Regulation (EU) No 965/2012
(a) The operator shall establish, implement and maintain a management system that includes:
(1) clearly defined lines of responsibility and accountability throughout the operator, including a direct safety accountability of the accountable manager;
(2) a description of the overall philosophies and principles of the operator with regard to safety, referred to as the safety policy;
(3) the identification of aviation safety hazards entailed by the activities of the operator, their evaluation and the management of associated risks, including taking actions to mitigate the risk and verify their effectiveness;
(4) maintaining personnel trained and competent to perform their tasks;
(5) documentation of all management system key processes, including a process for making personnel aware of their responsibilities and the procedure for amending this documentation;
(6) a function to monitor compliance of the operator with the relevant requirements. Compliance monitoring shall include a feedback system of findings to the accountable manager to ensure effective implementation of corrective actions as necessary; and
(7) any additional requirements that are prescribed in the relevant Subparts of this Annex or other applicable Annexes.
(b) The management system shall correspond to the size of the operator and the nature and complexity of its activities, taking into account the hazards and associated risks inherent in these activities.
NON-COMPLEX OPERATORS — GENERAL
(a) Safety risk management may be performed using hazard checklists or similar risk management tools or processes, which are integrated into the activities of the operator.
(b) The operator should manage safety risks related to a change. The management of change should be a documented process to identify external and internal change that may have an adverse effect on safety. It should make use of the operator’s existing hazard identification, risk assessment and mitigation processes.
(c) The operator should identify a person who fulfils the role of safety manager and who is responsible for coordinating the safety-management-related processes and tasks. This person may be the accountable manager or a person with an operational role within the operator.
(d) Within the operator, responsibilities should be identified for hazard identification, risk assessment and mitigation.
(e) The safety policy should include a commitment to improve towards the highest safety standards, comply with all applicable legal requirements, meet all applicable standards, consider best practices and provide appropriate resources.
(f) The operator should, in cooperation with other stakeholders, develop, coordinate and maintain an emergency response plan (ERP) that ensures orderly and safe transition from normal to emergency operations and return to normal operations. The ERP should provide the actions to be taken by the operator or specified individuals in an emergency and reflect the size, nature and complexity of the activities performed by the operator.
COMPLEX OPERATORS — ORGANISATION AND ACCOUNTABILITIES
The management system of an operator should encompass safety by including a safety manager and a safety review board in the organisational structure.
(a) Safety manager
(1) The safety manager should act as the focal point and be responsible for the development, administration and maintenance of an effective safety management system.
(2) The functions of the safety manager should be to:
(i) facilitate hazard identification, risk analysis and management;
(ii) monitor the implementation of actions taken to mitigate risks, as listed in the safety action plan;
(iii) provide periodic reports on safety performance;
(iv) ensure maintenance of safety management documentation;
(v) ensure that there is safety management training available and that it meets acceptable standards;
(vi) provide advice on safety matters; and
(vii) ensure initiation and follow-up of internal occurrence/accident investigations.
(3) If more than one person is designated for the safety management function, the accountable manager should identify the person who acts as the unique focal point (i.e. the 'safety manager').
(b) Safety review board
(1) The safety review board should be a high level committee that considers matters of strategic safety in support of the accountable manager’s safety accountability.
(2) The board should be chaired by the accountable manager and be composed of heads of functional areas.
(3) The safety review board should monitor:
(i) safety performance against the safety policy and objectives;
(ii) that any safety action is taken in a timely manner; and
(iii) the effectiveness of the operator’s safety management processes.
(c) The safety review board should ensure that appropriate resources are allocated to achieve the established safety performance.
(d) The safety manager or any other relevant person may attend, as appropriate, safety review board meetings. He/she may communicate to the accountable manager all information, as necessary, to allow decision making based on safety data.
SAFETY MANAGER
(a) Depending on the size of the operator and the nature and complexity of its activities, the safety manager may be assisted by additional safety personnel for the performance of all safety management related tasks.
(b) Regardless of the organisational set-up it is important that the safety manager remains the unique focal point as regards the development, administration and maintenance of the operator’s safety management system.
COMPETENCIES OF THE SAFETY MANAGER
(c) The safety manager as defined under AMC1 ORO.GEN.200(a)(1) is expected to support, facilitate and lead the implementation and maintenance of the safety management system, fostering an organisational culture for an effective safety management, risk management and occurrence reporting. The competencies for a safety manager should thus include, but not be limited to, the following:
(1) Knowledge of:
(i) ICAO standards and European requirements and provisions on safety management;
(ii) basic safety investigation techniques; and
(iii) human factors in aviation.
(2) Relevant and documented work experience, preferably in a comparable position, in:
(i) management systems including compliance monitoring systems and safety management;
(ii) risk management; and
(iii) the operations of the organisation.
(3) Other suitable competencies
(i) the promotion of a positive safety culture;
(ii) interpersonal, influencing and leadership skills;
(iii) oral and written communication skills;
(iv) data management, analytical and problem-solving skills;
(v) professional integrity.
COMPLEX OPERATORS — SAFETY ACTION GROUP
(a) A safety action group may be established as a standing group or as an ad-hoc group to assist or act on behalf of the safety review board.
(b) More than one safety action group may be established depending on the scope of the task and specific expertise required.
(c) The safety action group should report to and take strategic direction from the safety review board and should be comprised of managers, supervisors and personnel from operational areas.
(d) The safety action group should:
(1) monitor operational safety;
(2) define actions to mitigate the identified safety risks;
(3) assess the impact on safety of operational changes; and
(4) ensure that safety actions are implemented within agreed timescales.
(e) The safety action group should review the effectiveness of previous safety recommendations and safety promotion.
MEANING OF THE TERMS ‘ACCOUNTABILITY’ AND ‘RESPONSIBILITY’
In the English language, the notion of accountability is different from the notion of responsibility. Whereas ‘accountability’ refers to an obligation which cannot be delegated, ‘responsibility’ refers to an obligation that can be delegated.
