Regulation (EU) 2021/1963
This section establishes the conditions for conducting the certification, oversight and enforcement tasks as well as the administrative and management system requirements to be followed by the competent authority that is responsible for the implementation and enforcement of Section A.
145.B.115 Oversight documentation
Regulation (EU) 2021/1963
The competent authority shall provide all the legislative acts, standards, rules, technical publications, and related documents to the relevant personnel in order to allow them to perform their tasks and to discharge their responsibilities.
Regulation (EU) 2021/1963
(a) The Agency shall develop acceptable means of compliance (“AMC”) that may be used to establish compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts.
(b) Alternative means of compliance may be used to establish compliance with this Regulation.
(c) Competent authorities shall inform the Agency of any alternative means of compliance used by organisations under their oversight or by themselves for establishing compliance with this Regulation.
GM1 145.B.120 Means of compliance
ED Decision 2022/011/R
ALTERNATIVE MEANS OF COMPLIANCE — GENERAL
(a) A competent authority may establish means to comply with the Regulation different from the AMC established by EASA.
In that case, the competent authority is responsible for demonstrating how these alternative means of compliance (AltMoC) establish compliance with the Regulation.
(b) AltMoC used by a competent authority, or by an organisation under its oversight, may be used by other competent authorities, or another organisation, only if processed again in accordance with respectively point 145.B.120 and point 145.A.120.
(c) AltMoC issued by the competent authority may cover the following cases:
AltMoC to be used by organisations under the oversight of the competent authority and made available to these organisations;
AltMoC to be used by the authority itself to discharge its responsibilities.
AMC1 145.B.120(b);(c) Means of compliance
ED Decision 2022/011/R
PROCESSING THE ALTERNATIVE MEANS OF COMPLIANCE
To meet the objective of points (b) and (c) of point 145.B.120:
(a) the competent authority should establish the means to consistently evaluate over time that all the AltMoC used by itself or by organisations under its oversight allow for the establishment of compliance with the Regulation.
(b) If the competent authority issues AltMoC for itself or for the organisations under its oversight, it should:
make them available to all relevant organisations;
notify the Agency as soon as the AltMoC is issued, including the information described in point (d) below.
(c) The competent authority should evaluate the AltMoC proposed by an organisation by analysing the documentation provided and, if considered necessary, inspecting the organisation.
When the competent authority finds that the AltMoC is in accordance with the Regulation, it should:
notify the applicant that the AltMoC is approved;
indicate that this AltMoC may be implemented, and agree when the MOE is to be amended; and
notify the Agency as soon as the AltMoC is approved, including the information described in point (d) below.
(d) The competent authority should provide the Agency with the following information:
a summary of the AltMoC;
the content of the AltMoC;
a statement that compliance with the Regulation is achieved; and
in support of that statement, an assessment demonstrating that the AltMoC reaches an acceptable level of safety, taking into account the level of safety provided by the corresponding EASA AMC.
All these elements describing the AltMoC form an integral part of the records to be kept in accordance with 145.B.220.
GM1 145.B.120(b);(c) Means of Compliance
ED Decision 2022/011/R
CASE WHERE THE REGULATION HAS NO CORRESPONDING EASA AMC
When there is no EASA AMC for a certain requirement in the Regulation, the competent authority may choose to develop national guides or other types of documents to help the organisations under its oversight in compliance demonstration. The competent authority may inform the Agency, so that such guides or other documents may later be considered for transposition into an AMC published by the Agency through the Agency rulemaking process.
145.B.125 Information to the Agency
Regulation (EU) 2021/1963
(a) The competent authority of the Member State shall notify the Agency in case of any significant problems with the implementation of Regulation (EU) 2018/1139 and its delegated and implementing acts within 30 days from the time the authority became aware of the problems.
(b) Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall provide the Agency as soon as possible with any safety-significant information stemming from the occurrence reports stored in the national database pursuant to Article 6(6) of Regulation (EU) No 376/2014.
AMC1 145.B.125(b) Information to the Agency
ED Decision 2022/011/R
EXCHANGE OF SAFETY-SIGNIFICANT INFORMATION WITH THE AGENCY
Each competent authority should appoint a coordinator to act as the contact point for the exchange of safety-significant information between the competent authority and the Agency.
GM1 145.B.125(b) Information to the Agency
ED Decision 2022/011/R
MEANING OF SAFETY-SIGNIFICANT INFORMATION STEMMING FROM THE OCCURRENCE REPORTS
‘Safety-significant information stemming from the occurrence reports’ means:
(a) a conclusive safety analysis which summarises individual occurrence data and provides an in-depth analysis of a safety issue, and which may be relevant for the Agency’s safety action planning; and
(b) individual occurrence data for the cases where the Agency is the competent authority, and which fulfils the reporting criteria of GM3 145.B.125(b).
GM2 145.B.125(b) Information to the Agency
ED Decision 2022/011/R
RECOMMENDED CONTENT FOR CONCLUSIVE SAFETY ANALYSES
A conclusive safety analysis should contain the following:
(a) a detailed description of the safety issue, including the scenario in which the safety issue takes place; and
(b) an indication of the stakeholders affected by the safety issue, including types of operations and organisations;
and, as appropriate:
(c) a risk assessment establishing the severity and probability of all the possible consequences of the safety issue;
(d) information about the existing safety barriers that the aviation system has in place to prevent the likely safety issue consequences from occurring;
(e) any mitigating actions already in place or developed to deal with the safety issue;
(f) recommendations for future actions to control the risk; and
(g) any other element the competent authority considers essential for the Agency to properly assess the safety issue.
GM3 145.B.125(b) Information to the Agency
ED Decision 2022/011/R
OCCURRENCES WHERE THE AGENCY IS THE COMPETENT AUTHORITY
Occurrences related to organisations or products, certified by the Agency, should be notified to the Agency if:
(a) the occurrence is defined as a reportable occurrence in accordance with the applicable regulation;
(b) the organisation responsible for addressing the occurrence is certified by the Agency; and
(c) the Member State competent authority has come to the conclusion that:
(1) the organisation certified by the Agency to which the occurrence relates has not been informed of the occurrence; or
(2) the occurrence has not been properly addressed or has been left unattended by the organisation certified by the Agency.
Such occurrence data should be reported in a format compatible with the European Coordination Centre for Accident and Incident Reporting Systems (ECCAIRS) and should provide all relevant information for its assessment and analysis, including necessary additional files in the form of attachments.
145.B.135 Immediate reaction to a safety problem
Regulation (EU) 2021/1963
(a) Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.
(b) The Agency shall implement a system to appropriately analyse any relevant safety information received and, without undue delay, provide the relevant authority of the Member States and the Commission with any information, including recommendations or corrective actions to be taken, that is necessary for them to react in a timely manner to a safety problem involving products, parts, appliances, persons or organisations that are subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.
(c) Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the safety problem.
