Module 13 Oversight Assessment of Auditor Authentication Bodies February 2015

Module Summary In this module we will discover: All about Auditor Authentication Bodies (AAB) Requirements for AAB’s 9104-001 as applicable to AAB’s (Section10) 9104-003 How to conduct AAB Oversight Office Assessment including 9104-002 Form G

9104 Series Requirements for AAB’s We will examine the following requirements in 9104-001 Section 10 - “Requirements for Auditor Authentication Bodies” We will also review requirements in 9104-003: Section 5 – Aerospace Auditor Competency Section 7 – Requirements (for the AAB) Section 8.1 – Maintenance (of authentication) Section 8.2 – Withdrawal of authentication Each SMS or CBMC has it’s own procedures to control the process of authentication of auditors Note: 9104-002 Form G questions will be referenced (Gxx)

Auditor Authentication Bodies: Auditor Authentication Bodies (AABs) May be part of the SMS or CBMC, or Subcontracted to an independent organisation (G6) Similarly, AAB authentication decision making can be: (G15) Delegated to the AAB Retained by the SMS or CBMC In either case AABs are subject to oversight annually Oversight of AABs is described in 9104-002 clause 7.8 Oversight of the AAB is to be conducted independently and objectively using OP Assessors that are not part of the process Have you been authenticated by the AAB you have been asked to oversight?

Section 10: Auditor Authentication Bodies: 9104-001 Section 10: Auditor Authentication Bodies: AAB is responsible for the authentication and re-authentication of AQMS Auditors and must comply with 9104-003 requirements (G11) Authentication is only for AQMS Auditors grade AA or AEA AAB agrees to periodic oversight and access to records (G7) The AAB has to have a documented management system for authentications but not to any specific standards and includes: (G1) AAB to work a process for authentication includes evaluation of each application against 9104-003 requirements (G2-3) (G12) Auditor applicant disclosure of any previous applications, authentications or rejections (G18) Records to be kept for 2 authentication cycles (G35) ISO/IEC 17024 referenced as guidance material only

Section 10: Auditor Authentication Bodies: 9104-001 Section 10: Auditor Authentication Bodies: The AAB documented management system includes (continued): A person with aviation, space or defence knowledge to support AEA authentication decisions (G32-33) Requirements for independence of authentication decisions (i.e. no conflicts of interest) and communication of decision to applicant (G34) Auditor complaint and appeal processes including feedback to originator within 60 calendar days (G8-9) (G27) Process to address auditor competency feedback and sector recommendations for withdrawal of authentication (G25-26) (G28) Prevention of re-application for 12 months after withdrawal unless due to inactivity or lack or renewal (G14) Entry to OASIS of authentication data (G16) (G30) Recognition of AQMS auditor authentication in other sectors Note: Does not imply ability to transfer authentication

Scope of 9104-003: 9104-003 provides the minimum requirements (Body of Knowledge) for AQMS Auditors who will participate in AQMS Certification activities including the Auditor Authentication process and for training organisations. It is applicable to auditors seeking formal authentication to conduct audits of the AQMS systems under the IAQG and those who manage the competency element of an AQMS audit program and to training organisations.

Section 3: Terms and Definitions: Please read section 3 Specifically note definitions for: Aerospace Experience Auditor (AEA) Auditor Auditor Authentication Body Work Experience (3.16)

Section 5: Aerospace Auditor Competency: 9104-003 Section 5: Aerospace Auditor Competency: There are two different categories of Auditors: Aerospace Auditors Aerospace Experienced Auditors Aerospace Auditors can be AA or AEA for each AQMS standard (9100, 9110 and 9120) Detailed requirements are defined in the 9104-003 standard, Tables 1 and 2 (G13)

Section 5: Aerospace Auditor Competency: 9104-003 Section 5: Aerospace Auditor Competency:

Section 5: Aerospace Auditor Competency: 9104-003 Section 5: Aerospace Auditor Competency:

Section 5: Tables 1 and 2 - Notes: 9104-003 Section 5: Tables 1 and 2 - Notes: If during witness audit a candidate shows insufficient knowledge of aerospace requirements as mentioned under Sec 3.1 & 4.1 of Aerospace specific training course in 9104-003 Appendix A, additional training and/or practical experience will be required. Witness shall be performed by authenticated AEA who themselves have not become qualified via an industry specific training. The witness AEA shall not perform the audit as a member of the assessment team.

Auditor Authentication: 9104-003 Auditor Authentication: Process by which trained and competent auditors become recognised by industry to be able to audit third-party AQMS certification audits 9104-003 section 7 – Requirements: (G2) The Auditor Authentication Body (AAB) must be approved by the SMS (and is visible on OASIS) AAB shall have documented processes and procedures for authentication of AA & AEA. (G2) (G11) The AAB may sub-contract the auditor authentication process to another body, arrangement to be documented and the AAB retains full responsibility for the sub-contracted auditor authentication. (G6) Auditor Authentication Body (AAB):

Section 7: Auditor Authentication Process: 9104-003 Section 7: Auditor Authentication Process: Sections 7.4 to 7.8: Auditors can be authenticated by any AAB Authentications from any AAB are recognised by all other AABs and sectors AAB evaluates an application and submission against 9104-003 requirements for AA or AEA for 9100, 9110 or 9120 Authentication is valid for three (3) years – no extensions! (G19) All authenticated AA and AEA are registered in the IAQG OASIS database.

