Easy Access Rules for Continuing Airworthiness (Regulation (EU) No 1321/2014)

ED Decision 2022/011/R

SUBCONTRACTING

1.Working under the management system of an organisation appropriately approved under Part-145 (subcontracting) refers to the case of one organisation, whether or not it is approved under Part-145, that carries out certain maintenance (see paragraph 3.1) under the approval certificate of a Part-145. In order to subcontract, the Part-145 organisation should have a procedure for the control of such subcontractors as described below. Any approved maintenance organisation that carries out maintenance under its own approval certificate for another approved maintenance organisation is not considered to be subcontracted for the purpose of this paragraph, but contracted by that other organisation (see GM2 145.A.205).

2.Maintenance of engines or engine modules other than ‘a complete workshop maintenance check or overhaul’ is intended to mean any maintenance that can be carried out without disassembly of the core engine or, in the case of modular engines, without disassembly of any core module.

3.FUNDAMENTALS OF SUBCONTRACTING UNDER PART-145

3.1.The most common reasons for allowing an organisation approved under Part-145 to sub-contract is to permit acceptance of certain maintenance tasks carried out by subcontractors when approvals by the competent authority of those subcontractors are not justified (e.g. limited scope of work, limited volume of maintenance activities, limited number of potential customers, limited need in time) or when the subcontractors cannot demonstrate compliance with all elements of the regulation (e.g. no maintenance facilities, specialised staff not covering all maintenance scope).

This subcontracting option permits the acceptance of the following maintenance:

(a)specialised maintenance services, such as, but not limited to, surface treatment (e.g. plating, plasma spraying), fabrication of specified parts for repairs/ modifications, welding, etc.;

(b)aircraft maintenance (e.g. line maintenance, leaks detection in fuel tanks, special repairs/modifications, complete aircraft painting) up to but not including a complete base maintenance check as specified in point 145.A.75(b);

(c)component maintenance.;

(d)engine maintenance up to but not including a complete workshop maintenance check or overhaul of an engine or engine module as specified in point 145.A.75(b).

3.2.When maintenance is carried out under the management system of a Part-145 organisation, it means that for the duration of such maintenance, the Part-145 approval has been temporarily extended to include the subcontractor. It therefore follows that all parts of the subcontractor (facilities, personnel, equipment and tools, components, maintenance data and procedures) involved with the maintenance organisation’s products undergoing maintenance should meet Part-145 requirements and the Part-145 organisation’s MOE for the duration of that maintenance, and it remains the Part-145 organisation’s responsibility to ensure such requirements are satisfied.

3.3.When subcontracting, the Part-145 organisation is not required to have complete facilities for the maintenance that it needs to sub-contract, but it should have its own expertise to determine whether the
subcontractor meets the necessary standards. However, a Part-145 organisation cannot be approved unless it has in-house the facilities, personnel, equipment and tools, components, maintenance data, procedures and expertise to carry out the majority of the maintenance for which it wishes to receive the terms of approval.

3.4.The organisation may find it necessary to include specialised
subcontractors to enable it to be approved to issue the certificate of release to service of a particular maintenance. Examples are provided in point 3.1(a). To authorise the use of such subcontractors, the competent authority will need to be satisfied that the Part-145 organisation has the necessary expertise and procedures to control such subcontractors.

3.5.A maintenance organisation working outside the scope of its terms of approval is deemed to be not approved for the work considered. Such an organisation may in this circumstance operate only as a subcontractor under the management system and control of another organisation appropriately approved under Part-145.

3.6.Authorisation to sub-contract is indicated by the competent authority approving the MOE containing a specific procedure on the control of subcontractors as well as a list of subcontractors.

4.PART-145 PROCEDURES FOR THE CONTROL OF SUBCONTRACTORS

4.1.A pre-audit procedure should be established whereby the Part-145 organisation should audit a prospective subcontractor to determine whether those services of the subcontractor that it wishes to use meet the intent of Part-145. This audit should be performed under the responsibility of the compliance monitoring function.

4.2.The Part-145 organisation needs to assess to what extent it will use the subcontractor resources (facilities included). The contract between the Part-145 organisation and the subcontractor will determine whether the Part-145 organisation requires its own paperwork, maintenance data and components to be used or, provided that they meet the requirements of Part-145, if the facilities, equipment and tools from the subcontractor will be used. In the case of
subcontractors who provide specialised services, it may for practical reasons be necessary to use their specialised services paperwork, maintenance data and components, subject to acceptance by the Part-145 organisation.

4.3.Unless the sub-contracted maintenance work can be fully inspected on receipt by the Part-145 organisation, it will be necessary for the Part-145 organisation to establish an MOE procedure to control the subcontracted maintenance work (and associated supporting documents). The organisation will need to consider whether to use its own personnel or to authorise the subcontractor personnel for that control.

4.4.The certificate of release to service may be issued either by subcontractor staff holding a certification authorisation issued by the Part-145 organisation in accordance with points 145.A.30 and 145.A.35 as appropriate, or by the Part-145 organisation certifying staff.

4.5.The subcontractor control procedure will need to address the relevant management system key processes such as safety risk management and compliance monitoring (see point 145.A.205). The procedure should ensure that records of all subcontractor audits and inspections, and the corresponding actions are kept, and provide information on when subcontractors are used. The procedure should include a clear revocation process for subcontractors that do not meet the Part-145 maintenance organisation’s requirements.

4.6.The Part-145 compliance monitoring staff will need to audit the subcontractor control function of the Part-145 organisation and to audit the subcontractors unless this task is already carried out by the subcontractor control function on behalf of the compliance monitoring function.

4.7.The contract between the Part-145 organisation and the
subcontractor should contain a provision to ensure that access to the subcontractor is granted to any person authorised by the authorities specified in point 145.A.140.

Regulation (EU) 2021/1963

(a)The following changes to the organisation shall require prior approval by the competent authority:

(1)changes to the certificate, including the terms of approval of the organisation;

(2)changes of the persons referred to in points 145.A.30(a), (b), (c) and (ca);

(3)changes to the reporting lines between the personnel nominated in accordance with points 145.A.30(b), (c) and (ca), and the accountable manager;

(4)the procedure as regards changes not requiring prior approval referred to in point (c);

(5)additional locations of the organisation other than those that are subject to point 145.A.75(c).

(b)For the changes referred to in point (a) and for all other changes requiring prior approval in accordance with this Annex, the organisation shall apply for and obtain an approval issued by the competent authority. The application shall be submitted before such changes take place in order to enable the competent authority to determine that there is continued compliance with this Annex and to amend, if necessary, the organisation certificate and the related terms of approval that are attached to it.

The organisation shall provide the competent authority with any relevant documentation.

The change shall only be implemented upon the receipt of a formal approval from the competent authority in accordance with point 145.B.330.

The organisation shall operate under the conditions prescribed by the competent authority during such changes, as applicable.

(c)All changes not requiring prior approval shall be managed and notified to the competent authority as set out in a procedure which is approved by the competent authority in accordance with point 145.B.310(h).

ED Decision 2022/011/R

APPLICATION TIME FRAMES

(a)The application for a change to an organisation certificate should be submitted at least 30 working days before the date of the intended changes.

(b)In the case of a planned change of a nominated person, the organisation should inform the competent authority at least 20 working days before the date of the proposed change.

(c)Unforeseen changes should be notified at the earliest opportunity, in order to enable the competent authority to determine whether there is continued compliance with the applicable requirements, and to amend, if necessary, the organisation certificate and the related terms of approval.

ED Decision 2022/011/R

MANAGEMENT OF CHANGES

The organisation should manage changes to the organisation in accordance with point (e) of AMC1 145.A.200(a)(3). For changes requiring prior approval, it should conduct a risk assessment and provide it to the competent authority upon request.

ED Decision 2022/011/R

CHANGES REQUIRING OR NOT REQUIRING PRIOR APPROVAL

Point is structured as follows:

•Point (a) introduces an obligation of prior approval (by the competent authority) for specific cases listed under (1) to (5);

•Point (b) address all instances (including (a)) where this Annex (Part-145) explicitly requires an approval by the competent authority (e.g. procedure for use of alternative tooling or equipment, ref. 145.A.40(a)(i)). Changes relevant to these instances should be considered as changes requiring a prior approval (see list in GM1 145.A.85(b)), unless otherwise specified by this Annex (Part-145).

Point (b) also indicates how all changes requiring prior approval should be handled;

•Point (c) introduces the possibility for the organisation to agree with the competent authority that certain changes to the organisation (other than those covered by (a) or (b)) can be implemented without prior approval depending on the compliance and safety performance of the organisation, and in particular, on its capability to apply change management principles.

ED Decision 2022/011/R

CHANGE OF THE NAME OF THE ORGANISATION

A change of the name requires the organisation to submit an application as a matter of urgency for a re-issue of their certificate.

If this is the only change to report, the application can be accompanied by a copy of the documentation that was previously submitted to the competent authority under the previous name, as a means of demonstrating that the organisation complies with the applicable requirements.

ED Decision 2022/011/R

CHANGE OF A NOMINATED PERSON

In accordance with point 145.A.85(a)(2), a change of a nominated person (ref. 145.A.30) requires a prior approval. In case of a unplanned/unanticipated change, a deputy (such as the deputy referred to in 145.A.30(b)) may ensure business continuity during the approval process of the new nominated person.

