Regulation (EU) 2023/203
(a) The competent authority shall establish and maintain a management system, including as a minimum:
(1) documented policies and procedures to describe its organisation, means and methods to achieve compliance with Regulation (EC) No 216/2008 and its Implementing Rules. The procedures shall be kept up to date and serve as the basic working documents within that competent authority for all related tasks;
(2) a sufficient number of personnel to perform its tasks and discharge its responsibilities. Such personnel shall be qualified to perform their allocated tasks and have the necessary knowledge, experience, initial and recurrent training to ensure continuing competence. A system shall be in place to plan the availability of personnel, in order to ensure the proper completion of all tasks;
(3) adequate facilities and office accommodation to perform the allocated tasks;
(4) a function to monitor compliance of the management system with the relevant requirements and adequacy of the procedures including the establishment of an internal audit process and a safety risk management process. Compliance monitoring shall include a feedback system of audit findings to the senior management of the competent authority to ensure implementation of corrective actions as necessary; and
(5) a person or group of persons, ultimately responsible to the senior management of the competent authority for the compliance monitoring function.
(b) The competent authority shall, for each field of activity, including management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).
(c) The competent authority shall establish procedures for participation in a mutual exchange of all necessary information and assistance with other competent authorities concerned including on all findings raised and follow-up actions taken as a result of oversight of persons and organisations exercising activities in the territory of a Member State, but certified or authorised by or making declarations to the competent authority of another Member State or the Agency.
(d) A copy of the procedures related to the management system and their amendments shall be made available to the Agency for the purpose of standardisation.
(e) In addition to the requirements contained in point (a), the management system established and maintained by the competent authority shall comply with Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.
[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]
AMC1 ARO.GEN.200(a) Management system
ED Decision 2014/025/R
GENERAL
(a) All of the following should be considered when deciding upon the required organisational structure:
(1) the number of certificates, attestations, authorisations and approvals to be issued;
(2) the number of declared organisations;
(3) the number of certified or authorised persons and organisations exercising an activity within that Member State, including persons or organisations certified or authorised by other competent authorities;
(4) the possible use of qualified entities and of resources of other competent authorities to fulfil the continuing oversight obligations;
(5) the level of civil aviation activity in terms of:
(i) number and complexity of aircraft operated;
(ii) size and complexity of the Member State’s aviation industry;
(6) the potential growth of activities in the field of civil aviation.
(b) The set-up of the organisational structure should ensure that the various tasks and obligations of the competent authority do not rely solely on individuals. A continuous and undisturbed fulfilment of these tasks and obligations of the competent authority should also be guaranteed in case of illness, accident or leave of individual employees.
GENERAL
(a) The competent authority designated by each Member State should be organised in such a way that:
(1) there is specific and effective management authority in the conduct of all relevant activities;
(2) the functions and processes described in the applicable requirements of Regulation (EC) No 216/200843 Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February 2008 on common rules in the field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council Directive 91/670/EEC, Regulation (EC) No 1592/2002 and Directive 2004/36/EC. OJ L 79, 19.3.2008, p. 1. Regulation as last amended by Commission Regulation (EU) No 6/2013 of 8 January 2013 (OJ L 4, 9.1.2013, p. 34). and its Implementing Rules and AMCs, Certification Specifications (CSs) and Guidance Material (GM) may be properly implemented;
(3) the competent authority’s organisation and operating procedures for the implementation of the applicable requirements of Regulation (EC) No 216/2008 and its Implementing Rules are properly documented and applied;
(4) all competent authority personnel involved in the related activities are provided with training where necessary;
(5) specific and effective provision is made for the communication and interface as necessary with the Agency and the competent authorities of other Member States; and
(6) all functions related to implementing the applicable requirements are adequately described.
(b) A general policy in respect of activities related to the applicable requirements of Regulation (EC) No 216/2008 and its Implementing Rules should be developed, promoted and implemented by the manager at the highest appropriate level; for example the manager at the top of the functional area of the competent authority that is responsible for such activities.
(c) Appropriate steps should be taken to ensure that the policy is known and understood by all personnel involved, and all necessary steps should be taken to implement and maintain the policy.