(d) The competent authority shall immediately notify measures taken under point (c) to all persons or organisations which need to comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority shall also notify those measures to the Agency and, when combined action is required, to the other Member States concerned.
Regulation (EU) 2021/1963
(a) The competent authority shall establish and maintain a management system, including as a minimum:
(1) documented policies and procedures to describe its organisation, the means and methods for establishing compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The procedures shall be kept up to date, and serve as the basic working documents within that competent authority for all its related tasks;
(2) a sufficient number of personnel to perform its tasks and discharge its responsibilities. A system shall be in place to plan the availability of personnel in order to ensure the proper completion of all tasks;
(3) personnel that are qualified to perform their allocated tasks and that have the necessary knowledge and experience and receive initial and recurrent training to ensure continuing competency;
(4) adequate facilities and office accommodation for personnel to perform their allocated tasks;
(5) a function to monitor the compliance of the management system with the relevant requirements, and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process. Compliance monitoring shall include a feedback system of audit findings to the senior management of the competent authority to ensure the implementation of corrective actions as necessary;
(6) a person or group of persons having a responsibility to the senior management of the competent authority for the compliance monitoring function.
(b) The competent authority shall, for each field of activity, including the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).
(c) The competent authority shall establish procedures for the participation in a mutual exchange of all necessary information and assistance with any other competent authorities concerned, whether from the same Member State or from other Member States, including on:
(1) all findings raised and any follow-up actions taken as a result of the oversight of persons and organisations that carry out activities in the territory of a Member State, but certified by the competent authority of another Member State or by the Agency;
(2) information stemming from mandatory and voluntary occurrence reporting as required by 145.A.60.
(d) A copy of the procedures related to the management system and their amendments shall be made available to the Agency for the purpose of standardisation.
AMC1 145.B.200 Management system
ED Decision 2022/011/R
ORGANISATIONAL STRUCTURE
(a) In deciding upon the required organisational structure, the competent authority should review:
(1) the number of certificates to be issued, and the number and size of the potential Part‑145 approved maintenance organisations within that Member State;
(2) the possible use of qualified entities and of the resources of the competent authorities of other Member States to fulfil the continuing oversight obligations;
(3) the level of civil aviation activity, the number and complexity of the aircraft, and the size of the Member State’s aviation industry; and
(4) the potential growth of activities in the field of civil aviation.
(b) The competent authority should retain effective control of the important surveillance functions and should not delegate them in such a way that Part-145 organisations, in effect, regulate themselves in airworthiness matters.
(c) The set-up of the organisational structure should ensure that the various tasks and obligations of the competent authority do not solely rely on individuals. The continuous and undisturbed fulfilment of these tasks and obligations of the competent authority should also be guaranteed in case of illness, accidents or leave of individual employees.
AMC2 145.B.200 Management system
ED Decision 2022/011/R
GENERAL
(a) The competent authority designated by each Member State should be organised in such a way that:
(1) there is specific and effective management authority in the conduct of all the relevant activities;
(2) the functions and processes described in the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, AMC, Certification Specifications (CSs), and Guidance Material (GM) are properly implemented;
(3) the competent authority’s policy, organisation and operating procedures for the implementation of the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts are properly documented and applied;
(4) all the competent authority’s personnel who are involved in the related activities are provided with training where necessary;
(5) specific and effective provision is made for communicating and interfacing as necessary with EASA and the competent authorities of other Member States; and
(6) all the functions related to implementing the applicable requirements are adequately described.
(b) A general policy in respect of the activities related to the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts should be developed, promoted, and implemented by the manager at the highest appropriate level; for example, the manager at the top of the functional area of the competent authority that is responsible for such activities.
(c) Appropriate steps should be taken to ensure that the policy is known and understood by all the personnel involved, and all the necessary steps should be taken to implement and maintain the policy.
(d) The general policy, whilst also satisfying the additional national regulatory responsibilities, should, in particular, take into account:
(1) the provisions of Regulation (EU) 2018/1139;
(2) the provisions of the applicable implementing rules and their AMC, CSs, and GM;
(3) the needs of industry; and
(4) the needs of EASA and of the competent authority.
(e) The policy should define specific objectives for the key elements of the competent authority organisation and processes for implementing the related activities, including the corresponding control procedures and the measurement of the achieved standard.
AMC1 145.B.200(a)(1) Management system
ED Decision 2022/011/R
DOCUMENTED POLICIES AND PROCEDURES
(a) The various elements of the organisation involved with the activities related to Regulation (EU) 2018/1139 and its delegated and implementing acts should be documented in order to establish a reference source for the establishment and maintenance of this organisation.
(b) The documented procedures should be established in a way that facilitates their use. They should be clearly identified, kept up to date, and made readily available to all the personnel who are involved in the related activities.
(c) The documented procedures should cover, as a minimum, all of the following aspects:
(1) policies and objectives;
(2) the organisational structure;
(3) responsibilities and the associated authority;
(4) procedures and processes;
(5) internal and external interfaces;
(6) internal control procedures;
(7) the training of personnel;
(8) cross-references to associated documents;
(9) assistance from other competent authorities or EASA (where required).
(d) It is likely that the information may be held in more than one document or series of documents, and suitable cross-referencing should be provided. For example, the organisational structure and job descriptions are not usually in the same documentation as the detailed working procedures. In such cases, it is recommended that the documented procedures should include an index of cross references to all such other related information, and the related documentation should be readily available when required.
GM1 145.B.200(a)(2) Management system
ED Decision 2022/011/R
SUFFICIENT PERSONNEL
(a) This GM on the determination of the required personnel is limited to the performance of certification and oversight tasks, excluding any personnel who are required to perform tasks that are subject to any national regulatory requirements.
(b) The elements to be considered when determining who are the required personnel and planning their availability may be divided into quantitative and qualitative elements:
(1) Quantitative elements
(i) the estimated number of initial certificates to be issued;
(ii) the number of organisations to be certified by the competent authority;
(iii) the estimated number of subcontracted organisations used by certified organisations.
(2) Qualitative elements
(i) the size, nature, and complexity of the activities of certified organisations, taking into account:
(A) the privileges of each organisation;
(B) the types of approval and the scopes of approval;
(C) possible certification to industry standards;
(D) the number of personnel; and
(E) the organisational structure and the existence of subsidiaries;
(ii) the safety priorities identified;
(iii) the results of past oversight activities, including audits, inspections and reviews, in terms of risks and regulatory compliance, taking into account:
(A) the number and the levels of findings;
(B) the time frame for implementation of corrective actions; and
(C) the maturity of the management systems implemented by organisations, and their ability to effectively manage safety risks; and
(iv) the size and complexity of the Member State’s aviation industry, and the potential growth of activities in the field of civil aviation, which may be an indication of the number of new applications and changes to existing certificates to be expected.