ED Decision 2022/011/R

CHANGES REQUIRING PRIOR APPROVAL (OTHER THAN THOSE COVERED BY POINT 145.A.85(A))

The following are examples of changes that require prior approval by the competent authority (other than those covered by point 145.A.85(a)), as specified in Part-145:

(a) changes to the AltMoC [145.A.120(b)];

(b)changes to the MOE procedure for the use of alternative tooling or equipment [145.A.40(a)(i)];

(c)changes to the MOE procedure allowing a B-rated organisation to carry out maintenance on an installed engine during ‘base’ and ‘line’ maintenance [Appendix II, point (f)];

(d)changes to the MOE procedure allowing a C-rated organisation to carry out maintenance on an installed component (other than a complete engine/APU) during ‘base’ and ‘line’ maintenance or at an engine/APU maintenance facility [Appendix II, point (g)];

(e)changes to the procedures to establish and control the competency of personnel [145.A.30(e)];

(f) changes to the system for reporting to the competent authority on the safety performance and regulatory compliance of the organisation (in the case of an extension of the oversight planning cycle beyond 36 months) [145.B.305(d)].

Regulation (EU) 2021/1963

(a)The organisation’s certificate shall remain valid, subject to compliance with all of the following conditions:

1.the organisation remaining in compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts, taking into account the provisions of point 145.B.350 of this Annex related to the handling of findings;

2.the competent authority being granted access to the organisation as specified in point 145.A.140;

3.the certificate not being surrendered by the organisation, or suspended or revoked by the competent authority under point 145.B.355.

(b)Upon surrender or revocation, the certificate shall be returned to the competent authority without delay.

Regulation (EU) 2021/1963

(a)After the receipt of a notification of findings in accordance with point 145.B.350, the organisation shall:

(1)identify the root cause(s) of, and contributing factor(s) to, the non-compliance;

(2)define a corrective action plan;

(3)demonstrate the implementation of corrective action to the satisfaction of the competent authority.

(b)The actions referred to in point (a) shall be performed within the period agreed with that competent authority in accordance with point 145.B.350.

(c)The observations received in accordance with point 145.B.350(f) shall be given due consideration by the organisation. The organisation shall record the decisions taken in respect of those observations.

ED Decision 2022/011/R

FINDING-RELATED CORRECTIVE ACTION PLAN AND IMPLEMENTATION

After receiving the notification of findings, the organisation should identify and define the actions for all findings to address the effects of the non-compliance and its root cause(s) and contributing factor(s).

Depending on the issues, the organisation may need to take immediate corrections.

The corrective action plan should:

•include the correction of the issue, corrective actions and preventive actions, as well as the planning to implement these actions;

•be timely submitted to the competent authority for acceptance before it is effectively implemented.

After receiving the acceptance of the corrective action plan from the competent authority, the organisation should implement the associated actions.

Within the agreed period, the organisation should inform the competent authority that the corrective action plan has been completed and should send the associated evidence, as requested by the competent authority.

ED Decision 2022/011/R

DUE CONSIDERATION TO OBSERVATIONS

For each observation notified by the competent authority, the organisation should analyse the related issues and determine when actions are needed.

The handling of the observations may follow a process similar to the handling of the findings by the organisation.

The organisation should record the analysis and the outputs, such as the actions taken or the reasons for not taking actions.

ED Decision 2022/011/R

ROOT CAUSE ANALYSIS

(a) It is important that the analysis does not primarily focus on establishing who or what caused the non-compliance, but on why it was caused. Establishing the root cause(s) often requires an overarching view of the events and circumstances that led to it, to identify all the possible systemic and contributing factors (regulatory, technical, human factors, organisational factors, etc.) in addition to the direct factors.

(b) A narrow focus on single events or failures, or the use of a simple, linear model, such as a fault tree, to identify the chain of events that led to the non-compliance, may not properly reflect the complexity of the issue, and therefore there is a risk that important factors that must be addressed in order to prevent a reoccurrence will be ignored.

Such an inappropriate or partial root cause analysis often leads to defining ‘quick fixes’ that only address the symptoms of the non-conformity. A peer review of the results of the root cause analysis may increase its reliability and objectivity.

Regulation (EU) 2021/1963

(a)An organisation may use any alternative means of compliance to establish compliance with this Regulation.

(b)If an organisation wishes to use an alternative means of compliance, it shall, prior to using it, provide the competent authority with a full description. The description shall include any revisions to manuals or procedures that may be relevant, as well as an explanation indicating how compliance with this Regulation is achieved.

The organisation may use those alternative means of compliance subject to prior approval from the competent authority.

ED Decision 2022/011/R

GENERAL

(a)Acceptable means of compliance (AMC), as referred to in Article 76(3) of Regulation (EU) 2018/1139, are a tool to standardise the demonstration of compliance and facilitate the verification activities of the competent authorities with Regulation (EU) 2018/1139 and its delegated and implementing acts. They are published by the Agency to achieve these objectives. Whereas the competent authorities and the regulated entities are not legally bound to use them, applying them is recommended.

(b)If an organisation wishes to use means to comply with the Regulation different from the AMC established by EASA, that organisation may need to demonstrate compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts by using alternative means of compliance (AltMoC):

(1)established by its competent authority — see GM1 145.B.120; or

(2)established by that organisation and approved by its competent authority — see point (c) below.

An AltMoC does not allow deviation from Regulation (EU) 2018/1139 and its delegated or implementing acts.

(c)AltMoC established by an organisation and approved by its competent authority:

An organisation wishing to use a different means of compliance than the one published by the Agency, can propose and implement an AltMoC only once the competent authority approves it. In this case, the organisation is responsible for demonstrating how that AltMoC establishes compliance with the Regulation.

This approval will be granted by its competent authority on an individual basis and restricted to that specific applicant. Other organisations wishing to use the same means of compliance should follow the AltMoC process (demonstrating compliance with the Regulation) and obtain individual approval from their competent authority.

ED Decision 2022/011/R

WHEN AN ALTERNATIVE MEANS OF COMPLIANCE IS NEEDED

When there is no EASA AMC for a certain requirement in the Regulation, the means of compliance proposed by the organisation to that point of the Regulation do not need to go through the AltMoC process. It is the responsibility of the competent authority to verify that compliance with the Regulation is met. However, in certain cases the organisation may propose, and the competent authority may agree, to have such means of compliance follow the AltMoC process.

When there is an EASA AMC, the AltMoC process is needed in the following (not exhaustive) cases:

•a means to comply with the Regulation is technically different in character to the AMC published by EASA;

•A Form is significantly different from the one proposed in the EASA AMC.

Note: A Form required by the delegated and implementing acts cannot be changed.

Examples of issues not considered to require an AltMoC process include, but are not limited to:

•editorial changes to an EASA AMC, as long as it does not change the intent of the AMC;

— transposing an EASA AMC into the organisational structure, organisational processes, or standard operating procedures with different wording and terminology customised to the organisation’s environment, if this does not change the intent of the AMC and its associated level of safety.

ED Decision 2022/011/R

DESCRIPTION SUPPORTING THE ALTERNATIVE MEANS OF COMPLIANCE

(a) The description of the AltMoC should include:

a summary of the AltMoC;

the content of the AltMoC;

a statement that compliance with the Regulation is achieved; and

in support of that statement, an assessment demonstrating that the AltMoC reaches an acceptable level of safety, taking into account the level of safety provided by the corresponding EASA AMC.

(b) All these elements describing the AltMoC form an integral part of the management system records to be kept in accordance with 145.A.55.

Regulation (EU) 2021/1963

For the purpose of determining compliance with the relevant requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, the organisation shall ensure that access to any facility, aircraft, document, records, data, procedures or to any other material relevant to its activity subject to certification, whether it is subcontracted or not, is granted to any person authorised by one of the following authorities:

(a)the competent authority defined in point 145.1;

(b)the authority performing the oversight tasks in accordance with point 145.B.300(d).

Regulation (EU) 2021/1963

The organisation shall implement:

(a)any safety measures mandated by the competent authority in accordance with point 145.B.135;

(b)any relevant mandatory safety information issued by the Agency.

Regulation (EU) 2021/1963

(a)The organisation shall establish, implement and maintain a management system that includes:

(1)clearly defined accountability and lines of responsibility throughout the organisation, including a direct safety accountability of the accountable manager;

(2)a description of the overall philosophies and principles of the organisation with regard to safety (“the safety policy”), and the related safety objectives;

(3)the identification of aviation safety hazards entailed by the activities of the organisation, their evaluation and the management of the associated risks, including taking actions to mitigate the risks and verify their effectiveness;

(4)maintaining personnel trained and competent to perform their tasks;

(5)documentation of all management system key processes, including a process for making personnel aware of their responsibilities and the procedure for amending that documentation;

(6)a function to monitor the compliance of the organisation with the relevant requirements. Compliance monitoring shall include a feedback system of findings to the accountable manager to ensure the effective implementation of corrective actions as necessary.

(b)The management system shall correspond to the size of the organisation and the nature and complexity of its activities, taking into account the hazards and the associated risks inherent in those activities.

(c)If the organisation holds one or more additional organisation certificates within the scope of Regulation (EU) 2018/1139, the management system may be integrated with that required under the additional certificate(s) held.

ED Decision 2022/011/R

GENERAL

Safety management seeks to proactively identify hazards and to mitigate the related safety risks before they result in aviation accidents and incidents. Safety management enables an organisation to manage its activities in a more systematic and focused manner. When an organisation has a clear understanding of its role and contribution to aviation safety, it can prioritise safety risks and more effectively manage their resources and obtain optimal results.

The principles of the requirements in points 145.A.200, 145.A.202, 145.A.205 and the related AMC constitute the EU management system framework for aviation safety management. This framework addresses the core elements of the ICAO safety management system (SMS) framework defined in Appendix 2 to Annex 19, includes the elements of the compliance monitoring system, and promotes an integrated approach to the management of an organisation. It facilitates the introduction of the additional safety management components, building upon the existing management system, rather than adding them as a separate framework.