(d) The general policy, whilst also satisfying additional national regulatory responsibilities, should in particular take into account:
(1) the provisions of Regulation (EC) No 216/2008;
(2) the provisions of the applicable Implementing Rules and their AMCs, CSs and GM;
(3) the needs of industry; and
(4) the needs of the Agency and of the competent authority.
(e) The policy should define specific objectives for key elements of the organisation and processes for implementing related activities, including the corresponding control procedures and the measurement of the achieved standard.
DOCUMENTED POLICIES AND PROCEDURES
(a) The various elements of the organisation involved with the activities related to Regulation (EC) No 216/2008 and its Implementing Rules should be documented in order to establish a reference source for the establishment and maintenance of this organisation.
(b) The documented procedures should be established in a way that facilitates their use. They should be clearly identified, kept up-to-date and made readily available to all personnel involved in the related activities.
(c) The documented procedures should cover, as a minimum, all of the following aspects:
(1) policy and objectives;
(2) organisational structure;
(3) responsibilities and associated authority;
(4) procedures and processes;
(5) internal and external interfaces;
(6) internal control procedures;
(7) training of personnel;
(8) cross-references to associated documents;
(9) assistance from other competent authorities or the Agency (where required).
(d) It is likely that the information is held in more than one document or series of documents, and suitable cross-referencing should be provided. For example, organisational structure and job descriptions are not usually in the same documentation as the detailed working procedures. In such cases, it is recommended that the documented procedures include an index of cross-references to all such other related information, and the related documentation should be readily available when required.
QUALIFICATION AND TRAINING — GENERAL
(a) It is essential that the competent authority has the full capability to adequately assess the continued competence of an organisation by ensuring that the whole range of activities is assessed by appropriately qualified personnel.
(b) For each inspector, the competent authority should:
(1) define the competencies required to perform the allocated certification and oversight tasks;
(2) define the associated minimum qualification requirements;
(3) establish initial and recurrent training programmes in order to maintain and to enhance inspector competency at the level necessary to perform the allocated tasks; and
(4) ensure that the training provided meets the established standards and is regularly reviewed and updated whenever necessary.
(c) The competent authority may provide training through its own training organisation with qualified trainers or through another qualified training source.
(d) When training is not provided through an internal training organisation, adequately experienced and qualified persons may act as trainers, provided their training skills have been assessed. If required, an individual training plan should be established covering specific training skills. Records should be kept of such training and the assessment, as appropriate.
QUALIFICATION AND TRAINING — INSPECTORS
(a) Initial training programme:
The initial training programme for inspectors should include, as appropriate to their role, current knowledge, experience and skills in at least all of the following:
(1) aviation legislation organisation and structure;
(2) the Chicago Convention, relevant ICAO annexes and documents;
(3) overview of Regulation (EC) No 216/2008, its implementing rules and the related AMC, CS, and GM;
(4) Regulation (EU) No 965/2012 as well as other applicable requirements;
(5) management systems, including the assessment of the effectiveness of a management system, in particular hazard identification and risk assessment, and non-punitive reporting techniques in the context of the implementation of a ‘just culture’;
(6) auditing techniques;
(7) competent authority procedures relevant to the inspectors’ tasks;
(8) human factors principles;
(9) rights and obligations of inspecting personnel of the competent authority;
(10) ‘on-the-job’ training, relevant to the inspector’s tasks;
(11) technical training, including training on aircraft-specific subjects, appropriate to the role and tasks of the inspector, in particular for those areas requiring approvals.
(b) Recurrent training programme:
Once qualified, the inspector should undergo training periodically as well as whenever deemed necessary by the competent authority in order to remain competent to perform the allocated tasks. The recurrent training programme for inspectors should include, as appropriate to their role, at least the following topics:
(1) changes in aviation legislation, operational environment and technologies;
(2) competent authority procedures relevant to the inspector’s tasks;
(3) technical training, including training on aircraft-specific subjects, appropriate to the role and tasks of the inspector; and
(4) results from past oversight.
(c) An assessment of an inspector’s competency should take place at regular intervals not exceeding three years.
