Regulation (EU) 2022/203
(a) The Agency shall develop acceptable means of compliance (‘AMC’) that may be used to establish compliance with Regulation (EU) 2018/1139 and its delegated and implementing acts.
(b) Alternative means of compliance may be used to establish compliance with this Regulation.
(c) Competent authorities shall inform the Agency of any alternative means of compliance used by organisations under their oversight or by themselves for establishing compliance with this Regulation.
GM1 21.B.115 and 21.B.215 Means of compliance
ED Decision 2022/021/R
ALTERNATIVE MEANS OF COMPLIANCE — GENERAL
(a) A competent authority may establish means to comply with the regulation, which are different from the AMC that are established by EASA.
In that case, the competent authority is responsible for demonstrating how those alternative means of compliance (AltMoC) establish compliance with the regulation.
(b) AltMoC that are used by a competent authority, or by an organisation under its oversight, may be used by other competent authorities, or another organisation, only if they are processed by those authorities in accordance with point 21.B.115 or 21.B.215, and by that organisation in accordance with point 21.A.124A or 21.A.134A.
(c) AltMoC that are issued by the competent authority may cover the following cases:
(1) AltMoC to be used by organisations under the oversight of the competent authority and which are made available to those organisations; and
(2) AltMoC to be used by the authority itself to discharge its responsibilities.
AMC1 21.B.115(b),(c) and 21.B.215(b),(c) Means of compliance
ED Decision 2022/021/R
PROCESSING THE ALTERNATIVE MEANS OF COMPLIANCE
To meet the objective of points (b) and (c) of points 21.B.115 and 21.B.215:
(a) the competent authority should establish the means to consistently evaluate over time that all the AltMoC that are used by itself or by organisations under its oversight allow for the establishment of compliance with the regulation;
(b) if the competent authority issues AltMoC for itself or for the organisations under its oversight, it should:
(1) make them available to all relevant organisations; and
(2) notify EASA of the AltMoC as soon as it is issued, including the information that is described in point (d) of this AMC;
(c) the competent authority should evaluate the AltMoC that is proposed by an organisation by analysing the documentation provided and, if considered necessary, by inspecting the organisation; when the competent authority finds that the AltMoC is in accordance with the Regulation, it should:
(1) notify the applicant that the AltMoC is approved;
(2) indicate that this AltMoC may be implemented, and agree when the production organisation exposition (POE) is to be amended accordingly; and
(3) notify EASA of the AltMoC approval as soon as it is approved, including the information that is described in point (d) of this AMC; and
(d) the competent authority should provide EASA with the following information:
(1) a summary of the AltMoC;
(2) the content of the AltMoC;
(3) a statement that compliance with the regulation is achieved; and
(4) in support of that statement, an assessment that demonstrates that the AltMoC reaches an acceptable level of safety, taking into account the level of safety that is achieved by the corresponding EASA AMC.
(e) All these elements that describe the AltMoC are an integral part of the records to be kept, which are managed in accordance with point 21.B.55.
GM1 21.B.115(b) and (c) and 21.B.215(b) and (c) Means of Compliance
ED Decision 2022/021/R
CASES IN WHICH THERE IS NO CORRESPONDING EASA AMC
When there is no EASA AMC to a certain requirement in the regulation, the competent authority may choose to develop national guides or other types of documents to assist the organisations under its oversight in compliance demonstration. The competent authority may inform EASA so that such guides or other documents may be later considered for incorporation into an AMC that is published by EASA using the EASA rulemaking process.
21.B.220 Initial certification procedure
Regulation (EU) 2022/203
(a) Upon receiving an application for the initial issue of a production organisation approval certificate, the competent authority shall verify the applicant’s compliance with the applicable requirements.
(b) A meeting with the accountable manager of the applicant shall be convened at least once during the investigation for initial certification to ensure that this person understands his or her role and accountability.
(c) The competent authority shall record all the findings issued, closure actions as well as the recommendations for the issue of the production organisation approval certificate.