This approach is intended to encourage organisations to embed safety management and risk-based decision-making into all their activities, instead of superimposing another system onto their existing management system and governance structure. In addition, if the organisation holds multiple organisation certificates within the scope of Regulation (EU) 2018/1139, it may choose to implement a single management system to cover all of its activities. An integrated management system may not only be used to capture management system requirements resulting from Regulation (EU) 2018/1139, but also could cover other regulatory frameworks requiring compliance with Annex 19 or other business management systems such as security, occupational health and environmental management systems. Integration will remove any duplication and exploit synergies by managing safety risks across multiple activities. Organisations may determine the best means to structure their management systems to suit their business and organisational needs.

The core part of the management system framework (145.A.200) focuses on what is essential to manage safety, by mandating the organisation to:

(a)clearly define accountabilities and responsibilities;

(b)establish a safety policy and the related safety objectives;

(c)implement safety reporting procedures in line with just culture principles;

(d)ensure the identification of aviation safety hazards entailed by its activities, ensure their evaluation, and the management of the associated risks, including:

(1)taking actions to mitigate the risks;

(2) verifying the effectiveness of the actions taken to mitigate the risks;

(e)monitor compliance, while considering any additional requirements that are applicable to the organisation;

(f)keep their personnel trained, competent, and informed about significant safety issues; and

(g)document all the key management system processes.

Compared with the previous Part-145 quality system ‘framework’ (now covered by point (b) and (e)), the new elements that are introduced by the management system are, in particular, those addressed under points (c) and (d).

Points (a), (b) and (g) address component 1 ‘Safety policy and objectives’ of the ICAO SMS framework. Points (c) and (d)(1) address component 2 ‘Safety Risk Management’ of the ICAO SMS framework. Point (d)(2) addresses component 3 ‘Safety Assurance’ of the ICAO SMS framework. Finally, point (f) addresses component 4 ‘Safety Promotion’ of the ICAO SMS framework.

Point 145.A.200 introduces the following as key safety management processes; these are further specified in the related AMC and GM:

•Hazard identification;

•Safety risk management;

•Internal investigation;

•Safety performance monitoring and measurement;

•Management of change;

•Continuous improvement;

•Immediate safety action and coordination with the aircraft operator’s Emergency Response Plan (ERP).

It is important to recognise that safety management will be a continuous activity, as hazards, risks and the effectiveness of safety risk mitigations will change over time.

These key safety management processes are supported by a compliance monitoring function as an integral part of the management system. Most aviation safety regulations constitute generic safety risk controls established by the ‘regulator’. Therefore, ensuring effective compliance with the regulations during daily operations and independent monitoring of compliance are fundamental to any management system for safety. The compliance monitoring function may, in addition, support the follow-up of safety risk mitigation actions. Moreover, where non-compliances are identified through internal audits, the causes will be thoroughly assessed and analysed. Such an analysis in return supports the risk management process by providing insights into causal and contributing factors, including human factors, organisational factors and the environment in which the organisation operates. In this way, the outputs of compliance monitoring become some of the various inputs to the safety risk management functions. Conversely, the output of the safety risk management processes may be used to determine focus areas for compliance monitoring. In this way, internal audits will inform the organisation’s management of the level of compliance within the organisation, whether safety risk mitigation actions have been implemented, and where corrective or preventive action is required. The combination of safety risk management and compliance monitoring should lead to an enhanced understanding of the end-to-end process and the process interfaces, exposing opportunities for increased efficiencies, which are not limited to safety aspects.

As aviation is a complex system with many organisations and individuals interacting together, the primary focus of the key safety management processes is on the organisational processes and procedures, but it also relies on the humans in the system. The organisation and the way in which it operates can have a significant impact on human performance. Therefore, safety management necessarily addresses how humans can contribute both positively and negatively to an organisation’s safety outcomes, recognising that human behaviour is influenced by the organisational environment.

The effectiveness of safety management largely depends on the degree of commitment of the senior management to create a working environment that optimises human performance and encourages personnel to actively engage in and contribute to the organisation’s management processes. Similarly, a positive safety culture relies on a high degree of trust and respect between the personnel and the management, and it must therefore be created and supported at the senior management level. If the management does not treat individuals who identify hazards and report adverse events in a consistently fair and just way, those individuals are unlikely to be willing to communicate safety issues or to work with the management to effectively address the safety risks. As with trust, a positive safety culture takes time and effort to establish, and it can be easily lost.

It is further recognised that the introduction of processes for hazard identification and risk assessment, mitigation and verification of the effectiveness of such mitigation actions will create immediate and direct costs, while related benefits are sometimes intangible, and may take time to materialise. Over time, an effective management system will not only address the risks of major occurrences, but also identify and address production inefficiencies, improve communication, foster a better organisational culture, and lead to a more effective control of contractors and suppliers. In addition, through an improved relationship with the authority, an effective management system may result in a reduced oversight burden.

Thus, by viewing safety management and the related organisational policies and key processes as items that are implemented not only to prevent incidents and accidents, but also to meet the organisation’s strategic objectives, any investment in safety should be seen as an investment in productivity and organisational success.

ED Decision 2022/011/R

ORGANISATION AND ACCOUNTABILITIES

(a)The management system should encompass safety by including a safety manager and a safety review board in the organisational structure. The functions of the safety manager are those defined in AMC1 145.A.30(c);(ca).

(b)Safety review board

(1)The safety review board should be a high-level committee that considers matters of strategic safety in support of the accountable manager’s safety accountability.

(2)The board should be chaired by the accountable manager and composed of the person or group of persons nominated under points 145.A.30.

(3)The safety review board should monitor:

(i)the safety performance against the safety policy and objectives;

(ii)that any safety action is taken in a timely manner; and

(iii)the effectiveness of the organisation’s management system processes.

(4)The safety review board may also be tasked with:

(i) reviewing the results of compliance monitoring;

(ii)monitoring the implementation of related corrective and preventive actions.

(c)The safety review board should ensure that appropriate resources are allocated to achieve the established safety objectives.

(d)Notwithstanding point (a), where justified by the size of the organisation and the nature and complexity of its activities and subject to a risk assessment and agreement by the competent authority, the organisation may not need to establish a formal safety review board. In this case, the tasks normally allocated to the safety review board should be allocated to the safety manager.

ED Decision 2022/011/R

SAFETY ACTION GROUP

(a)Depending on the size of the organisation and the nature and complexity of its activities, a safety action group may be established as a standing group or as an ad hoc group to assist, or act on behalf of the safety manager or the safety review board.

(b)More than one safety action group may be established, depending on the scope of the task and the specific expertise required.

(c)The safety action group usually reports to, and takes strategic direction from, the safety review board, and may be composed of managers, supervisors and personnel from operational areas.

(d)The safety action group may be tasked or assist with:

(1)monitoring safety performance;

(2)defining actions to control risks to an acceptable level;

(3)assessing the impact of organisational changes on safety;

(4)ensuring that safety actions are implemented within the agreed timescales;

(5)reviewing the effectiveness of previous safety actions and safety promotion.

ED Decision 2022/011/R

MEANING OF THE TERMS ‘ACCOUNTABILITY’ AND ‘RESPONSIBILITY’

In the English language, the notion of accountability is different from the notion of responsibility. Whereas ‘accountability’ refers to an obligation which cannot be delegated, ‘responsibility’ refers to an obligation that can be delegated.

ED Decision 2022/011/R

SAFETY POLICY AND OBJECTIVES

(a)The safety policy should:

(1)reflect organisational commitments regarding safety, and its proactive and systematic management, including the promotion of a positive safety culture;

(2)include internal reporting principles, and encourage personnel to report maintenancerelated errors, incidents and hazards;

(3)recognise the need for all personnel to cooperate with the compliance monitoring and internal investigations referred to under point (c) of AMC1 145.A.200(a)(3);

(4)be endorsed by the accountable manager;

(5)be communicated, with visible endorsement, throughout the organisation; and

(6)be periodically reviewed to ensure it remains relevant and appropriate for the organisation.

(b)The safety policy should include a commitment to:

(1)comply with all the applicable legislation, to meet all the applicable requirements, and adopt practices to improve safety standards;

(2)provide the necessary resources for the implementation of the safety policy;

(3)apply human factors principles, including giving due consideration to the aspect of fatigue;

(4)enforce safety as a primary responsibility of all managers; and

(5)apply ‘just culture’ principles to internal safety reporting and the investigation of occurrences and, in particular, not to make available or use the information on occurrences:

(i) to attribute blame or liability to frontline personnel or other persons for actions, omissions or decisions taken by them that are commensurate with their experience and training; or

(ii) for any purpose other than maintaining or improving aviation safety.

(c)Senior management should continually promote the safety policy to all personnel, demonstrate its commitment to it, and provide necessary human and financial resources for its implementation.

(d)Taking due account of its safety policy, the organisation should define safety objectives. The safety objectives should:

(1) form the basis for safety performance monitoring and measurement;

(2) reflect the organisation’s commitment to maintain or continuously improve the overall effectiveness of the management system;

(3) be communicated throughout the organisation; and

(4) be periodically reviewed to ensure they remain relevant and appropriate for the organisation.

ED Decision 2022/011/R

SAFETY POLICY

(a)The safety policy is the means whereby the organisation states its intention to maintain and, where practicable, improve safety levels in all its activities and to minimise its contribution to the risk of an aircraft accident or serious incident as far as is reasonably practicable. It reflects the management’s commitment to safety, and should reflect the organisation’s philosophy of safety management, as well as being the foundation on which the organisation’s management system is built. It serves as a reminder of ‘how we do business here’. The creation of a positive safety culture begins with the issuance of a clear, unequivocal policy.

