Introduction To Information Security And

Forensics

Pakistan International Airlines

Submitted To:
Sir QamarMehmood

Submitted By:
Maria Altaf Satti (Bi-103018)
Mehwish Noureen (Bi-103011)
Introduction:

Pakistan International Airlines(less formally known as PIA; or Pakistan International), is the

national flag carrier and a state-owned enterprise of the Government of Pakistan. Headquartered
at Jinnah International Airport in Karachi it operates scheduled services to 24 domestic
destinations and 38 international destinations in 27 countries across Asia, Europe and North
America. Its main bases are at Karachi, Lahore and Islamabad/Rawalpindi.

The airline's secondary bases include Peshawar, Faisalabad, Quetta, Sialkot and Multan, from
which it connects the metropolitan cities with the main bases, the Middle East, Europe, and the
Far East. It is primarily owned by the Government of Pakistan and is regulated by the Ministry of
Defense as an autonomous body. It employed 18,043 people as of May 2008

Structure:

Pakistan International Airlines Corporation (PIAC) is majority owned by the Government of

Pakistan (87%) while the remainder (13%) by private shareholders. The airline is under the
administration of Ministry of defense the chairman of which is Muhammad Mian Nawaz Sharif.
The airline is managed by managing director as well as the Board of Directors. The Board
consists of nine independent non-executive members and has four sub-committees: an Audit
Committee, Brand and Advertising Committee, Finance Committee, and Human Resource
Committee each having its own charter and chairman. The MD leads the executive management
of staff who run the airline. The airline's main headquarters are located at Karachi Airport while
smaller sub head offices are located in several cities within Pakistan.

Servers:

The IT Department at PIA maintains a number of servers and storage arrays to support various
applications. Some of these applications have been developed in-house while some have been
acquired from third-party vendors. A certain number of applications are also hosted externally.
The block diagram shown below represents how different applications and modules are
connected to the 10 GBPS backbone.
Connectivity:

The fundamental purpose of a communications system is the exchange of data between two
parties. Communications networks are designed by interconnecting a variety of devices. This is
done to help share the information and make efficient use of common resources available within
an organization.
A high-level block diagram representing the PIA network is given below:

Local Area Network (LAN):

The PIA LAN is centered at the Computer Centre building situated next to PIA Head Office, in
the vicinity of Jinnah International Airport. It is based on a fiber-optic backbone and serves
different locations as follows:
Wide Area Network (WAN):

PIA also supports major WAN connectivity linking all its regional and local offices to PIA
Computer Centre. The WAN setup is being done in two phases as follows:
Definitions of Technical Terms:
Terms that are defined in the ICAO Vocabulary (Doc 9713, 2nd edition, 2001) and the Annexes
are used in accordance with the meanings and usages that are given there. A wide variety of
terms are in use throughout the world to explain services, measures, and concepts for airport
operations and development. Definitions of the few of the terminologies are as under:

Aircraft maintenance area: All the ground space and services provided for aircraft
maintenance. It includes aprons, hangars, building and workshops, vehicle parks and road.

Aircraft security check: An examination of the inside of an aircraft to which passengers may
have had right of entry and an examination of the hold for the reason of discovering doubtful
objects, arms, explosives or other hazardous devices, articles or substances.

Certification: A formal assessment and verification by or on behalf of the proper authority for
aviation security that a person possesses the necessary competencies to perform assigned
functions to a satisfactory level as defined by the appropriate authority.

Security inspection: An assessment of the accomplishment of appropriate national civil aviation

security program necessities by an airline, airport or other entity involved in security.

Security restricted area: Those areas of the airside of an airport which are identified as priority
risk areas where in addition to access control, other security controls are applied.

Security audit: An in-depth conformity assessment of all aspects of the accomplishment of the
national civil aviation security program.

Security control: A means by which the beginning of weapons, explosives or other hazardous
devices, articles or substances which may be used to commit an act of prohibited obstruction can
be prevented.

Security equipment: Device of a particular nature for use, individually or as part of a system, in
the anticipation or recognition of acts of unlawful intrusion with civil aviation and its services.

Permits: A permit system consists of cards or other documentation issued to individual persons
engaged on airports that otherwise has need for official access to the airport, airside or security
confidential area. Its purpose is to recognize the person and assist access. Vehicle permits are
issued and used for similar purposes to allow vehicular access. Permits are sometimes referred to
as airport identity cards or passenger.

Quality: Ability of a set of intrinsic personality of a product, system or process to fulfill

requirements of clientele and other concerned parties.

Quality Assurance: Part of quality management, paying attention on providing self-assurance

that quality requirements are fulfilled
International Obligation and Responsibilities:

Pakistan International Airlines- Security Program:

PIA Security curriculum is designed to meet the Pakistan Civil Aviation Authority directives and
measures defined in their latest Pakistan National Civil Aviation Program Manual (PNCAP) and
worldwide Standards and Recommended Practices contained in Annex 17 to the Convention on
International Civil Aviation (the “Chicago Convention”), as well as related aviation security
provisions found in other Annexes and IATA Operational Safety Audit (IOSA) standard
requirements. Security measures and requirements defined in the TSA (USA) Program,
Transport Canada (TC) security requirements and EU route sectors are strictly followed at all
foreign stations where PIA operates.

Security Program Objective:

The objective of this Security Program is to meet all airline security obligations through well
judged use of qualified and semi-trained manpower. This program is applied to both worldwide
as well as domestic operations in Pakistan with following objectives: -

a. Positive in identifying security risks and ensures this through a system of episodic audits,
surveys and security evaluation program equally with ASF/CAA Pakistan.

b. Utilize finest existing equipment including CCTVs for dynamic and inert inspection and
fortification of clientele and airlines resources.

c. Secure synchronization with Pakistan CAA, ASF, Customs and foreign stat(s) security powers
and other dictatorial bodies while protecting PIA safety at all forums.

d. Guarantee corporal infrastructure and pleasant work atmosphere, such as provision of

personnel, guidance, equipment and periodic inspections, are provided for the smooth
implementation of security operations.

