When the International Air Transport Association (IATA) Operational Safety Audit (IOSA) program came on line 10 years ago, government and airline industry attention primarily focused on its introduction of a common audit standard for international code-sharing agreements and its commitment to restrict IATA membership to IOSA-registered airlines. By most accounts during a recent symposium held by the U.S. National Transportation Safety Board (NTSB), the program has become the agenda-setter for safety specialists within the world’s airlines while earning endorsements from civil aviation authorities.
As a proprietary program, however, IOSA also has elicited questions from the NTSB about the potential for influence — that is, as a force parallel to government oversight — that could inhibit official awareness of safety issues by limiting release of information solely to current or prospective airline code-share partners. NTSB questioners asked whether IATA leaders have any similar concerns at the meeting on Oct. 26–27, 2010, in Washington.
“IOSA has evolved so that it has many uses beyond code-sharing, which was the original driver … [but] was never meant to be ‘pseudo-regulatory,’” said Jim Anderson, senior audit adviser, IATA. “It has been clear from the get-go that these are voluntary audit standards … and IOSA is nothing more than a tool that can be used to complement what the regulator does by law … that can be used by state authorities outside their own purview or jurisdiction.”
IATA’s position is that IOSA offers possibilities for civil aviation authorities to “complement regulatory oversight (i.e., access to audit reports),” citing as an example the U.S. Federal Aviation Administration’s (FAA’s) acceptance of IOSA registration as equivalent to a U.S. airline’s own audit of a non-U.S. code-share partner (ASW, 11/10, “Code-Sharing Collectivism”). “Some states use IOSA in their … air operator certificate–approval process,” Anderson added. “Some states … mandate IOSA for all operators.”
The evolution of IOSA has involved input from the FAA from its inception. “We accept the IOSA protocols, and FAA is on every committee with IATA,” said John Barbagallo, manager, International Programs and Policy Division, FAA Flight Standards Service (see “FAA’s IASA Visits Gauge Political Will,”). “We perform assessments of every code-share audit conducted by IATA, and we conduct audits of IATA itself … to ensure that they are up to date on the latest processes.”
FAA’s IASA Visits Gauge Political Will
The U.S. Federal Aviation Administration (FAA) International Aviation Safety Assessment (IASA) program annually checks relevant records for countries that have air carriers operating to the United States, currently 53. Ten countries are selected, using a scoring system, for on-site audit visits the following year. Their scores quantify risk factors such as prior discrepancies in ramp inspection reports, grounding of aircraft, FAA inspectors’ placement of airlines on the agency’s heightened surveillance list, accident/incident investigation reports and reports on the financial health of countries and airlines, said John Barbagallo, manager, International Programs and Policy Division, FAA Flight Standards Service.
After an IASA visit, FAA inspectors render judgments about the country’s aviation oversight capacity based on factors such as national air law; aviation regulations; structure, funding and responsibility of the civil aviation authority; qualification and guidance of aviation inspectors; licensing of aviation professionals; aircraft and airline certification; proven effectiveness in resolving safety issues; and, especially, quality of oversight of operations to the United States.
“We check to see if the country has the political will for [compliance with global standards] — without political will, nothing else is going to work,” Barbagallo told the U.S. National Transportation Safety Board’s October 2010 symposium titled Airline Code-Sharing Arrangements and Their Role in Aviation Safety, in Washington. “We give [officials in] the candidate country the questions and the answers. The only thing that countries have to prove is that they have implemented these [standards] … for a long period of time.”
Entering 2011, the FAA has designated 22 of 102 audited countries as Category 2 — that is, in the judgment of the FAA’s inspectors, they did not meet International Civil Aviation Organization (ICAO) standards.1 This means that if the Category 2 country’s air carriers did not already conduct air carrier operations to the United States, such flights could not subsequently be approved.
If a country has Category 1 status (i.e., meets ICAO standards) and one or more of its air carriers already operate flights to the United States, consequences of a downgrade include a freeze on operational changes, placement on FAA’s heightened surveillance list and immediate suspension of all code-sharing arrangements between U.S. carriers and partner carriers from that country.
“[The United States] does not have direct authority over foreign air carriers [or] countries that they come from … but we have created some programs that get us to where we want to go regarding safety,” he said. “[IASA] probably has had the most effect in international aviation safety [compared with] any other program. … We have pulled more than 100 countries up into compliance … because the program has teeth.” Potentially high economic gains/losses for states, airlines and other stakeholders typically are the strongest safety-compliance incentives, Barbagallo explained.
The FAA’s legal right to assess civil aviation oversight in specific countries under IASA stems from bilateral air safety agreements, he noted. If a country has signed an agreement with the United States but declines to admit FAA inspectors within 60 days of notification of an IASA visit — which typically involves one week on site — the FAA automatically rates the country as Category 2, Barbagallo said.
The Flight Standards Service in 2010 initiated a training course that provides a path for any of some 5,000 inspectors to become certified to participate in IASA. “FAA also will offer [a Category 2] country technical assistance,” Barbagallo said. “We will send inspectors to help them. … We will do anything to get them back into compliance.”