COMPLEX OPERATORS — SAFETY POLICY
(a) The safety policy should:
(1) be endorsed by the accountable manager;
(2) reflect organisational commitments regarding safety and its proactive and systematic management;
(3) be communicated, with visible endorsement, throughout the operator; and
(4) include safety reporting principles.
(b) The safety policy should include a commitment:
(1) to improve towards the highest safety standards;
(2) to comply with all applicable legislation, meet all applicable standards and consider best practices;
(3) to provide appropriate resources;
(4) to enforce safety as one primary responsibility of all managers; and
(5) not to blame someone for reporting something which would not have been otherwise detected.
(c) Senior management should:
(1) continually promote the safety policy to all personnel and demonstrate their commitment to it;
(2) provide necessary human and financial resources for its implementation; and
(3) establish safety objectives and performance standards.
SAFETY POLICY
The safety policy is the means whereby the operator states its intention to maintain and, where practicable, improve safety levels in all its activities and to minimise its contribution to the risk of an aircraft accident as far as is reasonably practicable.
The safety policy should state that the purpose of safety reporting and internal investigations is to improve safety, not to apportion blame to individuals.
COMPLEX OPERATORS — SAFETY RISK MANAGEMENT
(a) Hazard identification processes
(1) Reactive and proactive schemes for hazard identification should be the formal means of collecting, recording, analysing, acting on and generating feedback about hazards and the associated risks that affect the safety of the operational activities of the operator.
(2) All reporting systems, including confidential reporting schemes, should include an effective feedback process.
(b) Risk assessment and mitigation processes
(1) A formal risk management process should be developed and maintained that ensures analysis (in terms of likelihood and severity of occurrence), assessment (in terms of tolerability) and control (in terms of mitigation) of risks to an acceptable level.
(2) The levels of management who have the authority to make decisions regarding the tolerability of safety risks, in accordance with (b)(1), should be specified.
(c) Internal safety investigation
(1) The scope of internal safety investigations should extend beyond the scope of occurrences required to be reported to the competent authority.
(d) Safety performance monitoring and measurement
(1) Safety performance monitoring and measurement should be the process by which the safety performance of the operator is verified in comparison to the safety policy and objectives.
(2) This process should include:
(i) safety reporting, addressing also the status of compliance with the applicable requirements;
(ii) safety studies, that is, rather large analyses encompassing broad safety concerns;
(iii) safety reviews including trends reviews, which would be conducted during introduction and deployment of new technologies, change or implementation of procedures, or in situations of structural change in operations;
(iv) safety audits focussing on the integrity of the operator’s management system, and periodically assessing the status of safety risk controls; and
(v) safety surveys, examining particular elements or procedures of a specific operation, such as problem areas or bottlenecks in daily operations, perceptions and opinions of operational personnel and areas of dissent or confusion.
(e) The management of change
The operator should manage safety risks related to a change. The management of change should be a documented process to identify external and internal change that may have an adverse effect on safety. It should make use of the operator’s existing hazard identification, risk assessment and mitigation processes.
(f) Continuous improvement
The operator should continuously seek to improve its safety performance. Continuous improvement should be achieved through:
(1) proactive and reactive evaluations of facilities, equipment, documentation and procedures through safety audits and surveys;
(2) proactive evaluation of individuals’ performance to verify the fulfilment of their safety responsibilities; and
(3) reactive evaluations in order to verify the effectiveness of the system for control and mitigation of risk.
(g) The emergency response plan (ERP)
(1) An ERP should be established that provides the actions to be taken by the operator or specified individuals in an emergency. The ERP should reflect the size, nature and complexity of the activities performed by the operator.
(2) The ERP should ensure:
(i) an orderly and safe transition from normal to emergency operations;
(ii) safe continuation of operations or return to normal operations as soon as practicable; and
(iii) coordination with the emergency response plans of other organisations, where appropriate.
INTERNAL SAFETY REPORTING SCHEME
(a) The overall purpose of the internal safety reporting scheme is to use reported information to improve the level of the safety performance of the operator and not to attribute blame.
(b) The objectives of the scheme are to:
(1) enable an assessment to be made of the safety implications of each relevant incident and accident, including previous similar occurrences, so that any necessary action can be initiated; and
(2) ensure that knowledge of relevant incidents and accidents is disseminated, so that other persons and operators may learn from them.
(c) The scheme is an essential part of the overall monitoring function and it is complementary to the normal day-to-day procedures and ‘control’ systems and is not intended to duplicate or supersede any of them. The scheme is a tool to identify those instances where routine procedures have failed.
(d) All occurrence reports judged reportable by the person submitting the report should be retained as the significance of such reports may only become obvious at a later date.
RISK MANAGEMENT OF FLIGHT OPERATIONS WITH KNOWN OR FORECAST VOLCANIC ASH CONTAMINATION
(a) Responsibilities
The operator is responsible for the safety of its operations, including within an area with known or forecast volcanic ash contamination.
The operator should complete this assessment of safety risks related to known or forecast volcanic ash contamination as part of its management system before initiating operations into airspace forecast to be or aerodromes/operating sites known to be contaminated with volcanic ash.
This process is intended to ensure the operator takes account of the likely accuracy and quality of the information sources it uses in its management system and to demonstrate its own competence and capability to interpret data from different sources in order to achieve the necessary level of data integrity reliably and correctly resolve any conflicts among data sources that may arise.
In order to decide whether or not to operate into airspace forecast to be or aerodromes/operating sites known to be contaminated with volcanic ash, the operator should make use of the safety risk assessment within its management system, as required by ORO.GEN.200.
The operator’s safety risk assessment should take into account all relevant data including data from the type certificate holders (TCHs) regarding the susceptibility of the aircraft they operate to volcanic cloud-related airworthiness effects, the nature and severity of these effects and the related pre-flight, in-flight and post-flight precautions to be observed by the operator.