(d) The competent authority shall confirm to the applicant in writing all the findings raised during the verification. For initial certification, all findings must be corrected to the satisfaction of the competent authority before the certificate can be issued.
(e) When satisfied that the applicant complies with the applicable requirements, the competent authority shall issue the production organisation approval certificate (EASA Form 55, see Appendix X).
(f) The certificate reference number shall be included on the EASA Form 55 in a manner specified by the Agency.
(g) The certificate shall be issued for an unlimited duration. The privileges and the scope of the activities that the organisation is approved to conduct, including any limitations as applicable, shall be specified in the terms of approval attached to the certificate.
AMC1 21.B.220 Initial certification procedure
ED Decision 2023/014/R
INVESTIGATION TEAM AND PROCEDURES
(a) The competent authority should appoint a production organisation investigation team for each applicant for a production organisation approval. This team is responsible for conducting all the relevant tasks related to the approval. The team should consist of a team leader to manage and lead the approval team and, if needed, one or more team members. The team leader should report to the manager who is responsible for the activities of the competent authority as defined in point 21.B.25(b).
(b) The competent authority should perform sufficient investigation activities for an applicant for a production organisation approval, to justify the recommendations for the issuance of the approval.
(c) The competent authority should prepare procedures for the investigation of a production organisation as part of the documented procedures that cover at least the following elements:
(1) evaluation of the application received;
(2) appointment of the investigation team;
(3) preparation and planning of the investigation;
(4) evaluation of the documentation (production organisation exposition, procedures, etc.);
(5) auditing;
(6) follow-up of corrective actions;
(7) recommendation for the issuance of a POA; and
(8) continued surveillance.
AMC1 21.B.220 Initial certification procedure
ED Decision 2023/014/R
VERIFICATION OF COMPLIANCE — INITIAL CERTIFICATION AUDITS
(a) In order to verify the organisation’s compliance with the applicable requirements, the investigation by the competent authority should include one or more audits of the organisation, together with interviews of the personnel, carried out at the organisation’s facilities.
(b) The competent authority should only conduct such an audit if it is satisfied that the application and supporting documentation are in compliance with the applicable requirements.
(c) The audit should focus on the following areas:
(1) the detailed management structure, notably its adequacy;
(2) the personnel: the adequacy of the number of staff, and of their qualifications and experience with regard to the intended terms of approval and the associated privileges;
(3) the processes used for safety risk management and compliance monitoring;
(4) the facilities and their adequacy regarding the organisation’s intended terms of approval including its scope of work; and
(5) the documentation based on which the approval should be granted.
(d) If an application for an approval is refused, the applicant should be informed of the right of appeal that exists under national or EU law.
AMC2 21.B.220 Initial certification procedure
ED Decision 2023/014/R
INVESTIGATION PREPARATION AND PLANNING
Following the acceptance of the application for a POA and before commencing an investigation, the competent authority should, for the preparation and planning of the investigation:
(a) identify the site locations that they need to investigate taking into account the scope of any other POA issued by a Member State, which are valid in the circumstances;
(b) establish any necessary liaison arrangement with other competent authorities;
(c) agree the size and composition of the investigation team and any specialist tasks likely to be covered and to select suitable team members from all involved competent authorities; and
(d) liaise with the competent authority of a Member State where the investigation of the organisation should include a facility in that Member State for one of the following reasons:
(1) where a production organisation has subcontracted production to another organisation and therefore a need arises to ensure that the contract has the same meaning for all the parties to the contract, and the competent authority agrees;
(2) to perform the audit of the production of a product, part, appliance, or material at the approved organisation facilities in that Member State.
AMC3 21.B.220 Initial certification procedure
ED Decision 2023/014/R
INVESTIGATION TEAM
(a) Type of team
The competent authority should appoint a production organisation approval team leader (POATL) and members appropriate to the nature and scope of the applicant’s organisation.
Where the facilities of the applicant are located in more than one Member State, the competent authority of the country of manufacture should liaise with the other involved competent authorities to agree and appoint a POATL and members appropriate to the nature and scope of the applicant’s organisation.
