PREVENTION OVER DETECTION: WHAT SEMS CAN LEARN FROM SMS

Enormous growth in air travel and increased complexity of the aviation environment are amongst the many emerging issues presenting security challenges today. Conventional reactive methods for security management, responding mostly to occurrences with ever more complicated and prescriptive regulations, are becoming less effective. This causes increasing concern for effective security management in air transport. Guðjón Atlason has been studying changes in management methods in aviation including the implementation of management systems to manage risk and continuously improve the system.

New methods for managing security are now essential. It is time the security domain emphasised researching the use of other methods in addition to what it presently has. Other domains within aviation have been implementing methods that are designed to proactively search for and address risks and problems, and to provide better assurance for continuous improvement. These methods are in accordance with a modern perspective in safety management, including risk and occurrence management. They focus on the assumption that no single element can meet the expectations for risk management; other factors should be considered in the active search for potential threats, hazards and trends. It is important to define best practices while ensuring that the required standards are always met (ICAO Doc. 9859, Second Edition, 2009).

Regulation development changes somewhat with this approach, as regulations become more objective-based while regulatory oversight becomes more performance- or risk-based. This means that while all requirements are overseen, authorities identify (by means of statistics and oversight) where there may be vulnerabilities in a given operation, and they may concentrate more oversight activities on those processes. This modern perspective is based on processes and systems.

Quality Management

I would like to draw readers’ attention to two common statements. The first is that SMS (or SeMS) is not quality management or quality assurance. The second is that security is not the same as safety. Both statements hold some degree of truth, but these beliefs are testimony to the fact that more explanation needs to be provided to facilitate understanding of management systems.

Management systems, such as a quality management system (QMS) or security management system (SeMS), are developed from quality assurance theories and principles. In fact, the systems are simply a tool. Therefore, while it is true that security is not the same as safety, this does not preclude the same tool – the management system – from being applied to both fields. In the case of SMS, for example, the principles that are applied to the management of safety, with slight amendments, can be applied to the management of security. Furthermore, all such management systems, in addition to domain-specific processes, have several processes in common, allowing for the integration of management systems, and more economical use of resources (see Figure 1).

Figure 1. Integrated Management System (IMS)

The concept of quality control (QC) is used a lot in the security domain. This is fine and, in many instances, QC methods should be used to test end products. Sometimes, the terms ‘quality control’ and ‘quality assurance’ (QA) are used synonymously to refer to the same concept. This is in fact not entirely accurate. To better understand quality management systems and processes, QC may be considered fundamentally reactive while QA may be considered proactive:

  • QC is a failure detection system that uses a testing technique to identify errors or flaws in products, and tests the end products at specified intervals, while
  • QA is a failure prevention system that predicts where a product or service (such as security), its quality standards or its legality could possibly go wrong, and then takes steps to manage the deficiencies, take timely corrective actions or prevent the use of flawed products or services.

Security Management Systems (SeMS)

As illustrated in Figure 1, a SeMS is a management system – nothing more, nothing less. In line with the ICAO definition of an SMS, a SeMS can be defined as: a systematic approach to managing security, including the necessary organisational structures, accountability, responsibilities, policies and procedures. Some suggestions for aviation SeMS have recently been developed, such as the UK CAA CAPs on the subject (UK CAA, 2014 and 2018). This article supports these approaches and emphasises that all fundamental processes of an ICAO SMS can be applied to a functioning SeMS. There is no need to reinvent the wheel, and Standards and Recommended Practices for SeMS can be added into the existing ICAO Annexes 17 and 19. Figure 2 shows all processes of a SeMS framework fully based on the ICAO framework for SMS. This SeMS consists of 4 pillars and 13 elements. In addition, several sub-elements are shown in the figure, mostly derived from ICAO Doc 9859.

Figure 2. Framework for SeMS

Changes

Changes relating to infrastructure, equipment, procedures or organisation have different implications for the people affected by the change, but all such changes need to be managed to increase their chance of success. Organisational changes are very challenging, with a high failure rate (Kotter 1995). The implementation of a management system such as a SeMS can accordingly be considered a major change for any organisation. Unfortunately, ICAO may not have realised how much effort is needed to implement changes of this magnitude, and it may be assumed that the implementation of SMS has taken a good deal longer than would have been necessary had the change management process been properly prepared and guided during the process of developing and issuing the SARPs for SMS as requirements for a whole industry (Atlason 2018).

SMS has now become the norm for the entities required to have a functioning SMS. The security domain could, however, learn from this and make efforts to prepare better for the changes which need to be implemented for improved security management.

Opportunities

All constraints and challenges provide opportunities for improvement. It is important to learn from other aviation domains and sectors, which have developed and implemented management systems, and to draw upon the literature and research that provides guidance for successful organisational changes.

To summarise, the main suggestions derived from this article are therefore to:

  • move from failure detection methods to failure prevention with a proactive approach;
  • adapt the process and systems approaches;
  • develop more objective-based requirements and performance-based oversight;
  • develop and implement SeMS based on ICAO Framework for SMS;
  • amend Annex 17 to include SeMS requirements for operators;
  • add details for SeMS framework into Annex 19 to the Chicago Convention;
  • learn from the implementation of SMS and prepare a change management process for the implementation of SeMS.

Guðjón Atlason is director of infrastructure and navigation and head of security at the Icelandic Transport Authority. Holding a master’s degree in Strategic Management from the University of Iceland, Atlason has 35 years’ experience within the aviation industry and authorities, including at an international organisation and industry association, within aerodrome operations, flight operations and aviation quality, security and safety management. He was an inspector with the Icelandic CAA and, internationally, has worked with ACI World as manager for safety and operations, and with EASA as a rulemaking officer and a standardisation team leader. He participated in inspections as a national aviation security inspector for the European Commission 2007-2009. He has studied Change Management in relation to the implementation of safety management systems in aviation. He has provided aviation management courses and was a member of the Group of Aerodrome Safety Regulators (GASR) 2003 – 2009 and, as ACI personnel 2013-2014, a member of working groups of the ICAO Safety Management Panel and of the ACI World Safety and Technical Standing Committee.