Airline Security Policy:

PIA’s dedication to “Security” is based on the following elementary doctrine:

1. Defense of clients, staff and resources from illegal acts.

2. Obedience with all the dictatorial necessities pertaining to airline safety and defense.

3. Giving unambiguous instructions on airline’s security procedures to employees,

managing agents and contractors.
 4. Ensuring that PIA passengers’ relieve and protection are under no conditions
compromised by any safety measure.

5. The safety and defense of PIA’s clients, employees and services is the duty of every
worker.

The security policy is frequently reviewed on yearly basis in the PIA Security Training Program
Review Meeting and guarantee persistent importance to the PIA Security Program and other
state(s) requirements. In order to guarantee execution of security objectives and supervise act of
the security functions, monthly act reports have been received and analyzed by Senior
Management for further essential act and persistent enhancement purpose.

The Role and Responsibility for Aviation Security in the Airline:

PIAC formed under Government Act 1956 and subject to the provisions of Aircraft Act, 1934
(XXII of 1934) shall provide and further develop safe, efficient, adequate, economical and
properly coordinated air transport service. Keeping the corporation functions of safety and
security in view, PIA’s Security setup has been created to perform the following duties and play
key role in the airlines security functions:-

a. Security of moveable and immovable property against damage, theft, pilferage and
misappropriation.

b. Assist ASF measures for protection of PIA aircraft on apron and engineering area against
sabotage and damage.

c. Assist ASF in the anti hi-jacking measures.

d. Security of passenger baggage, cargo, valuable parcels and diplomatic mail bags against theft
and pilferage.

e. Coordinating Security of VVIP flights with the government agencies.

f. Security of PIA revenue documents against theft, misuse, fraud and prevent loss and leakage of
PIA revenue.

g. Collaborating with and seek assistance of local law enforcement agencies on matters
pertaining to PIA.

h. Check PIA employee uniforms, PIA identity cards and apron permits.

i. Arrange vetting and security clearance of all PIA employees.

j. Monitoring and assisting all departments in the implementation of their security measures
designed to ensure the safe custody of the corporation’s and client’s property on their charge.
k. Holding preliminary inquiries on occurrence of incidents.

l. Assisting and coordinating anti narcotics measures with Customs, ANF and ASF.

m. Preparation and issuance of PIA employees ID Cards and passes to PIA employees and
employees of contractors. Also obtain Special Branch Verification in this process.

n. Processing and vetting PIA personnel after employment before foreign posting and VVIP
clearance.

o. Processing of documents for the issuance of ASF Airport Entry passes to all PIA employees
who are required to work in the restricted areas and ensures display of passes.

p. Safeguarding the image and reputation of the Corporation through monitoring the conduct of
employees and contractors’ staff.

q. Collecting, collating, analyzing and distribution of information relating to airline’s security.

r. Investigation of serious cases and keeping the management informed of its outcome.

s. Generation of schedule backup for such operational security documents/records/CCTV

recording that are maintained and managed electronically as per the airlines management
directives, local/foreign state(s) regulatory body requirements.

t. In addition to PIA Security Programs policies and laid down security procedures we also
follow Civil Aviation Authority instruction and procedures defined in their latest Pakistan
National Civil Aviation Program Manual .

u. Strictly follow and implement applicable security requirements of other states domestic,
international operations where PIA’s operations are conducted.

Information and Communication:

Methods of internal and external communication at PIA include formal written communication
such as letter, e-mails, telephone intranet, circulars, admin order, minutes, wireless, mobile
phone, memos and inter office letters etc. This communication system is in line with corporate
communication system defined.

Provision of Resources:

The management shall ensure the existence of a physical infrastructure and work environment
under the direct control of PIA management that satisfies management and operational
requirements of the Security Program. In case of other stakeholder(s), PIA will coordinate with
the concerned authority/agency to ensure such provision of resources.
Purchases from External Supplier(s):

All purchasing functions like supplier evaluation, tendering, and supplier control are ensured by
the centralized Procurement Division of PIA, however Security Services related equipments
technical specification ensured by Security Section.

Description of Airline’s Operations:

Pakistan International Airlines Corporation (PIA) security section is mainly responsible to

provide sufficient information, guidance through procedures and instructions to the security
personnel with a view to protect its assets. The program would also be of great help to the
executives and management staff of other departments and sections who are responsible to
handle various security situations. It also defines the scope and limitations of Security Operations
for better understanding of its functions and the extent to which it can render assistance in liaison
with Government (local/foreign) Security Agencies and contracted security agencies.

a. In order to achieve the laid down functions the airline has evolved certain security procedures
to be followed by PIA employees including security personnel directly or through Government
Agencies including Airport Security Force (ASF) on domestic stations and Contracted Security
Agency (outsourced Security Agencies) and airport authorities at foreign stations.

b. All the domestic stations are adequately covered to ensure the security standards of the airline
including a few important foreign stations, whereas other stations security standards are
monitored through positioning of security personnel on temporary basis or through monitoring
tours of senior security personnel including the Govt. representatives.

c. The prevention of hi-jacking and sabotage is the prime responsibility of Airport Security Force
in Pakistan under the ASF Act of 1975 and concerned security agencies/authorities at foreign
stations. To achieve optimum results, PIA Security assists ASF in this fore-mentioned role by
following laid down procedures in flight handling, which also include measures to prevent
theft/pilferage of passenger and PIA property while performing these functions.

d. The details of the security operating procedures being followed in different areas of airline
activity as per CAA- Pakistan and IATA endorsed policies.

e. ASF at domestic airports and Security Agencies at foreign stations shall refuse transportation
to any person not willing to allow search of his or her person and property. Screening/search will
include physically impaired passengers requiring wheelchairs, orthopedic devices or implanted
electronic devices.

