Aviation Security Operations – Oversight Program Description and Delivery - Fiscal Year 2017-2018

Table of Contents

• Executive summary
• Operating context
• Introduction
  • Program overview: direct oversight activities
• Other oversight activities
  • Regulatory authorizations
  • Quality control
• Risks and Planning
• Considerations
• Initiatives to strengthen oversight
  • Modernization efforts: Changes to the Transportation Security Information System (TSIS)
  • Multi-year planning
  • Evaluating our oversight strategies
  • Risk analysis and risk-based decision making
• Oversight delivery in 2017 to 2018
• Organizational contact information
• Annex A: Definitions

Executive summary

This report documents Transport Canada’s planned oversight activities in Aviation Security, for the upcoming fiscal year (2017 to 2018). It is divided by quarter and by region. The report includes other activities such as issuing regulatory authorizations and doing quality control.

Key areas in oversight planning for 2017 to 2018 will be:

• aerodromes
• air carriers
• air cargo-air carriers
• primary security line partners (PSLPs)
• secure supply chain participants
• Canadian Air Transport Security Authority (CATSA)

Each region works with headquarters to forecast the number of inspections in their area. The regions obtain cost figures from the Integrated Planning and Reporting document for 2017 to 2018.

The aviation system continues to be an attractive target for acts of unlawful interference. Although we have seen the threat picture evolve over the past few years, overall, there have not been considerable changes in the risk environment. We continue to monitor threats and risks to aviation, and adapt accordingly.

The Non-Passenger and Vehicle Screening Program has been in effect since May 1, 2016. Regions must ensure they set aside resources to continue overseeing the full implementation of this program, particularly for aerodromes that have submitted corrective action plans until permanent facilities are in place. This work will impact the National Oversight Plan (NOP).

The Air Cargo Security Program also continues to expand due to regulatory changes to this program. Regions are asked to cross-train and dedicate more resources to air cargo oversight, to better support air cargo security and particularly to oversee known consignors new to the program.

Operating context

Canada has approximately 1,600 aerodromes and thousands of additional airstrips in both urban and rural areas. Of these aerodromes, 207 are certified for commercial purposes. Every year almost 80 million passengers travel in Canada. Each day there are about 2,500 flights between Canada and international destinations, including the United States.

The aviation industry employs over 91,000 people in Canada. It is critical to the operations of countless other industries that rely on aviation to transport over $110 billion worth of goods in international trade each year.

The aviation sector is heavily regulated for security. The Canadian Aviation Security Regulations, 2012 establishes the majority of these security requirements. Operators are further regulated by measures such as the Aerodrome Security Measures and the Security Measures Respecting Air Cargo.

Internally, the Air Cargo Security Program will continue to expand in 2017 to 2018. Amendments came into force with the Canadian Aviation Security Regulations, 2012 and the Security Measures Respecting Air Cargo. These regulatory changes:

• increased requirements for air carriers transporting cargo on passenger flights
• expanded the secure supply chain, by changing existing program categories and adding a newly regulated stakeholder

Shippers or known consignors will continue to join the program in the new fiscal year. However, it is difficult to estimate the number of consignors that will join. The department will need to ensure we have resources available to oversee these new program participants.

Introduction

Program overview: direct oversight activities

Transport Canada’s Aviation Security oversight program ensures regulated entities (for example, aerodromes and air carriers) comply with regulatory requirements.