(b)The commitment to apply ‘just culture’ principles forms the basis for the organisation’s internal rules describing how ‘just culture’ principles are guaranteed and implemented.

(c) For organisations that have their principal place of business in a Member State, Regulation (EU) No 376/2014 defines the ‘just culture’ principles to be applied (refer in particular to Article 16(11) of that Regulation).

ED Decision 2023/013/R

SAFETY MANAGEMENT KEY PROCESSES

(a)Hazard identification processes

(1)A reporting scheme should be the formal means of collecting, recording, analysing, acting on, and generating feedback about hazards, events and the associated risks that may affect safety.

(2)The hazards identification should include in particular:

(i)hazards that may be linked to human factors issues that affect human performance; and

(ii)hazards that may stem from the organisational set-up or the existence of complex operational and maintenance arrangements (such as when multiple organisations are contracted, or when multiple levels of contracting/subcontracting are included).

(b)Risk management processes

(1)A formal safety risk management process should be developed and maintained that ensures reactive, proactive and predictive approach composed by:

(i) analysis (e.g. in terms of the probability and severity of the consequences of hazards and occurrences);

(ii) assessment (in terms of tolerability);

(iii) control (in terms of mitigation) of risks to an acceptable level.

Note: The severity of the consequence should be evaluated to the best knowledge and engineering judgement of the organisation, and this evaluation may require collecting information from the competent authority, incident/accident investigation reports, the design approval holder, the declarant of a declaration of design compliance, etc.

(2)The levels of management who have the authority to make decisions regarding the tolerability of safety risks, in accordance with (b)(1)(ii), should be specified.

(c)Internal investigation

(1)In line with its just culture policy, the organisation should define how to investigate incidents such as errors or near misses, in order to understand not only what happened, but also how it happened, to prevent or reduce the probability and/or consequence of future recurrences (refer to AMC1 145.A.202). This approach should avoid concentrating the analysis on who was (were) directly or indirectly concerned by the events.

(2)The scope of internal investigations should extend beyond the scope of the occurrences required to be reported to the competent authority in accordance with point 145.A.60, to include the reports referred to in 145.A.202(b).

(d)Safety performance monitoring and measurement

(1)Safety performance monitoring and measurement should be the processes by which the safety performance of the organisation is verified in comparison with the safety policy and the safety objectives.

(2)These processes may include, as appropriate to the size, nature and complexity of the organisation:

(i)safety reporting, which may also address the status of compliance with the applicable requirements;

(ii)safety reviews, including trend reviews, which would be conducted during the introduction of new products and their components, new equipment/technologies, the implementation of new or changed procedures, or in situations of organisational changes that may have an impact on safety;

(iii)safety audits that focus on the integrity of the organisation’s management system, and on periodically assessing the status of safety risk controls;

(iv)safety surveys, examining particular elements or procedures in a specific area, such as identified problem areas, or bottlenecks in daily maintenance activities, perceptions and opinions of maintenance management personnel, and areas of dissent or confusion; and

(v)other indicators relevant to safety performance, which may be generated by automated means.

(e)Management of change

Changes may introduce new hazards or threaten existing safety risk controls. The management of change should be a documented process established by the organisation to identify external and internal changes that may have an adverse effect on the safety of its maintenance activities. It should make use of the organisation’s existing hazard identification, risk assessment and mitigation processes.

(f)Continuous improvement

The organisation should continuously seek to improve its safety performance and the effectiveness of its management system. Continuous improvement may be achieved through:

(1)audits carried out by external organisations;

(2)assessments, including assessments of the effectiveness of the safety culture and management system, in particular to assess the effectiveness of the safety risk management processes;

(3)staff surveys, including cultural surveys, that can provide useful feedback on how engaged personnel are with the management system;

(4)monitoring the recurrence of incidents and occurrences;

(5)evaluation of safety performance indicators and reviews of all the available safety performance information; and

(6)the identification of lessons learned.

(g)Immediate safety action and coordination with the operator’s Emergency Response Plan (ERP)

(1) Procedures should be implemented that enable the organisation to act promptly when it identifies safety concerns with the potential to have an immediate effect on flight safety, including clear instructions on who to contact at the owner/operator/CAMO, and how to contact them, including outside of normal business hours. These provisions are without prejudice to the occurrence reporting required by point 145.A.60.

(2) If applicable, procedures should be implemented to enable the organisation to react promptly if the ERP is triggered by the operator and it requires the support of the Part145 organisation.

ED Decision 2022/011/R

SAFETY RISK MANAGEMENT — INTERFACES BETWEEN ORGANISATIONS

(a)Safety risk management processes should specifically address the planned implementation of, or participation of the organisation in, complex operational and maintenance arrangements (such as when multiple organisations are contracted, or when multiple levels of contracting/subcontracting are included).

(b)Hazard identification and risk assessment start with the identification of all the parties involved in the arrangement, including independent experts and non-approved organisations. This identification process extends to cover the overall control structure, and assesses in particular the following elements across all subcontract levels and all parties within such arrangements:

(1)coordination and interfaces between the different parties;

(2)applicable procedures;

(3)communication between all the parties involved, including reporting and feedback channels;

(4)task allocation, responsibilities and authorities; and

(5)the qualifications and competency of key personnel with reference to point 145.A.30.

(c)Safety risk management should focus on ensuring the following aspects:

(1)clear assignment of accountability and allocation of responsibilities;

(2)that only one party is responsible for a specific aspect of the arrangement, with no overlapping or conflicting responsibilities, in order to eliminate coordination errors;

(3)the existence of clear reporting lines, both for occurrence reporting and progress reporting;

(4)the possibility for staff to directly notify the organisation of any hazard that suggests an obviously unacceptable safety risk as a result of the potential consequences of this hazard.

(d)The safety risk management processes should ensure that there is regular communication between all the parties involved to discuss work progress, risk mitigation actions, and changes to the arrangements, as well as any other significant issues.

ED Decision 2022/011/R

MANAGEMENT OF CHANGE

(a)Unless they are properly managed, changes in organisational structure, facilities, the scope of work, personnel, documentation, policies and procedures, etc. can result in the inadvertent introduction of new hazards, and expose the organisation to new or increased risks. Effective organisations seek to improve their processes, with conscious recognition that changes can expose the organisation to potentially latent hazards and risks if they are not properly and effectively managed.

(b)Regardless of the magnitude of a change, large or small, its safety implications should always be proactively considered. This is primarily the responsibility of the team that proposes and/or implements the change. However, a change can only be successfully implemented if all the personnel affected by the change are engaged, are involved and participate in the process. The magnitude of a change, its safety criticality, and its potential impact on human performance should be assessed in any change management process.

(c)The process for the management of change typically provides principles and a structured framework for managing all aspects of the change. Disciplined application of the management of change can maximise the effectiveness of the change, engage the staff, and minimise the risks that are inherent in a change.

(d)The introduction of a change is the trigger for the organisation to perform their hazard identification and risk management processes.

Some examples of change include, but are not limited to:

(1)changes to the organisational structure;

(2)the inclusion of a new aircraft type in the terms of approval;

(3)the addition of aircraft of the same or a similar type;

(4)significant changes in personnel (affecting key personnel and/or large numbers of personnel, high turnover);

(5)new or amended regulations;

(6)changes to the security arrangements;

(7)changes in the economic situation of an organisation (e.g. commercial or financial pressure);

(8)new schedule(s), location(s), equipment, and/or operational procedures; and

(9)the addition of new subcontractors.

(e)A change may have the potential to introduce new, or to exacerbate pre-existing, human factors issues. For example, changes in computer systems, equipment, technology, personnel changes, including changes in management personnel, procedures, work organisation, or work processes are likely to affect performance.

(f)The purpose of integrating human factors (HF) into the management of change is to minimise potential risks by specifically considering the impact of the change on the people within a system.

(g)Special consideration, including any HF issues, should be given to the ‘transition period’. In addition, the activities utilised to manage these issues should be integrated into the change management plan.

(h)Effective management of change should be supported by the following:

(1)implementation of a process for formal hazard identification/risk assessment for major operational changes, major organisational changes, changes in key personnel, and changes that may affect the way maintenance is carried out;

(2)identification of changes that are likely to occur in business which would have a noticeable impact on:

(i)resources — material and human;

(ii)management direction — policies, processes, procedures, training; and

(iii)management control;

(3)safety cases/risk assessments that are focused on aviation safety;

(4)the involvement of key stakeholders in the change management process, as appropriate.

(i)During the management of change process, previous risk assessments and existing hazards are reviewed for possible effect.

ED Decision 2022/011/R

COMMUNICATION ON SAFETY

(a)The organisation should establish communication regarding safety matters that:

(1)ensures that all personnel are aware of the safety management activities, as appropriate for their safety responsibilities;

(2)conveys safety-critical information, especially related to assessed risks and analysed hazards;

(3)explains why particular actions are taken; and

(4)explains why safety procedures are introduced or changed.

(b)Regular meetings with personnel, at which information, actions, and procedures are discussed, may be used to communicate safety matters.

ED Decision 2022/011/R

SAFETY PROMOTION

(a)Safety training, combined with safety communication and information sharing, forms part of safety promotion.

(b)Safety promotion activities should support:

(1) the organisation’s policies, encouraging a positive safety culture, creating an environment that is favourable to the achievement of the organisation’s safety objectives;

(2) organisational learning; and

(3) the implementation of an effective safety reporting scheme and the development of a just culture.

