By Stacey Peel, Global Aviation Security Lead, Arup and Nathalie Herbelles, Senior Director, Security and Facilitation, ACI World
For the aviation sector, the response to the COVID-19 pandemic has been the same as that triggered by 9/11—the imposition of prescribed, disproportionate to risk, one-size fits all measures with adverse impacts on operations. As the industry recovers, it is imperative that the shift to a risk-based approach is made now before measures with adverse operational impacts become embedded and rules become fixed in legislation. Key to ensuring this shift to a sustainable approach to managing health risks in the aviation sector are authorities and regulators.
Decisions made by authorities and regulators set the foundation for industry’s risk management culture, including investment, innovation, and behaviour. It is therefore imperative that authorities use this disruptive period, before reactive and short-term measures become embedded, to establish an environment that encourages and matures into an intelligence-led, risk-based, and outcomes-focused approach to health.
ICAO has long intended this for security, however individual and collective state decisions resulting in the deployment of prescriptive, one-size-fits all measures has led aviation down the path of a compliance-driven culture; one that leads to vulnerabilities that are exploited and attacks occurring, wasted resources, and the undermining of other business objectives. That is turning around now but the shift has been slow and unnecessary. Health authorities are actively encouraged to not make the same mistake as security.
This article is the second of a two-part series by ACI and Arup, which identify the top ten lessons learnt from the security experience that can be directly applied to manage health risks in aviation. This second article focuses on the lessons that can be learnt by health authorities and regulators from the security experience. The first part covers lessons learnt for airports.
Historically, security mitigation measures were implemented to comply with prescriptive rules and regulations established after successful and thwarted terrorist attacks. A well-known example is prescribing the installation of walk-through metal detectors in response to a high number of hi-jackings in the 1970s.
This compliance-driven regulatory approach means that a specific security risk is mitigated (e.g., a metallic threat), however many other known security risks are not, even when intelligence confirms a threat exists. A good example is the testing of liquid explosives in the 1995 Bojinka Plot—although addressing the liquid explosive threat, on an industry wide basis, did not come for more than 20 years later.
By contrast, an intelligence-driven, risk-based, outcomes-focused regulatory model allows the industry to determine how a known threat (informed by intelligence) might manifest in terms of likelihood and consequence of a risk event (risk-based), noting the likelihood and consequence will be unique to every airport. The airport can then determine how to best mitigate that risk in a way that addresses not only the security risk (security outcome) but also other business objectives such as passenger experience, cost management, and design objectives (business outcomes).
What this means for aviation health:
The health sector is similar in that it knows what the risk is (currently COVID-19) and can assess how it manifests (person-to-person and surface-to-person). How that risk will manifest in an airport will vary depending on last ports of departure, proximity of people, and surfaces. How that risk is mitigated should therefore be commensurate with those risk contributors. Prescribed measures address only some of those risks but not most/all for every airport.
There are advantages of authorities moving from prescribing health-risk mitigation measures to an oversight model that is intelligence-driven, risk-based, and outcomes-focused:
Outcomes-focused solutions enable the use of different mechanisms, which yield the same outcome, to be implemented. This saves costs and avoids the duplication of passenger processes that, if applied to the same standard, provide no additional security outcome. This has proven to be largely elusive for security due to the one-size-fits-all approach initially imposed by governments. This state-centric approach exists despite ICAO setting standards that facilitate and encourage mutual recognition and international bodies, such as ACI, being available to support coordination. The more obvious examples are repeated screening throughout a passenger’s single journey for which the passenger experience impact is obvious; and the duplication of equipment testing and certification of equipment even though governments have resource limitations that delay accepted solutions going to market.
What this means for aviation health:
COVID-19 has united governments in their pursuit for the same health outcome. Furthermore, the mechanisms adopted by individual governments to achieve that health outcome are largely the same, for example: testing, vaccinating, quarantining, and travel passports. Despite the mechanisms having the same intent, we are seeing authorities establish rules in isolation of each other without enough consideration of context and secondary consequences—such as impeding travel. We’re already seeing the cracks forming when it comes to governments’ mutual recognition of vaccinations, but the opportunity has not passed to avoid that same situation with other COVID-19 related mechanisms that are not as fixed, such as testing regimes and health passports.
Haste is necessary, but minimal up-front effort by governments now—before mechanisms become “normal” (e.g., as vaccination has become)—will avoid security’s current and inhibiting experience. Will all state health passports be recognized by all other governments in the aviation network? If not, why not? Is it not the purpose of the health passport to facilitate travel?
Twenty years from 9/11 and aviation security cannot truly come to a harmonized global system due to supposed measures being set by governments in isolation of the international travel context. Measures that are supposed to facilitate travel ironically inhibit in terms of additional cost and duplication of processing. Health authorities are encouraged to avoid the same mistakes and to invest now to establish mutual recognition.