(c) Based on the existing data from previous oversight planning cycles, and taking into account the situation within the Member State’s aviation industry, the competent authority may estimate:
(1) the standard working time required for processing applications for new certificates;
(2) the number of new certificates to be issued for each planning period; and
(3) the number of changes to existing certificates to be processed for each planning period.
(d) In line with the competent authority’s oversight policy, the following planning data should be determined:
(1) the standard number of audits to be performed per oversight planning cycle;
(2) the standard duration of each audit;
(3) the standard working time for audit preparation, on-site audit, reporting, and follow-up per inspector;
(4) the standard number of unannounced inspections to be performed;
(5) the standard duration of inspections, including preparation, reporting, and follow-up per inspector; and
(6) the minimum number and the required qualifications of the inspectors for each audit/inspection.
(e) The standard working time could be expressed either in working hours per inspector, or in working days per inspector. All planning calculations should then be based on the same unit (hours or working days).
(f) It is recommended to use a spreadsheet application to process the data defined under (c) and (d), to assist in determining the total number of working hours/days per oversight planning cycle required for certification, oversight and enforcement activities. This application could also serve as a basis for implementing a system for planning the availability of personnel.
(g) The number of working hours/days per planning period for each qualified inspector that may be allocated for certification, oversight and enforcement activities should be determined, taking into account:
(1) purely administrative tasks that are not directly related to certification and oversight;
(2) training;
(3) participation in other projects;
(4) planned absence; and
(5) the need to include a reserve for unplanned tasks or unforeseeable events.
(h) The determination of the working time available for certification, oversight and enforcement activities should also consider, as applicable:
(1) the use of qualified entities;
(2) cooperation with other competent authorities for approvals that involve more than one Member State;
(3) oversight activities under a bilateral aviation safety agreement.
(i) Based on the elements listed above, the competent authority should be able to:
(1) monitor the dates when audits and inspections are due, and when they were carried out;
(2) implement a system to plan the availability of personnel; and
(3) identify possible gaps between the number and the qualifications of personnel and the required volume of certification and oversight.
Care should be taken to keep planning data up to date in line with changes in the underlying planning assumptions, with particular focus on risk-based oversight principles.
AMC1 145.B.200(a)(3) Management system
ED Decision 2022/011/R
QUALIFICATION AND TRAINING — GENERAL
(a) It is essential for the competent authority to have the full capability to adequately assess the compliance and performance of an organisation by ensuring that the whole range of activities is assessed by appropriately qualified personnel.
(b) For each inspector, the competent authority should:
(1) define the competencies required to perform the allocated certification and oversight tasks;
(2) define the associated minimum qualifications that are required;
(3) establish initial and recurrent training programmes in order to maintain and to enhance the competency of inspectors at the level that is necessary to perform the allocated tasks; and
(4) ensure that the training provided meets the established standards, and is regularly reviewed and updated whenever necessary.
(c) The competent authority should ensure that training is provided by qualified trainers with appropriate training skills.
AMC2 145.B.200(a)(3) Management system
ED Decision 2022/011/R
QUALIFICATION AND TRAINING — INSPECTORS
(a) Competent authority inspectors should have:
(1) practical experience and expertise in the application of aviation safety standards and safe operating practices;
(2) comprehensive knowledge of:
(i) the relevant parts of the implementing rules, certification specifications and guidance material;
(ii) the competent authority’s procedures;
(iii) the rights and obligations of an inspector;
(iv) safety management systems based on the EU management system requirements and ICAO Annex 19, and compliance monitoring;
(v) continuing airworthiness management and maintenance;
(vi) operational procedures that affect the continuing airworthiness management of the aircraft or its maintenance;
(vii) maintenance-related human factors and human performance principles;
(3) training on auditing techniques and assessing and evaluating management systems and safety risk management processes;
(4) 5 years of relevant work experience for them to be allowed to work independently as inspectors. This may include experience gained during training to obtain the qualifications mentioned below in point (a)(5);
(5) a relevant engineering degree or an aircraft maintenance technician qualification with additional education. ‘Relevant engineering degree’ refers to an engineering degree from aeronautical, mechanical, electrical, electronic, avionics or other studies that are relevant to the maintenance and continuing airworthiness of aircraft/aircraft components;
(6) knowledge of a relevant sample of the type(s) of aircraft or components, gained through a formalised training course. Aircraft/engine type training courses should be at least at a level equivalent to a Part-66 Appendix III Level 1 General Familiarisation.
‘Relevant sample’ refers to courses that cover the typical aircraft or components that are within the scope of work;
(7) knowledge of maintenance standards, including fuel tank safety (FTS) training as described in Appendix IV to AMC5 145.A.30(e) and AMC2 145.B.200(a)(3).
(b) In addition to technical competency, inspectors should have a high degree of integrity, be impartial in carrying out their tasks, be tactful, and have a good understanding of human nature.
(c) A programme for recurrent training should be developed that ensures that the inspectors remain competent to perform their allocated tasks. As a general policy, it is not desirable for the inspectors to obtain technical qualifications from those entities that are under their direct regulatory oversight.
AMC3 145.B.200(a)(3) Management system
ED Decision 2022/011/R
INITIAL AND RECURRENT TRAINING — INSPECTORS
(a) Initial training programme
The initial training programme for inspectors should include, to an extent appropriate to their role, current knowledge, experience and skills, at least all of the following:
(1) aviation legislation, organisation, and structure;
(2) the Chicago Convention, the relevant ICAO Annexes and Documents;
(3) Regulation (EU) No 376/2014 on the reporting, analysis and follow-up of occurrences in civil aviation;
(4) overview of Regulation (EU) 2018/1139 and its delegated and implementing acts and the related AMC, CS, and GM;
(5) Regulation (EU) No 1321/2014 as well as any other applicable requirements;
(6) management systems, including the assessment of the effectiveness of a management system, in particular hazard identification and risk assessment, and non-punitive reporting techniques in the context of the implementation of a ‘just culture’;
(7) auditing techniques;
(8) procedures of the competent authority that are relevant to the inspectors’ tasks;
(9) human factors principles;
(10) the rights and obligations of inspecting personnel of the competent authority;
(11) on-the-job training that is relevant to the inspector’s tasks;
(12) technical training that is appropriate to the role and tasks of the inspector, in particular for those areas that require approvals.
NOTE: The duration of the on-the-job training should take into account the scope and complexity of the inspector’s tasks. The competent authority should assess whether the required competency has been achieved before an inspector is authorised to perform a task without supervision.
(b) Recurrent training programme
Once qualified, the inspector should undergo training periodically, as well as whenever deemed necessary by the competent authority, in order to remain competent to perform the allocated tasks. The recurrent training programme for inspectors should include, as appropriate to their role, at least the following topics:
(1) changes in aviation legislation, the operational environment and technologies;
(2) procedures of the competent authority that are relevant to the inspector’s tasks;
(3) technical training that is appropriate to the role and tasks of the inspector; and
(4) results from past oversight.