The operator should ensure that personnel required to be familiar with the details of the safety risk assessments receives all relevant information (both pre-flight and in-flight) in order to be in a position to apply appropriate mitigation measures as specified by the safety risk assessments.
(b) Procedures
The operator should have documented procedures for the management of operations into airspace forecast to be or aerodromes/operating sites known to be contaminated with volcanic ash.
These procedures should ensure that, at all times, flight operations remain within the accepted safety boundaries as established through the management system allowing for any variations in information sources, equipment, operational experience or organisation. Procedures should include those for flight crew, flight planners, dispatchers, operations, continuing airworthiness personnel such that they are in a position to evaluate correctly the risk of flights into airspace forecast to be contaminated by volcanic ash and to plan accordingly.
Continuing airworthiness personnel should be provided with procedures allowing them to correctly assess the need for and to execute relevant continuing airworthiness interventions.
The operator should retain sufficient qualified and competent staff to generate well supported operational risk management decisions and ensure that its staff are appropriately trained and current. It is recommended that the operator make the necessary arrangements for its relevant staff to take up opportunities to be involved in volcanic ash exercises conducted in their areas of operation.
(c) Volcanic activity information and operator’s potential response
Before and during operations, information valuable to the operator is generated by various volcano agencies worldwide. The operator’s risk assessment and mitigating actions need to take account of, and respond appropriately to, the information likely to be available during each phase of the eruptive sequence from pre-eruption through to end of eruptive activity. It is nevertheless noted that eruptions rarely follow a deterministic pattern of behaviour. A typical operator’s response may consist of the following:
(1) Pre-eruption
The operator should have in place a robust mechanism for ensuring that it is constantly vigilant for any alerts of pre-eruption volcanic activity relevant to its operations. The staff involved need to understand the threat to safe operations that such alerts represent.
An operator whose routes traverse large, active volcanic areas for which immediate International Airways Volcano Watch (IAVW) alerts may not be available, should define its strategy for capturing information about increased volcanic activity before pre-eruption alerts are generated. For example, an operator may combine elevated activity information with information concerning the profile and history of the volcano to determine an operating policy, which could include re-routing or restrictions at night. This would be useful when dealing with the 60% of volcanoes which are unmonitored.
Such an operator should also ensure that its crews are aware that they may be the first to observe an eruption and so need to be vigilant and ready to ensure that this information is made available for wider dissemination as quickly as possible.
(2) Start of an eruption
Given the likely uncertainty regarding the status of the eruption during the early stages of an event and regarding the associated volcanic cloud, the operator’s procedures should include a requirement for crews to initiate re-routes to avoid the affected airspace.
The operator should ensure that flights are planned to remain clear of the affected areas and that consideration is given to available aerodromes/operating sites and fuel requirements.
It is expected that the following initial actions will be taken by the operator:
(i) determine if any aircraft in flight could be affected, alert the crew and provide advice on re-routing and available aerodromes/operating sites as required;
(ii) alert management;
(iii) for flight departures, brief flight crew and revise flight and fuel planning in accordance with the safety risk assessment;
(iv) alert flight crew and operations staff to the need for increased monitoring of information (e.g. special air report (AIREP), volcanic activity report (VAR), significant weather information (SIGMET), NOTAMs and company messages);
(v) initiate the gathering of all data relevant to determining the risk; and
(vi) apply mitigations identified in the safety risk assessment.
(3) On-going eruption
As the eruptive event develops, the operator can expect the responsible Volcanic Ash Advisory Centre (VAAC) to provide volcanic ash advisory messages (VAA/VAGs) defining, as accurately as possible, the vertical and horizontal extent of areas and layers of volcanic clouds. As a minimum, the operator should monitor, and take account of, this VAAC information as well as of relevant SIGMETs and NOTAMs.
Other sources of information are likely to be available such as VAR/AIREPs, satellite imagery and a range of other information from State and commercial organisations. The operator should plan its operations in accordance with its safety risk assessment taking into account the information that it considers accurate and relevant from these additional sources.
The operator should carefully consider and resolve differences or conflicts among the information sources, notably between published information and observations (pilot reports, airborne measurements, etc.).
Given the dynamic nature of the volcanic hazards, the operator should ensure that the situation is monitored closely and operations adjusted to suit changing conditions.
The operator should be aware that the affected or danger areas may be established and presented in a different way than the one currently used in Europe, as described in EUR Doc 019-NAT Doc 006.
The operator should require reports from its crews concerning any encounters with volcanic emissions. These reports should be passed immediately to the appropriate air traffic services (ATS) unit and to the operator’s competent authority.
For the purpose of flight planning, the operator should treat the horizontal and vertical limits of the temporary danger area (TDA) or airspace forecast to be contaminated by volcanic ash as applicable, to be overflown as it would mountainous terrain, modified in accordance with its safety risk assessment. The operator should take account of the risk of cabin depressurisation or engine failure resulting in the inability to maintain level flight above a volcanic cloud, especially when conducting ETOPS operations. Additionally, minimum equipment list (MEL) provisions should be considered in consultation with the TCHs.
Flying below volcanic ash contaminated airspace should be considered on a case-by-case basis. It should only be planned to reach or leave an aerodrome/operating site close to the boundary of this airspace or where the ash contamination is very high and stable. The establishment of Minimum Sector Altitude (MSA) and the availability of aerodromes/operating sites should be considered.
(d) Safety risk assessment
When directed specifically at the issue of intended flight into airspace forecast to be or aerodromes/operating sites known to be contaminated with volcanic ash, the process should involve the following:
(1) Identifying the hazards
The generic hazard, in the context of this document, is airspace forecast to be or aerodromes/operating sites known to be contaminated with volcanic ash, and whose characteristics are harmful to the airworthiness and operation of the aircraft.
This GM is referring to volcanic ash contamination since it is the most significant hazard for flight operations in the context of a volcanic eruption. Nevertheless, it might not be the only hazard and therefore the operator should consider additional hazards which could have an adverse effect on aircraft structure or passengers safety such as gases.
