INTRODUCTION
                
                When considering aviation compliance, our first question should be: compliance with what? In
                other words, which regulations and standards do we have to comply with?
                
                While applicable regulations are mandatory per se, industry standards become mandatory only if
                that is our business decision. In Europe each aviation certificate is related to certain EU
                regulations, and compliance with the applicable parts must be maintained in order to keep the
                related certificate valid. For example, an Air Operator Certificate - AOC is related to applicable
                parts of (EU) No.965/2012 Air Operations (e.g. Part-ORO, Part-CAT, Part-SPA), or an Approved
                Training Organisation - ATO to applicable parts of (EU) No.1178/2011 Air Crew (e.g. Part-ORA).
                
                
                
EU REGULATION - HARD AND SOFT LAW
                
                EU aviation regulation is prepared by EASA and can be divided into two parts:
                
                
Hard Law goes through the parliamentary approval process and is published as Commission
                Regulations (with a unique ID in the form EU No. YYYY/NNNN), signed by the President of the
                Commission. Hard Law (also called binding law) defines requirements about WHAT has to be
                fulfilled.
                
                
Soft Law, in the meantime, waits at EASA for the Hard Law to be published in the EU Official Gazette.
                After that, Soft Law is issued by EASA in the form of ED Decisions (Executive Director Decisions,
                signed by the EASA Executive Director) to complement the Hard Law. Soft Law is called non-binding
                and is therefore frequently wrongly considered by non-operations managers and lawyers to be
                non-obligatory. To make the use of these rules more practical, EASA usually publishes a document
                called Easy Access Rules, where both hard law and soft law are listed together under the
                appropriate sections.
                
                While hard law specifies WHAT, soft law defines HOW regulatory requirements should be fulfilled,
                in the form of related Acceptable Means of Compliance - AMCs and Guidance Material - GMs. The
                term »should« is used for legal and logical reasons, to allow operators either to select the AMCs
                advised by EASA or to propose their own alternative means of compliance.
                
                
                
COMPLIANCE MONITORING
                
                Auditing
                
                Audits are conducted to evaluate and demonstrate an organization's level of compliance with a
                certain regulation or standard. Basically there are two different approaches to organising and
                performing audits: the administrative-based approach and the process-based approach.
                
                
Administrative-based approach is focused on regulation. For each regulation a corresponding audit
                is defined where auditable items are actually a list of all regulatory requirements.
                
                Auditors go through the list and check, for each auditable item, whether the requirement is
                documented and how it is implemented. (Only documented Yes and implemented Yes results in
                compliance Yes.)

                In this approach the relations between regulatory requirements and auditable items are very clear
                (one-to-one relationship).
                
                The advantage of this approach is that audits can be prepared very quickly with very few resources,
                especially where the standard/regulation is well documented (like the IOSA Standards Manual or
                EASA Easy Access Rules).

                The disadvantage is that although the “Compliance Big Picture” is easy to evaluate and maintain,
                focusing on a single tree may result in not seeing the forest. Another disadvantage is that such
                audits refer only to one regulation or standard. Therefore, for departments subject to more than
                one regulation or standard, multiple audits have to be conducted, often evaluating the same
                processes.
                
                
Process-based approach is focused on organisation’s processes. For each process an appropriate
                audit is defined where auditable items are focused on related activities and documents AND LINKED
                to regulatory requirements applicable for those activities.
                
                The advantage of this approach is that audits are organised in a more logical and more
                understandable format, enabling the auditor to be focused on how the process is actually performed
                and how required regulations are documented and implemented through the process activities.
                This approach also reduces the number of required audits, because one audit may cover more than
                one regulation, which is especially beneficial where two or more regulations/standards cover the
                same business processes.
                
                In this approach the company needs to create its own system of audit items and connect them to
                the applicable regulatory requirements. Consequently, in the opposite direction, the relations
                between regulatory requirements and audit items are not so clear, and therefore it is more
                difficult and time consuming to demonstrate compliance in practice (e.g. to the NAA).

                The biggest disadvantage of this approach is that more experienced staff are needed to prepare
                questionnaires, because auditable items should cover process activities and related
                regulations/standards.
                
                Based on the size and complexity of the organization, each company may find an appropriate
                combination of, or compromise between, these two opposite approaches. But in any case we need to
                assure that we are compliant on paper (Documented) and compliant in practice (Implemented),
                having in mind also the consistency of our Policies, Processes, Procedures and Plans.
                
                
Findings
                
                Findings are defined inside the audit. The finding description shall be as accurate as possible,
                to provide the auditee with reliable information for identifying the root cause and for defining
                the appropriate Corrective Action Plan - CAP. It will also make the auditor's life easier at CAP
                approval and at the follow-up audit.
                
                For each finding a related safety risk assessment should be performed by the auditor. Different
                methods could be used for this purpose: categorization (safety hazard, major non-compliance,
                non-compliance, concern, observation); the classic ICAO 5 x 5 matrix; or at least a simple
                red/yellow/green risk level. The result of the assessment shall be taken into account when
                defining the due date for the CAP and the due date for the Corrective Action - CA.
                
                Awareness among audited managers of their responsibility to establish and maintain compliance
                shall finally result in their understanding that on-time CA accomplishment also means on-time
                restoration of the related compliance. A follow-up audit should be conducted by the auditor to
                confirm the restored compliance.
                
                
                
CONCLUSION
                
                Aviation Compliance is not a Quality Management System!
                
                ICAO limited the use of the term Quality Management System - QMS to standards related to
                customer satisfaction only (e.g. ISO 9001 and related specialized standards). EASA eliminated the
                term “Quality” from European aviation regulations in 2014 and required a “Management System” to
                be established instead of a “Quality System”, making one step further towards an Integrated
                Management System - IMS, where safety management is considered as a part of the management
                system and not in isolation. A typical integrated management system includes a Safety Management
                System - SMS, Security Management System - SeMS, Quality Management System - QMS,
                Environmental Management System - EMS and Occupational Health and Safety Management System -
                OHSMS.
                
                Compliance is the responsibility of operational managers, especially of those with executive
                power. The responsibility of the Compliance Manager (and auditors) is the monitoring of
                compliance. In EU-based airlines the Compliance Manager shall be independent and may be
                subordinated only directly to the Accountable Manager or to the Safety Manager.
                
                So how compliant are we with a certain regulation or standard? Theoretically the answer should
                always be 100% (or 10 of 10), but this might easily be understood as “too good to be true”.
                Therefore at least “taking into account that all audits and findings are managed in a timely
                manner” should be added.
                
                Personally I prefer a graphical overview of each applicable regulation or standard with a coloured
                list of all hard-law and soft-law requirements based on status: Green (Compliant), Red
                (Non-Compliant), White (N/A - Not Applicable). Good software solutions should be able to display
                the evidence and to generate requirement status automatically based on recent audit results and
                related finding(s) status.
                
                Compliance management is an on-going process, as our compliance status may change on a daily
                basis because of new audit results, new corrective actions performed, new finding statuses and
                new regulation changes.
                
                Despite the fact that it is usually considered by SMS as only one safety barrier, compliance is a very
                important and mandatory (SHALL HAVE) barrier, because it provides stability of the organization
                management system.
                
                
                    
                    
                
                Andrej Petelin
                Aviation Safety and Compliance Consultant
                
                April, 2020