(c) Assessments of an inspector’s competency should take place at regular intervals that do not exceed 3 years. The results of these assessments, as well as any actions taken following the assessments, should be recorded.
AMC1 145.B.200(a)(5) Management system
ED Decision 2022/011/R
SAFETY RISK MANAGEMENT PROCESS
(a) The safety risk management process required by point (a)(5) of point 145.B.200 should be documented. The following should be defined in the related documentation:
(1) means for hazard identification, and the related data sources, taking into account data that comes from other competent authorities with which the competent authority interfaces in the State, or from the competent authorities of other Member States;
(2) risk management steps including:
(i) analysis (in terms of the probability and the severity of the consequences of hazards and occurrences);
(ii) assessment (in terms of tolerability); and
(iii) control (in terms of mitigation) of risks to an acceptable level;
(3) who holds the responsibilities for hazard identification and risk management;
(4) who holds the responsibility for the follow-up of risk mitigation actions;
(5) the levels of management who have the authority to make decisions regarding the tolerability of risks;
(6) means to assess the effectiveness of risk mitigation actions; and
(7) the link with the compliance monitoring function.
(b) To demonstrate that the safety risk management process is operational, competent authorities should be able to provide evidence that:
(1) the persons involved in internal safety risk management activities are properly trained;
(2) hazards that could impact the authority’s capabilities to perform its tasks and discharge its responsibilities have been identified and the related risk assessment is documented;
(3) regular meetings take place at appropriate levels of management of the competent authority to discuss the risks identified, and to decide on the tolerability of risks and possible risk mitigations;
(4) in addition to the initial hazard identification exercise, the risk management process is triggered as a minimum whenever changes occur that may affect the competent authority’s capability to perform any of the tasks required by Part-145;
(5) a record of the actions taken to mitigate risks is maintained, showing the status of each action and the owner of the action;
(6) there is a follow-up on the implementation of all risk mitigation actions;
(7) risk mitigation actions are assessed for their effectiveness;
(8) the results of risk assessments are periodically reviewed to check whether they remain relevant. (Are the assumptions still valid? Is there any new information?).
GM1 145.B.200(a)(5) Management system
ED Decision 2022/011/R
SAFETY RISK MANAGEMENT PROCESS
The purpose of safety risk management as part of the management system framework for competent authorities is to ensure the effectiveness of the management system. As for any organisation, hazard identification and risk management are expected to contribute to effective decision-making, to guide the allocation of resources and contribute to organisational success.
The safety risk management process required by point 145.B.200 is intended to address the safety risks that are directly related to the competent authority’s organisation and processes, and which may affect its capability to perform its tasks and discharge its responsibilities. This process is not intended to be a substitute for the State safety risk management SARPs defined in ICAO Annex 19, Chapter 3, component 3.3. This does not mean, however, that the competent authority may not use information and data that is obtained through its State Safety Programme (SSP), including oversight data and information, for the purposes of safety risk management as part of its management system.
The safety risk management process is also to be applied to the management of changes (145.B.210), which is intended to ensure that the management system remains effective whenever changes occur.
AMC1 145.B.200(d) Management system
ED Decision 2022/011/R
PROCEDURES AVAILABLE TO EASA
(a) Copies of the procedures related to the competent authority’s management system, and their amendments, that should be made available to EASA for the purpose of standardisation, should provide at least the following information:
(1) the competent authority’s organisational structure for the continuing oversight functions that it undertakes, with a description of the main processes. This information should demonstrate the allocation of responsibilities within the competent authority, and that the competent authority is capable of carrying out the full range of tasks for the size and complexity of the Member State’s aviation industry. It should also consider the overall proficiency and the scope of authorisation of the competent authority’s personnel;
(2) for personnel who are involved in oversight activities, the minimum required professional qualifications and amount of experience, and the principles that are used to guide their appointment (e.g. assessment);
(3) how the following are carried out: assessments of applications and evaluations of compliance, the issuing of certificates, continuing oversight activities, the follow-up of findings, enforcement measures and the resolution of safety concerns;
(4) the principles used for the management of exemptions and derogations;
(5) the processes that are in place to distribute the applicable safety information to enable a timely reaction to a safety problem;
(6) the criteria for planning continuing oversight activities (i.e. an oversight programme), including the management of interfaces when conducting continuing oversight activities (of air operations and of continuing airworthiness management, for example);
(7) an outline of the initial training of newly recruited oversight personnel (taking future activities into account), and the basic framework for the recurrent training of oversight personnel.
(b) As part of the continuous monitoring of a competent authority, EASA may request details of the working methods used, in addition to a copy of the procedures of the competent authority’s management system (and any amendments). These additional details are the procedures and the related guidance material that describes the working methods for the personnel of the competent authority who conduct oversight activities.
(c) Information related to the competent authority’s management system may be submitted in an electronic format.
145.B.205 Allocation of tasks to qualified entities
Regulation (EU) 2021/1963
(a) The competent authority may allocate tasks related to the initial certification or to the continuing oversight of organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts, to qualified entities. When allocating tasks, the competent authority shall ensure that it has:
(1) put a system in place to initially and continuously assess whether the qualified entity complies with Annex VI to Regulation (EU) 2018/1139. That system and the results of the assessments shall be documented;
(2) established a written agreement with the qualified entity, approved by both parties at the appropriate management level, which stipulates:
(i) the tasks to be performed;
(ii) the declarations, reports and records to be provided;
(iii) the technical conditions to be met when performing such tasks;
(iv) the related liability coverage;
(v) the protection given to the information acquired when carrying out such tasks.
(b) The competent authority shall ensure that the internal audit process and safety risk management process established pursuant to point 145.B.200(a)(5) cover all the certification and continuing oversight tasks performed by the qualified entity on its behalf.
GM1 145.B.205 Allocation of tasks to qualified entities
ED Decision 2022/011/R
CERTIFICATION TASKS
The tasks that may be performed by a qualified entity on behalf of the competent authority include those that are related to the initial certification and to the continuing oversight of organisations as defined in Regulation (EU) No 1321/2014.
145.B.210 Changes in the management system
Regulation (EU) 2021/1963
(a) The competent authority shall have a system in place to identify the changes that affect its capability to perform its tasks and discharge its responsibilities as defined in Regulation (EU) 2018/1139 and its delegated and implementing acts. That system shall enable the competent authority to take action necessary to ensure that its management system remains adequate and effective.
(b) The competent authority shall update in a timely manner its management system to reflect any changes to Regulation (EU) 2018/1139 and its delegated and implementing acts so as to ensure its effective implementation.
(c) The competent authority shall notify the Agency of any changes affecting its capability to perform its tasks and discharge its responsibilities as provided for in Regulation (EU) 2018/1139 and its delegated and implementing acts.
