Kirsty Wells, SeMS Programme Lead, and Nina Smith, Head of Training and Human Factors at the Civil Aviation Authority (CAA), discuss the move towards Performance Based Oversight and how SeMS is the stepping stone in achieving this, alongside the professionalisation of training.
This article was originally published in the International Airport Review, volume 24, issue 04.
The UK CAA has embarked on a number of new and refined processes within key areas, as it works towards modernising aviation security, in which airports are encouraged to identify and manage their own risks.
Looking to the future – and considering the ever‑evolving threats that exist in the aviation industry – the CAA believes that the regulatory landscape for UK aviation will undoubtedly change and advance through these two areas, where Performance Based Oversight (PBO), SeMS (the pre‑cursor to achieving PBO) and professionalisation of training will be key factors. The latter project, through the Quality Assurance Framework (QAF) for training providers, has ‘dipped its toe’ into PBO for the first time in 2020, which turned out to be key during the current COVID-19 recovery phase.
Why does the CAA believe the regulatory landscape for aviation in the UK will undoubtedly change?
High-quality security does not sit well in silos and as we continue to look at the proactive approach to managing security – one that is based on risk management and oversight – these will shape the change in the regulatory landscape.
Threats to aviation continue to evolve (with some recent examples being the use of drones and cyber-attacks), so it is important that the aviation security regime evolves too. As a regulator, we could not expect the industry to keep pace with emerging threats by maintaining the direct‑and‑inspect approach that we have used in the past. Regulations are often written in a reactive manner, even though the terrorist threat is very dynamic. The continuing growth in passenger numbers, prior to COVID-19, and the desire of all stakeholders to improve the passenger experience are also key drivers for change. The COVID-19 pandemic has brought about unprecedented times and caused the aviation industry to adapt and change dramatically in a short space of time. As we focus on recovery, a proactive approach through the use of security management systems, SeMS principles and vulnerability checklists means that the regulatory landscape is already changing. This requires us to work very collaboratively as an aviation community to ensure any necessary changes to security regulations are not only made, but the rationale for the changes is understood, as far as possible.
Ensuring our workforce is well trained and ready has never been more of a challenge than during the enforced inactivity COVID-19 has brought with it, which disrupted normal training processes and led to an increased focus on skill fade, applied to a large part of the aviation security workforce at once. Training providers’ ability to assess their own risks and proactively look at potential mitigations, supported by the new focus on self-assessment brought on by the QAF, provided for a good joint working base between regulator and industry during a highly pressured and stressful period.
As regulators, we must also look to adapt our approach and be ever mindful of the need for the aviation community to better utilise limited resources. Airports have the ability – through communication with local police forces, local government authority partners and surrounding businesses – to understand what is happening within their immediate vicinity, and we are encouraging them to make the best possible use of these resources to manage their risks as effectively as possible. This again argues for the highest levels of collaboration, where high-quality security does not sit well in silos. As a regulator, we should not only be focusing on high levels of compliance but assisting in this sharing of best practice, encouraging entities to manage their own risks and working alongside them to improve aviation security that goes above and beyond being simply compliant. The whole should infinitely be greater than the sum of all the parts.
How do PBO, SeMS and professionalisation of training assist with this change?
The CAA is mandated to regulate and maintain oversight of compliance for all regulated aviation entities within the UK, and it is important that this continues. However, the aviation sector adopting a SeMS – building on aviation safety’s equivalent Safety Management System (SMS) – is a key step towards this measured change that we are pursuing. The departments within the UK CAA are working together to develop and implement PBO across security, safety, cyber and training.
As a consequence, in close partnership with the DfT, the SeMS was created in 2015 to replicate the SMS route, in terms of industry-led quality assurance with a view to developing a PBO regulatory compliance framework for aviation security. This early work set out a formal approach to UK SeMS and provided SeMS toolkits to guide the industry’s adoption of SeMS. It also formed a basis for guidance on best practice in ICAO’s Security Manual, and the concept has also been adopted by IATA, where the UK CAA SeMS team reviewed the manual. This review identified distinct and clear synergies between the two approaches.
