When considering aviation compliance, our first question should be: compliance with what? In other
words, which regulations and standards do we have to comply with?
While applicable regulations are mandatory per se, industry standards become mandatory only if we
make that a business decision.
In Europe, each aviation certificate is related to certain EU regulations, and compliance with the
applicable parts must be maintained in order to keep the related certificate.
For example, an Air Operator Certificate - AOC is related to applicable parts of (EU)
No.965/2012 Air Operations (e.g. Part-ORO, Part-CAT, Part-SPA), or an Approved Training Organisation
- ATO to applicable parts of (EU) No.1178/2011 Air Crew (e.g. Part-ORA).
EU REGULATION - HARD AND SOFT LAW
EU aviation regulation is prepared by EASA and can be divided into two parts:
which goes through the parliamentary approval process and is published as Commission
Regulations (with a unique ID in the form EU No. YYYY/NNNN) and signed by the President of the
Commission. Hard Law (also called binding law) defines requirements about WHAT have to be
in the meantime waits at EASA for Hard Law to be published in the EU Official Gazette. After
that, Soft Laws are issued by EASA in the form of ED Decisions (Executive Director Decision, signed by
the EASA Executive Director) to complement the Hard Law. Soft Law is called non-binding and is therefore
frequently wrongly considered by non-operations managers and lawyers as non-obligatory. To make
the use of these rules more practical, EASA usually publishes a document called Easy Access Rules,
where both hard law and soft law are listed together under the appropriate sections.
While hard law specifies WHAT, soft law defines HOW regulatory requirements should be fulfilled, in
the form of related Acceptable Means of Compliance - AMCs and Guidance Material - GMs. The term
»should« is used for legal and logical reasons, to allow operators to select either the AMCs advised by
EASA or to propose their own alternative means of compliance.
Audits are conducted to evaluate and demonstrate an organization's level of compliance with a certain
regulation or standard. Basically, there are two different approaches to organising and
performing audits: the administrative-based approach and the process-based approach.
The administrative-based approach is focused on regulation. For each regulation a corresponding audit
is defined, where the auditable items are actually a list of all regulatory requirements.
Auditors go through the list and check for each auditable item whether the requirement is documented
and how it is implemented. (Only documented Yes and implemented Yes results in compliance Yes.)
In this approach relations between regulatory requirements and auditable items are very clear (one-to-
The advantage of this approach is that audits can be prepared very quickly with very few resources,
especially in cases where the standard/regulation is well documented (like the IOSA Standards Manual or
EASA Easy Access Rules).
The disadvantage is that although the “Compliance Big Picture” is easy to evaluate and maintain,
focusing on a single tree may result in not seeing the forest. Another disadvantage is that such audits
refer to only one regulation or standard. Therefore, for departments subject to more than one
regulation or standard, multiple audits have to be conducted, often evaluating the same processes.
The process-based approach is focused on the organisation’s processes. For each process an appropriate
audit is defined, where the auditable items are focused on related activities and documents AND LINKED
to the regulatory requirements applicable to those activities.
The advantage of this approach is that audits are organised in a more logical and more
understandable format, enabling the auditor to be focused on how the process is actually performed
and how required regulations are documented and implemented through the process activities.
This approach also reduces the number of required audits, because one audit may cover more than
one regulation, especially beneficial where two or more regulations/standards are covering the same
In this approach the company needs to create its own system of audit items and connect them to
the applicable regulatory requirements. Consequently, in the opposite direction, the relations between
regulatory requirements and audit items are not so clear, and it is therefore more difficult and
time-consuming to demonstrate compliance in practice (e.g. to the NAA).
The biggest disadvantage of this approach is that more experienced staff are needed to
prepare questionnaires, because auditable items should cover process activities and related
Based on the size and complexity of the organization, each company may find an appropriate
combination or compromise between these two opposite approaches. But in any case we need to
assure that we are compliant on paper (Documented) and compliant in practice (Implemented),
having in mind also the consistency of our Policies, Processes, Procedures and Plans.
Findings are defined inside the audit. The finding description shall be as accurate as possible, to
provide the auditee with reliable information for identifying the root cause and for defining the appropriate
Corrective Action Plan - CAP. It will also make the auditor's life easier at CAP approval and at follow-
For each finding, a related safety risk assessment should be performed by the auditor. Different
methods can be used for this purpose: categorization (safety hazard, major non-compliance,
non-compliance, concern, observation); the classic ICAO 5 x 5 matrix; or at least a simple red/yellow/green risk
level. The result of the assessment shall be taken into account when defining the due date for the CAP and the due
date for the Corrective Action - CA.
The awareness of audited managers of their responsibility to establish and maintain compliance
shall finally result in their understanding that on-time CA accomplishment also means on-time
restoration of the related compliance. A follow-up audit should be conducted by the auditor to confirm the
Aviation Compliance is not a Quality Management System!
ICAO limited the use of the term Quality Management System - QMS to standards related to
customer satisfaction (e.g. ISO 9001 and related specialized standards).
EASA eliminated the term
“Quality” from European aviation regulations in 2014 and required a “Management System” to be
established instead of a “Quality System”, taking one step further towards an Integrated Management
System - IMS, where safety management is considered a part of the management system and not in
A typical integrated management system includes a Safety Management System - SMS,
Security Management System - SeMS, Quality Management System - QMS, Environmental
Management System - EMS and Occupational Health and Safety Management System - OHSMS.
Compliance is the responsibility of operational managers, especially of those with executive power. The
responsibility of the Compliance Manager (and auditors) is the monitoring of compliance. In EU-based
airlines, the Compliance Manager shall be independent and may be subordinated directly only to the
Accountable Manager or to the Safety Manager.
So how compliant are we with a certain regulation or standard? Theoretically the answer should always
be 100% (or 10 of 10), but that might easily be understood as “too good to be true”. Therefore at least
“taking into account that all audits and findings are managed in a timely manner” should be added.
Personally I prefer a graphical overview of each applicable regulation or standard with a coloured list
of all hard-law and soft-law requirements based on status: Green (Compliant), Red (Non-Compliant),
White (N/A - Not Applicable). Good software solutions should be able to display the evidence and to
generate the requirement status automatically based on recent audit results and related finding(s) status.
Compliance management is an ongoing process, as our compliance status may change on a daily
basis because of new audit results, new corrective actions performed, new finding statuses and new
Despite the fact that it is usually considered by SMS as only one safety barrier, compliance is a very
important and mandatory (SHALL HAVE) barrier, because it provides stability of the organization
Aviation Safety and Compliance Consultant