f. ASF is responsible in Pakistan and contracted security agency/security authorities at foreign

station(s) to take effective measures to prevent unauthorized articles from being taken onboard
an aircraft by transfer/transit passengers. Effective sterile areas in the domestic lounges are
maintained by ASF and cabin baggage is re-screened.
g. Cabin crew in the domestic stations and Security Agencies at overseas stations shall ensure
that disembarking passengers do not leave items on board an aircraft at transit stops in normal
operation and specially on increased security threat level at transit stops
(Internationally/Domestic). Security rules of the foreign countries shall be fully complied with
for disembarking passengers at transit stops.

h. ASF and Security Service Provider agencies at Foreign Stations are responsible to take
effective measures to prevent unauthorized / prohibited items from being taken onboard by
passengers including transit passengers, irrespective of cabin or checked baggage.

i. PIA’s Security Services/outsourced security agencies ensures effective security measures while
transferring hold baggage for international/domestic passenger flights.

Security Review Committee (SRC):

The purpose of this Security Review Committee is to ensure effective implementation of PIA
Security Program. The committee will consist of the following members:

a) Head of Security

b) Zonal Heads (North/South/Central)

c) DQC Manager

d) Head Operations & Training

The Security Review Committee will ensure the following agenda points to review and take
necessary action for effective implementation and continual improvement in the PIA Security
Program.

1. Oversight review of previous period security function performance

2. Suggest/incorporate new measure for continual improvement.

3. Review and assessment of security threat identified and controlled.

4. Promotion of security awareness among employees, customers and all stakeholders.

The above committee will conduct regular meetings on annual basis.

Airport Vetting Procedure and Security Clearance of Employees:

This direction requires airport vetting procedures and covers the vetting procedures that have to
be undertaken to obtain restricted area passes as laid down by Ministry of Defense.
a. Airport Security Forces (ASF-Pakistan) is responsible for issuing and controlling restricted
area Functionary Passes/Vehicle Entrance Permit within Pakistan. PIA security ensures timely
process of documentation of all PIA employees and vehicles requiring ASF Functionary
Passes/Vehicle Entrance Permits for restricted areas as per laid down procedures in Pakistan
National Civil Aviation Program Manual.

b. Station Manager at foreign stations ensures obtaining valid air side restricted area
passes/vehicle permits where PIA operates.

c. Airport authorities at foreign stations rules and regulations are strictly followed for the
issuance and revalidation of passes. PIA all employees having airport Functionary Pass is
responsible to display valid passes/vehicle permit before access to the restricted areas.

Head of Security (General Manager Security Services), Duties and

Responsibilities:
a. General Manager/Head of Security Services is mainly responsible for development,
implementation, and maintenance of PIA security program.

b. Make plans and proposals for ensuring that security throughout PIA operations is maintained
at an appropriate level.

c. Develop corporate security policies and establish organizations and systems to implement and
monitor these policies.

d. Develop plans for the recruitment and training of security staff. Provide for their motivation,
career development and discipline.

e. Work in close liaison with Government Agencies including Director General Civil Aviation
Authority, Custom, ASF, Immigration, Anti Narcotics Force, Intelligence Bureau and Police and
other operating state(s) security authorities/ company/agencies for security matters.

f. Ensure the necessary level of liaison with the security units of other airlines and government
security forces at PIA domestic and foreign stations authorities/agencies where PIA operates.

g. Supplement ASF measures for protection of PIA aircraft on airports in Pakistan.

h. Plan and monitor deployment of security staff and resources.

i. Keep abreast of the latest amendments in the law of land, modern techniques of scientific
management and new developments in the sphere of his activities. Ensure proper application of
new techniques and procedures for improving the efficiency and productivity level of employees
reporting to him.
j. Plan proper budget for the operation of his division and monitor expenditure under agreed
heads.

k. Ensure effective, efficient and smooth functioning of Security Section. Perform any other
function as assigned, from time to time, by Director HRA and Coordination/ Managing
Director/CEO. To act upon threat perceptions and analysis received from the Ministry of
Defense and local agencies for safety of PIA installations and equipment.

l. To coordinate and provide necessary assistance to ASF at times of universal alert due to
perceived threats

m. The Head of Security is generally assigned responsibility for:

 Formulation of an overall security policy for senior management acceptance.

 The development and promulgation of security standards and practices to provide line
management with direction and control.

 Establishing a clear order of command in the security structure.

 Ensuring effectiveness of security program by regular evaluation and inspection.

 Effective liaison with governments, authorities and law enforcement agencies.

 Ensuring an effective risk analysis, threat assessment and response capability.

 Initiating special security measures during periods/instances of increased threat.

 Providing specialized advice to senior and line management in all security functions.

 Protection, intelligence, information and investigation.

n. Report directly to Head of organization (PIA) MD/CEO PIA incase emergency situations.

Security Manager- Head Office Installation Duties and Responsibilities:

a. Controls and monitors efficient working of security functions, duty rosters and attendance of
the Security Staff deployed on all PIA premises/installations at Karachi Airport as well as in the
town.

b. Ensures submission of daily security and performance reports. Checks reports, statements and
certificates submitted daily by the shifts and initiate action accordingly.
Duty Security Officer- Installation Duties and Responsibilities:

a. Controls the function of security staff working in shift at all installations posts. Supervises
works of all security operational staff. Collaborates with and seeks assistance of law enforcement
agencies in smooth functioning of airline operations.

b. Ensures security of movable and immovable property against damage, arson, theft, pilferage
and misappropriation. Keeps close liaison with other departments/sections of PIA working
during his duty hours.

Security Supervisor Duties and Responsibilities:

Security Staff working under him/her make sure that Security Orders/Instructions are executed to
supplement ASF measures for protection of the aircraft, installations, anti-hijacking and sabotage

Quality Assurance:

Quality assurance verify that system changes are authorized, tested and implemented in a
controlled manner prior to being introduced into the production environment. With the assistance
of librarian software, personnel also oversee the proper maintenance of program versions and
source code to object integrity.