Within this generic hazard, the operator should develop its own list of specific hazards taking into account its specific aircraft, experience, knowledge and type of operation, and any other relevant data stemming from previous eruptions.
(2) Considering the severity and consequences of the hazard occurring (i.e. the nature and actual level of damage expected to be inflicted on the particular aircraft from exposure to that volcanic ash cloud).
(3) Evaluating the likelihood of encountering volcanic ash clouds with characteristics harmful to the safe operation of the aircraft.
For each specific hazard within the generic hazard, the likelihood of adverse consequences should be assessed, either qualitatively or quantitatively.
(4) Determining whether the consequent risk is acceptable and within the operator’s risk performance criteria.
At this stage of the process, the safety risks should be classified as acceptable or unacceptable. The assessment of tolerability will be subjective, based on qualitative data and expert judgement, until specific quantitative data are available in respect of a range of parameters.
(5) Taking action to reduce the safety risk to a level that is acceptable to the operator’s management.
Appropriate mitigation for each unacceptable risk identified should then be considered in order to reduce the risk to a level acceptable to the operator’s management.
(e) Procedures to be considered when identifying possible mitigations actions
When conducting a volcanic ash safety risk assessment, the operator should consider the following non-exhaustive list of procedures and processes as mitigation:
(1) Type certificate holders
Obtaining advice from the TCHs and other engineering sources concerning operations in potentially contaminated airspace and/or aerodromes/operating sites contaminated by volcanic ash.
This advice should set out:
(i) the features of the aircraft that are susceptible to airworthiness effects related to volcanic ash;
(ii) the nature and severity of these effects;
(iii) the effect of volcanic ash on operations to/from contaminated aerodromes/operating sites, including the effect on take-off and landing aircraft performance;
(iv) the related pre-flight, in-flight and post-flight precautions to be observed by the operator including any necessary amendments to aircraft operating manuals, aircraft maintenance manuals, master minimum equipment list/dispatch deviation or equivalents; and
(v) the recommended inspections associated with operations in volcanic ash potentially contaminated airspace and operations to/from volcanic ash contaminated aerodromes/operating sites; this may take the form of instructions for continuing airworthiness or other advice.
(2) Operator/contracted organisations’ personnel
Definition of procedures for flight planning, operations, engineering and maintenance ensuring that:
(i) personnel responsible for flight planning are in a position to evaluate correctly the risk of encountering volcanic ash contaminated airspace, or aerodromes/operating sites, and can plan accordingly;
(ii) flight planning and operational procedures enable crews to avoid areas and aerodromes/operating sites with unacceptable volcanic ash contamination;
(iii) flight crew are aware of the possible signs of entry into a volcanic ash cloud and execute the associated procedures;
(iv) continuing airworthiness personnel are able to assess the need for and to execute any necessary maintenance or other required interventions; and
(v) crews are provided with appropriate aircraft performance data when operating to/from aerodromes/operating sites contaminated with volcanic ash.
(3) Provision of enhanced flight watch
This should ensure:
(i) close and continuous monitoring of VAA, VAR/AIREP, SIGMET, NOTAM, ASHTAM and other relevant information, and information from crews, concerning the volcanic ash cloud hazard;
(ii) access to plots of the affected areas from SIGMETs, NOTAMs and relevant company information for crews and personnel responsible for the management and the supervision of the flight operations; and
(iii) communication of the latest information to crews and personnel responsible for the management and the supervision of the flight operations in a timely fashion.
(4) Flight planning
Flexibility of the process to allow re-planning at short notice should conditions change.
(5) Departure, destination and alternate aerodromes
For the airspace to be traversed, or the aerodromes/operating sites in use, parameters to evaluate and take account of:
(i) the probability of contamination;
(ii) any additional aircraft performance requirements;
(iii) required maintenance considerations;
(iv) fuel requirements for re-routeing and extended holding.
(6) Routing policy
Parameters to evaluate and take account of:
(i) the shortest period in and over the forecast contaminated area;
(ii) the hazards associated with flying over the contaminated area;
(iii) drift down and emergency descent considerations;
(iv) the policy for flying below the contaminated airspace and the associated hazards.
(7) Diversion policy
Parameters to evaluate and take account of:
(i) maximum allowed distance from a suitable aerodrome/operating site;
(ii) availability of aerodromes/operating sites outside the forecast contaminated area;
(iii) diversion policy after an volcanic ash encounter.
(8) Minimum equipment list (MEL)
Additional provisions in the MEL for dispatching aircraft with unserviceabilities that might affect the following non-exhaustive list of systems:
(i) air conditioning packs;
(ii) engine bleeds;
(iii) pressurisation system;
(iv) electrical power distribution system;
(v) air data system;
(vi) standby instruments;
(vii) navigation systems;
(viii) de-icing systems;
(ix) engine-driven generators;
(x) auxiliary power unit (APU);
(xi) airborne collision avoidance system (ACAS);
(xii) terrain awareness warning system (TAWS);
(xiii) autoland systems;
(xiv) provision of crew oxygen;
(xv) supplemental oxygen for passengers.
(9) Standard operating procedures
Crew training to ensure they are familiar with normal and abnormal operating procedures and particularly any changes regarding but not limited to:
(i) pre-flight planning;
(ii) in-flight monitoring of volcanic ash cloud affected areas and avoidance procedures;
(iii) diversion;
(iv) communications with ATC;
(v) in-flight monitoring of engine and systems potentially affected by volcanic ash cloud contamination;
(vi) recognition and detection of volcanic ash clouds and reporting procedures;
(vii) in-flight indications of a volcanic ash cloud encounter;
(viii) procedures to be followed if a volcanic ash cloud is encountered;
(ix) unreliable or erroneous airspeed;
(x) non-normal procedures for engines and systems potentially affected by volcanic ash cloud contamination;
(xi) engine-out and engine relight;
(xii) escape routes; and
(xiii) operations to/from aerodromes/operating sites contaminated with volcanic ash.