QUALIFICATION AND TRAINING — CREW RESOURCE MANAGEMENT (CRM)
For the oversight of the operator’s CRM training, the inspectors of the competent authority should be qualified and trained as follows:
(a) Qualification
To fulfil the qualification provisions, inspectors should:
(1) have adequate knowledge of the relevant flight operations;
(2) have adequate knowledge of human performance and limitations (HPL);
(3) have completed initial CRM training;
(4) have received additional training in the fields of group management, group dynamics and personal awareness; and
(5) have experience in the assessment of the effectiveness of training programmes and management systems.
(b) Training
The training of inspectors should be both theoretical and practical, and should include:
(1) in-depth knowledge of the CRM training elements as laid down in Part-ORO; and
(2) specific skills for the oversight of the operator’s CRM training including the assessment of non-technical skills using proper techniques and methodologies.
AMC4 ARO.GEN.200(a)(2) Management system44 Please note that this AMC shall not apply to inspecting staff already qualified as inspector to perform oversight tasks, as per Article 3 of EASA ED Decision 2017/006/R.
ED Decision 2017/006/R
INSPECTOR QUALIFICATION FOR CAT OPERATIONS
(a) For CAT operations of aircraft with an MOPSC of more than 19 seats or with an MCTOM of more than 45 360 kg, an inspector who performs initial certification or oversight tasks relating to:
(1) the flight crew operating procedures contained in Part B (e.g. Chapters B-2, B-3, and B-9) of the Operations Manual (OM), or
(2) the aircraft/FSTD part of the flight crew training syllabi and checking programmes contained in Part D of the OM,
should have the following qualifications:
(i) operational experience in air transport operations appropriate to the allocated tasks;
(ii) experience in either operational management within an air transport operation; or as an examiner; or as an instructor; and
(iii) hold or have held a valid type rating on the aircraft type concerned; or a class rating as appropriate; or a rating on aircraft types/classes with similar technical and operational characteristics.
(b) For CAT operations with an MOPSC of 19 seats or less, the authority should establish the inspector qualifications required to perform the allocated initial certification and oversight tasks. The assigned inspector should undergo theoretical training on aircraft systems and operations.
(c) For in-flight inspections of CAT operations, the inspector should have relevant knowledge of the route and area.
FATIGUE RISK MANAGEMENT INSPECTOR TRAINING
An inspector involved in the approval process of operator’s flight time specification schemes and fatigue risk management (FRM) should receive the following training:
(a) Initial training
(1) Theory and effects of fatigue
(2) Human factors related to fatigue
(3) Typical hazards and risks related to fatigue, their possible mitigation measures, and the maturity of hazard identification models (reactive, proactive and predictive)
(4) FRM training and promotion methodologies and how to support ongoing development of FRM
(5) Data collection and analysis methods related to FRM
(6) Integration of FRM into the Management System
(7) Fatigue management documentation, implementation and assurance methodologies
(8) Regulatory framework and current best practices
(9) Auditing and assessment of the effectiveness of an operator’s FRM
(b) Recurrent training (at least every 3 years)
(1) Review of FRM implementation issues
(2) Recent incidents related to fatigue
(3) New FRM developments
(4) Review of changes in legislation, and best practices.
SUFFICIENT PERSONNEL
(a) This GM on the determination of the required personnel is limited to the performance of certification, authorisation and oversight tasks, excluding personnel required to perform tasks subject to any national regulatory requirements.
(b) The elements to be considered when determining required personnel and planning their availability may be divided into quantitative and qualitative elements:
(1) Quantitative elements:
(i) the estimated number of initial certificates to be issued;
(ii) the number of organisations certified by the competent authority;
(iii) the number of persons to whom the competent authority has issued a licence, certificate, rating, authorisation or attestation;
(iv) the estimated number of persons and organisations, as well as the estimated number of subcontracted organisations used by those persons and organisations, exercising their activity within the territory of the Member State and established or residing in another Member State;
(v) the number of organisations having declared their activity to the competent authority;
(vi) the number of organisations holding a specialised operations authorisation issued by the competent authority.