POLICY STATEMENT:

PIA Engineering & Maintenance “Safety and Quality Policy” states as:‘Airworthiness and
Quality Maintenance of aircraft and aircraft components is our highest priority. We are
committed to continuously improve the quality of all our products and services to our customers’
satisfaction. This includes safety, reliability, performance and customer values. Recognizing
safety as a prime consideration at all times, we will ensure good maintenance practices through
the application of human factor principles, and encouraging personnel to report maintenance
related errors / incidents. Compliance with procedures, regulations, quality and safety standards,
and cooperation with quality auditors is the responsibility of all personnel of PIA Engineering &
Maintenance.’

DIRECTOR (ENGINEERING & MAINTENANCE):

Director (Engineering & Maintenance) shall assist the Accountable Manager for all PIA
Engineering & Maintenance organizational activities. Reporting directly to Accountable
Manager, Director (Engineering & Maintenance) shall be responsible to:

i. Manage organizational activities, fulfilling corporate commitment by Accountable Manager

and implementing Safety and Quality Policy in the Organization complying with EASA Part –
145 requirements.
ii. Recommend appointment / promotion / transfer of Chief Engineers, Deputy Chief Engineers
and Aircraft Engineers to Accountable Manager. However, transfer of Deputy Chief Engineers /
Aircraft Engineers, within the Organization, shall be approved by Director (Engineering &
Maintenance).

iii. Review the requirements related to human resource, facilities, equipment, spares and
maintenance capability enhancement. Such requirements must be brought into the Knowledge of
Accountable Manager without any delay.

iv. Collaborate with Chief Engineer (Quality Assurance) for implementation of an effective
quality assurance system in the Organization to ensure that all activities are accomplished to the
highest standards of airworthiness and workmanship.

v. Participate in Management Reviews to review progress on corrective / preventive actions and

overall organizational performance, in terms of quality. Ensure corrective actions
implementation in timely manner against any finding, observed by personnel from the
Competent Authority / Engineering Quality Assurance during quality audits.

vi. Ensure that required facilities, tooling, test equipment and spares are procured, maintained
and utilized as per EASA Part – 145 requirements.

vii. Ensure that all maintenance, requested by customer, shall be performed and certified in
accordance as per the standard required by the EASA Part – 145requirements and organizational
procedures. Records of maintenance performed shall be archived, in a safe / secure location, for
the permissible period.

viii. Establish system for review of all applicable technical standards, in order to maintain
airworthiness of aircraft / aircraft components and associated systems.

ix. Initiate approval for all fee and charges related to EASA Part – 145 Approval beforehand,
ensuring the payments are made within the agreed frame of time.

x. Make arrangements for free access of personnel from the Competent Authority to PIA
Engineering & Maintenance facilities, whenever required in respect to EASAPart-145 approval.

xi. Represent PIA Engineering & Maintenance in his authorized position for all correspondences
with the Competent Authority and other organizations.

xii. Propose plans for organizational capability enhancement in PIA Engineering &Maintenance
and supervise timely accomplishment of all such approved plans.
CHIEF ENGINEER (QUALITY ASSURANCE):

Chief Engineer (Quality Assurance) is authorized by the Accountable Manager for surveillance
of all activities ensuring that the Organization remains in compliance with EASA Part – 145
requirements. Chief Engineer (Quality Assurance) is responsible to manage company approval
system for the Organization, under delegated authority by Pakistan Civil Aviation Authority.
Main responsibilities are to:

i. Implement independent quality assurance system for surveillance of organizational activities as

per EASA PART – 145 requirements, through annual audit plan for procedure and product
audits.

ii. Conduct scheduled audit and unscheduled product audits, request corrective actions against
findings and generate audit reports as quality feedback and hence monitor implementation of
remedial actions by respective divisions.

iii. Participate in management reviews to present progress on remedial actions against significant
findings and quality issues. Moreover, any major deviation from EASA Part-145 requirements
must be communicated to the Accountable Manager, in a timely manner.

iv. Develop ‘Maintenance Organization Exposition’ and other associated maintenance

procedures, control their subsequent amendments and submit such amendments to the Competent
Authority for Approval prior to the implementation.

v. Manage effective technical qualifications system for AME Licences / Company Approvals
applications processing in close liaison with the Pakistan Civil Aviation Authority and conduct
examinations for various categories of Company Approvals.

vi. Issue certification authorizations to maintenance personnel, fulfilling requirements as per laid
down organizational procedures and control such authorizations in the Organization. Manage
certification authorizations records and maintain the list of certifying staff for PIA Engineering
& Maintenance.

vii. Evaluate and approve plans, contents, pre-qualification rules and durations for any initial and
continuation training with regular review of organizational procedures effectiveness.

viii. Evaluate and approve suppliers for Approved Vendors List (AVL), administer suppliers
follow up and monitor quality of contracted tasks and incoming stores.

ix. Appraise and submit the Company Capability List (CCL) of PIA Engineering &Maintenance
and subsequent revisions to the Competent Authority for approval.

x. Report an un airworthy condition to the Competent Authority and request for any concession
in justified cases, if deemed necessary.
 xi. Devote maximum time to activities for continual improvement, in respect of quality assurance
concept. Supervise personnel assigned with duties in Engineering Quality Assurance division.

xii. Represent the organization in authorized position for correspondences with the Authorities
and other organizations.

