UNCONTROLLED IF PRINTED TERHAD

PU 2103

TECHNICAL AIRWORTHINESS MANAGEMENT MANUAL

SECTION 1 LEAFLET 5

COMPLIANCE ASSURANCE
INTRODUCTION 1. All organisations responsible for the conduct and/or management of engineering or maintenance applied to State aircraft and aircraft equipment and all organisations performing engineering or maintenance on behalf of the Services (SAOs) are to comply with the regulations contained in Section 2. In order to regulate compliance, the TAR requires that compliance assurance activities be conducted, including both initial evaluations and ongoing surveillance. Compliance assurance covers a range of activities, of which the auditing function is just one tool. PURPOSE 2. The purpose of this chapter is to describe the TARs compliance assurance requirements for the management of technical airworthiness by the Services, and how these activities are to be applied to all engineering and maintenance conducted by, or on behalf of, the Services. SCOPE 3. This chapter applies to all organisations responsible for the conduct and/or management of engineering and maintenance applied to State aircraft and aircraft equipment, and all organisations performing engineering and maintenance on behalf of the Services. DEFINITIONS 4. Definitions relevant to Section 1 is in a glossary contained in this TAMM. All definitions pertaining to the regulations in Section 2 are contained in that section and as such are to be considered as regulatory in nature. COMPLIANCE ASSURANCE CONCEPTS 5. that: Compliance assurance is the system by which the TAR assures himself or herself

a. an organisation seeking authority is capable of complying with the regulatory requirements, and b. organisations with existing authority are continuing to satisfy the regulatory requirements.

www.dgta.gov.my

1.5 - 1 of 7 TERHAD

Rev 1 July 2013

UNCONTROLLED IF PRINTED TERHAD

PU 2103

6. There is no one method for undertaking compliance assurance; rather there are a number of tools available. The method of compliance assurance for a particular organisation must be tailored to meet the specific circumstances that apply to that organisation. Tailoring of Evaluations 7. Compliance assurance activities range from desktop reviews of documentation through to formal on-site auditing. Clearly the type and frequency of compliance assurance activities needs to be tailored by the agency responsible for the planning and conduct of the evaluation, to reduce the impact on the organisation being evaluated while at the same time providing full confidence that the TARs regulatory requirements will be met. The intent is to balance the risk to the SAO versus the resources required to ensure compliance. Factors to be considered in tailoring compliance assurance activities are provided in paragraphs 8 through 13. 8. Level and Scope of Activity. The level and scope of the activity to be performed by the organisation will largely dictate the types of compliance assurance activities. For example, an organisation performing maintenance on a simple component within wellprescribed guidelines may only require limited compliance assurance evaluation. Conversely, an organisation assigned authority to perform complex and critical engineering design development, review and approval will require a rigorous compliance assurance program. 9. Existing Contracts and Agreements. Existing contracts and agreements between the SAOs (RMAF/RMN/Malaysian Army/UUBPM/MMEA) and the organisation, particularly for like services and activities, may modify the level of compliance assurance required. The agency responsible for the planning and conduct of any evaluation may link compliance assurance activities with those conducted by other SAO organisations. 10. Existing Certifications. Existing certifications by other recognised airworthiness authorities (as defined in Section 2), quality system certifying bodies, Original Equipment Manufacturers (OEMs) and major fleet operators may influence the level of compliance assurance required. For example, little value may be achieved by the SAO performing an on-site audit of a major OEM which designs and produces aircraft for the US military, and is subject to frequent review by the US Department of Defence and/or the Federal Aviation Administration. 11. Previous SAO Experience. SAO experience in past dealings with the organisation, particularly for similar activities, will also assist in the determination of the types of compliance assurance required. Clearly, an organization that has established a reputation with the RMAF for reliable and competent performance will be subject to differing degrees of compliance assurance to an organisation with which the SAO has had no prior dealings. 12. Organisational Stability. The inherent stability of an organisation, both with respect to its structure and management, and the personnel employed, will impact the type and frequency of compliance assurance required. Any significant restructure of an organisation or changeover of key personnel will generally require the implementation of a revised compliance assurance evaluation. 13. Volume. The volume of work performed by the organisation (not to be confused with monetary value) must be considered in tailoring compliance assurance activities. An www.dgta.gov.my 1.5 - 2 of 7 TERHAD Rev 1 July 2013