Section 8: Auditor Re-Authentication Process: 9104-003 Section 8: Auditor Re-Authentication Process: Section 8.1 – Maintenance (G12) (G21-22) Each Auditor (AA or AEA) shall: Participate in a minimum of 4 (four) audits over 3 (three) years Note: Error in EN 9104-003 ‘conducted to the applicable AQMS’ to be ignored Participate in 15 hours of continuing education activities over 3 (three) years in the following: Changes to the applicable aerospace industry standard; AQMS auditing methodologies; Changes to Aviation Authority Requirements Updates or changes to IAQG or Sector policies, criteria and procedures Must apply at least 3 months before expiration to re-authenticate (G20)

Section 8.2: Withdrawal of Authentication: (G23) 9104-003 Section 8.2: Withdrawal of Authentication: (G23) Authentication can be withdrawn if the auditor: The auditor is not fulfilling the 9104 series standard Application for AQMS auditor authentication contains false information The auditor has falsified audit findings The auditor has performed / taken action during an audit activity that will bring the IAQG into disrepute Withdrawal must be supported by objective evidence Decision by AAB ratified by SMS Re-instatement or authentication possible again in the future

Requirements for Auditor Authentication: Also IAQG OPMT Resolutions impact the process: 61: Use of existing work experience for other AQMS authentication 64: Decision-making, withdrawal and impartiality 65: Definition of work experience 79: Correction of publishing mistake in EN 9104-003 91: Clarification of ‘participation’ in an audit 97: Definition of a ‘full’ audit 102: 9104-003 requirements as applied to AB Assessors 109: Clarification to 9104-003 table 2 for Repair and Maintenance trg 111: Process for an AQMS auditor go to another AAB 112: Use of previously submitted audits when applying for AEA 115: Consolidation of AQMS training requirements for AQMS auditors 9104-003 clause 7.3 and 9104-001 clause 10.3 requires each AAB to have documented processes and procedures You will need to take account of all of these requirements when assessing an AAB

EN 9104-003 clause 8.1: Maintenance EN9104-003:2010 Section 8.1 “Maintenance of AEA approval” has been published with an error in the text. The sentence “Participate in a minimum of 4 (four) audits over 3 (three) years conducted to the applicable AQMS” should read: “Participate in a minimum of 4 (four) AQMS standard audits over 3 (three) years.” IAQG OPMT Resolution 79 ensures applicability of the second sentence in EN 9104-003:2010 Requirements for authentication and re-authentication apply to both AA and AEA AQMS Auditors (see 9104-001 clause 6.7c)

AAB Assessment: OP Assessor Requires: 9104-002 Forms Form D – Oversight Nonconformity Record Form G – AAB Assessment Check Sheet Standards and Reference Documents: 9104 series (9104-001, 9104-002, and 9104-003) Sector specific procedures IAQG Supplemental Rules (if applicable) IAQG Resolutions Log AAB procedures Audit Plan Copy of previous oversight reports

AAB Assessment: Conduct the assessment Gather objective evidence that the AAB has implemented 9104 series requirements and is working effectively Follow your audit plan Use checklist for guidance Focus on AAB implementation and activity: Ensure conformance to 9104-002 section 5.3 (Confidentiality and Conflict of Interest) and 9104-003 Review of previous oversight assessment reports including actions taken A review of the last accreditation evaluation (if applicable)

9104-002 Form G Check Sheet: Review the check sheet now: Questions on content?

Assessing Applicant Files: Follow the authentication process Application – form, complete, required information? Evaluation of application against criteria Industry experience valid? Audit logs demonstrate ‘full’ audits? Are certificates of training only from approved courses? Fulfilment of IAQG Resolutions Independence of authentication decision-making Correct entry of auditor details, authentication and period of authentication on OASIS?

Assessing Applicant Files: Follow the authentication process Timely submission of re-authentication process at least 3 months before expiry Compliance with correct re-authentication criteria (audit logs) Don’t forget the correct use and interpretation AATT based training courses for authentication

Some other items to assess: Structure in relation to SMS/CBMC Constitution including independence Arrangements for subcontracting and control (if subcontracted) SMS endorsement or delegation of decision-making Appeals Complaints Withdrawals

Some other items to assess: Procedures in compliance with requirements Activities and records in compliance with procedures Independence of evaluators and decision-makers Competence of those involved in the process?

After the AAB Assessment: Provide report to the AAB and SMS or CBMC Oversight WG Chair Ensure the AAB and SMS or CBMC have records of the verification and closure of any Form D Nonconformity Records

Questions