Regulation (EU) 2021/1963
(a) The competent authority shall establish a record-keeping system that allows the adequate storage, accessibility and reliable traceability of:
(1) the management system’s documented policies and procedures;
(2) the training, qualifications and authorisations of its personnel;
(3) the allocation of tasks, covering the elements required by point 145.B.205, as well as the details of tasks allocated;
(4) certification processes and continuing oversight of certified organisations, including:
(i) the application for an organisation certificate;
(ii) the competent authority’s continuing oversight programme, including all the assessments, audits and inspection records;
(iii) the organisation certificate, including any changes to it;
(iv) a copy of the oversight programme, listing the dates when audits are due and when audits were carried out;
(v) copies of all formal correspondence;
(vi) recommendations for the issue or continuation of a certificate, details of findings and actions taken by the organisations to close those findings, including the date of closure, enforcement actions and observations;
(vii) any assessment, audit and inspection report issued by another competent authority pursuant to point 145.B.300(d);
(viii) copies of all the organisation MOEs or manuals, and of any amendments to them;
(ix) copies of any other documents approved by the competent authority;
(5) documents supporting the use of alternative means of compliance;
(6) safety information provided in accordance with point 145.B.125 and follow-up measures;
(7) the use of safeguard and flexibility provisions in accordance with Article 70, Article 71(1) and Article 76(4) of Regulation (EU) 2018/1139.
(b) The competent authority shall maintain a list of all the organisation certificates it has issued.
(c) All the records referred to in points (a) and (b) shall be kept for a minimum period of 5 years, subject to applicable data protection law.
(d) All the records referred to in points (a) and (b) shall be made available, upon request, to a competent authority of another Member State or to the Agency.
AMC1 145.B.220(a) Record-keeping
ED Decision 2022/011/R
GENERAL
(a) The record-keeping system should ensure that all records are accessible within a reasonable time whenever they are needed. These records should be organised in a manner that ensures their traceability and retrievability throughout the required retention period.
(b) All records that contain sensitive data regarding applicants or organisations should be stored in a secure manner with controlled access to ensure their confidentiality.
(c) Records should be kept in paper form, or in an electronic format, or a combination of the two. Records that are stored on microfilm or optical discs are also acceptable. The records should remain legible and accessible throughout the required retention period. The retention period starts when the record is created.
(d) Paper systems should use robust material which can withstand normal handling and filing. Computer record systems should have at least one backup system, which should be updated within 24 hours of any new entry. Computer record systems should include safeguards to prevent any unauthorised personnel from altering the data.
(e) All computer hardware that is used to ensure the backup of data should be stored in a different location from the one that contains the working data, and in an environment that ensures that the data remains in a good condition. When hardware or software changes take place, special care should be taken to ensure that all the necessary data continues to be accessible throughout at least the full period specified in point 145.B.220(c).
AMC1 145.B.220(a)(1) Record-keeping
ED Decision 2022/011/R
COMPETENT AUTHORITY MANAGEMENT SYSTEM
Records that are related to the competent authority’s management system should include, as a minimum, and as applicable:
(a) the documented policies and procedures;
(b) the personnel files of the competent authority’s personnel, with the supporting documents related to their training and qualifications;
(c) the results of the competent authority’s internal audits and safety risk management processes, including audit findings, and corrective, preventive and risk mitigation actions; and
(d) the contract(s) established with any qualified entities that perform certification or oversight tasks on behalf of the competent authority.
145.B.300 Oversight principles
Regulation (EU) 2021/1963
(a) The competent authority shall verify:
(1) compliance with the requirements that are applicable to organisations, prior to issuing an organisation certificate;
(2) continued compliance with the applicable requirements of the organisations it has certified;
(3) the implementation of appropriate safety measures mandated by the competent authority in accordance with points 145.B.135(c) and (d).
(b) This verification shall:
(1) be supported by documentation specifically intended to provide personnel responsible for oversight with guidance to perform their functions;
(2) provide the organisations concerned with the results of oversight activities;
(3) be based on assessments, audits and inspections and, if needed, unannounced inspections;
(4) provide the competent authority with the evidence needed in case further action is required, including the measures provided for in point 145.B.350.
(c) The competent authority shall establish the scope of the oversight set out in points (a) and (b) taking into account the results of past oversight activities and the safety priorities.
(d) If the facilities of an organisation are located in more than one State, the competent authority, as defined in point 145.1, may agree to have the oversight tasks performed by the competent authority(ies) of the Member State(s) where the facilities are located, or by the Agency for facilities that are located outside a territory for which Member States are responsible under the Chicago Convention. Any organisation that is subject to such an agreement shall be informed of its existence and of its scope.
(e) For any oversight activities that are performed at facilities located in a Member State other than where the organisation has its principal place of business, the competent authority, as defined in point 145.1, shall inform the competent authority of that Member State before performing any on-site audit or inspection of the facilities.
(f) The competent authority shall collect and process any information deemed necessary for performing oversight activities.
AMC1 145.B.300(a);(b);(c) Oversight principles
ED Decision 2022/011/R
MANAGEMENT SYSTEM ASSESSMENT
As part of the initial certification of an organisation, the competent authority should assess the organisation’s management system and processes to make sure that all the required enablers of a functioning management system are present and suitable.
As part of its continuing oversight activities, the competent authority should verify that the required enablers remain present and operational, and assess the effectiveness of the organisation’s management system and processes.
When significant changes take place in the organisation, the competent authority should determine whether there is a need to review the existing assessment to ensure that it is still valid.
AMC1 145.B.300(f) Oversight principles
ED Decision 2022/011/R
INFORMATION DEEMED NECESSARY FOR OVERSIGHT
This information should include, as a minimum:
(a) any occurrence reports received by the competent authority;
(b) the reports received following the issuing of any one-off certification authorisations as defined in point 145.A.30(j)(5);
(c) the results of the following types of inspections and surveys if they indicate an issue that originates from a Part-145 organisation:
(i) ramp inspections performed in accordance with Subpart RAMP of Annex II (Part-ARO) to Commission Regulation (EU) No 965/2012 on air operations;
(ii) product surveys of aircraft, pursuant to point M.B.303 or point ML.B.303;
(iii) product audits conducted pursuant to point CAMO.B.305(b)(1) or point 145.B.305(b)(1); and
(iv) physical surveys or partial airworthiness reviews performed by the competent authority in line with AMC M.B.901.
Regulation (EU) 2021/1963
(a) The competent authority shall establish and maintain an oversight programme covering the oversight activities required by point 145.B.300.
(b) The oversight programme shall take into account the specific nature of the organisation, the complexity of its activities, the results of past certification or oversight activities, or both, and it shall be based on the assessment of the associated risks. It shall include, within each oversight planning cycle:
(1) assessments, audits and inspections, including, as appropriate:
(i) management system assessments and process audits;
(ii) product audits of a relevant sample of the maintenance carried out by the organisation;
(iii) sampling of the airworthiness reviews performed;
(iv) unannounced inspections;
(2) meetings convened between the accountable manager and the competent authority to ensure that both parties remain informed of all significant issues.
(c) The oversight planning cycle shall not exceed 24 months.