UNCONTROLLED IF PRINTED TERHAD

PU 2103

organisation performing a large, stable volume of simple tasks will require different compliance assurance methods to an organisation performing intermittent, complex functions. Compliance Assurance Tools 14. There are many tools available for undertaking compliance assurance. In general, a combination of some or all of these tools is required to evaluate compliance. The method of compliance assurance to be undertaken, and the tools to be used, will be determined by the agency responsible for the planning and conduct of the evaluation, or as mandated by the TAR. Some of the more common tools for compliance assurance are briefly described in paragraphs 15 through 19. 15. System Level Review. The system level review is generally a desktop review of an organisations structure, personnel, management plans and procedures to determine the potential for compliance with regulatory requirements. A system level review is normally conducted prior to assignment of authority to an organisation. Continuous review of an organisations management plans and procedures is also an important component of ongoing compliance assurance. 16. Quality Assurance/Product Review. Quality assurance involves the inspection or review of an organisations products and services, usually undertaken on an ongoing, sampling basis. The purpose of reviewing individual products is to monitor quality, and adherence to regulations. Incremental sampling of an organisations management systems and procedures can also be undertaken as an alternative to discrete audits. Ongoing quality assurance and product review requirements are included within the regulations in Section 2. 17. Performance Measurement. Performance measurement activities can prove a useful tool in compliance assurance. If appropriate indicators are chosen and monitored, they can provide an early indication of quality or procedural problems, allowing prompt intervention to ensure continued compliance. 18. Second Party Reviews. In conjunction with other tools, reviews of other partys inspection and audit results can be a useful tool in compliance assurance. Other parties include recognised airworthiness authorities (both civil and military as defined in Section 2), major OEMs and quality system certifying bodies. 19. Audits. Formal audits are one of the most structured and visible methods of compliance assurance. Audits can be carried out off-site or at a desktop level, however usually involve an on-site audit conducted by a team of trained auditors. Audits generally fall into two categories, Initial and Surveillance. They are covered in more detail in paragraphs 28 through 36. COMPLIANCE ASSURANCE MODELS 20. The tailoring of evaluations must not, for reasons of expediency, compromise the rigour required for adequate compliance assurance. Therefore, the method of compliance assurance selected for a particular organisation will be tailored from one of two baseline models. The obligation is on the evaluation agency to justify departures from the model based on the circumstances of the relevant organisation. The two baseline models are for a www.dgta.gov.my 1.5 - 3 of 7 TERHAD Rev 1 July 2013

UNCONTROLLED IF PRINTED TERHAD

PU 2103

developing organization (the standard model given most organisations state of development) and for a mature arrangement. Standard Compliance Assurance Model 21. Many organisations responsible for the conduct and/or management of engineering and maintenance applied to SAO aircraft and aircraft equipment will fall into the standard model for compliance assurance as outlined in Figure 61. Tailoring of the methods and tools used is allowed, however the intent of the approach outlined below must be met and will be monitored by the TAR.

Preliminary Evaluation Initial System Audit Review potential for compliance

Initial Compliance Evaluation Initial Compliance Audit Assignment of organization authority

Ongoing Compliance Evaluation Regular system level review Ongoing quality assurance/product reviews Performance measurement Regular audit program

Trigger Events Special Reviews Special Audits

Figure 61 Standard Compliance Assurance Model 22. The frequency of system level reviews and audits will be tailored according to the factors listed at paragraphs 8 through 13. A trigger event is an occurrence such as an organisational change, change of key appointment, change of level and scope of activity, or unsatisfactory findings of regular product reviews requiring the implementation of specific compliance assurance techniques. Mature Compliance Assurance Model 23. In some circumstances the organisational stability and maturity may allow highly modified compliance assurance methods. This arrangement will only occur when the organisation has been stable for a significant period, and has demonstrated long-term reliability in dealings with the SAO. Under these circumstances the TAR may approve the use of the following compliance assurance model Figure 62.

www.dgta.gov.my

1.5 - 4 of 7 TERHAD

Rev 1 July 2013

UNCONTROLLED IF PRINTED TERHAD

PU 2103

Ongoing Compliance Evaluation Regular system level review Ongoing quality assurance/product reviews Performance measurement Regular audit program

