Lessons Learnt for regulators from 9/11: A Comparison of Aviation Security and Health Crisis Response – Part 2/2

By Stacey Peel, Global Aviation Security Lead, Arup and Nathalie Herbelles, Senior Director, Security and Facilitation, ACI World

For the aviation sector, the response to the COVID-19 pandemic has been the same as that triggered by 9/11—the imposition of prescribed, disproportionate to risk, one-size fits all measures with adverse impacts on operations. As the industry recovers, it is imperative that the shift to a risk-based approach is made now before measures with adverse operational impacts become embedded and rules become fixed in legislation. Key to ensuring this shift to a sustainable approach to managing health risks in the aviation sector are authorities and regulators.

Decisions made by authorities and regulators set the foundation for industry’s risk management culture, including investment, innovation, and behaviour. It is therefore imperative that authorities use this disruptive period, before reactive and short-term measures become embedded, to establish an environment that encourages and matures into an intelligence-led, risk-based, and outcomes-focused approach to health.

ICAO has long intended this for security, however individual and collective state decisions resulting in the deployment of prescriptive, one-size-fits all measures has led aviation down the path of a compliance-driven culture; one that leads to vulnerabilities that are exploited and attacks occurring, wasted resources, and the undermining of other business objectives. That is turning around now but the shift has been slow and unnecessary. Health authorities are actively encouraged to not make the same mistake as security.

This article is the second of a two-part series by ACI and Arup, which identify the top ten lessons learnt from the security experience that can be directly applied to manage health risks in aviation. This second article focuses on the lessons that can be learnt by health authorities and regulators from the security experience. The first part covers lessons learnt for airports.

1. Establish an intelligence-driven, risk-based, outcomes-focused regulatory framework: it delivers better security and business outcomes than compliance alone

Historically, security mitigation measures were implemented to comply with prescriptive rules and regulations established after successful and thwarted terrorist attacks. A well-known example is prescribing the installation of walk-through metal detectors in response to a high number of hi-jackings in the 1970s.

This compliance-driven regulatory approach means that a specific security risk is mitigated (e.g., a metallic threat), however many other known security risks are not, even when intelligence confirms a threat exists. A good example is the testing of liquid explosives in the 1995 Bojinka Plot—although addressing the liquid explosive threat, on an industry wide basis, did not come for more than 20 years later.

By contrast, an intelligence-driven, risk-based, outcomes-focused regulatory model allows the industry to determine how a known threat (informed by intelligence) might manifest in terms of likelihood and consequence of a risk event (risk-based), noting the likelihood and consequence will be unique to every airport. The airport can then determine how to best mitigate that risk in a way that addresses not only the security risk (security outcome) but also other business objectives such as passenger experience, cost management, and design objectives (business outcomes).

What this means for aviation health:

The health sector is similar in that it knows what the risk is (currently COVID-19) and can assess how it manifests (person-to-person and surface-to-person). How that risk will manifest in an airport will vary depending on last ports of departure, proximity of people, and surfaces. How that risk is mitigated should therefore be commensurate with those risk contributors. Prescribed measures address only some of those risks but not most/all for every airport.

There are advantages of authorities moving from prescribing health-risk mitigation measures to an oversight model that is intelligence-driven, risk-based, and outcomes-focused:

• If intelligence is shared and risk assessments robust (this can be regulated), the chosen mitigation measures are then appropriately targeted and proportionate to the risk. This leads to reducing the overall risk, targeted investment, and cost savings. Tools such as Arup’s Pandemic Intervention Evaluation Tool (PIET) can assist with targeted intervention decisions.
• Outcomes-focused regulations drive innovation: the supply chain develops solutions that address the health risk but differentiates them by meeting other airport needs such as passenger experience, speed, aesthetics, useability, and space saving.
• Airports have options and can choose mitigation measures that meet the health objective sought by authorities as well as their own business needs such as passenger experience, improved asset management, and the balancing OPEX and CAPEX. Again, Arup’s PIET can assist with deciding which interventions are appropriate based on health risk plus other business factors.

2. Accept mutual recognition and facilitate regulations that allow the airports to implement measures that will facilitate this

Outcomes-focused solutions enable the use of different mechanisms, which yield the same outcome, to be implemented. This saves costs and avoids the duplication of passenger processes that, if applied to the same standard, provide no additional security outcome. This has proven to be largely elusive for security due to the one-size-fits-all approach initially imposed by governments. This state-centric approach exists despite ICAO setting standards that facilitate and encourage mutual recognition and international bodies, such as ACI, being available to support coordination. The more obvious examples are repeated screening throughout a passenger’s single journey for which the passenger experience impact is obvious; and the duplication of equipment testing and certification of equipment even though governments have resource limitations that delay accepted solutions going to market.