(10) Provision for aircraft technical log
This should ensure:
(i) systematic entry in the aircraft technical log related to any actual or suspected volcanic ash encounter whether in-flight or at an aerodrome/operating site; and
(ii) checking, prior to flight, of the completion of maintenance actions related to an entry in the aircraft technical log for a volcanic ash cloud encounter on a previous flight.
(11) Incident reporting
Crew requirements for:
(i) reporting an airborne volcanic ash cloud encounter (VAR);
(ii) post-flight volcanic ash cloud reporting (VAR);
(iii) reporting non-encounters in airspace forecast to be contaminated; and
(iv)filing a mandatory occurrence report in accordance with ORO.GEN.160.
(12) Continuing airworthiness procedures
Procedures when operating in or near areas of volcanic ash cloud contamination:
(i) enhancement of vigilance during inspections and regular maintenance and appropriate adjustments to maintenance practices;
(ii) definition of a follow-up procedure when a volcanic ash cloud encounter has been reported or suspected;
(iii) thorough investigation for any sign of unusual or accelerated abrasions or corrosion or of volcanic ash accumulation;
(iv) reporting to TCHs and the relevant authorities observations and experiences from operations in areas of volcanic ash cloud contamination;
(v) completion of any additional maintenance recommended by the TCH or by the Competent Authority.
(f) Reporting
The operator should ensure that reports are immediately submitted to the nearest ATS unit using the VAR/AIREP procedures followed up by a more detailed VAR on landing together with, as applicable, a report, as defined in Commission Regulation (EU) No 996/2010 and Regulation (EU) No 376/2014, and an aircraft technical log entry for:
(1) any incident related to volcanic clouds;
(2) any observation of volcanic ash activity; and
(3) any time that volcanic ash is not encountered in an area where it was forecast to be.
(g) References
Further guidance on volcanic ash safety risk assessment is given in ICAO Doc. 9974 (Flight safety and volcanic ash — Risk management of flight operations with known or forecast volcanic ash contamination).
GM3 ORO.GEN.200(a)(3) Management system
ED Decision 2014/017/R
SAFETY RISK ASSESSMENT — RISK REGISTER
The results of the assessment of the potential adverse consequences or outcome of each hazard may be recorded by the operator in a risk register, an example of which is provided below.
|
Hazard |
Incident Sequence Description |
Existing Controls |
Outcome |
Additional Mitigation required |
Outcome |
Actions and Owners |
Monitoring and Review Requirements |
|||||
|
No. |
Description |
|||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
COMPLEX ORGANISATIONS — SAFETY RISK MANAGEMENT — INTERFACES BETWEEN ORGANISATIONS
(a) Hazard identification and risk assessment start with an identification of all parties involved in the arrangement, including independent experts and non-approved organisations. It extends to the overall control structure, assessing, in particular, the following elements across all subcontract levels and all parties within such arrangements:
(1) coordination and interfaces between the different parties;
(2) applicable procedures;
(3) communication between all parties involved, including reporting and feedback channels;
(4) task allocation responsibilities and authorities; and
(5) qualifications and competency of key personnel.
(b) Safety risk management focuses on the following aspects:
(1) clear assignment of accountability and allocation of responsibilities;
(2) only one party is responsible for a specific aspect of the arrangement — no overlapping or conflicting responsibilities, in order to eliminate coordination errors;
(3) existence of clear reporting lines, both for occurrence reporting and progress reporting;
(4) possibility for staff to directly notify the operator of any hazard suggesting an obviously unacceptable safety risk as a result of the potential consequences of this hazard.
TRAINING AND COMMUNICATION ON SAFETY
(a) Training
(1) All personnel should receive safety training as appropriate for their safety responsibilities.
(2) Adequate records of all safety training provided should be kept.
(b) Communication
(1) The operator should establish communication about safety matters that:
(i) ensures that all personnel are aware of the safety management activities as appropriate for their safety responsibilities;
(ii) conveys safety critical information, especially relating to assessed risks and analysed hazards;
(iii) explains why particular actions are taken; and
(iv) explains why safety procedures are introduced or changed.
(2) Regular meetings with personnel where information, actions and procedures are discussed may be used to communicate safety matters.
TRAINING AND COMMUNICATION ON SAFETY
The safety training programme may consist of self-instruction via the media (newsletters, flight safety magazines), classroom training, e-learning or similar training provided by training service providers.
MANAGEMENT SYSTEM DOCUMENTATION — GENERAL
(a) The operator’s management system documentation should at least include the following information:
(1) a statement signed by the accountable manager to confirm that the operator will continuously work in accordance with the applicable requirements and the operator’s documentation, as required by this Annex;
(2) the operator's scope of activities;
(3) the titles and names of persons referred to in ORO.GEN.210(a) and (b);
(4) an operator chart showing the lines of responsibility between the persons referred to in ORO.GEN.210;
(5) a general description and location of the facilities referred to in ORO.GEN.215;
(6) procedures specifying how the operator ensures compliance with the applicable requirements;
(7) the amendment procedure for the operator’s management system documentation.
(b) The operator’s management system documentation may be included in a separate manual or in (one of) the manual(s), as required by the applicable subpart(s). A cross-reference should be included.
COMPLEX OPERATORS — SAFETY MANAGEMENT MANUAL
(a) The safety management manual (SMM) should be the key instrument for communicating the approach to safety for the whole of the operator. The SMM should document all aspects of safety management, including the safety policy, objectives, procedures and individual safety responsibilities.
(b) The contents of the safety management manual should include all of the following:
(1) scope of the safety management system;
(2) safety policy and objectives;
(3) safety accountability of the accountable manager;
(4) safety responsibilities of key safety personnel;
(5) documentation control procedures;
(6) hazard identification and risk management schemes;
(7) safety action planning;
(8) safety performance monitoring;
(9) incident investigation and reporting;
(10) emergency response planning;
(11) management of change (including organisational changes with regard to safety responsibilities);
(12) safety promotion.
