compliance; rather, they should be telling us and explaining what they are doing, or preferably, what they have done to rectify any shortfall. This model, based on risk, compliance and the entity’s quality assurance of its own performance will allow for a more efficient approach in the way we conduct our monitoring activities. Most importantly, it will give everyone the confidence that, when the CAA auditors are not present on the ground, the organisation continues to manage its day-to-day security to a high standard.

Of course, all of this cannot be achieved overnight; rather, the change will be managed incrementally. It will require time and resources, but in addition, it will require support and input from our industry partners. Through this interaction, it is envisaged that SeMS will open the gateway to an ever more collaborative working relationship between the regulator and aviation sector. Critically, it should deliver an improved aviation security product, in which all stakeholders have fully and collaboratively contributed.

Were there any challenges when implementing/adjusting to SeMS?

For any innovative change to the status quo, there will always be a certain level of scepticism and resistance. Ultimately, we have to remember that airports often have to balance many competing priorities when bringing in new ideas or changes. SeMS is no different, but it is an opportunity to create and embed conditions which allow the industry to take pro-active ownership of their aviation security responsibilities in the context of other competing business priorities. Security should not be seen apart from other business risks when boards are considering prioritisation of resources.

There have been some misconceptions surrounding SeMS. Myths still exist around it being an IT platform or a data analysis tool. Data analysis certainly should form part of an SeMS, but SeMS is a much broader proposition that that. An SeMS is an overarching system for managing an entire security operation, and the development of a positive security culture is the key behavioural shift. This will inevitably involve IT platforms as part of the SeMS solution, especially for larger organisations. The SeMS framework has been deliberately written to ensure it is adaptable to suit all entities – in fact, if you remove the word aviation, it can be implemented for any business that has a security function. As with any new project, through its continued development, new challenges arise, however, these are being managed and resolved collaboratively with industry partners and, as such, the project continues to move forward at pace. 

What is the CAA’s vision for the regulatory future of aviation?

As security threats to civil aviation evolve and develop in complexity, delivery of robust security becomes ever more challenging. Likewise, passenger expectations will continue to evolve and, although the requirement for aviation security measures will be accepted and, for many passengers, actively welcomed, this will only be true to a point. Adding additional layers of security that diminish the passenger’s experience would not be so welcome.  Here, a combination of adopting advanced technology and developing the SeMS approach are key steps in managing the increased complexity of threats and growing passenger numbers. Through the adoption of a technology-driven, systematic approach to aviation security in ways which provide timely and effective security that is fully embedded in the daily operations and culture of an organisation, an effective SeMS provides the operator with assurance that its security risks are fully understood and managed pro-actively, within clear lines of accountability and sound governance.

SeMS is not unique to the UK and, as such, we are working with many industry partners to promote this security approach internationally. This includes regular communication with ICAO, IATA, ECAC and others, ensuring we maximise international collaboration and genuinely share the best ideas for developing the way forward. Of course, new threats (such as cyber-security) will emerge, and we are actively encouraging these to be included at the earliest stage within an organisation’s SeMS. Threats will continue to evolve and it behoves all stakeholders in the aviation community, government, the regulator and the industry to respond to these in a timely and proportionate manner, working collaboratively to ensure civil aviation remains the safest way to travel. 

Biography

Adam Spurling joined the CAA in 2014 as a Security Compliance Auditor. Within this role, he was responsible for ensuring EU and UK regulations were being met across the aviation sector. During this time, he also became an active member within the training team, writing and delivering training material for new auditors. In late 2017, Adam took the role of Compliance Team Manager with responsibility for the development and implementation of Security Management Systems, a key deliverable within the UK government’s Aviation Security Strategy. In addition to SeMS, he is also prominent within the CAA’s future work, leading the UK regulator towards a performance-based assurance model and risk-based monitoring programme.