(d) Notwithstanding point (c), the oversight planning cycle may be extended to 36 months if the competent authority has established that during the previous 24 months:
(1) the organisation has demonstrated that it can effectively identify aviation safety hazards and manage the associated risks;
(2) the organisation has continuously demonstrated compliance with point 145.A.85 and it has full control over all changes;
(3) no level 1 findings have been issued;
(4) all corrective actions have been implemented within the time period that was accepted or extended by the competent authority as provided for in point 145.B.350.
Notwithstanding point (c), the oversight planning cycle may be further extended to a maximum of 48 months if, in addition to the conditions provided in points (d)(1) to (4), the organisation has established, and the competent authority has approved, an effective continuous system for reporting to the competent authority on the safety performance and regulatory compliance of the organisation itself.
(e) The oversight planning cycle may be shortened if there is evidence that the safety performance of the organisation has decreased.
(f) The oversight programme shall include records of the dates when assessments, audits, inspections and meetings are due, and when assessments, audits, inspections and meetings have been effectively carried out.
(g) At the completion of each oversight planning cycle, the competent authority shall issue a recommendation report on the continuation of the approval, reflecting the results of the oversight.
AMC1 145.B.305(a);(b) Oversight programme
ED Decision 2022/011/R
ANNUAL REVIEW
(a) The oversight planning cycle and the related oversight programme for each organisation should be reviewed annually to ensure that they remain adequate regarding any changes in the nature of the organisation, the complexity of its activities or the safety performance of the organisation.
(b) When reviewing the oversight planning cycle and the related oversight programme, the competent authority should also consider any relevant information collected in accordance with points 145.A.60 and 145.B.300(f).
AMC1 145.B.305(b) Oversight programme
ED Decision 2022/011/R
SPECIFIC NATURE OF THE ORGANISATION AND COMPLEXITY OF ITS ACTIVITIES — RESULTS OF PAST CERTIFICATION OR OVERSIGHT ACTIVITIES
When determining the oversight programme, including the product audits, the competent authority should consider in particular the following elements, as applicable:
(1) the effectiveness of the organisation’s management system in identifying and addressing non‑compliances and safety hazards;
(2) the implementation by the organisation of any industry standards that are directly relevant to the organisation’s activities subject to this Regulation;
(3) the procedure applied for and the scope of changes not requiring prior approval;
(4) any specific procedures implemented by the organisation that are related to any alternative means of compliance used;
(5) the number of approved locations and the activities performed at each location;
(6) the number and type of any subcontractors that perform maintenance tasks; and
(7) the volume of activity for each A, B, C and D class rating, as applicable.
AMC2 145.B.305(b) Oversight programme
ED Decision 2022/011/R
SUBCONTRACTED ACTIVITIES
If a Part-145 organisation subcontracts maintenance tasks, the competent authority should determine whether the subcontracted organisation needs to be audited and included in the oversight programme, taking into account the specific nature and complexity of the subcontracted activities, the results of previous oversight activities of the approved organisation, and the assessment of the associated risks.
For such audits, competent authority inspectors should ensure that they are accompanied throughout the audit by a senior technical member of the Part-145 organisation.
NOTE: If a Part-145 organisation subcontracts maintenance tasks, the competent authority should ensure that the Part-145 organisation manages the risks related to, and that it has sufficient control over, the subcontracted activities (see AMC1 145.A.75(b)).
AMC1 145.B.305(b)(1) Oversight programme
ED Decision 2022/011/R
(a) The oversight programme should indicate which aspects of the approval will be covered by each audit.
(b) Part of each audit should concentrate on the audit reports produced by the organisation’s compliance monitoring function, to determine whether the organisation has been identifying and correcting its problems.
(c) At the conclusion of the audit, the auditing inspector should complete an audit report that identifies the areas and processes that were audited, and includes all the findings that were raised.
(d) At the completion of each oversight planning cycle, a new EASA Form 6 should be issued.
AMC1 145.B.305(c) Oversight programme
ED Decision 2022/011/R
OVERSIGHT PLANNING CYCLE — AUDIT AND INSPECTION
(a) When determining the oversight planning cycle and defining the oversight programme, the competent authority should assess the risks related to the activity and set-up of each organisation, and adapt the oversight to the level of risk identified and to the effectiveness of the organisation’s management system, in particular its ability to effectively manage safety risks.
(b) The competent authority should establish a schedule of audits and inspections that is appropriate to each organisation. The planning of audits and inspections should take into account the results of the hazard identification and the risk assessment conducted and maintained by the organisation as part of the organisation’s management system. Inspectors should work in accordance with the schedule provided to them.
(c) When the competent authority, having regard to the level of risk identified and the effectiveness of the organisation’s management system, varies the frequency of an audit or inspection, it should ensure that all aspects of the organisation’s activity are audited and inspected within the applicable oversight planning cycle.
AMC2 145.B.305(c) Oversight programme
ED Decision 2022/011/R
OVERSIGHT PLANNING CYCLE — AUDIT
(a) For each organisation certified by the competent authority, all applicable requirements including relevant processes should be audited at periods that do not exceed the applicable oversight planning cycle. The beginning of the first oversight planning cycle is normally determined by the date of issue of the first certificate. If the competent authority wishes to align the oversight planning cycle with the calendar year, it should shorten the first oversight planning cycle accordingly.
(b) Audits should include at least one on-site audit within each oversight planning cycle. For organisations that carry out their regular activities at more than one site, the determination of the sites and the requirements at these sites to be audited should consider the results of past oversight activities and the volume of activities at each site, as well as the main risk areas identified.
(c) For organisations that hold more than one certificate under Regulation (EU) 2018/1139, the competent authority may define an integrated oversight schedule that includes all the applicable audit items. In order to avoid any duplication of audits, credit may be granted for specific audit items that have already been completed during the current oversight planning cycle, provided that:
(1) the specific audit item is the same for all the certificates under consideration;
(2) there is satisfactory evidence on record that those specific audit items were carried out, and that all the related corrective actions have been implemented to the satisfaction of the competent authority;
(3) the competent authority is satisfied that there is no evidence that standards have deteriorated regarding those specific audit items for which credit is granted.
GM1 145.B.305(c) Oversight programme
ED Decision 2022/011/R
The expression ‘shall not exceed 24 months’ does not imply that 24 months is a minimum duration for the oversight cycle. Based on the elements specified in 145.B.300(c) and 145.B.305(b) (e.g. safety priorities, assessment of the risks, complexity of activities), the competent authority may decide to apply a cycle of less than 24 months (e.g. 12 months).
AMC1 145.B.305(d) Oversight programme
ED Decision 2022/011/R
EXTENSION OF THE OVERSIGHT PLANNING CYCLE BEYOND 24 MONTHS
(a) If the competent authority applies an oversight planning cycle that exceeds 24 months, it should, at a minimum, perform one focused inspection of the organisation (inspection of a specific area, element or aspect of the organisation) within each 12-month segment of the applicable oversight planning cycle to support the extended oversight programme.