(c)Depending on the particular safety issue, safety promotion may also constitute or complement risk mitigation actions.

(d)Qualifications and training aspects are further specified in the AMC and the GM to point 145.A.30.

ED Decision 2022/011/R

MANAGEMENT SYSTEM DOCUMENTATION

(a)The organisation may document its safety policy, safety objectives and all its key management system processes in a separate manual (e.g. a Safety Management Manual or Management System Manual), or in its MOE (see AMC1 145.A.70(a), Part 3 ‘Management system procedures’). Organisations that hold multiple organisation certificates within the scope of Regulation (EU) 2018/1139 may prefer to use a separate manual in order to avoid duplication. That manual or the MOE, depending on the case, should be the key instrument for communicating the approach to the management system for the whole of the organisation.

(b)The organisation may also choose to document some of the information that is required to be documented in separate documents (e.g. policy documents, procedures). In that case, it should ensure that the manual or the MOE contains adequate references to any document that is kept separately. Any such documents are to be considered to be integral parts of the organisation’s management system documentation.

ED Decision 2022/011/R

COMPLIANCE MONITORING — GENERAL

(a)The primary objectives of compliance monitoring are to provide an independent monitoring function on how the organisation ensures compliance with the applicable requirements, policies and procedures, and to request action where non-compliances are identified.

(b)The independence of the compliance monitoring should be established by always ensuring that audits and inspections are carried out by personnel who are not responsible for the functions, procedures or products that are audited or inspected.

ED Decision 2022/011/R

COMPLIANCE MONITORING — INDEPENDENT AUDIT

(a)An essential element of the compliance monitoring function is the independent audit.

(b)The independent audit should be an objective process of routine sample checks of all aspects of the organisation’s ability to carry out all maintenance to the standards required by this Regulation. It should include checking compliance of the organisation procedures with the Regulation, adherence of the organisation to these procedures, and product or maintenance sampling (i.e. product audit), as this is the end result of the maintenance process.

(c)The independent audit should provide an objective overview of the complete set of maintenance-related activities. It should include a percentage of unannounced audits carried out on a sample basis while maintenance is being carried out. This means that some audits should be carried out during the night for those organisations that work at night.

(d)The organisation should establish an audit plan to show when and how often the activities as required by this Regulation will be audited.

(e)Except as specified in points (h) and (j), the audit plan should ensure that all aspects of Part-145 compliance are verified every year, including all the subcontracted activities. The auditing may be carried out as a complete single exercise or subdivided over the annual period. The independent audit should not require each procedure to be verified against each product line when it can be shown that the particular procedure is common to more than one product line and the procedure has been verified every year without resultant findings. Where findings have been identified, compliance with the particular procedure should be verified against other product lines until the findings have been closed, after which the independent audit procedure may revert back to a yearly interval for the particular procedure.

(f)Except as specified otherwise in point (h), the independent audit should sample check one product (such as one aircraft or engine or component) while undergoing maintenance on each product line every year as a demonstration of compliance with the maintenance procedures and requirements associated with that specific product. This should include in particular the verification of:

the maintenance data and compliance with the organisation procedures, including consideration of human factors issues;

the facility and maintenance environment;

the standard of inspection and precautions;

the completion of work cards/worksheet;

the tools and material;

the authorisation of the person carrying out maintenance.

For the purpose of this AMC, a product line includes any product under an Appendix II approval class rating as specified in the terms of approval issued to the particular organisation.

It therefore follows, for example, that a Part-145 maintenance organisation approved to maintain aircraft, engines, brakes and autopilots would need to carry out at least four complete product audits each year, except as specified otherwise in points (f), (h) or (j).

(g)The product audit includes witnessing any relevant testing and visually inspecting the product and the associated documentation. The product audit should not involve repeated disassembly or testing unless the product audit identifies findings that require such an action.

(h)Except as specified otherwise in point (j), where the organisation contracts the independent audit element of the compliance monitoring function in accordance with point (l), the audit should be carried out twice every year.

(i)Except as specified otherwise in point (j), where the organisation has line stations listed as per point 145.A.75(d), the compliance monitoring documentation should include a description of how these line stations are integrated into the monitoring and include a plan to audit each listed line station at a frequency consistent with the extent of flight activity at the particular line station and the related safety hazards identified. Except as specified otherwise in point (j), the maximum period between audits of a particular line station should not exceed 2 years.

(j)Except as specified otherwise in point (f), provided that there are no safety-related findings, the audit planning cycle specified in this AMC may be increased by up to 100 %, subject to a risk assessment and/or mitigation actions, and agreement by the competent authority.

(k)A report should be issued each time an audit is carried out describing what was checked and the resulting non-compliance findings against applicable requirement and procedures.

(l)Organisations with a maximum of 10 maintenance staff actively engaged in carrying out maintenance may subcontract the whole independent audit element of the compliance monitoring function to another organisation or contract a qualified and competent person to become responsible for this element, with the agreement of the competent authority.

This does not prevent a larger organisation from occasionally using external support for conducting particular audits.

ED Decision 2022/011/R

COMPLIANCE MONITORING — CONTRACTING OF THE INDEPENDENT AUDIT

(a)If external personnel are used to perform independent audits:

(1)any such audits should be performed under the responsibility of the compliance monitoring manager; and

(2)the organisation remains responsible for ensuring that the external personnel have the relevant knowledge, background, and experience that are appropriate to the activities being audited, including knowledge and experience in compliance monitoring.

(b)The organisation retains the ultimate responsibility for the effectiveness of the compliance monitoring function, in particular for the effective implementation and follow-up of all corrective actions.

ED Decision 2022/011/R

COMPLIANCE MONITORING — FEEDBACK SYSTEM

(a)Another essential element of the compliance monitoring function is the feedback system.

(b)The feedback system should not be contracted to external persons or organisations.

(c)When a non-compliance is found, the compliance monitoring function should ensure that the root cause(s) and contributing factor(s) are identified (see GM1 145.A.95), and that corrective actions are defined. The feedback part of the compliance monitoring function should define who is required to address any non-compliance in each particular case, and the procedure to be followed if the corrective action is not completed within the defined time frame. The principal functions of the feedback system are to ensure that all findings resulting from the independent audits of the organisation are properly investigated and corrected in a timely manner, and to enable the accountable manager to be kept informed of safety issues and the extent of compliance with Part-145.

(d)The independent audit reports referred to in AMC2 145.A.200(a)(6) should be sent to the relevant department(s) for corrective action, giving target closure dates. These target dates should be discussed with the relevant department(s) before the compliance monitoring function confirms the dates in the report. The relevant department(s) is (are) required to implement the corrective action and inform the compliance monitoring function of the status of the implementation of the action.

(e)Unless the review of the results from compliance monitoring is given to the safety review board (ref. AMC1 145.A.200(a)(1) point (b)(4)), the accountable manager should hold regular meetings with staff to check the progress of corrective actions. These meetings may be delegated to the compliance monitoring manager on a day-to-day basis, provided that the accountable manager:

(1)meets the senior staff involved at least twice per year to review the overall performance of the compliance monitoring function; and

(2)receives at least a half-yearly summary report on non-compliance findings.

(f)All records pertaining to the independent audit and the feedback system should be retained for the period specified in point 145.A.55(c) or for such periods as to support changes to the audit planning cycle in accordance with AMC2 145.A.200(a)(6), whichever is the longer.

ED Decision 2022/011/R

COMPLIANCE MONITORING FUNCTION

The compliance monitoring function is one of the elements that is required to be in compliance with the applicable requirements. This means that the compliance monitoring function itself should be subject to independent monitoring of compliance in accordance with 145.A.200(a)(6).

ED Decision 2022/011/R

COMPLIANCE MONITORING — AUDIT PLAN

(a)The purpose of this GM is to provide guidance on one acceptable working audit plan to meet part of the needs of point 145.A.200(a)(6). There is any number of other acceptable working audit plans.

(b)The audits described in the audit plan are intended to monitor compliance with the applicable requirements, and at the same time to review all areas of the organisation to which those requirements are applicable.

(c)In order to achieve this objective, as a first element, the organisation needs to identify all the regulatory requirements that are applicable to the activity and the scope of work under consideration, to allow the audit plan to focus on the relevant topics. Each topic (e.g. facilities, personnel, etc.) should be cross-referred with the relevant requirement and the related procedure of the organisation in the exposition that describes the particular topic. If the organisation follows a specific means of compliance to demonstrate compliance with the rule, that information may also be stated.

(d)As a second element, all the functional areas of the organisation in which Part-145 functions are intended to be carried out (i.e. the types of maintenance-related activities), including subcontracting, need to be listed in order to identify the applicability of any topic to each functional area.

(e)A matrix can be used, as shown in the example below, to capture the two elements mentioned above. This matrix is intended to be a living document to be customised by each particular organisation depending on its scope of work and its structure. This matrix should represent the overall compliance of the audit system, and needs to be amended, as necessary, based upon any change to the applicable regulations, the procedures of the organisation or the functional areas of the organisation (e.g. a change in the scope of work to include line maintenance, etc.)

Example (to be further completed) of an audit matrix for an organisation involved in aircraft base maintenance that does not hold airworthiness review privilege:

(f)The audit plan can be presented as a simplified schedule (see below), showing the operational areas of the organisation (i.e. where the maintenance-related activities are effectively carried out) against a timetable to indicate when each particular area was scheduled for audit and when the audit was completed. The audit plan should include a number of product audits (depending on the number of product lines), some of which should be unannounced (see AMC2 145.A.200(a)(6)).

