GCAA SAFETY AFFAIRS AUDIT STANDARD

STANDARDS 2017-01 - ISSUE 01 Page 1 of 11

GCAA SAFETY AFFAIRS

AUDIT STANDARD


TABLE OF CONTENTS

1 Definitions ............................................................................................................................................. 3

2 Exception ............................................................................................................................................... 4

3 Introduction .......................................................................................................................................... 4

4 Triggers and Objectives for Safety Audits ............................................................................................. 4

4.1 Audit Triggers: ............................................................................................................................... 4

4.2 Audit Objectives: ........................................................................................................................... 5

5 Audit Phases: ......................................................................................................................................... 5

5.1 Planning and Preparation: ............................................................................................................ 5

5.2 Audit Notification .......................................................................................................................... 5

5.3 Opening Meeting: ......................................................................................................................... 6

5.4 Conduct of the Audit ..................................................................................................................... 6

5.5 Evaluation of Results ..................................................................................................................... 7

5.5.1 Level (1) ................................................................................................................................. 7

5.5.2 Level (2) ................................................................................................................................. 7

5.5.3 Level (3) ................................................................................................................................. 8

5.5.4 Findings levels timelines: ...................................................................................................... 8

5.5.5 Closure of Initial Certification Audit of Organisations .......................................................... 8

5.6 The Closing Meeting ..................................................................................................................... 9

5.6.1 Purpose of the Closing Meeting: ........................................................................................... 9

5.6.2 Resolution of Differences between Auditor & Auditee ........................................................ 9

5.7 Notification of Audit Findings ....................................................................................................... 9

5.8 Response to Findings .................................................................................................................... 9

5.8.1 Additional Actions ................................................................................................................. 9

5.9 Follow-up Actions ....................................................................................................................... 10

5.10 Closure of the Audit .................................................................................................................... 10

6 On Notice Program ONP ..................................................................................................................... 10

6.1 Cases Leading to ONP ................................................................................................................. 10

6.1.1 Cases that could lead to putting an organisation under ONP may include: ...................... 10

6.2 ONP Notification and Required Action ....................................................................................... 11

6.2.1 Notification ......................................................................................................................... 11

6.2.2 Monitoring .......................................................................................................................... 11

6.2.3 Standardisation Audit ......................................................................................................... 11

6.2.4 Lifting an organisation from ONP ....................................................................................... 11

If the organisation carries out satisfactorily the recovery plan, it shall be lifted from the ONP ........ 11

6.3 Cases where Immediate Action is Required Instead of ONP ...................................................... 11


1 Definitions

Audit: is a systematic, independent and documented process for obtaining audit evidence and evaluating

it objectively to determine the extent to which the audit criteria are fulfilled.

Audit criteria are the standards against which fulfilment of requirements is determined. They include

policies, procedures, requirements adopted by an organisation or enforced by the regulator and include

applicable laws and regulations.

Audit evidence: includes records, factual statements, and other verifiable information that shows or proves that something exists or is true. Certification Audit: A site Audit undertaken for the purpose of assessing the organisations facilities,

processes, systems, services and equipment to verify and ensure that they comply with the regulations

before the issue of the approval certificate.

Certification requirements: The pre-requisites and conditions required to be satisfied prior to granting

the approval certificate (and for the continued validity of such certificate) such as availability of

accountable manager, approved PH, facilities, equipment, manuals, systems, other governmental

approvals necessary to ensure safe and legal operation of the certificate holder.

Containment Action: An action intended to contain the risk arising from a level 1 finding and prevent it

from undermining the continued safe operation. Containment actions will allow sufficient time for the

corrective action to be implemented where it is not practical for the latter to be implemented within the

given timeframe for closure of level 1 findings.

Corrective actions: A set of activities taken to rectify the non-conformance.

Mid-Audit Review: May be conducted between periodic audits when deemed necessary by auditors to

review any outstanding findings or address action plans provided by auditees.

Preventive actions: A set of activities taken to avoid re-occurrence by overcoming the root cause.

Q PULSE: Q PULSE is the electronic platform that GCAA uses to manage and communicate audit reports

and findings.

Note: - All information contained in Q PULSE are secured and treated as confidential - Q PULSE user manual is available on the following link. - For the purpose of this document, the terms non-compliance and non-conformance are

interchangeable

http://eaudit.gcaa.ae/QPulseDocumentService/Documents.svc/documents/active/attachment?number=PRP-QP-E-1


Standardisation audit: is a planned extensive audit that is conducted by the GCAA against organisations

falling under On Notice Program (ONP).