(b) If the results of this inspection indicate a decrease in the safety performance or regulatory compliance of the organisation, the competent authority should revert back to a 24-month (or less) oversight planning cycle and review the oversight programme accordingly.
GM1 145.B.305(d)(2) Oversight programme
ED Decision 2022/011/R
ORGANISATION’S CONTROL OVER THE CHANGES
For the purpose of extending the oversight planning beyond 24 months, the continuous compliance of the organisation with 145.A.85 and the full control over all changes referred to in point 145.B.305(d)(2) includes in particular the ability of the organisation to manage adequately the changes not requiring prior approval foreseen in 145.A.85(c).
145.B.310 Initial certification procedure
Regulation (EU) 2021/1963
(a) Upon receiving an application from an organisation for the initial issue of a certificate, the competent authority shall verify the organisation’s compliance with the applicable requirements.
(b) A meeting with the accountable manager of the organisation shall be convened at least once during the investigation for initial certification to ensure that that person understands his or her role and accountability.
(c) The competent authority shall record all the findings issued, closure actions as well as the recommendations for the issue of the certificate.
(d) The competent authority shall confirm to the organisation in writing all the findings raised during the verification. For initial certification, all findings must be corrected to the satisfaction of the competent authority before the certificate can be issued.
(e) When satisfied that the organisation complies with the applicable requirements, the competent authority shall:
(1) issue the certificate as established in Appendix III “EASA Form 3-145” in accordance with the class and rating system provided for in Appendix II;
(2) formally approve the MOE.
(f) The certificate reference number shall be included on the EASA Form 3-145 certificate in a manner specified by the Agency.
(g) The certificate shall be issued for an unlimited duration. The privileges and the scope of the activities that the organisation is approved to conduct, including any limitations as applicable, shall be specified in the terms of approval attached to the certificate.
(h) To enable the organisation to implement changes without prior competent authority approval in accordance with point 145.A.85(c), the competent authority shall approve the relevant MOE procedure that sets out the scope of such changes and describes how such changes will be managed and notified to the competent authority.
AMC1 145.B.310 Initial certification procedure
ED Decision 2022/011/R
(a) In order to verify the organisation’s compliance with the applicable requirements, the competent authority should conduct an audit of the organisation, including interviews of the personnel, and inspections carried out at the organisation’s facilities.
(b) The competent authority should only conduct such an audit if it is satisfied that the application and the supporting documentation, including the results of the pre-audit performed by the organisation, are in compliance with the applicable requirements.
(c) The audit should focus on the following areas:
(1) the detailed management structure, including the names and qualifications of personnel as required by points (a), (b), (c) and (ca) of point 145.A.30, and the adequacy of the organisation and its management structure;
(2) the personnel:
(i) the adequacy of the number of staff, and of their qualifications and experience with regard to the intended terms of approval and the associated privileges;
(ii) the validity of any licences and/or authorisations, as applicable;
(3) the processes used for safety risk management and compliance monitoring;
(4) the facilities and their adequacy regarding the organisation’s scope of work;
(5) the documentation based on which the certificate should be granted (i.e. the documentation required by Part-145):
(i) verification that the procedures specified in the MOE comply with the applicable requirements; and
(ii) verification that the accountable manager has signed the exposition statement.
(d) If an application for an organisation certificate is refused, the applicant should be informed of the right of appeal that exists under national law.
AMC1 145.B.310(a) Initial certification procedure
ED Decision 2022/011/R
AUDIT
(a) The competent authority should determine how and by whom the audit shall be conducted. For example, it will be necessary to determine whether one large team audit, a short series of small team audits, or a long series of single inspector audits is most appropriate for the particular situation.
(b) The audit may be structured so as to verify the organisation’s processes related to a product line. For example, in the case of an organisation with Airbus A310 and A320 ratings, the audit should concentrate on the maintenance processes of one aircraft type only for a full compliance check, and depending upon the result, the second aircraft type may only require a sample check against those aspects that were seen to be weak regarding compliance for the first type.
(c) In determining the scope of the audit and which activities of the organisation will be assessed during the audit, the privileges of the approved organisation should be taken into account, e.g. their approval to carry out airworthiness reviews.
(d) Competent authority auditing inspectors should always ensure that they are accompanied throughout the audit by a senior member of the organisation, who is normally the compliance monitoring manager. The reason for being accompanied is to ensure that the organisation is fully aware of any findings raised during the audit.
(e) At the end of the audit, the auditing inspector should inform the senior member of the organisation of all the findings that were raised during the audit.
AMC1 145.B.310(c) Initial certification procedure
ED Decision 2022/011/R
There may be occasions when the competent authority inspector is unsure about the compliance of some aspects of the organisation applying for the initial issue of a certificate. If this occurs, the inspector should inform the organisation about the possible non-compliance at the time, and about the fact that the situation will be reviewed within the competent authority before a decision is made. If the review concludes that there is no finding, then a verbal confirmation to the organisation should suffice.
AMC2 145.B.310(c) Initial certification procedure
ED Decision 2022/011/R
(a) The audit should be recorded using the audit report EASA Form 6 (Appendix II to AMC2 145.B.310(c)).
(b) A review of the EASA Form 6 audit report form should be carried out by a competent independent person nominated by the competent authority. A satisfactory review of the audit report should be indicated by a signature on the EASA Form 6.
(c) The audit reports should include the date when each finding was closed, together with a reference to the closure actions.
AMC1 145.B.310(d) Initial certification procedure
ED Decision 2022/011/R
All findings should be confirmed in writing to the applicant organisation within 2 weeks of the on-site audit.
145.B.330 Changes – organisations
Regulation (EU) 2021/1963
(a) Upon receiving an application for a change that requires prior approval, the competent authority shall verify the organisation’s compliance with the applicable requirements before issuing the approval.
(b) The competent authority shall establish the conditions under which the organisation may operate during the change unless the competent authority determines that the organisation’s certificate needs to be suspended.
(c) When it is satisfied that the organisation complies with the applicable requirements, the competent authority shall approve the change.
(d) Without prejudice to any additional enforcement measures, if the organisation implements changes requiring prior approval without having received the approval of the competent authority pursuant to point (c), the competent authority shall consider the need to suspend, limit or revoke the organisation’s certificate.
(e) For changes not requiring prior approval, the competent authority shall include the review of such changes in its continuing oversight in accordance with the principles set forth in point 145.B.300. If any non-compliance is found, the competent authority shall notify the organisation, request further changes, and act in accordance with point 145.B.350.
AMC1 145.B.330 Changes — organisations
ED Decision 2022/011/R
(a) The competent authority should have adequate control over any changes to the personnel specified in points (a), (b), (c), (ca) and (k) of point 145.A.30. Such changes in personnel will require an amendment to the exposition.