(c) The SMM may be contained in (one of) the manual(s) of the operator.
MANAGEMENT SYSTEM DOCUMENTATION — GENERAL
(a) It is not required to duplicate information in several manuals. The information may be contained in any of the operator manuals (e.g. operations manual), which may also be combined.
(b) The operator may also choose to document some of the information required to be documented in separate documents (e.g. procedures). In this case, it should ensure that manuals contain adequate references to any document kept separately. Any such documents are then to be considered an integral part of the operator’s management system documentation.
COMPLIANCE MONITORING — GENERAL
(a) Compliance monitoring
The implementation and use of a compliance monitoring function should enable the operator to monitor compliance with the relevant requirements of this Annex and other applicable Annexes.
(1) The operator should specify the basic structure of the compliance monitoring function applicable to the activities conducted.
(2) The compliance monitoring function should be structured according to the size of the operator and the complexity of the activities to be monitored.
(b) Organisations should monitor compliance with the procedures they have designed to ensure safe activities. In doing so, they should as a minimum, and where appropriate, monitor compliance with the following:
(1) privileges of the operator;
(2) manuals, logs, and records;
(3) training standards;
(4) management system procedures and manuals;
(5) activities of the organisation carried out under the supervision of the nominated persons in accordance with ORO.GEN.210(b); and
(6) any outsourced activities in accordance with ORO.GEN.205, for compliance with the contract.
(c) Organisational set up
(1) To ensure that the operator continues to meet the requirements of this Part and other applicable Parts, the accountable manager should designate a compliance monitoring manager. The role of the compliance monitoring manager is to ensure that the activities of the operator are monitored for compliance with the applicable regulatory requirements, and any additional requirements as established by the operator, and that these activities are carried out properly under the supervision of the relevant head of functional area.
(2) The compliance monitoring manager should be responsible for ensuring that the compliance monitoring programme is properly implemented, maintained and continually reviewed and improved.
(3) The compliance monitoring manager should:
(i) have direct access to the accountable manager;
(ii) not be one of the other persons referred to in ORO.GEN.210(b);
(iii) be able to demonstrate relevant knowledge, background and appropriate experience related to the activities of the operator, including knowledge and experience in compliance monitoring; and
(iv) have access to all parts of the operator, and as necessary, any contracted operator.
(4) In the case of a non-complex operator, this task may be exercised by the accountable manager provided he/she has demonstrated having the related competence as defined in (c)(3)(iii).
(5) In the case the same person acts as compliance monitoring manager and as safety manager, the accountable manager, with regards to his/her direct accountability for safety, should ensure that sufficient resources are allocated to both functions, taking into account the size of the operator and the nature and complexity of its activities.
(6) The independence of the compliance monitoring function should be established by ensuring that audits and inspections are carried out by personnel not responsible for the function, procedure or products being audited.
(7) If more than one person is designated for the compliance monitoring function, the accountable manager should identify the person who acts as the unique focal point (i.e. the 'compliance monitoring manager').
(d) Compliance monitoring documentation
(1) Relevant documentation should include the relevant part(s) of the operator’s management system documentation.
(2) In addition, relevant documentation should also include the following:
(i) terminology;
(ii) specified activity standards;
(iii) a description of the operator;
(iv) the allocation of duties and responsibilities;
(v) procedures to ensure regulatory compliance;
(vi) the compliance monitoring programme, reflecting:
(A) schedule of the monitoring programme;
(B) audit procedures including an audit plan that is implemented, maintained, and continually reviewed and improved;
(C) reporting procedures;
(D) follow-up and corrective action procedures; and
(E) recording system.
(vii) the training syllabus referred to in (e)(2);
(viii) document control.
(e) Training
(1) Correct and thorough training is essential to optimise compliance in every operator. In order to achieve significant outcome of such training, the operator should ensure that all personnel understand the objectives as laid down in the operator’s management system documentation.
(2) Those responsible for managing the compliance monitoring function should receive training on this task. Such training should cover the requirements of compliance monitoring, manuals and procedures related to the task, audit techniques, reporting and recording.
(3) Time should be provided to train all personnel involved in compliance management and for briefing the remainder of the personnel.
(4) The allocation of time and resources should be governed by the volume and complexity of the activities concerned.
COMPLIANCE MONITORING — GENERAL
(a) The organisational set-up of the compliance monitoring function should reflect the size of the operator and the nature and complexity of its activities. The compliance monitoring manager may perform all audits and inspections himself/herself or appoint one or more auditors by choosing personnel having the related competence as defined in AMC1 ORO.GEN.200(a)(6) point (c)(3)(iii), either from, within or outside the operator.
(b) Regardless of the option chosen it must be ensured that the independence of the audit function is not affected, in particular in cases where those performing the audit or inspection are also responsible for other functions for the operator.
(c) In case external personnel are used to perform compliance audits or inspections:
(1) any such audits or inspections are performed under the responsibility of the compliance monitoring manager; and
(2) the operator remains responsible to ensure that the external personnel has relevant knowledge, background and experience as appropriate to the activities being audited or inspected; including knowledge and experience in compliance monitoring.
(d) The operator retains the ultimate responsibility for the effectiveness of the compliance monitoring function, in particular for the effective implementation and follow-up of all corrective actions.
COMPLEX OPERATORS — COMPLIANCE MONITORING PROGRAMME
(a) Typical subject areas for compliance monitoring audits and inspections for operators should be, as applicable:
(1) actual flight operations;
(2) ground de-icing/anti-icing;
(3) flight support services;
(4) load control;
(5) technical standards.