The notion of a more risk-based oversight approach to replace the compliance-based direct‑and-inspect regulatory framework was mooted by the government. This had been broadly the direction of travel adopted by CAA Aviation Safety colleagues based on an industry-led quality assurance process – the SMS – which led to a PBO process. The PBO regulatory framework is based on the CAA undertaking oversight of an entity’s performance based on the entity’s own risk assessment. This assessment is based on effective risk management through the entity’s management system, to outline its risks and mitigations. This moves the emphasis away from tick-box compliance to a more audit-driven approach based on conversations with the entity, rather than solely on formal inspections. This in turn will assist with the regulatory change.
It is envisaged that, for entities implementing a SeMS, we will be able to gain assurance of their security operations not only through our own inspections, but also through methods utilised by the entity itself and, as such, we can look to move towards a more targeted, performance-based oversight model. An airport, as an example, should not need us to tell them where there are risks and areas of non-compliance; rather, they should be able to demonstrate to us what it is they have found and what they have done to rectify the area of any shortfall.
Notably, all of this cannot be achieved overnight; rather, the change will be managed incrementally. It will require time and resources and, in addition, continued support and input from our industry partners. Through this interaction, SeMS will open the gateway to an ever more collaborative working relationship between the regulator and aviation sector, one that delivers the new regulatory landscape through PBO.
What is the UK CAA’s vision for the regulatory future of aviation?
The CAA continues to influence the development of an industry-wide SeMS as a voluntary process with the industry, but given that we have now reached critical mass, it would be timely for us to pursue making the adoption of SeMS mandatory. The emerging evidence where SeMS is embedded suggests there are corresponding synergies in higher performance, and it is encouraging to see smaller organisations joining the programme. Also, given that SeMS is an essential precursor to the adoption of any PBO regime, it could equally be argued that we could not progress the introduction of PBO without mandatory SeMS in place.
Since the SeMS approach to aviation security compliance was started in 2015, two other areas have developed where there is a potential role for the PBO approach. Last year, the CAA took on the responsibility of cyber-security oversight of those UK aviation entities that were covered by the Network and Information Systems Directive (NIS), and the CAA developed a QAF for UK aviation security training providers, both of which were mandatory from the beginning. As new enterprises for the CAA, we decided from the outset to base the cyber-security oversight process and QAF on PBO.
In the training area, the activities under the QAF mirror SeMS for aviation security training providers and follow the same pathway of enabling stakeholders to assess their own processes and identify gaps, rather than relying on inspection activity. The QAF is mandatory for training providers in the UK and, in addition, for entities in scope of SeMS who conduct their own training; it also captures third-party training providers.
The QAF shifted up a gear in early 2020 as it moved for the first time into the PBO phase for training providers who had been early adopters just a year before, allowing a direct correlation between their performance in the QAF and the level of oversight. As the QAF continues to be rolled out in phases, the roadmap to PBO is now firmly in place, with the framework providing flexibility across all sizes of training providers, with a focus on providing continuous improvement. Close joint working to develop and review the framework remains at the heart of the QAF and the wider project to professionalise aviation security training in the UK, as PBO becomes the new norm for both the regulator and the training industry.
One of the other most obvious links, and more prevalent, is that of security culture. As we move towards a more proactive, dynamic and risk‑based approach towards aviation security, the bedrock to this approach is that of a positive culture that is embedded from top to bottom, throughout an organisation, inclusive of all personnel. SeMS enhances this as we quality assure against an organisation’s culture, identifying how security messaging is communicated and cascaded to all employees, stakeholders and third parties – and not just those within a security role. All of these PBO areas support the evolution of positive security culture and, like SeMS, are key in ensuring that “all involved in aviation security feel empowered, motivated and recognised for their successes. That security culture is so embedded that everyone who works in aviation knows their role in aviation security and feels empowered to act”.