Technical Inspection: Visual and/or instrumental verification of compliance with technical specifications

related to the organisations infrastructure and operations.

Unscheduled audit-(Ad-hoc): When the GCAA has identified a trend in the reduction of safety; an

unscheduled audit can be undertaken. These audits can be announced or unannounced.

2 Exception

This document does not apply to inspections performed against foreign aircraft.

3 Introduction

ICAO annex 19 requires states to implement documented safety surveillance processes, by defining and

planning inspections, audits, and monitoring activities on a continuous basis, to proactively assure that

aviation license, certificate, authorisation and/or approval holders continue to meet the established

requirements.

The purpose of this document is to summarise Aviation Safety Affairs Sectors audit processes and

principles in order to provide more clarity to the regulated entities.

Any provisions in the GCAA Safety regulations conflicting with this standard will be superseded by this

standard unless otherwise specified in this document.

4 Triggers and Objectives for Safety Audits

4.1 Audit Triggers:

There are several triggers for audits against regulated entities. These include but are not limited to:

- Safety issues; - certification audit/ Change in privileges - Systemic changes within organisations - Regulatory changes; - Complaints; - ROSI/ VORSY reports - Non-compliance history; - Periodic and/or risk based audit Program


4.2 Audit Objectives:

- Ascertain whether the organisation has conducted, and is likely to continue operations in accordance with the requirements, relevant operating regulations, procedures etc..

- Ensure that all changes in the applicable regulations, Approval Certificate or otherwise any improvements in operating procedures, are put into practice and reflected in amendments to the appropriate manuals

- Provide the GCAA the opportunity to recommend and implement regulatory or policy changes, if the surveillance program indicates such action would result in improvements in operating safety standards in general.

- Resolve safety issues through the implementation of containment, preventive, corrective and, if necessary, enforcement actions.

5 Audit Phases:

5.1 Planning and Preparation:

The audit plan and scope take into consideration, the established audit frequency against each type of organisation as well as the organisation’s complexity, level of performance and risk exposure. Prior to the conduct of the audit, the auditor(s) will gather intelligence by reviewing previous audit records, audit responses, follow up reports, ROSIs, VORSYs, Manuals etc. This may involve looking at records of audits conducted by foreign authorities. Prior to the audit, the lead auditor may request the audited organisation to perform a self-evaluation using the GCAA audit checklist and send the completed checklist back to the GCAA. In this case, the lead auditor – will allow sufficient time for the organisation to complete the self-evaluation by a mutually agreed deadline. 5.2 Audit Notification

At least two weeks prior to the planned date of the audit, a notification to the auditee is sent through Q PULSE confirming the audit date. The notification shall be sent through Q PULSE system AFTER the auditee has indicated acceptance of the audit date, location and scope via conventional means of communication such as a letter or an email. Note:

- For aerodromes & ANSPs, the notification is sent by letter at least 30 days prior to the date of the audit.

- The two-week prior notification does not apply to unscheduled audits which are done on ad-hoc basis.


5.3 Opening Meeting:

Organisations shall ensure the required personnel are available and if required be present at the opening meeting as requested by the auditor. The purpose of the opening meeting is to:

- Explain the purpose, plan and scope of the audit. - Introduce different representatives from both sides - Confirm personal safety and security arrangements - Confirm that the resources and facilities needed by the audit team are available; and any other

important points as deemed necessary by both parties Auditees are not encouraged to show video demonstrations during opening meetings unless, in the view of the lead auditor, such demos will contribute positively to the audit. 5.4 Conduct of the Audit

Prior to the beginning of the audit, the auditee shall provide access passes to the auditors and provide

necessary protective clothing/safety gear if needed.

The task of the auditor is to verify compliance/ conformance with audit criteria Where available, the auditor shall use GCAA audit checklists available on the website but this does not prevent him from looking at areas not included in the checklist. The auditee is responsible for providing access to all records, personnel, documentations, information, data, reports etc… to the auditor(s) (Ref to CAR PART 3 Chapter 9). The auditor(s) shall collect audit evidences (supporting conformance or non-conformance) through activities such as, but not limited to:

- Interviewing personnel, - Examining records, - Reviewing documents, - Inspection of facilities and technical inspections and - Assessing environment and conditions.