The program involves these industry stakeholders:

• designated aerodromes
• primary security line partners
• commercial air carriers
• secure cargo supply chain participants
• Canadian Air Transport Security Authority (CATSA)

Aerodromes

At aerodromes, Transportation Security Inspectors conduct inspections to:

• ensure the aerodrome has proper procedures to prevent prohibited items from entering restricted areas, or being used as weapons
• confirm the aerodrome can assess and respond to threats and incidents
• confirm aerodrome personnel are properly trained to deal with security matters
• challenge access control systems
• review documents of entitlement, such as Restricted Area Identity Cards or other documents the aerodrome issues or approves, to validate their competence
• verify that the aerodrome has an Airport Security Program and its related components

Primary security line partners

Transport Canada inspects primary security line partners (PSLPs) to ensure they have done the following:

• designated a security official
• documented and communicated security-related roles and responsibilities
• developed a security awareness program
• protected restricted areas and prevented security breaches

In addition, PSLPs must:

• clearly document the primary security line they occupy and related restricted area access points
• maintain access control
• have proper measures in place to handle security-sensitive information

Air carriers

Transport Canada inspectors observe and test air carrier personnel and equipment to confirm that:

• the carrier’s handling of passengers and baggage is robust and effective
• the carrier maintains aircraft security at all times (this includes checking catering provisions to ensure they have not been tampered with)

Inspectors also:

• interview air carrier personnel to verify that their training and current level of knowledge meet regulatory requirements
• as part of the Passenger Protect Program, verify that air carriers have procedures to prevent people on the Secure Air Travel Act List from boarding an aircraft
• examine screening methods appropriate for the equipment used to transport air cargo
• visit and assess air cargo facility security, personnel security and all relevant training to ensure they meet Transport Canada standards

Screening Authority

Aviation Security Operations inspect the screening authority at designated aerodromes across the country. Security companies contracted by CATSA carry out the screening function at these aerodromes. Inspectors assess screening authority personnel through interviews and observations. They carry out a variety of screening checks, like designated passenger screening and non-passenger screening, at both terminal and vehicle entry points. In addition, throughout the year, inspectors carry out covert testing of screening checkpoints at aerodromes.

The Aviation Security Technology Division has a mandate to set performance standards for screening the security equipment that aerodromes use to check passengers and their belongings. They will conduct equipment testing and reviews in 2017 to 2018 to verify compliance with the standards set out in the Screening Security Measures.

Secure air cargo supply chain participants

Goods destined to become air cargo shipments begin their journey in the secure supply chain. Each entity of the chain, regulated agent, certified agent and known consignor, receive:

• a full assessment of the basic pillars of their operations (personnel security, training, facility security and chain of custody)
• a review of their screening and packing methods, as appropriate

International Program

Finally, Transport Canada Aviation Security inspects foreign air carriers travelling to Canada. At foreign aerodromes, Transportation Security Inspectors do on-site assessments of air carriers flying directly into Canada, to ensure they comply with Canadian regulatory requirements. These assessments include meetings with airline representatives to review and discuss security programs. Inspectors also examine security procedures at the airport, and meet with representatives of the Civil Aviation Authority to review and discuss that country’s civil aviation security framework.

Other oversight activities

Regulatory authorizations

In addition to inspections, Aviation Security does other activities that support or are related to oversight. For example, we issue regulatory authorizations. Stakeholders who join the Air Cargo Security program are issued a Canadian Aviation Document after meeting certain requirements. This document regulates their activities under the Canadian Aviation Security Regulations, 2012 and the Security Measures Respecting Air Cargo. All applicants to the Air Cargo Security Program must go through an application process that includes a desktop review of their Cargo Security Plan (CSP). The CSP is an online tool that helps applicants detail how they will comply with the program’s requirements. The desktop review is conducted by Aviation Security personnel.

Aviation Security issues other types of regulatory authorizations, such as Screening Officer Designations (SODs), another type of Canadian Aviation Document. We provide SODs to newly trained screening officers employed by the Canadian Air Transport Security Authority.

Transport Canada also issues security exemptions. Headquarters develops exemptions to security requirements based on requests submitted by industry.

Quality control

Regional managers do quality control checks on inspection reports recorded in the Transportation Security Information System.