(2) Qualitative elements:
(i) the size, nature and complexity of activities of certified, authorised and declared organisations (cf. AMC1 ORO.GEN.200(b)) ,taking into account:
(A) privileges of the organisation;
(B) type of approval, scope of approval, multiple certification, authorisation and declared activities;
(C) possible certification to industry standards;
(D) types of aircraft/flight simulation training devices (FSTDs) operated;
(E) number of personnel; and
(F) organisational structure, existence of subsidiaries;
(ii) the safety priorities identified;
(iii) the results of past oversight activities, including audits, inspections and reviews, in terms of risks and regulatory compliance, taking into account:
(A) number and level of findings;
(B) timeframe for implementation of corrective actions; and
(C) maturity of management systems implemented by organisations and their ability to effectively manage safety risks, taking into account also information provided by other competent authorities related to activities in the territory of the Member States concerned; and
(iv) the size and complexity of the Member State’s aviation industry and the potential growth of activities in the field of civil aviation, which may be an indication of the number of new applications and changes to existing certificates and authorisations to be expected.
(c) Based on existing data from previous oversight planning cycles and taking into account the situation within the Member State’s aviation industry, the competent authority may estimate:
(1) the standard working time required for processing applications for new certificates (for persons and organisations) and authorisations;
(2) the number of new declarations or changed declarations;
(3) the number of new certificates and authorisations to be issued for each planning period; and
(4) the number of changes to existing certificates and authorisations to be processed for each planning period.
(d) In line with the competent authority’s oversight policy, the following planning data should be determined specifically for each type of organisation certified by the competent authority as well as for declared organisations, including those being authorised:
(1) standard number of audits to be performed per oversight planning cycle;
(2) standard duration of each audit;
(3) standard working time for audit preparation, on-site audit, reporting and follow-up, per inspector;
(4) standard number of ramp and unannounced inspections to be performed;
(5) standard duration of inspections, including preparation, reporting and follow-up, per inspector;
(6) minimum number and required qualification of inspectors for each audit/inspection.
(e) Standard working time could be expressed either in working hours per inspector or in working days per inspector. All planning calculations should then be based on the same unit (hours or working days).
(f) It is recommended to use a spreadsheet application to process data defined under (c) and (d), to assist in determining the total number of working hours/days per oversight planning cycle required for certification, authorisation, oversight and enforcement activities. This application could also serve as a basis for implementing a system for planning the availability of personnel.
(g) For each type of organisation certified or high risk commercial specialised operation authorised by the competent authority, the number of working hours/days per planning period for each qualified inspector that may be allocated for certification, authorisation, oversight and enforcement activities should be determined, taking into account:
(1) purely administrative tasks not directly related to oversight and certification/authorisation;
(2) training;
(3) participation in other projects;
(4) planned absence; and
(5) the need to include a reserve for unplanned tasks or unforeseeable events.
(h) The determination of working time available for certification, authorisation, oversight and enforcement activities should also consider:
(1) the possible use of qualified entities; and
(2) possible cooperation with other competent authorities for approvals or authorisations involving more than one Member State.
(i) Based on the elements listed above, the competent authority should be able to:
(1) monitor dates when audits and inspections are due and when they have been carried out;
(2) implement a system to plan the availability of personnel; and
(3) identify possible gaps between the number and qualification of personnel and the required volume of certification/authorisation and oversight.
Care should be taken to keep planning data up-to-date in line with changes in the underlying planning assumptions, with particular focus on risk-based oversight principles.
INSPECTOR COMPETENCY
(a) Competency is a combination of individual skills, practical and theoretical knowledge, attitude, training, and experience.
(b) An inspector should, by his/her qualifications and competencies, command the professional respect of the inspected personnel.
SPECIFIC FLIGHT OPERATIONS INSPECTOR QUALIFICATION
(a) The following characteristics should be considered in order to establish aircraft types/classes with similar technical and operational characteristics:
(1) Engine technology;
(2) Certification basis;
(3) Level of automation;
(4) Flight controls logic (e.g. fly-by-wire, conventional, etc.); and
(5) Size and mass of the aircraft (e.g. maximum take-off mass, wake turbulence category, etc.).
(b) The following factors should be considered with regard to knowledge of the route and area:
(1) Climatological conditions, e.g. exceptionally cold weather;
(2) Availability of adequate aerodromes and their specific features, e.g. high elevation, poor English/communication capability, exceptional approach procedures;
(3) Navigational procedures, including PBN requirements, ETOPS and extended diversion time requirements;
(4) Communication procedures, including required communication performance, any specific and contingency procedures, e.g. loss of communication, drift down, oxygen escape; and
(5) Equipment requirements related to search and rescue, e.g. polar, desert operations, oceanic, remote areas.