- As of Dec. 1, 2010, countries designated as Category 2 by the FAA were Bangladesh; Belize; Côte d’Ivoire; Croatia; Democratic Republic of Congo; Gambia; Ghana; Guyana; Haiti; Honduras; Indonesia; Israel; Kiribati; Nauru; Nicaragua; Paraguay; Philippines; Serbia and Montenegro; Swaziland; Ukraine; Uruguay; and Zimbabwe.
NTSB Chairman Deborah Hersman, noting parallels between IOSA and FAA oversight activities, asked airline/alliance presenters, “Why do we need the IOSA audits? Why isn’t the regulatory standard sufficient? Is it because the regulatory structure isn’t nimble enough?” She also inquired whether civil aviation authorities routinely request, and succeed in obtaining, IOSA audit reports.
Currently, airlines typically do not ask regulators for their assessments of other airlines, and in turn, regulators typically do not ask for proprietary airline audit reports, some presenters replied.
“In the overwhelming number of cases, it is in the auditee’s best interest and [to its] benefit to authorize release,” said IATA’s Anderson. Nick Lacey, COO of Morten, Beyer & Agnew, one of eight IOSA-accredited audit organizations, added that the same principle applies among code-share partners. “It may be very important for a U.S. mainline carrier to see that the code-share partner actually addresses runway incursions [although not required to do so], for example,” he said.
“Some [airlines] share, and some may be inhibited from doing so,” said Mark Lennon, head of operational risk and compliance at British Airways, representing the Oneworld Alliance. “[We would share] U.K. Civil Aviation Authority audit reports of British Airways with a prospective code-share partner … It is very unusual for me to ever have a reason to deny access to an IOSA audit report.”
Michael Quiello, vice president, corporate safety, security and environment at United Airlines, concurred that IOSA audit reports generally are released to another airline, not a civil aviation authority. “I sign a compliance statement saying that [partners] have passed the IOSA audit, and send it over to the FAA,” he said. “We don’t send the whole report.”
Addressing Hersman’s other questions, Lennon and Quiello said that IOSA fills a gap in areas that regulatory structures do not address. “The regulatory structure was built at a different time with a different approach,” Lennon said, emphasizing that IOSA also provides a common frame of reference and “auditable” language as opposed to international regulatory vagary and variation.
Barriers to Awareness
Hersman summarized part of the NTSB’s final report on the February 2009 crash of Colgan Air Flight 3407 near Buffalo, New York, which said that the airline had been placed on the IOSA registry. In September 2007, the airline completed a corrective action plan to close IOSA findings, some later considered relevant to the accident investigation. FAA principal operations inspectors for the airline apparently had minimal awareness of the corrective actions before the accident and assumed that they were inconsequential to FAA oversight, she noted.
“The principal operations inspector said he was aware of the audits, but he did not have copies of the [IOSA or U.S. Department of Defense (DOD) audit reports], and he added that findings from the [IOSA] audit were minor and DOD issues were not within the scope of his responsibility,” Hersman said. “But one of the things that [IATA and the DOD] found in the audits was that Colgan’s internal evaluation program was ineffective. [NTSB’s] concern was that if this internal evaluation program had been effective, [the airline] might have caught some of the issues and concerns with [pilot] training records.”
During 2011, de-identified information from IOSA audits will be shared for the first time among IATA, the International Civil Aviation Organization (ICAO), the U.S. Department of Transportation and the Commission of the European Union. IATA initially contributed this information from its Global Safety Information Center representing 345 airlines — now 347 — that have completed IOSA audits. ICAO coordinates this information exchange, which involves representatives from IATA, ICAO, the FAA and the European Aviation Safety Agency (EASA).
“When it comes to safety, there is no room for secrets and silos,” Giovanni Bisignani, IATA director general and CEO, said in September 2010 during the signing of a memorandum of understanding that had been announced in late March. “There is no competition when it comes to protecting our passengers. Safety is a constant challenge, and information is the key to driving improvements … [and will] help us to identify trends and potential threats. … IOSA sets the standard of safety for airlines, and aggregated IOSA audit information will complement audit information from the other partners in developing global safety priorities.”
IATA also said it has positioned the IOSA program to “drive worldwide implementation of proven safety/security practices, significantly reduce the number of industry audits conducted and complement the [ICAO] Universal Safety Oversight Audit Program, which assesses individual states.”
NTSB also inquired about the possibility of some role for IOSA findings about specific airlines in regulatory oversight. At present, principal operations inspectors’ awareness varies from carrier to carrier, said John Duncan, manager, Air Transportation Division, FAA Flight Standards Service. “The carrier has to authorize [an IOSA audit report’s] release to whoever wants to see it. [The answer] really depends on the relationship between the carrier and the [FAA] certificate management office, and how they’re dealing with those issues.” Principal operations inspectors receive no training or policy guidance as to a relationship between the IOSA program and their duties, he said.
The process of becoming an IOSA-registered airline begins with obtaining the latest IOSA Standards Manual from the IATA Web site and familiarizing operations personnel with about 900 IOSA standards and recommended practices (ISARPs, including some 2,000 subparts) in eight airline operational areas. IATA provides information about the commercial IOSA audit organizations, whose 200 IOSA-accredited auditors can offer consulting during a preparatory visit before conducting the actual, or registry, audit.