The auditor shall have the right to be provided with hard or soft copies of evidences as well as photos. For team audits, the audit team may dedicate specific times to hold regular team meetings to discuss the progress of the audit and agree on the findings prior to presenting the findings to the auditee. For audits that take longer than one day, the auditee may request the lead auditor to hold a debriefing meeting by the end of each day to promptly address identified issues.


5.5 Evaluation of Results

The Auditor shall conduct an evaluation of the audit results to establish which findings or areas of improvement (recommendations) are reportable. A finding shall be cross-referenced to the audit criteria. A finding is categorised as either Level (1) or Level (2) . A Level (3) is a recommendation as per the definition in this section. 5.5.1 Level (1)

A significant non-compliance, which poses a hazard to aircraft operational safety or lowers safety standards, For training organisations it also includes any significant non-compliance with aviation training and examination standard. This category shall require immediate corrective or containment action by the organisation, failure of which shall result in limitation, suspension, or revocation of the certificate, authorisation or licence. Depending on the seriousness of the finding and its impact on safety, the auditor may give the organisation up to 7 days to implement the corrective action, or the containment action. If the Level (1) is confirmed, the lead auditor shall determine if the situation may require an enforcement action and follow enforcement procedures as per GCAA Policy. Where a particular Level (1) finding requires an action on the spot, such as grounding an aircraft, the Auditor shall notify verbally, followed by email to the organisation pending finding notification from Q PULSE. Note: Examples of cases requiring enforcement actions could be: violation against Federal Law offence creating provisions, demonstration of gross negligence, incompetence, or evidence of willful act, sabotage, failure to give the GCAA access to the organisation’s facilities or record, falsification of documentary evidence, malpractice or fraudulent use of the organisation or personnel certificate/ approval Note: in Q PULSE, the date of level (1) finding is the actual date of the discovery of the finding, not the date the report is raised on Q PULSE. Note: a non-compliance with the Civil Aviation Law, certification requirements, violation of the terms and conditions of the approval certificate or licence, evidence of system failure and repeated level 2 findings, shall fall under level 1 finding. The foregoing are only examples. 5.5.2 Level (2)

A non-compliance which could hazard the aircraft operational safety or which could lower safety standards, For training organisations, it also includes non-compliance with aviation training process which could lower training and examination standard. For Level (2) finding, the default closure timeline is 60 days from the date the finding is raised in Q PULSE. The auditor, based on his judgment, may reduce the target timeline to 30 days for the closure of the finding. Alternatively, he may extend it beyond the default 60 days based on his judgement.


5.5.3 Level (3)

Recommendations addressing: opportunities for improvements or minor deficiencies which may lead to potential non-conformances. These recommendations warrant attention; or action as deemed by the auditor. For Level (3) recommendations, which require an action, the default closure timeline is 90 days from the date the recommendation is raised in Q PULSE. The auditor, based on his judgement, may extend the closure date beyond the default 90 days. For Level (3) recommendations which need attention as deemed by the auditor, it is enough for the auditee to take note of the recommendation. 5.5.4 Findings levels timelines:

Finding level Timeline for auditor to raise in Q PULSE*

Timer starts for closure Timeline for completion of actions*

Level (1) 5 From the date the finding was discovered

7

Level (2) 15 From the date the finding is raised in Q PULSE

60

Level (3) 15 From the date the finding is raised in Q PULSE

90

*calendar days Note: the timelines for completion of actions may be changed by the auditor as stated in section 5.5 Note: the subset timeline of each finding (Corrective action, root causes, preventive action) shall be set by the auditor in the system. Note: Failure to respond to findings may result in enforcement action or putting the organisation under ONP

5.5.5 Closure of Initial Certification Audit of Organisations

In case of certification audits of an organisation applying for GCAA approval, the organisation will be granted 3 months to close the audit findings regardless of the finding levels. The auditor may grant 1 additional month extension to close the findings provided a proper justification is submitted. If the organisation fails to close the findings within the given period, the lead auditor will close the audit making a remark of an unsatisfactory audit response. Based on GCAA decision, such an organisation may undergo a new certification audit should it require to pursue the approval/ certification request


5.6 The Closing Meeting

Organisations shall ensure the required personnel are available and present at the closing meeting. 5.6.1 Purpose of the Closing Meeting:

- To continue the communication process with the assessed organisation’s management and to provide the results of the audit, together with any conclusions made.

- To ensure that the organisation’s management is aware of and fully understands the findings and associated implications.