(b) Team leader selection
The team leader should satisfy all of the criteria for a team member and will be selected by considering the following additional criteria:
(1) the capability to lead and manage a team;
(2) the capability to prepare reports and be diplomatic;
(3) experience in approval team investigations (not necessarily only Part 21 Section A Subpart G);
(4) a knowledge of production and quality systems for aircraft and related products and parts; and
(5) a knowledge of management systems of production organisations.
(c) Team member selection
The competent authority should determine the size of the team and the specialisations to be covered taking into account the scope of work and the characteristics of the applicant. Team members should be selected by considering the following criteria:
(1) training, which is mandatory, for Part 21 Section A, Subparts A and G and Section B, Subparts A and G;
(2) education and experience, to cover appropriate aviation knowledge, audit practices and approval procedures, and
(3) the ability to verify that an applicant’s organisation conforms to its own procedures, and that its key personnel are competent.
GM1 21.A.139, 21.A.239, 21.B.120, 21.B.140, 21.B.220, and 21.B.240 The use of information and communication technologies (ICT) for performing remote audits
ED Decision 2022/021/R
This GM provides technical guidance on the use of remote information and communication technologies (ICT) to support:
— competent authorities when overseeing regulated organisations;
— regulated organisations when conducting internal audits / monitoring compliance of their organisation with the relevant requirements, and when evaluating vendors, suppliers and subcontractors.
In the context of this GM:
— ‘remote audit’ means an audit that is performed with the use of any real-time video and audio communication tools in lieu of the physical presence of the auditor on-site; the specificities of each type of approval / letter of agreement (LoA) need to be considered in addition to the general overview (described below) when applying the ‘remote audit’ concept;
— ‘auditing entity’ means the competent authority or organisation that performs the remote audit;
— ‘auditee’ means the entity being audited/inspected (or the entity audited/inspected by the auditing entity via a remote audit);
It is the responsibility of the auditing entity to assess whether the use of remote ICT constitutes a suitable alternative to the physical presence of an auditor on-site in accordance with the applicable requirements.
The conduct of a remote audit
The auditing entity that decides to conduct a remote audit should describe the remote audit process in its documented procedures and should consider at least the following elements:
— The methodology for the use of remote ICT is sufficiently flexible and non-prescriptive in nature to optimise the conventional audit process.
— Adequate controls are defined and are in place to avoid abuses that could compromise the integrity of the audit process.
— Measures to ensure that the security and confidentiality are maintained throughout the audit activities (data protection and intellectual property of the organisation also need to be safeguarded).
Examples of the use of remote ICT during audits may include but are not limited to:
— meetings by means of teleconference facilities, including audio, video and data sharing;
— assessment of documents and records by means of remote access, in real time;
— recording, in real time during the process, of evidence to document the results of the audit, including non-conformities, by means of exchange of emails or documents, instant pictures, video or/and audio recordings;
— visual (livestream video) and audio access to facilities, stores, equipment, tools, processes, operations, etc.
An agreement between the auditing entity and the auditee should be established when planning a remote audit, which should include the following:
— determining the platform for hosting the audit;
— granting security and/or profile access to the auditor(s);
— testing platform compatibility between the auditing entity and the auditee prior to the audit;
— considering the use of webcams, cameras, drones, etc., when the physical evaluation of an event (product, part, process, etc.) is desired or is necessary;
— establishing an audit plan which will identify how remote ICT will be used and the extent of their use for the audit purposes to optimise their effectiveness and efficiency while maintaining the integrity of the audit process;
— if necessary, time zone acknowledgement and management to coordinate reasonable and mutually agreeable convening times;
— a documented statement of the auditee that they shall ensure full cooperation and provision of the actual and valid data as requested, including ensuring any supplier or subcontractor cooperation, if needed; and
— data protection aspects.