The candidate airline selects the audit organization, and schedules the audit. If completed successfully, the airline and IATA receive the final IOSA audit report and IATA posts only the airline’s name on the IOSA registry Web page.1 Registered status is valid for 24 months, assuming that audit findings of problems are corrected and documentation and implementation have been verified within 12 months of audit completion. To remain on the registry, each airline must successfully complete a new IOSA audit prior to the end of the validity period.
IATA then functions as the official repository of IOSA audit reports and updates the IOSA registry as changes occur. Each IOSA audit report remains the property of the airline audited, and disclosure of the contents remains under the control of that airline, Anderson said. IATA handles requests for IOSA reports and provides them only if authorized by the airline.
At IOSA’s core is a common set of standards. “IATA does not introduce [audit] specifications that are not already in the ICAO standards and recommended practices, U.S. Federal Aviation Regulations or EU–OPS — unless we are able to make sure that there is a legitimate safety issue,” Anderson said. “When we make changes, they are based on something that is going to improve safety. … We have to be careful that we don’t … make a requirement that a large population of the world’s airlines can’t meet.” Most changes therefore are recommended best practices not covered by the primary sources of regulations. One such change was that airlines should maintain a runway incursion risk reduction program.
The typical audit generates some “audit findings” of nonconformity to the standards and “audit observations” of nonconformity to recommended practices within ISARPs. “The number of findings, generally, is directly related to [the airline’s] preparation,” Anderson said. “Airlines that are extremely diligent in preparing for the audit will have very few findings; airlines that don’t prepare have a lot of findings. We have had airlines with over 400 findings — that’s a lot.” The high level of voluntary commitment by IOSA candidate airlines to adopt recommended practices has surprised IATA, he said.
IOSA audit reports prepared by one audit organization also have indicated a wide range in total findings per audit. “As an audit organization, we have seen from zero findings to over 200 findings on an initial audit,” Morten’s Lacey said. “The operator that had over 200 findings did not meet the timetable for closing those findings. … [Preparation] probably is the major benefit of the audit. … It typically takes an airline three or months to conduct and document corrective actions.”
The IOSA program’s cumulative results reflect the multiple audits undergone by airlines currently on the IOSA registry, but do not indicate airlines that did not get past the first steps toward an IOSA registry audit. “We have done a lot of IOSA preparation visits, never to have the operators return [to request the IOSA registry audit],” he said. “They just said, ‘No, it’s not for us — at least not now.’”
Reliance on IOSA
Several presenters said that IOSA has become “integral” to their safety management systems (SMSs), internal evaluation programs and/or operating functions. United Airlines requires all branded code-share partners — those that operate aircraft in the United Airlines livery — to be IOSA-registered, Quiello said. This complements the airline’s own program of quality and safety review of all mainline and express code-share partners.
“On non-branded carriers, we look for IOSA registration, [but] sometimes because of fleet requirements, they might not meet IOSA standards because of equipage,” he said. “They will not be able to meet an IOSA registration, but we do expect them to meet [another form of ICAO-based] audit … We use the IOSA audits, and on the off years, we do an audit ourselves [of code-share partners]. We also do [smaller-scale] ad hoc audits if the circumstances warrant.”
Before considering prospective code-share partners, American Airlines first reviews their IOSA audit reports and their DOD reports on voluntary safety programs and internal evaluation programs pertaining to charter airlift, said Dave Campbell, vice president, safety, security and environment for the airline.
In May 2011, US Airways expects its fourth IOSA audit to validate successful implementation of ICAO-derived standards not yet required in the United States, especially its Level 4 SMS, which was developed under the FAA’s SMS demonstration program. “IOSA is more comprehensive than the U.S. Department of Transportation and FAA safety program guidelines for foreign code-share audits, which require conformity to ICAO standards and to ICAO Annex 1, Personnel Licensing; Annex 6, Operation of Aircraft; Annex 8, Airworthiness of Aircraft; and Annex 18, Safe Transport of Dangerous Goods by Air,” said Paul Morell, vice president, safety and regulatory compliance. “IOSA is nimble and allows us to be nimble. … We merged with America West Airlines in 2005. IOSA [auditors] came in two years after that integration process to validate [the safety aspects] for us. When the audit was over, I could say we didn’t miss anything, and that we did a good job.”
British Airways’ Lennon added, “IOSA is a key tool. … We clearly have no desire to go and audit again should [the air carrier already] have an IOSA [registration]. In fact, depending upon our assessment of the operator, it might be that we entirely base our judgment on the IOSA registration of the operator and our individual interaction with them, and we may never need to audit them.”
That does not exclude follow-up activities, however. British Airways reviews how code-share partners have closed their IOSA audit findings and the performance of their SMS, including how they conduct voluntary incident reporting programs, the quality of ongoing self-assessment of risks, the stability and effectiveness of management organization, and fleet stability. Qualitative assessments of partners’ SMSs and internal evaluation programs reveal whether the partner airline resolves safety issues at the structural, root-cause level or only at the symptom level, he added.