Since the deployment of walk-through metal detectors in the 1970s, we have: more intelligence and capability to assess the security risk; increased competition in which passenger experience is a key differentiator; more equipment suppliers than ever, including market disruptors; increased capacity for integrated data-based decision-making; heard ICAO’s call for outcomes-focused security and mutual recognition; and developed a drive for game-changing processing such as Arup’s Passenger Processing Pod.
These security capabilities and efficiency drivers should have resulted in a passenger screening capability that has optimized security outcomes, minimized the impact on terminal real estate, and provided opportunities for improving the passenger experience.
However, today’s passenger screening checkpoint gets bigger by the year, is subject to detection failure, often rates as the worst experience in the passenger terminal journey, and limits innovation to the narrow playground of regulatory compliance. Why? Because the regulatory model of the last 40 years inhibits innovation beyond one-risk, one-solution. One could argue that is because the single government agency has only one concern and once that is achieved there is no need to be cognizant to others’ objectives, despite the overall socio-economic value of aviation to society.
What this means for aviation health:
COVID-19 has highlighted the societal and economic value of aviation. As the world recovers, that value should remain at the forefront of authorities’ minds by adopting regulatory and oversight frameworks that not only achieve the health objectives but take account of the need to remain agile as the threat changes. For example, our plans for responding to the next pandemic or global health crisis should not be copied and pasted from the way COVID-19 risks have been managed. Transmission patterns may be different, and mitigations may be different. National aviation health plans will need to remain flexible, adaptable and outcomes-focused regulations, fostering an environment that drives innovation for holistic solutions.
For aviation security, mitigating the security risk is the priority. Unfortunately, the aftermath of 9/11 saw this manifest as prescriptive measures imposed by authorities. The prescriptive approach meant that the priority, and associated industry culture, shifted from risk mitigation to compliance–resulting in measures that were:
This compliance-centric culture is turning around slowly with the most public example being not all authorities responding in a knee-jerk prescriptive manner following the 2016 Brussels and Istanbul Airports’ landside attacks. Authorities could have used this re-focus on security as an opportunity to further improve capabilities around risk assessment. But at least, there were no one-size-fits-all approaches imposed and the risk-management accountability of the airport became more transparent.
Security has had a compliance-focused culture for forty years despite the non-prescriptive nature of ICAO’s Annex 17 – Aviation Security. That has been costly in both lives and money. While it is moving away from such a culture, avoiding it from the outset would have been better. The health industry and authorities have an opportunity to do that right now. If however, that conscious decision is not taken and the default position of prescribed measures is adopted, a compliance culture, regardless of risk, will form quickly. It will be the travelling public and investors that will bear that cost in the form of:
Arup’s analysis of how security’s intelligence-led, risk-based and outcomes-focused oversight and regulatory framework can be applied for health confirms that little modification is required and that health authorities can avoid a one-size-fits-all approach from the outset.
Historically, authorities determined security risk mitigation measures with limited or no consultation with those who are to design and develop mitigations (i.e., suppliers); implement and use the measures (i.e., airports and service providers); or, those who are engaged to resolve problems generated by previously prescribed measures and/or have extensive experience of what has and has not worked in the past (e.g., consultants). Given authorities have a limited remit and experience with operations, it is no surprise that their determinations are often without regard for the flow-on or operational impacts from the solution (e.g., liquids and gels). Despite determining solutions that have limitations, due to decisions made in a vacuum, authorities at minimum, transfer the implementation risk to airports and passengers to compensate and at worst, penalize the airports for the solutions’ failing. Two examples of the latter are authorities prescribing equipment and processes for:
Involving industry early on and ensuring that investment in innovation includes operational, not just security or health, outcomes, will deliver superior results including:
It is not wrong for authorities to focus on achieving the outcome that they are singularly tasked with identifying. However, the effectiveness and sustainability of those outcomes can be enhanced by undertaking holistic impact assessments and utilizing the plethora of experience in the industry. Authorities will achieve superior health (or security) outcomes if industry is involved early in the thinking and designing.
We trust this two-part series has provided the industry, as well as government authorities with insight into aviation security’s experience and how lessons learnt can be adopted for health risk management now. The series is intended to trigger discussion, debate, and ideally action. We would welcome the opportunity to contribute to that action: if you have ideas about how this discussion can be taken into the heart of aviation health decision-making, please get in touch with Stacey at firstname.lastname@example.org and Nathalie.
Senior Director, Security and Facilitation, ACI World
Nathalie Herbelles’ is ACI’s point of contact for global airport security issues, representing the world’s airports and helping deliver the association’s priorities. A French national, Nathalie has over 15 years experience in aviation security in different parts of the world, having worked for IATA, AEA, the European Commission and Air France.