An inspection activity is selected for quality control based on:

• whether it relates to a new program
• whether it was identified by non-compliance
• if it was identified as having a higher risk

Once all regions have completed quarterly QC checks, they are submitted to Headquarters for a national QC review. The Quality and Risk Management Team then conducts a review of each Regional Managers QC submission, and will follow up with Regional Managers on any remaining issues requiring corrective action.

Risks and Planning

Aviation Security considers strategic and operational risks as part of our planning process each year. We began using a new risk-based approach to inspection planning in 2015 to 2016. In addition to planning over a three-year cycle (2015-16 to 2017-18), we changed how we prioritize inspections. We set priorities for inspections through a risk prioritization exercise.

The Government of Canada’s own cadre of subject matter experts is one of the most valuable sources of risk information available. In the fall of 2015, we assembled Aviation Security Operations Managers from the regions and headquarters to assess each inspection activity that comprises the Aviation Security oversight program.

The managers were asked the following questions:

• What is the likelihood of regulatory non-compliance associated with this inspection activity?
  • Questions to consider:
    • What is the current level of compliance?
    • Is this a new stakeholder group or a new rule where no compliance data exists?
• If the regulations related to this inspection activity were not followed, what would be the impact on security (based on most likely, worst-case scenario)?
  • Questions to consider:
    • How critical is the regulation?
    • How could it be exploited?
    • Are there other security layers in place?

The group discussed each question. Next, managers were asked to assign a numerical value (1 to 5) for likelihood and impact for each inspection activity. The numbers were captured using a live, electronic voting tool. The tool then calculated a risk rating of high, medium or low for each activity by adding likelihood and impact together.

Once voting was complete, managers formed break-out groups to discuss and adjust the risk results and ensure they were appropriate. After this process, headquarters further validated the information by comparing the results against inspection areas that lead to compliance issues in the past.

Aviation Security Operations then assigned frequencies to the risk levels, and arrived at a Baseline Inspection Schedule (BIS).

Considerations

The aviation industry goes through changes in operations throughout the year. For example, air carriers will increase or decrease service at an aerodrome. Meanwhile, new air carriers will begin operations, and some operations will stop. We normally know these changes in advance, so we can incorporate them in regional planning and account for quarterly variations. Sometimes, when a change has not been anticipated, an oversight activity will be performed as an Unplanned (or Reactive) activity.

All regions follow a standardized process for creating annual inspection plans. Policy Directive 103 lays out the steps for a manager developing a plan, from calculating available hours for an inspector, to determining when inspections will happen during the year.

An important step in the planning process is assessing time per inspection activity. We provided the regions a historic set of time per inspection activity (TPIA) metrics for 2017 to 2018 planning, but they were able to adjust these times based on their needs. Regions were also required to calculate the total time available for an inspector to conduct oversight in the year. Differences between regions’ time calculations means the amount of oversight they conduct will vary.

In 2017 to 2018, the Aviation Security program will use a new system for assigning regions and inspectors to national air carriers. This system aims to reduce duplication in oversight activities between regions, streamline efforts, and reduce administrative burden on air carriers. Each region will be responsible for a certain number air carriers, based on the total number of carriers in operation. Only the assigned region will conduct certain inspections. This system will create variability between regions in the number of air carrier activities they perform.

Initiatives to strengthen oversight

The Aviation Security program has several strategic initiatives in place to strengthen our oversight planning, delivery and reporting. They include:

• Modernization efforts: Changes to the Transportation Security Information System (TSIS)
• Multi-year planning
• Evaluating our oversight strategies
• Risk analysis and risk-based decision-making

Modernization efforts: Changes to the Transportation Security Information System (TSIS)

TSIS is the central depository of inspection results for Aviation Security. This system has a new component that streamlines planning and reporting. As of April 18, 2017, the Planning, Assigning and Reporting Module (PARM) automates planning and reporting processes that were mostly manual. The module also allows the regions to assign inspection records to inspectors.