PERMISSION MODEL:

DATA ACCESS MATRIX OF QUALITY ASSURANCE DEPARTMENT:

Modules
LOGIN ACCOUNT CREATION AIRCRAFT DATA ENTRY RAMP INSPECTION DATA ENTRY INSPECTION CLOSURE
Users
Insert Modify Delete Insert Modify Delete Insert Modify Delete Insert Modify Private

Deputy Chief Engineer

X X X X X X
Aircraft Engineer
X X X X X X
Line Manager
X X X X X X X X X X X
Data Entry Supervisor
X X X X X X X X X X X X
REPAIR PROCEDURE:
PURPOSE:

To describe PIA Engineering & Maintenance policies regarding repair on aircraft / aircraft
component.

PROCEDURE:

General:

Repair and maintenance on aircraft / aircraft components shall be performed in accordance with
aircraft and component maintenance data provided by the manufacturer and organizational
procedures. Maintenance data shall be available in workshops and maintenance areas accessible
to concerned personnel. Once defect has been logged, appropriate facilities, tools, equipment and
maintenance data are then defined and prepared to perform work in conformity with approved
repair data. All repairs shall be carried out keeping in view of the approved scope of work. For
customer aircraft, when defect / damage are detected during maintenance, customer /operator
shall be informed through defect report. Repair shall then be carried out after review of Repair
Order of customer. If customer / operator do not agree for repair, certifying staff shall assess
airworthiness of aircraft due to subject damage before issuing Certificate of Release to Service.
In case of agreement, following process shall be followed:

Repair Process:

Defects found shall be recorded on appropriate Technical Logbook / Aircraft Repair Order
(ARO) / Work card / Worksheet by Aircraft Engineer (production) concerned. Area involved
shall be inspected thoroughly for hidden damage, including areas adjacent to obviously damaged
parts. Structure Repair & Modification group / Aircraft Engineer (production) concerned shall
perform assessment of structural damage / defect mentioned in the ARO / Work card /Worksheet
in accordance with relevant maintenance data. Aircraft Engineer (production) concerned is
responsible for definition of repair solution. Repair solution is either:

Case I: Replacement of damaged parts in accordance with relevant maintenance data

Case II: Repair solution already given in relevant maintenance data, hence approved
Case III: Repair solution does not exist in the relevant maintenance data
For cases ‘I & II’, repair solution defined by AMM / SRM / CMM shall be implemented as any
other maintenance task.

Case III: Repair Solution does not exist in the Relevant Maintenance Data Aircraft / aircraft
component shall be assessed by Aircraft Engineer (production) concerned for damage and all
relevant information shall be recorded. Pertinent information and drawings of damaged area shall
be sent to the Original Equipment Manufacturer (OEM) along with proposed repair solution (if
any) and to the Competent Authority of aircraft registration. Manufacturer (or organization
appropriately approved to classify the repair) and the Competent Authority of aircraft
registration, shall classify repair as ‘Major’ or ‘Minor’. For minor repair, solution shall be
implemented after endorsement of manufacturer and approval of the Competent Authority of
aircraft registration. In case, the Competent Authority does not approve this repair, Deputy Chief
Engineer (Technical Services Engineering) concerned will seek assistance from Type Certificate
holder.

Documents controlled by PIA:

Availability of maintenance data in the Organization shall be ensured by Deputy Chief Engineer
(Technical Publication & Records) through periodic inventory checks.

CONTROL OF COMPUTER MAINTENANCE RECORD SYSTEM:

PURPOSE:

To define PIA Aircraft Maintenance Management Information System (PAMMIS) used for
management of information related to aircraft / aircraft components maintenance computerized
recording. ‘PAMMIS’ system organization, capabilities and procedures are described in
“PAMMIS User Manual”.

PROCEDURE:

General:

‘PAMMIS’ is online system, managed on mainframe with data terminals at different locations
within the Organization. Deputy Chief Engineer (HR & Training) shall maintain security against
unauthorized access at different levels through issuing passwords for utilization of relevant
functions. It also ensures protection against any illicit alterations in the computerized records /
database. Backup of ‘PAMMIS’ shall be accomplished on daily and weekly basis. Log backup of
databases shall be performed on daily basis. It covers any data deletion, modification and
changes. After every seven days of daily backup, an archive backup is created to record all
changes in database. Computer backup discs, tapes etc. are stored in different locations from
those containing working discs. Entire record / backup shall be stored in a safe way with regard
to fire, flood and theft in an environment, ensuring that such record / backup remains in good
condition in the IT department building, PIAC Head office, Karachi. Deputy Chief Engineer (HR
& Training) shall ensure that in case of any changes in computer programs, previous data shall
be available for a period of at least three years.

Database of PAMMIS:

PIA Aircraft Maintenance Management Information System (PAMMIS) consists of five different
modules:

a) Support Functions:

This module contains master information that is required by all other modules of PAMMIS.
Basically, two types of data are available through this module: Tables are maintained for aircraft
registration, line station, flight operation, flight sector, ATA codes, etc. which can be used for
verification throughout the system to ensure data integrity and available to all users. Aircraft
operation data is update of aircraft & component Flight Hours (FH), Flight Cycle (FC) and
Landings (Ldg). Information provided by Aircraft Flight Logbook is used by the system to
compute times (FH, FC, Ldg) for individual component and sub-assembly of all aircraft types.

b. Aircraft defect and delay (MEL):

This module provides data / report on standard parameters for monitoring aircraft status and
performance. Engine / APU oil consumption for each aircraft is provided for review on daily
basis. Maintenance Log function gives ability to record, review and analyze maintenance log
defect and associated defect corrective action. Major outputs of this module include repeated
defects, carried forward defects, open defects and defects summary sequenced by ATA chapter.
Delay and Incident Occurrences function allows recording review and analyzing delays and
incidents information for planning review purposes. Carried Forward Defect Monitoring and
Control Function (MEL) module allows to record, review and analyze all Minimum Equipment
List (MEL) items raised due to carried forward defect out of the main base.

c) LRU management / Repair abroad:

LRU management / Repair abroad module is designed to track, monitor and control components
(Line Replacement Units), providing all pertinent information such as part number, alternate part
number, serial number, applicability, ATA chapter, shop life, vendor, turnaround time, float,
location, component history, serialization, etc.

d) Aircraft maintenance check planning and control:

This module provides aircraft maintenance check and configuration management information.

e) Aircraft modification:

This module provides pertinent information on current aircraft modification status with regards
to Service Bulletins and Airworthiness Directives.
PROCEDURE TO DETECT AND RECTIFY MAINTENANCE ERRORS:
PURPOSE:

To describe PIA Engineering & Maintenance policies regarding the means for detecting
maintenance errors, identification of contributing factors and measures to avoid any reoccurrence
of similar errors during maintenance on aircraft / aircraft components.