What this means for aviation health:

COVID-19 has united governments in their pursuit for the same health outcome. Furthermore, the mechanisms adopted by individual governments to achieve that health outcome are largely the same, for example: testing, vaccinating, quarantining, and travel passports. Despite the mechanisms having the same intent, we are seeing authorities establish rules in isolation of each other without enough consideration of context and secondary consequences—such as impeding travel. We’re already seeing the cracks forming when it comes to governments’ mutual recognition of vaccinations, but the opportunity has not passed to avoid that same situation with other COVID-19 related mechanisms that are not as fixed, such as testing regimes and health passports.

Haste is necessary, but minimal up-front effort by governments now—before  mechanisms become “normal” (e.g., as vaccination has become)—will avoid security’s current and inhibiting experience. Will all state health passports be recognized by all other governments in the aviation network?  If not, why not?  Is it not the purpose of the health passport to facilitate travel?

Twenty years from 9/11 and aviation security cannot truly come to a harmonized global system due to supposed measures being set by governments in isolation of the international travel context. Measures that are supposed to facilitate travel ironically inhibit in terms of additional cost and duplication of processing. Health authorities are encouraged to avoid the same mistakes and to invest now to establish mutual recognition.

3. Prepare with the intent to change, or even withdraw, measures at a later date as the risk changes and/or mitigation (especially technology-based measures) mature

Since the deployment of walk-through metal detectors in the 1970s, we have: more intelligence and capability to assess the security risk; increased competition in which passenger experience is a key differentiator; more equipment suppliers than ever, including market disruptors; increased capacity for integrated data-based decision-making; heard ICAO’s call for outcomes-focused security and mutual recognition; and developed a drive for game-changing processing such as Arup’s Passenger Processing Pod.

These security capabilities and efficiency drivers should have resulted in a passenger screening capability that has optimized security outcomes, minimized the impact on terminal real estate, and provided opportunities for improving the passenger experience.

However, today’s passenger screening checkpoint gets bigger by the year, is subject to detection failure, often rates as the worst experience in the passenger terminal journey, and limits innovation to the narrow playground of regulatory compliance.  Why? Because the regulatory model of the last 40 years inhibits innovation beyond one-risk, one-solution. One could argue that is because the single government agency has only one concern and once that is achieved there is no need to be cognizant to others’ objectives, despite the overall socio-economic value of aviation to society.

What this means for aviation health:

COVID-19 has highlighted the societal and economic value of aviation. As the world recovers, that value should remain at the forefront of authorities’ minds by adopting regulatory and oversight frameworks that not only achieve the health objectives but take account of the need to remain agile as the threat changes. For example, our plans for responding to the next pandemic or global health crisis should not be copied and pasted from the way COVID-19 risks have been managed. Transmission patterns may be different, and mitigations may be different. National aviation health plans will need to remain flexible, adaptable and outcomes-focused regulations, fostering an environment that drives innovation for holistic solutions.

4. Do not adopt a one-size-fits-all approach to measures and avoid setting a culture of compliance

For aviation security, mitigating the security risk is the priority. Unfortunately, the aftermath of 9/11 saw this manifest as prescriptive measures imposed by authorities. The prescriptive approach meant that the priority, and associated industry culture, shifted from risk mitigation to compliance–resulting in measures that were:

• Not commensurate with the risk (e.g., assuming all passengers having intent to attack aircraft therefore 100% of passengers must be screened)
• Not deployed where risk was known (e.g., vulnerability of landside and threat from non-metallic weapons)
• Displaced the security risk (e.g., formation of crowds in unsecure areas and security measures “shoe-horned” into spaces not designed to accommodate equipment or processes)
• Not consulted on with industry locally and that did not have their buy-in, limiting motivation and affecting security culture
• Determined by procurement and compliance-risk, not lifesaving reasons

This compliance-centric culture is turning around slowly with the most public example being not all authorities responding in a knee-jerk prescriptive manner following the 2016 Brussels and Istanbul Airports’ landside attacks. Authorities could have used this re-focus on security as an opportunity to further improve capabilities around risk assessment. But at least, there were no one-size-fits-all approaches imposed and the risk-management accountability of the airport became more transparent.