In addition to PARM, the program has submitted a proposal for capital funding to migrate TSIS from an application platform to an online version. This will help regional inspectors connect to TSIS, particularly when doing inspections offsite. The migration will also position us to introduce tablets inspectors can use to record their findings. Currently inspectors must record oversight observations on paper and transfer the details to TSIS when they return to the office.

Multi-year planning

Aviation Security currently follows a 3-year planning cycle for our oversight activities. We bring regional managers together at the beginning of each year 3-year cycle to assess risk, prioritize the work and determine its frequency. This analysis sets the parameters by which regions will plan oversight in the future.

Regions plan for each year following this assessment, for a total of 3 years. The branch is currently scheduled to reassess risk in 2017, before planning for the 2018 to 2019 fiscal year.

Evaluating our oversight strategies

We recently put in place a national quality assurance program to evaluate the systems and processes on which we base the Aviation Security oversight program. The quality assurance team is currently doing an environmental scan of the program’s components, to determine which documentation we have.

Quality control is an important part of quality assurance, and was established by Aviation Security in 2015 to 2016. Regional managers do quality control reviews on inspection records entered into the Transportation Security Information System (TSIS) by the inspectors who report to them. Quality control reviews will continue in 2017 to 2018. This will ensure the oversight data in TSIS, upon which we base our planning, will continue to improve.

Risk analysis and risk-based decision making

Aviation Security has an extensive risk analysis process to support our oversight planning. This process ensures we allocate resources based on risk. The process is reset every 3 years. We actively involve our regional expertise to ensure we include on-site experience and knowledge.

Oversight delivery in 2017 to 2018

As per the Oversight Transparency Integration Plan we will report on how we deliver planned risk-based inspections, reactive inspections and regulatory authorizations through the Canadian Center on Transportation Data (CCTD).

Organizational contact information

Transport Canada welcomes your comments on this report.

Email: aviationsecurity-sureteaerienne@tc.gc.ca

Annex A: Definitions

Required field	Description
Oversight	How Transport Canada promotes, monitors or enforces compliance with our safety and security requirements.
Regulatory authorizations	We give these when a regulated party (for example, a railway company or vehicle manufacturer) applies for permission to do a regulated activity, or be exempt from it. We may give permission in various forms, including a permit, licence or certification. Transport Canada does not control the number of regulatory authorizations per planning cycle.
Inspection	A documented, formal examination of industry compliance with Canadian transportation safety and security rules, regulations and requirements. Authorized Transport Canada officials record the results of each inspection. For the purposes of this document, audits are a type of inspection. *Includes pre-site, onsite, and post-site inspection and oversight activities. Is complete when the inspector submits an approved inspection or oversight activities report. Does not include follow-up action, quality control checks or outreach activities.
Planned, risk-based inspections	All inspections Transport Canada initially commits to doing in a given planning cycle. The SO3 Management Board may authorize updates as needed. *Include inspections that are announced (and expected), and those that are unannounced. Does not include: estimated numbers of demand-driven activities, such as regulatory authorizations “reactive” or “opportunity” inspections that happen because of a change in oversight
Follow-up activities	Arise from findings of an initial inspection. May include an on-site inspection, requests for more information, or enhanced monitoring. *Do not include enforcement.
Other activities	Oversight activities that Transport Canada did not initially commit to in a planning cycle, and are not a follow-up to an inspection or audit.
Enforcement	Measures we use to enforce requirements and compel compliance. For example: letters of non-compliance directions or orders ticketing notices of violation administrative monetary penalties prosecutions suspensions or cancellations of certificates or authorizations
Education, outreach and awareness	How we educate the public, and encourage people and companies to comply with the law.
Quality control	How we ensure inspectors follow policies and procedures, and complete required documentation. Applies to an entire oversight activity, from inspection, to follow-up, to resolving non-compliance. Supervisors and managers are responsible for quality control. Each program must have: a documented, nationally consistent way of doing quality control a procedure or set of procedures to ensure inspections follow approved standard operating procedures