PROCEDURE:

Generalities:

Maintenance errors may be defined in number of ways and categorizing types of error scan lead
to solutions / remedial actions to prevent reoccurrence of similar errors. Each maintenance error
can be categorized to factors, contributing maintenance error such as slip, mistake or violation of
procedure, ignorance of maintenance data, etc. Detection of maintenance errors can be
accomplished with different means:

♦ Any person in the Organization, upon detection of maintenance error, shall inform Aircraft
Engineer / Deputy Chief Engineer (production) concerned to communicate such error to Aircraft
Engineer (Technical Services Engineering) concerned.

♦ Investigations of flight delays / incidents / repeated defects, post base maintenance failures,
unscheduled component removals and post-maintenance test bench failures of components by
Technical Services Engineering (concerned).

♦ Spot checks performed during aircraft / aircraft component maintenance.

♦ Internal quality audit findings observed during product audits and forwarded to Deputy Chief
Engineer (Technical Services Engineering) concerned. As policy, management functions must
encourage reporting maintenance error by personnel of the Organization. Chief Engineer
(Quality Assurance) shall ensure that no punitive action shall be initiated against person
reporting errors. Reporting Forms shall be made available with Deputy Chief Engineer
(Technical Services Engineering) and error reporting shall always be considered as a positive
action. Aircraft Engineer (Technical Services Engineering) concerned shall initiate ‘Maintenance
Error Report’ (Refer AMP 2-3 for sample), mentioning details of maintenance error and
proposed action plan. A copy of “Maintenance Error Report”, duly verified by Deputy Chief
Engineer (Technical Services Engineering) concerned shall be des patched to Deputy Chief
Engineer (Human Factors). Deputy Chief Engineer (Technical Services Engineering) concerned
shall retain originals for record, ensuring follow-up for training of maintenance personnel (Refer
AMP 2-3 for process flow).Deputy Chief Engineer (Technical Services Engineering) concerned
shall prepare a monthly summary of all findings related to maintenance errors for feedback to
Chief Engineer (Quality Assurance) and Chief Engineer (production) concerned.
QUALIFYING INSPECTORS:
PURPOSE:

To define PIA engineering& Maintenance policies regarding training and qualification of

Inspectors in the Organization. Inspectors shall be the following personnel:

♦ Aircraft Engineer (QA) Maintenance

♦ Store Quality Inspectors (incoming stores inspection)

PROCEDURE:

Aircraft Engineer (QA) Maintenance:

Aircraft Engineer holding valid AME Licence / AEIA Class – I Company Approval, formerly
working in aircraft / aircraft maintenance areas, are eligible to become Aircraft Engineer (QA)
Maintenance. Such personnel shall be assigned task of quality assurance inspections and spot
check during aircraft / aircraft components maintenance activities due to their previous
experience and necessary technical knowledge of processes, products and working methods
applied in the assigned areas. Selection of personnel shall be based on qualifications, skills /
aptitude, analytical approach and specific knowledge of aviation legislation, quality standards,
maintenance processes, various computer applications, etc. Additional organizational procedures,
aviation legislation and human factors training shall be provided to such personnel. Ramp
inspections of PIA Owned Aircraft shall be performed as planned by Deputy Chief Engineer
(QA) Maintenance. The selection of Aircraft for Ramp Inspection shall be based on the Flight
Number / Sector / destination, planning shall be such that complete schedule is encompassed.
The ideology of Ramp Inspections shall be driven from the EASA ‘Safety Assessment of
Foreign Aircraft’ (SAFA) regulation. Spot Checks are performed to monitor organizational
procedures implementation in day to-day maintenance activities on aircraft / aircraft components
(Refer AMP 3-1 for details). Deputy Chief Engineer (QA) Maintenance shall plan such activities
and nominate Aircraft Engineer (QA) Maintenance to perform Spot Checks. ‘Discrepancy
Report / Corrective Action Request’ (Refer AMP 3-1 for sample) shall be raised against any
finding during spot check process. Such request shall be handed over to concerned section for
appropriate corrective action. Deputy Chief Engineer (concerned) shall ensure that an
appropriate, timely corrective action against the finding has been taken and finding has been
eliminated in an effective manner. Such action shall be recorded and submitted to Deputy Chief
Engineer (QA)Maintenance within 07 days period. Deputy Chief Engineer (QA) Maintenance
shall ensure that all records related to Spot Checks / Ramp Inspections shall be archived for a
period of at least two years after closure of particular finding.
.
Store Quality Inspector (Incoming Stores Inspection):

Selection for Store Quality Inspectors in the organization shall be based on technical training,
competence, experience and ability to perform inspection functions. Five years aircraft / aircraft
component maintenance experience shall be considered as minimum mandatory
requirement.Stores Quality Inspectors shall be made familiar with regulatory requirements,
applicable organizational procedures and aircraft components / material acceptance criteria
(EASA Form 1, FAA 8130-3 / TCA 24-0078 with double release or Certificate of
Conformity).Comprehensive initial training shall be provided to technical staff and assessment
shall be performed by Technical Assistant to Chief Engineer (Quality Assurance). Such
personnel shall be designated as Stores Quality Inspectors and ‘Inspection Permit’(Class – II)
shall be issued by Chief Engineer (Quality Assurance). Such permit shall authorize Store Quality
Inspector to issue Serviceable Tag (Certificate of Inspection) for incoming stores. Continuation
training shall be provided to Stores Quality Inspectors in every two-year period, planned by
Deputy Chief Engineer (HR, Training & Automation). Continuation training shall be
accomplished through amalgamation of classroom session and dissemination of information
through issuance of technical publications such as Quality Alerts / Advisories, Technical
Notices, Human Factor Bulletins, etc. Essential topics to be covered in continuation training are
as follows:

i. Amendments in EASA Part-145

ii. Changes in organizational procedures
iii. Aviation legislation and Human factor issues

Deputy Chief Engineer (HR, Training & Automation) shall archive all training records for such
personnel. Record of Store Quality Inspectors’ qualifications and authorizations shall be archived
by Technical Assistant to Chief Engineer (Quality Assurance).