The following equipment and set-up elements should be considered:
— the suitability of video resolution, fidelity, and field of view for the verification being conducted;
— the need for multiple cameras, imaging systems, or microphones, and whether the person that performs the verification can switch between them, or direct them to be switched and has the possibility to stop the process, ask a question, move the equipment, etc.;
— the controllability of viewing direction, zoom, and lighting;
— the appropriateness of audio fidelity for the evaluation being conducted; and
— real-time and uninterrupted communication between the person(s) participating to the remote audit from both locations (on-site and remotely).
When using remote ICT, the auditing entity and the other persons involved (e.g. drone pilots, technical experts) should have the competence and ability to understand and utilise the remote ICT tools employed to achieve the desired results of the audit(s)/assessment(s). The auditing entity should also be aware of the risks and opportunities of the remote ICT used and the impacts they may have on the validity and objectivity of the information gathered.
Audit reports and related records should indicate the extent to which remote ICT have been used in conducting remote audits and the effectiveness of remote ICT in achieving the audit objectives, including any item that it has not been able to be completely reviewed.
GM1 21.B.220(a) Initial certification procedure
ED Decision 2023/014/R
ORGANISATION APPROVAL — GENERAL
(a) Purpose of the procedures
The purpose of the procedures is to investigate the applicant’s production organisation for compliance with Part 21 in relation to the requested terms of approval. When appropriate, these procedures should also be used to investigate significant changes or applications for variations in the scope of approval.
(b) Initiation
The team leader initiates the procedure by:
(1) arranging a meeting with the team members to review the information provided in accordance with the application (according to point 21.A.134 and to take account of any other information available within the competent authority about the applicant;
(2) collecting information from other investigation or oversight teams of competent authorities or EASA on the functioning of the applicant’s organisation;
(3) arranging a meeting with the applicant in order to:
(i) enable the applicant to make a general presentation of its organisation and products, parts or appliances;
(ii) ensure that the accountable manager understands his or her role and accountability when signing the statement specified in point 21.A.143(a)(1);
(iii) enable the investigation team to describe the proposed investigation process; and
(iv) enable the investigation team to confirm to the applicant the identity of those managers nominated in accordance with Part 21 Subpart G, Section A.
(c) Preparation
The investigation team:
(1) studies the information gathered in the initiation phase;
(2) establishes an investigation plan which:
(i) takes account of the location of the applicant’s facility as identified per GM3 21.B.65(c);
(ii) defines areas of coverage and work-sharing between team members taking account of their individual expertise;
(iii) defines areas where more detailed investigation is considered necessary;
(iv) establishes the need for external advice to team members where expertise may be lacking within the team;
(v) includes completion of a comprehensive plan for the investigation in order to present it to the applicant; and
(vi) recognises the need to:
(A) review the documentation and procedures;
(B) verify compliance and implementation; and
(C) audit a sample of products, parts, and appliances;
(3) coordinates with the appropriate design organisation approval teams sufficiently for both parties to have confidence in the applicant’s coordination links with the holder of the approval of the design (as required by point 21.A.133; and
(4) establishes liaison with the applicant to plan mutually suitable dates and times for audits or inspections at each location needing investigation, and also to agree the investigation plan and approximate time scales with the applicant.
The investigation team:
(1) makes a check of the exposition for compliance with Part 21;
(2) audits the organisation, its organisational structure, working procedures and processes for compliance with Part 21, using internal compliance checklist and at the end of the investigation, prepares the EASA Form 56 as a summary document;
(3) checks that the exposition standard reflects the organisation, its procedures, practices and the requirements defined in point 21.A.143. Having checked and agreed an exposition issue or subsequent amendment, the competent authority should have a clear procedure to indicate its acceptance or rejection;
(4) performs sample audits at working level to verify that:
(i) work is performed in accordance with the system described in the exposition;
(ii) products, parts, appliances or material produced by the organisation are in conformity with the applicable design data;
(iii) facilities, working conditions, equipment and tools are in accordance with the exposition and appropriate for the work being performed;
(iv) competency and numbers of personnel are appropriate for the work being performed; and
(v) coordination between production and design is satisfactory; and
(5) at an advanced stage of the investigation, conducts an interim team review of audit results and matters arising, in order to determine any additional areas requiring investigation.