GM4 ARO.GEN.200(a)(2) Management system
ED Decision 2017/006/R
INSPECTOR TRAINING PROGRAMMES
(a) The competent authority may adapt the duration and depth of the individual training programme of an inspector, provided the required competencies are achieved and maintained.
(b) The following documents, as appropriate to the role of the inspector, are relevant for the initial training programme for inspectors referred to in AMC2 ARO.GEN.200(a)(2):
(1) The Chicago Convention and relevant ICAO annexes and documents
(2) Regulation (EU) No 376/2014 (Occurrences in civil aviation)
(3) Regulation (EC) No 216/2008, and related implementing rules such as:
(i) Regulation (EU) No 1178/2011 (Air Crew Regulation);
(ii) Regulation (EU) No 1332/2011;(Part-AUR);
(iii) Regulation (EU) No 923/2012 (Part-SERA);
(iv) Regulation (EU) No 748/2012 (OSD); and
(v) Regulation (EU) No 1321/2014 (Part-M, Part-145).
(c) The duration of the on-the-job training should take into account the scope and complexity of the inspector’s tasks. The competent authority should assess whether the required competence has been achieved before an inspector is authorised to perform a task without supervision.
FATIGUE RISK MANAGEMENT INSPECTOR TRAINING
‘Theory and effects of fatigue’ refers to:
(a) sleep;
(b) circadian rhythm;
(c) adaptation (acclimatisation) after time-jet zone crossing (westbound and eastbound) and jet lag;
(d) shift work;
(e) bio-mathematical fatigue models; and
(f) measurement of fatigue.
FATIGUE RISK MANAGEMENT INSPECTOR TRAINING
Guidance on training for inspectors on fatigue risk management is contained in ICAO Doc 9966 (Manual for the Oversight of Fatigue Management Approaches).
INSPECTOR EXPERIENCE IN EITHER OPERATIONAL MANAGEMENT WITHIN AN AIR TRANSPORT OPERATION OR AS AN INSTRUCTOR OR AS AN EXAMINER
The inspector assigned to certification and oversight tasks should have sufficient experience in roles that enable a thorough understanding of the operational processes.
(a) Experience in operational management refers to previous appointments in functions of organisational relevance, such as in any of the areas below:
(1) flight operations and operational control;
(2) flight crew training; and
(3) management system.
Such appointments should not be limited to senior management functions such as nominated persons in accordance with point (b) of ORO.GEN.210. It is important that the inspector assigned to certification and oversight tasks in accordance with AMC4 ARO.GEN.200(a)(2) have sufficient experience which enables a thorough understanding of the operational processes within air transport operations.
(b) In the context of the approval and oversight of aircraft specific flight crew training and checking, the inspector should have experience as an instructor.
PROCEDURES AVAILABLE TO THE AGENCY
(a) Copies of the procedures related to the competent authority’s management system and their amendments to be made available to the Agency for the purpose of standardisation should provide at least the following information:
(1) Regarding continuing oversight functions undertaken by the competent authority, the competent authority’s organisational structure with description of the main processes. This information should demonstrate the allocation of responsibilities within the competent authority, and that the competent authority is capable of carrying out the full range of tasks regarding the size and complexity of the Member State’s aviation industry. It should also consider overall proficiency and authorisation scope of competent authority personnel.
(2) For personnel involved in oversight activities, the minimum professional qualification requirements and experience and principles guiding appointment (e.g. assessment).
(3) How the following are carried out: assessing applications and evaluating compliance, issuance of certificates and authorisations, performance of continuing oversight, follow-up of findings, enforcement measures and resolution of safety concerns.
(4) Principles of managing exemptions and derogations.
(5) Processes in place to disseminate applicable safety information for timely reaction to a safety problem.
(6) Criteria for planning continuing oversight (oversight programme), including adequate management of interfaces when conducting continuing oversight (air operations, flight crew licensing, continuing airworthiness management for example).
(7) Outline of the initial training of newly recruited oversight personnel (taking future activities into account), and the basic framework for continuation training of oversight personnel.