- To give the auditee the opportunity to clarify points raised by the auditors and discuss the results and clarify or agree on timelines for closure.

- To mark the end of phase 5.5. Note: the agreed timelines shall be set in the system upon raising the findings. 5.6.2 Resolution of Differences between Auditor & Auditee

Where there is unjustifiable objection from the auditee against the validity of a finding, the finding shall still be raised and; auditee objection shall be noted in Q PULSE. Final decision of correct interpretation of audit criteria shall rest with the GCAA. 5.7 Notification of Audit Findings

The auditor shall provide the organisation with a formal report ( audit summary and details of the findings ) generated through Q PULSE within the timelines specified in the table in section 5.5 Note: for aerodromes, a Q PULSE report is produced and printed off for signature by the auditee, auditor and GCAA Section Manager. (The signature indicates that the accountable person agrees that the non-compliance and non-conformance set out in the report have been acknowledged). 5.8 Response to Findings

The auditee shall provide responses to the findings through Q PULSE addressing corrective action and preventive action including identification of root causes.

5.8.1 Additional Actions

- If any response the finding was not to the satisfaction of the auditor, the auditor shall reject the response and request further actions.

- The auditee shall upload the required evidences as proof of actions taken. - The auditee may insert corrective action plans for those items requiring a long-term

implementation time. Corrective action plans on their own do not qualify the findings for closure. -


5.9 Follow-up Actions

The auditor may plan a follow-up audit (mid-audit review) as appropriate to verify that the corrective actions are satisfactory completed. 5.10 Closure of the Audit

When follow-up visits are made (if required) and the corrective actions are found acceptable and implemented then the audit report is considered closed. Upon closure, the auditee will receive a closure notification from Q PULSE. 6 On Notice Program ONP

Occasions may arise when the GCAA detects unchecked trends in some operations that indicate safety standards are deteriorating. If left unchecked, this could lead to a situation whereby the GCAA is no longer satisfied as to the holder of a Certificate/Approval/Licence/etc. In such circumstances, the GCAA will take action in a consistent manner that makes it clear to the holder of a Certificate/Approval/Licence what must be undertaken to recover the situation. The GCAA will also make clear what the consequences are, should the organisation fail to adhere to an agreed recovery plan. It is important to recognise that every case is different and, consequently, will be judged on the individual circumstances. 6.1 Cases Leading to ONP

6.1.1 Cases that could lead to putting an organisation under ONP may include:

- Approaching economic failure (sustained periods when revenues do not cover costs), insolvency (inability to meet obligations when due), bankruptcy and failure by owners to provide sufficient funds to support the operation

- legal prosecution/disputes in the court - Level 1 Findings; - Repetitive Level 2 Findings and failure to identify root causes of findings or a ‘sticking plaster’

approach to findings; - Significant incidents, together with a failure to properly investigate and deal with the root causes; - An increasing number of incidents, indicating an underlying systemic failure; - Poor attitude to compliance; - Unstable/ineffective management. - Unresolved aspect of non-compliance by the approved organisation either in substance or within

the agreed timeframe or agreed extended timeframe acceptable to GCAA, Note: The GCAA may require to conduct audits and/or investigations in order to verify above trends and take decision.


6.2 ONP Notification and Required Action

If the organisation is confirmed to be under ONP, the organisation’s management will be notified by GCAA. 6.2.1 Notification

Upon receiving ONP notification from GCAA, the organisation shall submit a recovery plan. 6.2.2 Monitoring

The GCAA will closely monitor the general performance of the organisation and its adherence to the recovery plan.

- - The recovery plan shall describe the “who, what, where, when and how”. The recovery plan shall provide deliverables that can be measured, including specific timescales. The submitted recovery plan will be subject to GCAA review and acceptance.

- - Failure to submit/adhere to the recovery plan to GCAA, may result in enforcement action 6.2.3 Standardisation Audit

Organisations under ONP may be subject to Standardisation Audits 6.2.4 Lifting an organisation from ONP

If the organisation carries out satisfactorily the recovery plan, it shall be lifted from the ONP

6.3 Cases where Immediate Action is Required Instead of ONP

In the event that a serious safety deficiency is detected by GCAA, the auditor shall take immediate action without placing the organisation under ONP. Note: this means that there is now no doubt that the organisation has lost the GCAA’s confidence in its ability to secure a safe operation. Note: The immediate action taken shall be that required to contain the hazard. This may include suspension.