Security has had a compliance-focused culture for forty years despite the non-prescriptive nature of ICAO’s Annex 17 – Aviation Security. That has been costly in both lives and money. While it is moving away from such a culture, avoiding it from the outset would have been better. The health industry and authorities have an opportunity to do that right now. If however, that conscious decision is not taken and the default position of prescribed measures is adopted, a compliance culture, regardless of risk, will form quickly. It will be the travelling public and investors that will bear that cost in the form of:

• Increased health risk, because compliance culture means mitigation occurs only after the event
• Monetary cost, because a compliance culture results in wasted resourcing
• Negative impact on the passenger experience, because a compliance culture is not considerate to the context of the measures’ deployment

Arup’s analysis of how security’s intelligence-led, risk-based and outcomes-focused oversight and regulatory framework can be applied for health confirms that little modification is required and that health authorities can avoid a one-size-fits-all approach from the outset.

5. Draw on the entire industry, including supply chain’s, experience when preparing requirements

Historically, authorities determined security risk mitigation measures with limited or no consultation with those who are to design and develop mitigations (i.e., suppliers); implement and use the measures (i.e., airports and service providers); or, those who are engaged to resolve problems generated by previously prescribed measures and/or have extensive experience of what has and has not worked in the past (e.g., consultants). Given authorities have a limited remit and experience with operations, it is no surprise that their determinations are often without regard for the flow-on or operational impacts from the solution (e.g., liquids and gels). Despite determining solutions that have limitations, due to decisions made in a vacuum, authorities at minimum, transfer the implementation risk to airports and passengers to compensate and at worst, penalize the airports for the solutions’ failing. Two examples of the latter are authorities prescribing equipment and processes for:

• Passenger screening in isolation of the factors that influence throughput and screening effectiveness, namely space and human factors, and then subsequently penalizing airports for queues and detection failings
• Staff screening in isolation of the factors that influence staffing costs, namely rostering time, and in parallel capping the pricing for on-airport services such as ground handling.

Involving industry early on and ensuring that investment in innovation includes operational, not just security or health, outcomes, will deliver superior results including:

• Users will quickly identify the inadvertent implications of certain designs, such as human-machine interface or processes – I wonder how much better the current passenger screening checkpoint would look and feel if threat and risk specialists, airport planners, security agents, and non-security technology providers were a) consulted when the risk was identified but an incident had not yet occurred and b) involved in equipment testing and certification processes?
• Supply chain is motivated to find solutions that address most/all objectives not just the catalytic risk – imagine how much more efficient and effective cargo security would be if exporters, vehicle drivers, cargo terminal operators, airlines and non-security technology providers were consulted before the current model was imposed by authorities.
• Draw on lessons learnt from others’ experience. The complexity of the aviation industry means that rightly there are many specialists who work side-by-side to deliver on their respective areas of focus such as engineering, mobility, baggage, cargo, safety, security, and health. It is the same for authorities who have their respective remits such as border control, fair competition, security, safety, and health. Airports are systems within systems meaning that interdependencies are common, not always understood, and often not identified until problems start emerging. A simple but common example is the practice of patrolling, a task undertaken by security and safety resources.  The core intent is common (i.e., risk mitigation); the data capture mechanisms are similar; and the process is identical (e.g. vehicle deployment and CCTV monitoring). Simple problems that might arise include the situation where one discipline identifies an issue that sits in the others’ remit, but systems prevent the data capture and the resolution “falls between the cracks.” Both disciplines are competing for the same resource (e.g., salary overtime, vehicles, monitoring resources such as control centre space, and capital expenditure for detection equipment). The operations divisions and consultants are often the first to identify these “cracks” and overlaps and are expected or called upon to compensate and resolve them with work arounds and re-design. Early consultation with those who have the “helicopter” view and have access to other airports lessons learnt are ideally placed to inform solution development including identifying how existing processes and assets can be utilized to achieve the intended—be that health or security outcomes.

It is not wrong for authorities to focus on achieving the outcome that they are singularly tasked with identifying. However, the effectiveness and sustainability of those outcomes can be enhanced by undertaking holistic impact assessments and utilizing the plethora of experience in the industry.  Authorities will achieve superior health (or security) outcomes if industry is involved early in the thinking and designing.

We trust this two-part series has provided the industry, as well as government authorities with insight into aviation security’s experience and how lessons learnt can be adopted for health risk management now. The series is intended to trigger discussion, debate, and ideally action. We would welcome the opportunity to contribute to that action: if you have ideas about how this discussion can be taken into the heart of aviation health decision-making, please get in touch with Stacey at aviation@arup.com and Nathalie.

Nathalie Herbelles

Senior Director, Security and Facilitation, ACI World

Nathalie Herbelles’ is ACI’s point of contact for global airport security issues, representing the world’s airports and helping deliver the association’s priorities. A French national, Nathalie has over 15 years experience in aviation security in different parts of the world, having worked for IATA, AEA, the European Commission and Air France.