Example (to be further completed) of an audit plan for an organisation, mentioned in point (e), that has two base maintenance hangars, and hydraulic and electrical workshops:

(g)The audit of each operational area will review all the topics that are applicable to the relevant functional area. For each topic, the audit should check that the particular Part-145 requirement is documented in the corresponding procedure in the exposition, and that the procedure is effectively implemented in the operational area that is being audited. In addition, the audit should also identify any practice/process implemented in the operational area which has not been documented in any procedure in the exposition.

ED Decision 2022/011/R

THE USE OF INFORMATION AND COMMUNICATION TECHNOLOGIES (ICT) FOR PERFORMING REMOTE AUDITS

This GM provides technical guidance on the use of remote information and communication technologies (ICT) to support:

•competent authorities when overseeing regulated organisations;

•regulated organisations when conducting internal audits/monitoring compliance of their organisation with the relevant requirements, and when evaluating vendors, suppliers and subcontractors.

In the context of this GM:

•‘remote audit’ means an audit that is performed with the use of any real-time video and audio communication tools instead of the physical presence of the auditor on-site; the specificities of each type of approval need to be considered in addition to the general overview (described below) when applying the ‘remote audit’ concept;

•‘auditing entity’ means the competent authority or organisation that performs the remote audit;

•‘auditee’ means the entity being audited/inspected (or the entity audited/inspected by the auditing entity via a remote audit);

It is the responsibility of the auditing entity to assess whether the use of remote ICT constitutes a suitable alternative to the physical presence of an auditor on-site in accordance with the applicable requirements. 

THE CONDUCT OF A REMOTE AUDIT

The auditing entity that decides to conduct a remote audit should describe the remote audit process in its documented procedures and should consider at least the following elements:

•The methodology for the use of remote ICT is sufficiently flexible and non-prescriptive in nature to optimise the conventional audit process. 

•Adequate controls are defined and are in place to avoid abuses that could compromise the integrity of the audit process.

•Measures to ensure that the security and confidentiality are maintained throughout the audit activities (data protection and intellectual property of the organisation also need to be safeguarded).

Examples of the use of remote ICT during audits may include but are not limited to:

•meetings by means of teleconference facilities, including audio, video and data sharing;

•assessment of documents and records by means of remote access, in real time;

•recording, in real time during the process, of evidence to document the results of the audit, including non-conformities, by means of exchange of emails or documents, instant pictures, video or/and audio recordings;

•visual (livestream video) and audio access to facilities, stores, equipment, tools, processes, operations, etc.

An agreement between the auditing entity and the auditee should be established when planning a remote audit, which should include the following: 

•determining the platform for hosting the audit;

•granting security and/or profile access to the auditor(s);

•testing platform compatibility between the auditing entity and the auditee prior to the audit;

•considering the use of webcams, cameras, drones, etc. when the physical evaluation of an event (product, part, process, etc.) is desired or is necessary;

•establishing an audit plan which will identify how remote ICT will be used and the extent of their use for the audit purposes to optimise their effectiveness and efficiency while maintaining the integrity of the audit process;

•if necessary, time zone acknowledgement and management to coordinate reasonable and mutually agreeable convening times;

•a documented statement of the auditee that they shall ensure full cooperation and provision of the actual and valid data as requested, including ensuring any supplier or subcontractor cooperation, if needed; and

•data protection aspects.

The following equipment and set-up elements should be considered:

•the suitability of video resolution, fidelity, and field of view for the verification being conducted;

•the need for multiple cameras, imaging systems, or microphones, and whether the person that performs the verification can switch between them, or direct them to be switched and has the possibility to stop the process, ask a question, move the equipment, etc.;

•the controllability of viewing direction, zoom, and lighting;

•the appropriateness of audio fidelity for the evaluation being conducted; and

•real-time and uninterrupted communication between the person(s) participating to the remote audit from both locations (on-site and remotely).

When using remote ICT, the auditing entity and the other persons involved (e.g. drone pilots, technical experts) should have the competence and ability to understand and utilise the remote ICT tools employed to achieve the desired results of the audit(s)/assessment(s). The auditing entity should also be aware of the risks and opportunities of the remote ICT used and the impacts they may have on the validity and objectivity of the information gathered. 

Audit reports and related records should indicate the extent to which remote ICT have been used in conducting remote audits and the effectiveness of remote ICT in achieving the audit objectives, including any item that has not been able to be completely reviewed.

Regulation (EU) 2023/203

In addition to the management system referred to in point 145.A.200, the maintenance organisation shall establish, implement and maintain an information security management system in accordance with Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

[Applicable from 22 February 2026 – Regulation (EU) 2023/203]

Regulation (EU) 2021/1963

(a)As part of its management system, the organisation shall establish an internal safety reporting scheme to enable the collection and evaluation of such occurrences that are to be reported under point 145.A.60.

(b)The scheme shall also enable the collection and evaluation of those errors, near misses and hazards reported internally that do not fall under point (a).

(c)Through that scheme, the organisation shall:

(1)identify the causes of, and contributing factors to, the errors, near misses and hazards reported, and address them as part of its safety risk management process in accordance with point 145.A.200(a)(3);

(2)ensure an evaluation of all known, relevant information relating to errors, near misses, hazards and the inability to follow procedures, and a method to circulate the information as necessary.

(d)The organisation shall make arrangements to ensure the collection of safety issues related to subcontracted activities.

ED Decision 2022/011/R

(a)Each internal safety reporting scheme should ensure confidentiality and enable and encourage free and frank reporting of any potentially safety-related occurrence, including incidents such as errors or near misses, safety issues and identified hazards. This will be facilitated by the establishment of a just culture.

(b)The internal safety reporting scheme should contain the following elements:

(1)clearly identified aims and objectives with demonstrable corporate commitment;

(2)a just culture policy as part of the safety policy, and related just culture implementation procedures;

(3)a process to:

(i)identify those reports which require investigation; and

(ii)when so identified, investigate all the causal and contributing factors, including technical, organisational, managerial, or human factors issues, and any other contributing factors related to the occurrence, incident, error or near miss that was identified;

(iii)if adapted to the size and complexity of the organisation, analyse the collective data showing the trends and frequencies of the contributing factors;

(4)appropriate corrective actions based on the findings of investigations;

(5)initial and recurrent training for staff involved in internal investigations;

(6)where relevant, the organisation should cooperate with the owner, operator or CAMO on occurrence investigations by exchanging relevant information to improve aviation safety.

(c)The internal safety reporting scheme should:

(1)ensure the confidentiality of the reporter;

(2)be closed loop, to ensure that actions are taken internally to address safety issues and hazards; and

(3)feed into the recurrent training as defined in AMC3 145.A.30(e) whilst maintaining the appropriate confidentiality.

(d)Feedback should be given to staff both on an individual and a more general basis to ensure their continued support of the safety reporting scheme.

ED Decision 2022/011/R

GENERAL

(a)The overall purpose of the internal safety reporting scheme is to collect information reported by the organisation personnel and use this reported information to improve the level of compliance and safety performance of the organisation. The purpose is not to attribute blame.

(b)The objectives of the scheme are to:

(1)enable an assessment to be made of the safety implications of each relevant incident (errors, near miss), safety issue and hazard reported, including previous similar issues, so that any necessary action can be initiated; and

(2)ensure that knowledge of relevant incidents, safety issues and hazards is shared so that other persons and organisations may learn from them.

(c)The scheme is an essential part of the overall monitoring function and should be complementary to the normal day-to-day procedures and ‘control’ systems; it is not intended to duplicate or supersede any of them. The scheme is a tool to identify those instances in which routine procedures have failed or may fail.

(d)All reports should be retained, as the significance of such reports may only become obvious at a later date.

(e)The collection and analysis of timely, appropriate and accurate data will allow the organisation to react to the information that it receives, and to take the necessary action.

Regulation (EU) 2021/1963

(a)The organisation shall ensure that when contracting or subcontracting any part of its maintenance activities:

(1)the maintenance conforms to the applicable requirements;

(2)any aviation safety hazard associated with such contracting or subcontracting is considered as part of the organisation’s management system.

(b)If the organisation subcontracts any part of its maintenance activities to another organisation, the subcontracted organisation shall work under the scope of approval of the subcontracting organisation.

ED Decision 2022/011/R

RESPONSIBILITY WHEN CONTRACTING OR SUBCONTRACTING MAINTENANCE

(a)Regardless of the approval status of the subcontracted organisations, a Part-145 organisation is responsible for ensuring that all subcontracted activities are subject to hazard identification and risk management, as required by point 145.A.200(a)(3), and to compliance monitoring, as required by point 145.A.200(a)(6).

(b)A Part-145 organisation is responsible for identifying hazards that may stem from the existence of complex maintenance arrangements (such as when multiple organisations are contracted, or when multiple levels of contracting/subcontracting are included) with due regard to the organisations’ interfaces (see GM1 145.A.200(a)(3)). In addition, the compliance monitoring function should at least check that the approval of the contracted maintenance organisation(s) effectively covers the contracted activities, and that it is still valid.

(c)A Part-145 organisation is responsible for ensuring that interfaces and communication channels are established with the contracted maintenance organisation(s) for occurrence reporting. This does not replace the obligation of the contracted organisation(s) to report to the competent authority in accordance with Regulation (EU) No 1321/2014.

For subcontracted activities, interfaces and communication channels are also needed for the purpose of the internal safety reporting scheme (145.A.202).

ED Decision 2022/011/R

DIFFERENCE BETWEEN ‘CONTRACTING MAINTENANCE’ AND ‘SUBCONTRACTING MAINTENANCE’

(a)‘Subcontracting maintenance’ means subcontracting to a third party under the maintenance organisation management system.