(b) Operators should monitor compliance with the operational procedures they have designed to ensure safe operations, airworthy aircraft and the serviceability of both operational and safety equipment. In doing so, they should, where appropriate, additionally monitor the following:
(1) operational procedures;
(2) flight safety procedures;
(3) operational control and supervision;
(4) aircraft performance;
(5) all weather operations;
(6) communications and navigational equipment and practices;
(7) mass, balance and aircraft loading;
(8) instruments and safety equipment;
(9) ground operations;
(10) flight and duty time limitations, rest requirements, and scheduling;
(11) aircraft maintenance/operations interface;
(12) use of the MEL;
(13) flight crew;
(14) cabin crew;
(15) dangerous goods;
(16) security.
GM3 ORO.GEN.200(a)(6) Management system
ED Decision 2014/017/R
NON-COMPLEX OPERATORS — COMPLIANCE MONITORING
(a) Compliance monitoring audits and inspections may be documented on a ‘Compliance Monitoring Checklist’, and any findings recorded in a ‘Non-compliance Report’. The following documents may be used for this purpose.
|
COMPLIANCE MONITORING CHECKLIST Year: |
|||
|
Subject |
Date checked |
Checked by |
Comments/Non-compliance Report No. |
|
Flight Operations |
|||
|
Aircraft checklists checked for accuracy and validity |
|
|
|
|
Minimum five flight plans checked and verified for proper and correct information |
|
|
|
|
Flight planning facilities checked for updated manuals, documents and access to relevant flight information |
|
|
|
|
Incident reports evaluated and reported to the appropriate competent authority |
|
|
|
|
Ground Handling |
|||
|
Contracts with ground handling organisations established and valid, if applicable |
|
|
|
|
Instructions regarding fuelling and de-icing issued, if applicable |
|
|
|
|
Instructions regarding dangerous goods issued and known by all relevant personnel, if applicable |
|
|
|
|
Mass & Balance |
|||
|
Min. five load sheets checked and verified for proper and correct information, if applicable |
|
|
|
|
Aircraft fleet checked for valid weight check, if applicable |
|
|
|
|
Minimum one check per aircraft of correct loading and distribution, if applicable |
|
|
|
|
Training |
|||
|
Training records updated and accurate |
|
|
|
|
All pilot licenses checked for currency, correct ratings and valid medical check |
|
|
|
|
All pilots received recurrent training |
|
|
|
|
Training facilities & Instructors approved |
|
|
|
|
All pilots received daily inspection (DI) training |
|
|
|
|
Documentation |
|||
|
All issues of operations manual (OM) checked for correct amendment status |
|
|
|
|
AOC checked for validity and appropriate operations specifications, if applicable |
|
|
|
|
Aviation requirements applicable and updated |
|
|
|
|
Crew flight and duty time record updated, if applicable |
|
|
|
|
Flight documents record checked and updated |
|
|
|
|
Compliance monitoring records checked and updated |
|
|
|
|
— NON-COMPLIANCE REPORT — No: |
||||
|
To Compliance Monitoring Manager |
Reported by: |
Date: |
||
|
Category
Flight Operations
Training |
||||
|
Description:
|
Reference:
|
|||
|
Level of finding:
|
||||
|
Root-cause of non-compliance:
|
||||
|
Suggested correction:
|
||||
|
Compliance Monitoring Manager:
Corrective action required |
||||
|
Responsible Person: |
Time limitation: |
|||
|
Corrective action: |
Reference:
|
|||
|
Signature Responsible Person: |
Date: |
|||
|
Compliance Monitoring Manager
Correction and corrective action verified |
||||
|
Signature Compliance Monitoring Manager: |
Date: |
|||
AUDIT AND INSPECTION
(a) ‘Audit’ means a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which requirements are complied with.
(b) ‘Inspection’ means an independent documented conformity evaluation by observation and judgement accompanied as appropriate by measurement, testing or gauging, in order to verify compliance with applicable requirements.
AMC1 ORO.GEN.200(b) Management system
ED Decision 2017/004/R
SIZE, NATURE AND COMPLEXITY OF THE ACTIVITY
(a) An operator should be considered as complex when it has a workforce of more than 20 full time equivalents (FTEs) involved in the activity subject to Regulation (EC) No 216/200854 Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February 2008 on common rules in the field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council Directive 91/670/EEC, Regulation (EC) No 1592/2002 and Directive 2004/36/EC. OJ L 79, 19.3.2008, p. 1. and its Implementing Rules.
(b) Operators with up to 20 FTEs involved in the activity subject to Regulation (EC) No 216/200855 Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February 2008 on common rules in the field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council Directive 91/670/EEC, Regulation (EC) No 1592/2002 and Directive 2004/36/EC. OJ L 79, 19.3.2008, p. 1. and its Implementing Rules may also be considered complex based on an assessment of the following factors:
(1) in terms of complexity, the extent and scope of contracted activities subject to the approval;
(2) in terms of risk criteria, the extent of the following:
(i) operations requiring a specific approval;
(ii) high-risk commercial specialised operations;
(iii) operations with different types of aircraft used; and
(iv) operations in challenging environment (offshore, mountainous area, etc.).
ORO.GEN.200A Information security management system
Regulation (EU) 2023/203
In addition to the management system referred to in point ORO.GEN.200, the operator shall establish, implement and maintain an information security management system in accordance with Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.
[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]
ORO.GEN.205 Contracted activities
Regulation (EU) 2019/1384
(a) When contracting or purchasing any services or products as a part of its activities, the operator shall ensure all of the following:
(1) that the contracted or purchased services or products comply with the applicable requirements;
(2) that any aviation safety hazards associated with contracted or purchased services or products are considered by the operator's management system.
(b) When the certified operator or the SPO authorisation holder contracts any part of its activity to an organisation that is not itself certified or authorised in accordance with this Part to carry out such activity, the contracted organisation shall work under the approval of the operator. The contracting organisation shall ensure that the competent authority is given access to the contracted organisation, to determine continued compliance with the applicable requirements.
RESPONSIBILITY WHEN CONTRACTING ACTIVITIES
(a) The operator may decide to contract certain activities to external organisations.