(b) When an organisation submits the name of a new nominee for any of the personnel specified in points (a), (b), (c), (ca) and (k) of point 145.A.30, the competent authority may require the organisation to produce a written résumé of the proposed person’s qualifications. The competent authority should reserve the right to interview the nominee or to call for additional evidence of their suitability before deciding upon them being acceptable.
(c) For changes requiring prior approval, in order to verify the organisation’s compliance with the applicable requirements, the competent authority should conduct an audit of the organisation, limited to the extent of the changes. The competent authority may also request the organisation to provide the risk assessment referred to in AMC2 145.A.85 for review.
(d) If required, the audit may include interviews and inspections carried out at the organisation’s facilities.
(e) The applicable part(s) of EASA Form 6 should be used to document the assessment of any changes to the Part-145 approval.
GM1 145.B.330 Changes — organisations
ED Decision 2022/011/R
CHANGE OF THE NAME OF THE ORGANISATION
(a) On receipt of the application and the amendment to the relevant parts of the MOE, the competent authority should reissue the certificate.
(b) A change of only the name does not require the competent authority to audit the organisation unless there is evidence that other aspects of the organisation have changed.
AMC1 145.B.330(e) Changes — organisations
ED Decision 2022/011/R
REVIEW OF CHANGES NOT REQUIRING PRIOR APPROVAL
The authority should implement a process to review the changes not requiring prior approval. This should include at least, as part of the continuing oversight activities during the oversight cycle:
auditing the organisation process for changes not requiring prior approval;
selecting a sample of these changes and verifying their compliance with the applicable requirements.
145.B.350 Findings and corrective actions; observations
Regulation (EU) 2021/1963
(a) The competent authority shall have a system in place to analyse findings for their safety significance.
(b) A level 1 finding shall be issued by the competent authority when any significant non-compliance is detected with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, with the organisation’s procedures and manuals, or with the organisation’s certificate including the terms of approval, which lowers safety or seriously endangers flight safety.
Level 1 findings shall also include:
(1) any failure to grant the competent authority access to the organisation’s facilities referred to in point 145.A.140 during normal operating hours and after two written requests;
(2) obtaining the organisation certificate or maintaining its validity by falsification of the submitted documentary evidence;
(3) any evidence of malpractice or fraudulent use of the organisation certificate;
(4) the lack of an accountable manager.
(c) A level 2 finding shall be issued by the competent authority when any non-compliance is detected with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, with the organisation’s procedures and manuals, or with the organisation’s certificate including the terms of approval, which is not classified as a level 1 finding.
(d) When a finding is detected during oversight or by any other means, the competent authority shall, without prejudice to any additional action required by Regulation (EU) 2018/1139 and its delegated and implementing acts, communicate in writing the finding to the organisation and request corrective action to address the non-compliance identified. If a level 1 finding directly relates to an aircraft, the competent authority shall inform the competent authority of the Member State in which the aircraft is registered.
(1) If there are any level 1 findings, the competent authority shall take immediate and appropriate action to prohibit or limit the activities of the organisation involved and, if appropriate, it shall take action to revoke the certificate or to limit or suspend it in whole or in part, depending on the extent of the level 1 finding, until successful corrective action has been taken by the organisation.
(2) If there are any level 2 findings, the competent authority shall:
(i) grant the organisation a corrective action implementation period that is appropriate to the nature of the finding, and that in any case shall initially not be more than 3 months. The period shall commence from the date of the written communication of the finding to the organisation requesting corrective action to address the non-compliance identified. At the end of that period, and subject to the nature of the finding, the competent authority may extend the 3-month period provided that a corrective action plan has been agreed with the competent authority;
(ii) assess the corrective action plan and implementation plan proposed by the organisation, and if the assessment concludes that they are sufficient to address the non-compliance, accept them.
(3) If the organisation fails to submit an acceptable corrective action plan, or fails to perform the corrective action within the time period accepted or extended by the competent authority, the finding shall be raised to level 1 and action shall be taken as laid down in point (d)(1).
(4) The competent authority shall record all the findings that it has raised or that have been communicated to it in accordance with point (e) and, where applicable, the enforcement measures it has applied, as well as all corrective actions and the dates of the action closures for all the findings.
(e) Without prejudice to any additional enforcement measures, when an authority performing the oversight tasks pursuant to point 145.B.300(d) identifies any non-compliance with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts by an organisation certified by the competent authority of another Member State or the Agency, it shall inform that competent authority and provide an indication of the level of the finding.
(f) The competent authority may issue observations for any of the following cases not requiring level 1 or level 2 findings:
(1) for any item whose performance has been assessed to be ineffective;
(2) when it has been identified that an item has the potential to cause a non-compliance under points (b) or (c);
(3) when suggestions or improvements are of interest for the overall safety performance of the organisation.
The observations issued under this point shall be communicated in writing to the organisation and recorded by the competent authority.
GM1 145.B.350(f) Findings and corrective actions; observations
ED Decision 2022/011/R
DIFFERENCE BETWEEN ‘LEVEL 2 FINDING’ AND ‘OBSERVATION’
(a) ‘Findings’ are issued for non-compliance with the Regulation, whereas ‘observations’ may be issued to an organisation remaining compliant with the Regulation while additional inputs for the organisation could be considered for continuous improvement.
However, the competent authority may decide to issue a ‘level 2’ finding when the ‘observations’ process is not managed correctly or overlooked.
(b) Examples to help differentiate between a ‘level 2 finding’ and an ‘observation’ are provided below, based on the provisions for the control and calibration of tools in accordance with point 145.A.40(b).
Example of a ‘level 2 finding’
The organisation could not demonstrate compliance with some elements of 145.A.40(b) regarding the control register of the tools, equipment and particularly test equipment process as evidenced by:
(1) the fact that some sampled tools physically available in the tools store were missing in the tools control register managed by the organisation;
(2) the fact that one tool has not been correctly identified (e.g. incorrect P/N, S/N) in the tools control register.
Examples of ‘observations’
Accumulation of tools in the store not sent yet for calibration. This situation could generate some consequences on the availability of tools and operational capabilities during a peak of activities (ineffectiveness of the process).
The process to manage the tools control register through the dedicated software is not detailed enough (potential to cause a level 2 finding).
The colour of the ‘unserviceable’ tag of the tools could generate some confusion. The organisation should consider changing the colour of this unserviceable tag to better alert the staff on the particular status of the unserviceable tools (potential improvement).
145.B.355 Suspension, limitation and revocation
Regulation (EU) 2021/1963
The competent authority shall:
(a) suspend a certificate when it considers that there are reasonable grounds that such action is necessary to prevent a credible threat to aircraft safety;
(b) suspend, revoke or limit a certificate if such action is required pursuant to point 145.B.350;
(c) suspend or limit in whole or in part a certificate if unforeseeable circumstances outside the control of the competent authority prevent its inspectors from discharging their oversight responsibilities over the oversight planning cycle.