(b) As part of the continuous monitoring of a competent authority, the Agency may request details of the working methods used, in addition to the copy of the procedures of the competent authority’s management system (and amendments). These additional details are the procedures and related guidance material describing working methods for competent authority personnel conducting oversight.
(c) Information related to the competent authority’s management system may be submitted in electronic format.
ARO.GEN.205 Allocation of tasks to qualified entities
Regulation (EU) 2023/203
[applicable until 21 February 2026 — Regulation (EU) No 379/2014]
ARO.GEN.205 Allocation of tasks
[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]
(a) Tasks related to the initial certification, specialised operation authorisation or continuing oversight of persons or organisations subject to Regulation (EC) No 216/2008 and its Implementing Rules shall be allocated by Member States only to qualified entities. When allocating tasks, the competent authority shall ensure that it has:
(1) put a system in place to initially and continuously assess that the qualified entity complies with Annex V to Regulation (EC) No 216/2008.
This system and the results of the assessments shall be documented.
(2) established a documented agreement with the qualified entity, approved by both parties at the appropriate management level, which clearly defines:
(i) the tasks to be performed;
(ii) the declarations, reports and records to be provided;
(iii) the technical conditions to be met in performing such tasks;
(iv) the related liability coverage; and
(v) the protection given to information acquired in carrying out such tasks.
(b) The competent authority shall ensure that the internal audit process and safety risk management process required by ARO.GEN.200(a)(4) covers all certification, authorisation or continuing oversight tasks performed on its behalf.
(c) For the certification and oversight of the organisation’s compliance with point ORO.GEN.200A, the competent authority may allocate tasks to qualified entities in accordance with point (a), or to any relevant authority responsible for information security or cybersecurity within the Member State. When allocating tasks, the competent authority shall ensure that:
(1) all aspects related to aviation safety are coordinated and taken into account by the qualified entity or relevant authority;
(2) the results of the certification and oversight activities performed by the qualified entity or relevant authority are integrated in the overall certification and oversight files of the organisation;
(3) its own information security management system established in accordance with point ARO.GEN.200(e) covers all the certification and continuing oversight tasks performed on its behalf.
[applicable from 22 February 2026 — Implementing Regulation (EU) 2023/203]
ARO.GEN.210 Changes in the management system
Regulation (EU) No 965/2012
(a) The competent authority shall have a system in place to identify changes that affect its capability to perform its tasks and discharge its responsibilities as defined in Regulation (EC) No 216/2008 and its Implementing Rules. This system shall enable it to take action as appropriate to ensure that its management system remains adequate and effective.
(b) The competent authority shall update its management system to reflect any change to Regulation (EC) No 216/2008 and its Implementing Rules in a timely manner, so as to ensure effective implementation.
(c) The competent authority shall notify the Agency of changes affecting its capability to perform its tasks and discharge its responsibilities as defined in Regulation (EC) No 216/2008 and its Implementing Rules.
Regulation (EU) 2015/140
(a) The competent authority shall establish a system of record-keeping providing for adequate storage, accessibility and reliable traceability of:
(1) the management system’s documented policies and procedures;
(2) training, qualification and authorisation of its personnel;
(3) the allocation of tasks, covering the elements required by ARO.GEN.205 as well as the details of tasks allocated;
(4) certification processes and continuing oversight of certified organisations;
(4a) the process of authorisation of a high risk commercial specialised operation and continuing oversight of an authorisation holder;
(5) declaration processes and continuing oversight of declared organisations;
(6) details of training courses provided by certified organisations, and if applicable, records relating to FSTDs used for such training;
(7) oversight of persons and organisations exercising activities within the territory of the Member State, but overseen, certified or authorised by the competent authority of another Member State or the Agency, as agreed between these authorities;
(8) oversight of operations of other-than complex motor-powered aircraft by non-commercial operators;
(9) the evaluation and notification to the Agency of alternative means of compliance proposed by organisations subject to certification, or authorisation and the assessment of alternative means of compliance used by the competent authority itself;
(10) findings, corrective actions and date of action closure;
(11) enforcement measures taken;
(12) safety information and follow-up measures; and
(13) the use of flexibility provisions in accordance with Article 14 of Regulation (EC) No 216/2008.
(b) The competent authority shall maintain a list of all organisation certificates and specialised operations authorisations it issued as well as declarations it received.