Trigger Events Special Reviews Special Audits

Figure 62 Modified Compliance Assurance Model 24. In the above model, regular on-site audits are replaced by ongoing reviews. The TAR would only approve this approach if the ongoing review program were comprehensive, structured and proven. COMPLIANCE ASSURANCE RESPONSIBILITIES 25. DGTA. DGTA staff will be responsible for, on behalf of the TAR, providing guidance for the conduct of compliance assurance activities, including the tailoring of these activities. Compliance assurance of all Service organisations involved in the conduct and/or management of engineering and maintenance applied to State aircraft and aircraft equipment will be carried out by DGTA staff. 26. Responsible Agency. SAO agencies that propose to purchase engineering services from a commercial organisation will be responsible for compliance assurance of that organisation, using a method approved by the TAR. This will include the development and promulgation of a compliance assurance program. Commercial providers of maintenance services will normally be subject to compliance assurance by DGTA staff. 27. Authorised Organisations. Organisations involved in the conduct and/or management of engineering and maintenance applied to State aircraft and aircraft equipment are responsible for maintaining systems fully compliant with the TARs regulatory requirements in Section 2. Any significant changes to organisational structure, management plans, procedures or key personnel are to be notified to the TAR through the SAO sponsoring agency. COMPLIANCE ASSURANCE AUDITS 28. Audits are an important tool of compliance assurance, which will usually be applied to developing organisations. They will be conducted within DGTA guidelines, to an approved schedule in order to confirm an organisations compliance with the TARs regulatory requirements. Service organisations and commercial maintenance organisations will usually be subject to regular audits by DGTA staff. Commercial engineering organisations may be subject to audits by the sponsoring SAO agency depending on the level of compliance assurance required by the TAR. The two main types of audit, Initial and Surveillance are described more fully below. www.dgta.gov.my 1.5 - 5 of 7 TERHAD Rev 1 July 2013

UNCONTROLLED IF PRINTED TERHAD Initial Compliance Assurance Audits

PU 2103

29. During the initial evaluation of organisations, the emphasis is on gaining assurance that the organisation has the necessary expertise, data and management procedures to meet the TARs regulatory requirements. The complexity and scope of the audit will be determined after consideration of the factors detailed at paragraphs 8 through 13. The structure of an initial compliance assurance audit generally follows three phases, as described in paragraphs 30 through 32. 30. Initial System Audit. The initial system audit is an evaluation of the organisations structure, personnel, capabilities and management plans in order to determine the potential to meet the TARs regulatory requirements. Major components of the initial system audit include: a. b. desktop evaluation of management plans and relevant procedures; familiarisation visit to evaluate equipment and facilities (if required);

c. documenting any inadequacies found, and setting requirements for rectification; and d. upon satisfactory resolution of all issues, seek formal acceptance of management plans from the TAR. 31. Initial Compliance Audit. The initial compliance audit is an evaluation of the organisations practices and procedures, against the specific requirements of the authority to be assigned, in order to ensure compliance with the TARs regulatory requirements and to enable assignment of authority. Initial compliance audits are normally conducted on-site, and include: a. b. preparation of audit plan, nominating audit team and notification to auditee conduct of initial audit and reporting on areas of non-compliance; and

c. upon satisfactory resolution of non-compliances, provide a recommendation to the TAR regarding the suitability of the organisation for assignment of authority. 32. Post-Audit Action. Assuming that all issues arising from the initial compliance audit have been resolved, and the TAR has agreed to the assignment of authority, the following actions are taken: a. arrange promulgation for assignment of organisational authority;

b. formulate and document compliance assurance methods including details on performance measures, product reviews and any audit program; and c. monitor changes to management plans and procedures, and implement compliance assurance program. www.dgta.gov.my 1.5 - 6 of 7 TERHAD Rev 1 July 2013

UNCONTROLLED IF PRINTED TERHAD Surveillance Compliance Assurance Audits

PU 2103

33. During the surveillance evaluation of organisations, the emphasis shifts to gaining assurance of compliance with approved plans and procedures, as well as achieving satisfactory levels of performance. Objective and documented evidence of compliance can be sought. Once again, the complexity and scope of the audit will be determined after consideration of the factors detailed at paragraphs 8 through 13. The structure of a surveillance compliance assurance audit generally follows three phases, as described in paragraphs 34 through 36. 34. System Audit. The system audit is an evaluation of the organisations structure, personnel, capabilities and management plans to ensure they remain relevant and suitable for the level and scope of authority assigned to the organisation. Major components of the system audit include: a. desktop evaluation of management plans and relevant procedures; and

b. documenting any inadequacies found, and setting requirements for rectification. 35. Surveillance Compliance Audit. The surveillance compliance audit is an evaluation of the organisations practices and procedures, against the specific requirements of the authority assigned, in order to seek objective evidence of compliance with the TARs regulatory requirements. Surveillance compliance audits are conducted onsite, and include: a. preparation of audit plan, nominating audit team and notification to auditee;

b. conducting audit, seeking objective evidence of compliance, and reporting on areas of non-compliance; and c. upon satisfactory resolution of non-compliances, provide a recommendation to the TAR regarding the suitability of the organisation for retention of assigned authority. 36. Post Audit Assessment. Assuming that all issues arising from the surveillance compliance audit have been resolved, and the TAR has agreed on the retention of assigned authority, then the ongoing evaluation continues using previously defined and documented compliance assurance methods.

www.dgta.gov.my

1.5 - 7 of 7 TERHAD

Rev 1 July 2013