(b) A written agreement should exist between the operator and the contracted organisation clearly defining the contracted activities and the applicable requirements.
(c) The contracted safety-related activities relevant to the agreement should be included in the operator's safety management and compliance monitoring programmes.
(d) The operator should ensure that the contracted organisation has the necessary authorisation or approval when required, and commands the resources and competence to undertake the task.
AMC2 ORO.GEN.205 Contracted activities
ED Decision 2019/019/R
THIRD-PARTY PROVIDERS
(a) The initial audit and/or the continuous monitoring of contracted organisations may be performed by a third-party provider on behalf of the operator when it is demonstrated that:
(1) a documented arrangement has been established with the third-party provider;
(2) the audit standards applied by the third-party provider address the scope of this Regulation in sufficient detail;
(3) the third-party provider uses an evaluation system, designed to assess the operational, management and control systems of the contracted organisation;
(4) the independence of the third-party provider, its evaluation system as well as the impartiality of the auditors is ensured;
(5) the auditors are appropriately qualified and have sufficient knowledge, experience and training, including on-the-job training, to perform their allocated tasks;
(6) audits are performed on-site;
(7) access to the relevant data and facilities is granted to the level of detail necessary to verify compliance with the applicable requirements;
(8) access to the full audit report is granted;
(9) procedures have been established for monitoring continuous compliance of the contracted organisation with the applicable requirements; and
(10) procedures have been established to notify the contracted organisation of any non-compliance with the applicable requirements, the corrective actions to be taken, the follow-up of these corrective actions, and closure of findings.
(b) The use of a third-party provider for the initial audit or the monitoring of continuous compliance of the contracted organisation does not exempt the operator from its responsibility under the applicable requirements.
(c) The operator should maintain a list of the contracted organisations monitored by the third-party provider. This list and the full audit report prepared by the third-party provider should be made available to the competent authority upon request.
CONTRACTING — GENERAL
(a) Operators may decide to contract certain activities to external organisations for the provision of services related to areas such as:
(1) ground de-icing/anti-icing;
(2) ground handling;
(3) flight support (including performance calculations, flight planning, navigation database and dispatch);
(4) training; and
(5) manual preparation.
(b) Contracted activities include all activities within the operator’s scope of approval that are performed by another organisation either itself certified or authorised to carry out such activity or if not certified or authorised, working under the operator’s approval.
(c) The ultimate responsibility for the product or service provided by external organisations should always remain with the operator.
RESPONSIBILITY WHEN CONTRACTING ACTIVITIES
(a) Regardless of the approval status of the contracted organisation, the contracting operator is responsible for ensuring that all contracted activities are subject to hazard identification and risk management, as required by ORO.GEN.200(a)(3), and to compliance monitoring, as required by ORO.GEN.200(a)(6).
(b) When the contracted organisation is itself certified or authorised to carry out the contracted activities, the operator’s compliance monitoring should at least check that the approval effectively covers the contracted activities and that it is still valid.
ORO.GEN.210 Personnel requirements
Regulation (EU) No 965/2012
(a) The operator shall appoint an accountable manager, who has the authority for ensuring that all activities can be financed and carried out in accordance with the applicable requirements. The accountable manager shall be responsible for establishing and maintaining an effective management system.
(b) A person or group of persons shall be nominated by the operator, with the responsibility of ensuring that the operator remains in compliance with the applicable requirements. Such person(s) shall be ultimately responsible to the accountable manager.
(c) The operator shall have sufficient qualified personnel for the planned tasks and activities to be performed in accordance with the applicable requirements.
(d) The operator shall maintain appropriate experience, qualification and training records to show compliance with point (c).
(e) The operator shall ensure that all personnel are aware of the rules and procedures relevant to the exercise of their duties.
INFORMATION ON THE ACCOUNTABLE MANAGER
As part of being granted an air operator certificate (AOC), the operator should provide the competent authority with the following detailed information regarding the accountable manager:
(a) name of the accountable manager;
(b) position within the organisation;
(c) information on means to ensure that all activities can be financed and carried out;
(d) qualification relevant to the position; and
(e) work experience relevant to the position.
FUNCTION OF THE ACCOUNTABLE MANAGER
(a) The accountable manager should have the overall responsibility for running the organisation.
(b) When the accountable manager is not the chief executive officer, the competent authority should be assured that the accountable manager has direct access to the chief executive officer and has the necessary air operations funding allocation.
ORO.GEN.215 Facility requirements
Regulation (EU) No 965/2012
The operator shall have facilities allowing the performance and management of all planned tasks and activities in accordance with the applicable requirements.
Regulation (EU) No 965/2012
(a) The operator shall establish a system of record-keeping that allows adequate storage and reliable traceability of all activities developed, covering in particular all the elements indicated in ORO.GEN.200.
(b) The format of the records shall be specified in the operator’s procedures.
(c) Records shall be stored in a manner that ensures protection from damage, alteration and theft.
GENERAL
(a) The record-keeping system should ensure that all records are accessible whenever needed within a reasonable time. These records should be organised in a way that ensures traceability and retrievability throughout the required retention period.
(b) Records should be kept in paper form or in electronic format or a combination of both. Records stored on microfilm or optical disc format are also acceptable. The records should remain legible throughout the required retention period. The retention period starts when the record has been created or last amended.
(c) Paper systems should use robust material which can withstand normal handling and filing. Computer systems should have at least one backup system which should be updated within 24 hours of any new entry. Computer systems should include safeguards against the ability of unauthorised personnel to alter the data.
(d) All computer hardware used to ensure data backup should be stored in a different location from that containing the working data and in an environment that ensures they remain in good condition. When hardware or software changes take place, special care should be taken that all necessary data continues to be accessible at least through the full period specified in the relevant subpart. In the absence of such indication, all records should be kept for a minimum period of 5 years.
RECORDS
Microfilming or optical storage of records may be carried out at any time. The records should be as legible as the original record and remain so for the required retention period.