This is the case when a third party carries out certain maintenance tasks on behalf of the Part145 organisation, and the responsibility remains with the Part-145 organisation (this Part-145 organisation must have the tasks within its scope of approval). Whether the third party is approved or not is not relevant for the designation of subcontracting, since the third party will be working under the management system of the Part-145 organisation, and the maintenance will be released under the approval of this organisation.

(b)‘Contracting maintenance’ means contracting to another maintenance organisation which will release the maintenance under its own approval.

This is the case when a Part-145 organisation, contracted to carry out maintenance by an owner/operator/CAMO, further contracts certain maintenance tasks to another approved Part145 organisation, and transfers the responsibility for the release of such tasks to the second Part-145 organisation.

Contracting should only be envisaged when it is allowed by the person or organisation that requests the maintenance.

(c)In case (a), the subcontracted organisation works under the approval of the contracting organisation, whereas in case (b), the contracted organisation works under its own approval.

SECTION B — AUTHORITY REQUIREMENTS

Regulation (EU) 2021/1963

This section establishes the conditions for conducting the certification, oversight and enforcement tasks as well as the administrative and management system requirements to be followed by the competent authority that is responsible for the implementation and enforcement of Section A.

Regulation (EU) 2021/1963

The competent authority shall provide all the legislative acts, standards, rules, technical publications, and related documents to the relevant personnel in order to allow them to perform their tasks and to discharge their responsibilities.

Regulation (EU) 2021/1963

(a)The Agency shall develop acceptable means of compliance (“AMC”) that may be used to establish compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts.

(b)Alternative means of compliance may be used to establish compliance with this Regulation.

(c)Competent authorities shall inform the Agency of any alternative means of compliance used by organisations under their oversight or by themselves for establishing compliance with this Regulation.

ED Decision 2022/011/R

ALTERNATIVE MEANS OF COMPLIANCE — GENERAL

(a) A competent authority may establish means to comply with the Regulation different from the AMC established by EASA.

In that case, the competent authority is responsible for demonstrating how these alternative means of compliance (AltMoC) establish compliance with the Regulation.

(b)AltMoC used by a competent authority, or by an organisation under its oversight, may be used by other competent authorities, or another organisation, only if processed again in accordance with respectively point 145.B.120 and point 145.A.120.

(c) AltMoC issued by the competent authority may cover the following cases:

AltMoC to be used by organisations under the oversight of the competent authority and made available to these organisations;

AltMoC to be used by the authority itself to discharge its responsibilities.

ED Decision 2022/011/R

PROCESSING THE ALTERNATIVE MEANS OF COMPLIANCE

To meet the objective of points (b) and (c) of point 145.B.120:

(a) the competent authority should establish the means to consistently evaluate over time that all the AltMoC used by itself or by organisations under its oversight allow for the establishment of compliance with the Regulation.

(b) If the competent authority issues AltMoC for itself or for the organisations under its oversight, it should:

make them available to all relevant organisations;

notify the Agency as soon as the AltMoC is issued, including the information described in point (d) below.

(c) The competent authority should evaluate the AltMoC proposed by an organisation by analysing the documentation provided and, if considered necessary, inspecting the organisation.

When the competent authority finds that the AltMoC is in accordance with the Regulation, it should:

notify the applicant that the AltMoC is approved;

indicate that this AltMoC may be implemented, and agree when the MOE is to be amended; and

notify the Agency as soon as the AltMoC is approved, including the information described in point (d) below.

(d)The competent authority should provide the Agency with the following information:

a summary of the AltMoC;

the content of the AltMoC;

a statement that compliance with the Regulation is achieved; and

in support of that statement, an assessment demonstrating that the AltMoC reaches an acceptable level of safety, taking into account the level of safety provided by the corresponding EASA AMC.

All these elements describing the AltMoC form an integral part of the records to be kept in accordance with 145.B.220.

ED Decision 2022/011/R

CASE WHERE THE REGULATION HAS NO CORRESPONDING EASA AMC

When there is no EASA AMC for a certain requirement in the Regulation, the competent authority may choose to develop national guides or other types of documents to help the organisations under its oversight in compliance demonstration. The competent authority may inform the Agency, so that such guides or other documents may later be considered for transposition into an AMC published by the Agency through the Agency rulemaking process.

Regulation (EU) 2023/203

(a)The competent authority of the Member State shall notify the Agency in case of any significant problems with the implementation of Regulation (EU) 2018/1139 and its delegated and implementing acts within 30 days from the time the authority became aware of the problems.

(b)Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall provide the Agency as soon as possible with any safety-significant information stemming from the occurrence reports stored in the national database pursuant to Article 6(6) of Regulation (EU) No 376/2014.

(c)The competent authority of the Member State shall provide the Agency as soon as possible with safety-significant information stemming from the information security reports it has received pursuant to point IS.I.OR.230 of Annex II (Part-IS.I.OR) to Implementing Regulation (EU) 2023/203

[Applicable from 22 February 2026 – Regulation (EU) 2023/203]

ED Decision 2022/011/R

EXCHANGE OF SAFETY-SIGNIFICANT INFORMATION WITH THE AGENCY

Each competent authority should appoint a coordinator to act as the contact point for the exchange of safety-significant information between the competent authority and the Agency.

ED Decision 2022/011/R

MEANING OF SAFETY-SIGNIFICANT INFORMATION STEMMING FROM THE OCCURRENCE REPORTS

‘Safety-significant information stemming from the occurrence reports’ means:

(a)a conclusive safety analysis which summarises individual occurrence data and provides an in-depth analysis of a safety issue, and which may be relevant for the Agency’s safety action planning; and

(b)individual occurrence data for the cases where the Agency is the competent authority, and which fulfils the reporting criteria of GM3 145.B.125(b).

ED Decision 2022/011/R

RECOMMENDED CONTENT FOR CONCLUSIVE SAFETY ANALYSES

A conclusive safety analysis should contain the following:

(a)a detailed description of the safety issue, including the scenario in which the safety issue takes place; and

(b)an indication of the stakeholders affected by the safety issue, including types of operations and organisations;

and, as appropriate:

(c)a risk assessment establishing the severity and probability of all the possible consequences of the safety issue;

(d)information about the existing safety barriers that the aviation system has in place to prevent the likely safety issue consequences from occurring;

(e)any mitigating actions already in place or developed to deal with the safety issue;

(f)recommendations for future actions to control the risk; and

(g)any other element the competent authority considers essential for the Agency to properly assess the safety issue.

ED Decision 2023/013/R

OCCURRENCES WHERE THE AGENCY IS THE COMPETENT AUTHORITY

Occurrences related to organisations or products, certified by the Agency or subject to a declaration of design compliance (in accordance with Part 21 Light Subpart C), should be notified to the Agency if:

(a)the occurrence is defined as a reportable occurrence in accordance with the applicable regulation;

(b)the organisation responsible for addressing the occurrence is either certified or subject to oversight by the Agency; and

(c)the Member State competent authority has come to the conclusion that:

(1)the organisation certified or subject to oversight by the Agency to which the occurrence relates has not been informed of the occurrence; or

(2)the occurrence has not been properly addressed or has been left unattended by the organisation certified or subject to oversight by the Agency.

Such occurrence data should be reported in a format compatible with the European Coordination Centre for Accident and Incident Reporting Systems (ECCAIRS) and should provide all relevant information for its assessment and analysis, including necessary additional files in the form of attachments.

Regulation (EU) 2021/1963

(a)Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, the competent authority shall implement a system to appropriately collect, analyse and disseminate safety information.

(b)The Agency shall implement a system to appropriately analyse any relevant safety information received and, without undue delay, provide the relevant authority of the Member States and the Commission with any information, including recommendations or corrective actions to be taken, that is necessary for them to react in a timely manner to a safety problem involving products, parts, appliances, persons or organisations that are subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.

(c)Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the safety problem.

(d)The competent authority shall immediately notify measures taken under point (c) to all persons or organisations which need to comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority shall also notify those measures to the Agency and, when combined action is required, to the other Member States concerned.

Regulation (EU) 2023/203

(a)The competent authority shall implement a system to appropriately collect, analyse, and disseminate information related to information security incidents and vulnerabilities with a potential impact on aviation safety that are reported by organisations. This shall be done in coordination with any other relevant authorities responsible for information security or cybersecurity within the Member State to increase the coordination and compatibility of reporting schemes.

(b)The Agency shall implement a system to appropriately analyse any relevant safety-significant information received in accordance with point 145.B.125(c), and without undue delay provide the Member States and the Commission with any information, including recommendations or corrective actions to be taken, necessary for them to react in a timely manner to an information security incident or vulnerability with a potential impact on aviation safety involving products, parts, non-installed equipment, persons or organisations subject to Regulation (EU) 2018/1139 and its delegated and implementing acts.

(c)Upon receiving the information referred to in points (a) and (b), the competent authority shall take adequate measures to address the potential impact on aviation safety of the information security incident or vulnerability.

(d)Measures taken in accordance with point (c) shall immediately be notified to all persons or organisations that shall comply with them under Regulation (EU) 2018/1139 and its delegated and implementing acts. The competent authority of the Member State shall also notify those measures to the Agency and, when combined action is required, the competent authorities of the other Member States concerned.

[Applicable from 22 February 2026 – Regulation (EU) 2023/203]

ED Decision 2023/010/R

(a)To appropriately collect and analyse information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should implement means that ensure the necessary confidentiality.

(b)When disseminating information related to information security incidents and vulnerabilities with a potential impact on aviation safety, the competent authority should properly select the appropriate recipient(s) to prevent the content of a report from being exploited to the detriment of aviation safety, by revealing, for instance, uncorrected vulnerabilities.