(c) All records shall be kept for the minimum period specified in this Regulation. In the absence of such indication, records shall be kept for a minimum period of five years subject to applicable data protection law.
GENERAL
(a) The record-keeping system should ensure that all records are accessible whenever needed within a reasonable time. These records should be organised in a way that ensures traceability and retrievability throughout the required retention period.
(b) Records should be kept in paper form or in electronic format or a combination of both media. Records stored on microfilm or optical disc form are also acceptable. The records should remain legible and accessible throughout the required retention period. The retention period starts when the record has been created.
(c) Paper systems should use robust material, which can withstand normal handling and filing. Computer systems should have at least one backup system, which should be updated within 24 hours of any new entry. Computer systems should include safeguards against unauthorised alteration of data.
(d) All computer hardware used to ensure data backup should be stored in a different location from that containing the working data and in an environment that ensures they remain in good condition. When hardware or software changes take place, special care should be taken that all necessary data continue to be accessible at least through the full period specified in the relevant Subpart or by default in ARO.GEN.220(c).
COMPETENT AUTHORITY MANAGEMENT SYSTEM
Records related to the competent authority’s management system should include, as a minimum and as applicable:
(a) the documented policies and procedures;
(b) the personnel files of competent authority personnel, with supporting documents related to training and qualifications;
(c) the results of the competent authority’s internal audit and safety risk management processes, including audit findings and corrective actions; and
(d) the contract(s) established with qualified entities performing certification, authorisation or oversight tasks on behalf of the competent authority.
ORGANISATIONS
Records related to an organisation certified or operations authorised by or having declared its activity to the competent authority should include, as appropriate to the type of organisation:
(a) the application for an organisation approval, a specialised operation authorisation or the declaration received;
(b) the documentation based on which the approval or authorisation has been granted and any amendments to that documentation;
(c) the organisation approval certificate or specialised operation authorisation, including any changes;
(d) a copy of the continuing oversight programme listing the dates when audits are due and when such audits were carried out;
(e) continuing oversight records, including all audit and inspection records;
(f) copies of all relevant correspondence;
(g) details of any exemption and enforcement actions;
(h) any report from other competent authorities relating to the oversight of the organisation; and
(i) a copy of any other document approved by the competent authority.
ORGANISATIONS — DOCUMENTATION
Documentation to be kept as records in support of the approval includes the management system documentation, including any technical manuals, such as the operations manual, and training manual, that have been submitted with the initial application, and any amendments to these documents.
AUTHORISATION HOLDERS — DOCUMENTATION
Documentation to be kept as records in support of the authorisation of a high risk commercial specialised operation include the risk assessment documentation and related standard operating procedures (SOP), as well as a description of the management system of the proposed operation and a statement that all the documentation sent to the competent authority has been verified by the operator and found in compliance with the applicable requirements. Any amendments to these documents should be documented.
ACTIVITIES PERFORMED IN THE TERRITORY OF A MEMBER STATE BY PERSONS OR ORGANISATIONS ESTABLISHED OR RESIDING IN ANOTHER MEMBER STATE
(a) Records related to the oversight of activities performed in the territory of a Member State by persons or organisations established or residing in another Member State should include, as a minimum:
(1) oversight records, including all audit and inspection records and related correspondence;
(2) copies of all relevant correspondence to exchange information with other competent authorities relating to the oversight of such persons/organisations;
(3) details of any enforcement measures and penalties; and
(4) any report from other competent authorities relating to the oversight of these persons/organisations, including any notification of evidence showing non-compliance with the applicable requirements.
(b) Records should be kept by the competent authority having performed the audit or inspection and should be made available to other competent authorities at least in the following cases:
(1) serious incidents or accidents;
(2) findings through the oversight programme where organisations certified or authorised by another competent authority are involved, to determine the root cause;
(3) an organisation being certified, authorised or having approvals in several Member States.
(c) When records are requested by another competent authority, the reason for the request should be clearly stated.
(d) The records can be made available by sending a copy or by allowing access to them for consultation.
GENERAL
Records are required to document results achieved or to provide evidence of activities performed. Records become factual when recorded. Therefore, they are not subject to version control. Even when a new record is produced covering the same issue, the previous record remains valid.