COMPETENCE ASSESSMENT OF PERSONNEL:

PURPOSE:

To describe PIA Engineering & Maintenance policies for the competence assessment
ofmanagement personnel, Certifying Staff and Quality Assurance personnel.

PROCEDURE:

Generalities:

Performance appraisal for all personnel with respect to their duties and responsibilities shall be
carried out on yearly basis. However, the competence assessment of Certifying Staff and Quality
Assurance personnel with respect to specific functions / tasks shall be carried out during process
of issuance / revalidation of relevant Authorizations’. The competence assessment shall be
performed on following principles:

♦ Knowledge of organizational procedures laid down in Maintenance organization Exposition

(MOE), Associate Maintenance Procedures (AMP) and other applicable documents.

♦ Awareness of regulations / requirements, issued by the International Civil Aviation

organization (ICAO), European Aviation Safety Agency (EASA), Federal Aviation
Administration (FAA), Pakistan Civil Aviation Authority (CAA-Pak) and ability to fulfill their
obligations for compliance in the organization

♦ Comprehension of human performance limitations and human factors leading to maintenance

errors during aircraft / aircraft component maintenance

Assessment of Management Personnel:

Credentials of individual shall be submitted for initial assessment to Competent Authority prior
to approval as management personnel. Performance appraisal of management personnel shall
establish competency on following, in addition to above general items:

♦ Comprehension on technical issues, with competence to resolve all procedural and technical
complications falling under his responsibilities

♦ Managerial skills including leadership qualities and ability to motivate teams, whilst practicing
good human factor principles

♦ Understanding the application of modern quality concepts in the organization

♦ Ability to ensure that all required maintenance is performed as per maintenance data and when
inability to perform / complete a particular task is evident, problem shall be reported to Chief
Engineer (Quality Assurance) for appropriate action.

♦ Comprehension of Supervisor also performing maintenance tasks, that such task must not be
undertaken when incompatible with any management responsibility.

Assessment of Quality Assurance Personnel:

It shall be ensured that Aircraft Engineers in Engineering Quality Assurance shall have similar
technical qualifications and status to those working in maintenance areas for reasons of integrity
and objectivity. Quality Assurance personnel shall be assessed for competence upon selection
and issuance / revalidation of relevant authorizations by Chief Engineer (Quality Assurance).
Deputy Chief Engineer (Quality Audit) shall perform competence assessment of Quality Audit
personnel. Aircraft Engineer (Quality Audit) shall be able to monitor compliance with Part-145
requirements, identifying non-compliance in an effective / timely manner. During assessment, in
addition to items listed in generalities, it shall be determined that Quality Assurance personnel
possess skills / aptitude, analytical approach and specific knowledge of aviation legislation,
quality standards, maintenance processes, various computer applications, etc.

Technology Requirements:

New Technology:

The system should be designed in such a way as to easily allow the incorporation of new
technologies, as they become available.
Multiple Environments:

In addition to the production environment, the system must support independent copies for
training, development, and test environments. These environments must be sufficiently isolated
from production and from each other so that operations in one environment do not affect those of
another. The environments will be employed as follows:

Production – all production processing will be performed in this environment.

Development – all development activities including unit and system testing will be conducted in
this environment.

Test – after all development, unit and system testing has been completed, this environment will
be used for User Acceptance Testing before the system is accepted into production.

Training – for all in-house implementation and post implementation training activities

System Performance:

The system must be responsive with high availability feature. The system should support rapid
fail-over or redeployment in the event of problems or planned maintenance. Ninety-nine percent
of all fail-over events must take place in less than five minutes. Any volume (batch) processing
must not interfere with online responsiveness or availability. Contractor must provide system
availability figures of its proposed solution. In case various components have different values,
these must be specifically mentioned.

Archive and Purge:

The system must support the periodic archival and purging of unused or obsolete information.
Archived information should be available for historical reporting in such a manner that queries
could be performed on archived data using automated data retrieval functions. Contractor must
provide a complete data archival plan.

Recovery:

The system must automatically recover to the last complete prior transaction in the event of a
failure. Confidential transaction failed and that it must be re-entered. Recovery must occur
without operator intervention. Contractor must provide contingency and backup recovery
procedures with guaranteed Service Level Agreements (SLAs).

Backup and Reorganization:

The system must provide for the unattended daily backup of all information and data to a media
that can be stored offsite for disaster recovery purposes. Backups must not prevent the system
from being available at all times and must not disrupt system operations. There should be no
performance degradation during data backup. Database reorganizations should not significantly
impair system availability. Contractor must provide the calculation of time taken to backup data
with respect to data size increase.

Print Management:

The system should provide a method for managing the print environment for report distribution
so that reports are directed to the appropriate print facility. Both high speeds centralized printing
facilities as well as local LAN-based printing facilities will be employed in addition to printing
over internet / intranet.

Technology Architecture:

The Contractor should provide recommendations of the technology architecture with the
following features preference:

 N-tiered Client/Server architecture incorporating thin presentation-logic-client

communicating with client-neutral, server-based applications, communicating with the
database.