[Applicable from 22 February 2026 – Regulation (EU) 2023/203]

ED Decision 2023/010/R

When deemed necessary, a two-step mechanism could be used: a report alerting about the information security event or incident and the availability of additional data that would require controlled and confidential distribution. This report should only alert recipients of the urgency and the necessity for organisations and competent authorities to establish further communication through secure means.

Therefore, the report should consist of two parts: one limited to mostly public information and one containing the sensitive data that should be restricted to the recipients who need to know. Wherever possible, reports should be based on an agreed taxonomy.

[Applicable from 22 February 2026 – Regulation (EU) 2023/203]

Regulation (EU) 2023/203

(a)The competent authority shall establish and maintain a management system, including as a minimum:

(1)documented policies and procedures to describe its organisation, the means and methods for establishing compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts. The procedures shall be kept up to date, and serve as the basic working documents within that competent authority for all its related tasks;

(2)a sufficient number of personnel to perform its tasks and discharge its responsibilities. A system shall be in place to plan the availability of personnel in order to ensure the proper completion of all tasks;

(3)personnel that are qualified to perform their allocated tasks and that have the necessary knowledge and experience and receive initial and recurrent training to ensure continuing competency;

(4)adequate facilities and office accommodation for personnel to perform their allocated tasks;

(5)a function to monitor the compliance of the management system with the relevant requirements, and the adequacy of the procedures, including the establishment of an internal audit process and a safety risk management process. Compliance monitoring shall include a feedback system of audit findings to the senior management of the competent authority to ensure the implementation of corrective actions as necessary;

(6)a person or group of persons having a responsibility to the senior management of the competent authority for the compliance monitoring function.

(b)The competent authority shall, for each field of activity, including the management system, appoint one or more persons with the overall responsibility for the management of the relevant task(s).

(c)The competent authority shall establish procedures for the participation in a mutual exchange of all necessary information and assistance with any other competent authorities concerned, whether from the same Member State or from other Member States, including on:

(1)all findings raised and any follow-up actions taken as a result of the oversight of persons and organisations that carry out activities in the territory of a Member State, but certified by the competent authority of another Member State or by the Agency;

(2)information stemming from mandatory and voluntary occurrence reporting as required by 145.A.60.

(d)A copy of the procedures related to the management system and their amendments shall be made available to the Agency for the purpose of standardisation.

(e)In addition to the requirements contained in point (a), the management system established and maintained by the competent authority shall comply with Annex I (Part-IS.AR) to Implementing Regulation (EU) 2023/203 in order to ensure the proper management of information security risks which may have an impact on aviation safety.

[Applicable from 22 February 2026 – Regulation (EU) 2023/203]

ED Decision 2022/011/R

ORGANISATIONAL STRUCTURE

(a)In deciding upon the required organisational structure, the competent authority should review:

(1)the number of certificates to be issued, and the number and size of the potential Part145 approved maintenance organisations within that Member State;

(2)the possible use of qualified entities and of the resources of the competent authorities of other Member States to fulfil the continuing oversight obligations;

(3)the level of civil aviation activity, the number and complexity of the aircraft, and the size of the Member State’s aviation industry; and

(4)the potential growth of activities in the field of civil aviation.

(b)The competent authority should retain effective control of the important surveillance functions and should not delegate them in such a way that Part-145 organisations, in effect, regulate themselves in airworthiness matters.

(c)The set-up of the organisational structure should ensure that the various tasks and obligations of the competent authority do not solely rely on individuals. The continuous and undisturbed fulfilment of these tasks and obligations of the competent authority should also be guaranteed in case of illness, accidents or leave of individual employees.

ED Decision 2022/011/R

GENERAL

(a)The competent authority designated by each Member State should be organised in such a way that:

(1)there is specific and effective management authority in the conduct of all the relevant activities;

(2)the functions and processes described in the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, AMC, Certification Specifications (CSs), and Guidance Material (GM) are properly implemented;

(3)the competent authority’s policy, organisation and operating procedures for the implementation of the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts are properly documented and applied;

(4)all the competent authority’s personnel who are involved in the related activities are provided with training where necessary;

(5)specific and effective provision is made for communicating and interfacing as necessary with EASA and the competent authorities of other Member States; and

(6)all the functions related to implementing the applicable requirements are adequately described.

(b)A general policy in respect of the activities related to the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts should be developed, promoted, and implemented by the manager at the highest appropriate level; for example, the manager at the top of the functional area of the competent authority that is responsible for such activities.

(c)Appropriate steps should be taken to ensure that the policy is known and understood by all the personnel involved, and all the necessary steps should be taken to implement and maintain the policy.

(d)The general policy, whilst also satisfying the additional national regulatory responsibilities, should, in particular, take into account:

(1)the provisions of Regulation (EU) 2018/1139;

(2)the provisions of the applicable implementing rules and their AMC, CSs, and GM;

(3)the needs of industry; and

(4)the needs of EASA and of the competent authority.

(e)The policy should define specific objectives for the key elements of the competent authority organisation and processes for implementing the related activities, including the corresponding control procedures and the measurement of the achieved standard.

ED Decision 2022/011/R

DOCUMENTED POLICIES AND PROCEDURES

(a)The various elements of the organisation involved with the activities related to Regulation (EU) 2018/1139 and its delegated and implementing acts should be documented in order to establish a reference source for the establishment and maintenance of this organisation.

(b)The documented procedures should be established in a way that facilitates their use. They should be clearly identified, kept up to date, and made readily available to all the personnel who are involved in the related activities.

(c)The documented procedures should cover, as a minimum, all of the following aspects:

(1)policies and objectives;

(2)the organisational structure;

(3)responsibilities and the associated authority;

(4)procedures and processes;

(5)internal and external interfaces;

(6)internal control procedures;

(7)the training of personnel;

(8)cross-references to associated documents;

(9)assistance from other competent authorities or EASA (where required).

(d)It is likely that the information may be held in more than one document or series of documents, and suitable cross-referencing should be provided. For example, the organisational structure and job descriptions are not usually in the same documentation as the detailed working procedures. In such cases, it is recommended that the documented procedures should include an index of cross references to all such other related information, and the related documentation should be readily available when required.

ED Decision 2022/011/R

SUFFICIENT PERSONNEL

(a)This GM on the determination of the required personnel is limited to the performance of certification and oversight tasks, excluding any personnel who are required to perform tasks that are subject to any national regulatory requirements.

(b)The elements to be considered when determining who are the required personnel and planning their availability may be divided into quantitative and qualitative elements:

(1)Quantitative elements

(i)the estimated number of initial certificates to be issued;

(ii)the number of organisations to be certified by the competent authority;

(iii) the estimated number of subcontracted organisations used by certified organisations.

(2)Qualitative elements

(i)the size, nature, and complexity of the activities of certified organisations, taking into account:

(A)the privileges of each organisation;

(B)the types of approval and the scopes of approval;

(C)possible certification to industry standards;

(D)the number of personnel; and

(E)the organisational structure and the existence of subsidiaries;

(ii)the safety priorities identified;

(iii)the results of past oversight activities, including audits, inspections and reviews, in terms of risks and regulatory compliance, taking into account:

(A)the number and the levels of findings;

(B)the time frame for implementation of corrective actions; and

(C)the maturity of the management systems implemented by organisations, and their ability to effectively manage safety risks; and

(iv)the size and complexity of the Member State’s aviation industry, and the potential growth of activities in the field of civil aviation, which may be an indication of the number of new applications and changes to existing certificates to be expected.

(c)Based on the existing data from previous oversight planning cycles, and taking into account the situation within the Member State’s aviation industry, the competent authority may estimate:

(1)the standard working time required for processing applications for new certificates;

(2)the number of new certificates to be issued for each planning period; and

(3)the number of changes to existing certificates to be processed for each planning period.

(d)In line with the competent authority’s oversight policy, the following planning data should be determined:

(1)the standard number of audits to be performed per oversight planning cycle;

(2)the standard duration of each audit;

(3)the standard working time for audit preparation, on-site audit, reporting, and follow-up per inspector;

(4)the standard number of unannounced inspections to be performed;

(5)the standard duration of inspections, including preparation, reporting, and follow-up per inspector; and

(6)the minimum number and the required qualifications of the inspectors for each audit/inspection.

(e)The standard working time could be expressed either in working hours per inspector, or in working days per inspector. All planning calculations should then be based on the same unit (hours or working days).

(f)It is recommended to use a spreadsheet application to process the data defined under (c) and (d), to assist in determining the total number of working hours/days per oversight planning cycle required for certification, oversight and enforcement activities. This application could also serve as a basis for implementing a system for planning the availability of personnel.

(g)The number of working hours/days per planning period for each qualified inspector that may be allocated for certification, oversight and enforcement activities should be determined, taking into account:

(1)purely administrative tasks that are not directly related to certification and oversight;

(2)training;

(3)participation in other projects;

(4)planned absence; and

(5)the need to include a reserve for unplanned tasks or unforeseeable events.

(h)The determination of the working time available for certification, oversight and enforcement activities should also consider, as applicable:

(1)the use of qualified entities;

(2)cooperation with other competent authorities for approvals that involve more than one Member State;

(3)oversight activities under a bilateral aviation safety agreement.

(i)Based on the elements listed above, the competent authority should be able to:

(1)monitor the dates when audits and inspections are due, and when they were carried out;

(2)implement a system to plan the availability of personnel; and

(3)identify possible gaps between the number and the qualifications of personnel and the required volume of certification and oversight.

Care should be taken to keep planning data up to date in line with changes in the underlying planning assumptions, with particular focus on risk-based oversight principles.