Airports and airlines are required to conduct a triennial audit of the entire quality assurance program, calculated from the initial audit, or a series of audits conducted at intervals set out in their manual. There are two phases to a line-item audit. The first phase is a static regulatory compliance, which includes manuals, documents and records. A regulatory compliance audit is in a static environment, without movements or operational tasks. An example could be the runway surface inspection required by an airport stating that this will be done whenever there are changes to the runway conditions, such as snow, slush or standing water etc. This statement conforms to regulatory requirements. However, the important part is that processes in an operational environment also conforms to regulatory compliance. The second phase is process compliance.
A process defined in the safety management system (SMS) manual, are processes that are consistent with regulatory compliance. An example could be the runway surface condition, where the manual conforms, the process described in the operations plan conforms, and records verify that the process was completed, and result submitted. Records requirement for an airline or airport is that their recording systems which do not comprise entries on paper, including computer records, may be used to comply with the record-keeping requirements if measures are taken to ensure that the records contained in the recording systems are protected, by electronic or other means, against inadvertent loss or destruction and against tampering, and a copy of the records contained in the recording systems can be printed on paper.
Conducting a line-item audit begins with an audit of how an SMS enterprise recording systems are protected against inadvertent loss or destruction and against tampering, and if a copy of the records contained in the recording systems can be printed on paper. Paperformat systems written in ink maintain compliance to what level they conform to pre-established process for production sequence verification and the legibility, and includes production date and time. An electronic spreadsheet may be tampered with and may not be compliant unless there is an ongoing hourly or daily, depending on size and complexity, quality control of the system. Electronic systems stored and managed by a general internet technology manager, may have issues interfacing with operations in a secure environment and open the doors for tampering. Several SMS Enterprises make statement to the effect that nobody in their organization will tamper with SMS documentation. While this is true, two reasons to include tampering in the regulation is to preserve the integrity of SMS and in a representative sample of the population tampering happens, and titles or positions are not excluded from the population sample. A cloudbased third-party managing the SMS is the most reliable document and records storage and retrieval process, as long as the third-party is authorized by the accountable executive (AE) and included in their operations manual. Otherwise, it is possible for an operator to lose all data in the blink of an eye and operate with a non-conforming SMS. Non-conforming documents and records processes does not affect the rest of the audit, since an internal audit, or third- party independent audit are not regulatory findings, but are observations or opinions of non-conformances. The regulator is the only body with the authority to issues regulatory findings. An accountable executive may elect to temporarily pause the audit until a satisfactory result of the process integrity has been established.
An accountable executive is a person appointed to be responsible to the regulator for meeting the requirements of the regulations on behalf of the certificate holder. It is not an SMS manager, QA manager or airport manager who is responsible, it is the accountable executive. There is no personal liability associated with the position of an accountable executive as this individual represents the certificate holder. The certificate holder retains all liability for non-compliance with the regulations. At airports where the airport manager is the certificate holder, the airport manager may have accepted this liability. The appointment of an AE does not create an additional burden for operators, as the certificate holder has always been responsible for compliance. The appointment of an AE is primarily a matter of identifying the senior individual who will discharge the certificate holder’s responsibilities, and particular, lead the necessary cultural change.
With the appointment of an AE, a line-item audit becomes an audit of the accountable executive as opposed to an audit of the certificate holder. The outcome remains the same, but with an AE there is one person who is required to answer to internal audits, or regulatory findings. A third- party internal audit are observations and opinions only, while upon sharing an internal audit with the regulatory authority they become findings since the regulator is required to address any safety concerns reported to them.
When the SMS was first implemented by a regulatory requirement, an SMS enterprise was informed that the only responsibility for an accountable executive was to have control of the financial and human resources that are necessary for the activities and operations authorized under the certificate. However, control of financial and human resources are available resources to an accountable executive and are conditions a certificate holder must include in the AE job description to meet the requirements of the regulations.
The line-item audit tool is a tool available to verify that an accountable executive has their systems in place to ensure regulatory compliance. The first part of a line- item audit is to audit manuals for compliance. A manual makes references to standards, policies, processes, procedures, or acceptable practices, which also are audited by a line-item audit. A line-item audit is the most comprehensive and detailed audit available. Manuals and related references are audited in a static environment where an audit match manual text to regulatory references. The next step is the process audit, or to establish what level of regulatory compliance an SMS enterprise operates at. These levels are not scaled levels, but are levels to what deviation from expectations their processes produces. Visual levels of conformance may be published by SPC control charts. A successful SMS includes expectations of outputs defined by the operator. A process without an expectation is only a wish for anything to come true.
A daily quality control system is a requirement for the accountable executive to meet the requirements of the regulation. Without daily knowledge of processes and systems performance, the AE does not have a tool to verify compliance. A simple way to look a this, is to compare SMS performance to cashflow performance, which is closed out daily. A daily quality control system include links in processes to conform to regulatory requirements. With this link, and when a process performs as expected, the regulatory requirement is met. This does not imply that the process cannot be changed but is to monitor if current processes are conforming.
A line-item audit of documents and processes is a supreme tool to ensure that the AE maintain compliance. The beauty of a line-item audit system is that future audits focus on changes in documents and processes. System compliance and monitoring are key factors to maintain a healthy safety management system.