 Thin client, for remote users.

 Applications distributed at servers located at Head Office

 Centralized database, located at Head Office

 While designing the technology architecture, the Contractor should ensure that the
following are kept under consideration:

 Solution should be scalable with complete platform independence – PIA does not intend
to be tied down to a single platform

 Solution should be effortlessly portable from one system to another

 Should provide support for different flavors of UNIX; however it should be a totally
interoperable solution

 There must be open source support. In this context, the Contractor must specify the
current scenario vis-à-vis the solution offered and the future roadmap

 Optimization of licensing costs for the platform software

 PIA‘s existing Local and Wide Area Network, and minimization of Wide Area Network
bandwidth requirements.
Simplicity of System Administration and Operations:

Ease of business continuity planning and execution.

Authentication:

The system must support authentication methods that will assure that only authorized users are
able to access protected data and transactions. These could include support for digital signatures
and PKI infrastructure also.

System Availability:

Overall it should be a highly available solution. It must be available for access by authorized
personnel from anywhere at any time of the day or night (24 x 7 availability). The system must
be equally usable from remote locations as from the Head Office. Web-based access should be
supported.

Transaction Timing:

The system must support real time operations. Changes to data or the status of processes should
be immediately available in the system. System operations should not artificially constrain the
business processes supported by the system. The system must support effective dating for
transactions, including both future and retroactive changes. The authority for such transactions
must be included in the security capabilities of the system. The assignment of a retroactive date
must generate the changes required to bring the system up to the current date.

Online Documentation and Training:

The system must include customizable online documentation and training materials such as
context-specific help, search capability, business process documentation and process maps.

Storage / Record Retrieval:

Record collection and retention is an important organizational requirement. The ability to easily
archive, retain and access records is required. Records retention procedures must allow
information to be stored in a way that can be accessible indefinitely.

Communication:

The system should foster information sharing at all levels of the organization. For example,
policy directives and goals should be incorporated into the budget planning process; departments
should be able to share purchasing intentions and specifications and “best business practices”
should be readily available for consultation. In addition, the system should provide a single place
for users to quickly access information and updates on organizational news and policies.
Flexibility:

The system must be easily reconfigured to respond to changes in business practices, policy
directives, organization structure, statutes and regulations. As business requirements change, the
system must also change to support the new requirements. Flexibility should extend both to
enterprise-wide as well as industry specific practices.

Analytic Tools:

PIA desires decision support tools and information bases that are fully integrated with the system
to facilitate strategic planning, tactical operations and organization-wide analysis.
The system should support the easy movement of data to common packaged PC-based
applications such as Microsoft Office. The system should include the ability to locate
information or text through a search capability. The system should be capable of producing
“what if” scenarios to support decision-making.

Reporting / Inquiry:

The system must include comprehensive inquiry / reporting tools that allow for easy access to
authorized data. Executive interfaces to the data with “drill down” capability to examine details
should be included in these tools. It should also be possible to create reports that reflect status as
of a specified point in time. Standard reports should be included to serve as models for
customized reporting and to provide for basic functional reports. Report wizards or similar
techniques should be available to guide users through report creation. The system must be
designed such that reporting activities do not compromise responsiveness of the interactive
system. Reports should be formatted to print on local PC and LAN attached printers, centralized
high-speed printers, as well as over internet and intranet. It should be possible to deliver fixed
reports to users on a pre-determined schedule to be reviewed online, to be retained online or to
be printed at the user‘s discretion. System should be able to deliver the reports using its own
messaging / workflow engine as well as PIA‘s email system, Lotus Notes. The system should be
able to demonstrate useful demographic and forecasting capabilities; support text-based,
parameterized and wild-card searches; and provide users the ability to develop ad hoc reports at
their discretion.

Access Control:

The system must support multiple levels of security while providing single sign-on facility to the
users. This includes protecting certain fields from unauthorized access. In addition, access to
certain functions and data must be protected until they are approved by PIA‘s concerned policy
makers. Application security should be integrated with database security. Data files / tables
should only be accessed through the ERP; direct access through different query languages should
not be possible. Templates or group functions should be provided to facilitate maintenance.
Changes in assignment (employee transfers) or termination / retirement should automatically
trigger a review of the employee‘s security privileges. Comprehensive logs of transactions and
security incidents must be maintained for auditing purposes. System should provide
authorization, authentication, integrity and non-repudiation facilities for critical transactions.
Password length as per industry standards should be supported. System should be capable to
maintain audit trails and logs, allow secure remote login and support digital signature and time
stamp, etc.

Security Control:
Encryption: An ideal encryption strategy allows data to be stored on the memory drive, but
renders the data useless without the required encryption key, which is usually a strong encryption
key. Encryption is a good method to protect information written to the device from loss or theft
of the device. So they should apply encryption on all the important documents to secure the
important data.

Enforce security personnel:

For the purpose of each system security automatic locks are configured on the desktop computers
which automatically lock the system when unattended for few minutes.

Update the antivirus policy:

The organization should configure antivirus software to scan all the attached drives and
removable media and the user must scan all the files before opening them.

Include return information:

In the event that a flash drive is lost or misplaced, including a small, readable text file with return
information could help to retrieve the device. It also is prudent to include a legal disclaimer that
clearly identifies the information on the drive as confidential and protected by law.

Protection of printers:

The organization should also protect its printers as today’s printers store document contents in
their on board memories so the printer should be protected because if the hacker steals the printer
and access that memory than he might get some important information through it.

Standards for E-mail Security:

To improve the e-mail security, organization should:

 Address the security aspects of the deployment of mail server through maintenance and
administration standards.
 Ensure that the mail server application is deployed, configured and managed to meet the
security policy and guidelines laid down by management.
  Consider the implementation of encryption technologies to protect user authentication
and mail data.

Identification and authentication:

Identification and authentication in logical access control software is the process of establishing
and proving one’s identity.