Each investigation team should be accompanied during the process by company representatives who are knowledgeable of the applicant’s organisation and procedures. This will ensure that the organisation is aware of the audit progress and problems as they arise. Access to information will also be facilitated.
The team leader should coordinate the work of the team members for an efficient investigation process, which will provide a consistent and effective investigation and reporting standards.
(e) Conclusions
(1) The team leader holds a team meeting to review the findings and observations so as to produce a final agreed report of findings.
(2) The team leader, on completion of the investigation, holds a meeting to verbally present the report to the applicant.
The team leader should be the chair of this meeting, but individual team members may present their own findings and observations.
(3) The meeting should agree the findings, corrective action time scales, and preliminary arrangements for any follow-up that may be necessary.
(4) Some items may as a result of this meeting be withdrawn by the team leader but if the investigation has been correctly performed, at this stage there should be no disagreement over the facts presented.
(5) Inevitably there will be occasions when the team leader/member carrying out the audit may find situations in the applicant or approval holder where he or she is unsure about compliance. In this case, the organisation is informed about possible non-compliance at the time and advised that the situation will be reviewed within the competent authority before a decision is made. The organisation should be informed of the decision without undue delay. Only if the decision results in a confirmation of non-compliance, this is recorded in the audit report, eventually in Part 4 of EASA Form 56 at the end of investigation, if not solved before.
(6) Completion of the audit report includes the need to record findings, observations, comments, etc. and this should reflect any problems found during the audit and should be the same as the ones made to the organisation during the debrief at the end of each audit. Under no circumstances should additional findings, observations, comments etc. be included in the audit report, unless the applicant or approval holder has previously been made aware of such comments.
An applicant may need to take corrective action and amend the proposed exposition before the competent authority is able to conclude its investigation. Such corrective actions should be described in a corrective action plan submitted by the organisation and agreed by the investigation team, so that there is a common understanding of the actions necessary before approval can be granted.
(7) Findings raised during the investigation are communicated at the last day of the audit to the organisation. The final version of the audit report is confirmed in writing to the organisation within 2 weeks of each audit. The reason for confirmation in writing is that many organisations take a considerable time to establish compliance. As a result, it is too easy to establish a position of confusion where the organisation claims it was not aware of the findings that prevented the issue of an approval.
(8) At the end of the investigation, the team leader will prepare the final report through an EASA Form 56 and in accordance with the competent authority internal procedures. The report will include the recommendations and any open finding or observation, together with the supporting documentation e.g. audit reports, corrective action plan, closure of findings, minutes of meetings held during the investigation, etc.
The intention of Part 4 of the EASA Form 56 is to provide a summary report of open findings, observations and outstanding items at the end of initial investigation or significant changes to recommend the issue of the approval, or the issue of the significant change approval.
(f) Management involvement
The investigation team should meet the accountable manager at least once during the investigation process and preferably twice, because he or she is ultimately responsible for ensuring compliance with the requirements for the initial granting and subsequent maintenance of the production organisation approval. Two is the preferred number of meetings with the accountable manager, with the first being conducted at the beginning of the investigation to explain the investigation process, and the second, at the end, to debrief on the results of the investigation.
|
Competent authority of an EU Member State or EASA
RECOMMENDATION REPORT IN SUPPORT OF Part 21 SUBPART G APPROVAL ISSUE / CONTINUATION / VARIATION / SIGNIFICANT CHANGE
PART 1 OF 5: BASIC DETAILS OF THE ASSESSMENT
Name of the organisation:
Approval reference:___________
Address(es) of the facilities surveyed:
Main Part 21 Subpart G activities at facilities surveyed:
Date(s) of survey:
Names and positions of the organisation’s senior management attended during survey:
Names of the competent authority staff:
Office: EASA Form 56 completion date:
Note: If it is determined that a recommendation for issue/continuation/variation/significant change of approval cannot be made because of a non-compliance with Part 21 Subpart G, the reasons for the non-compliance need to be identified in Part 4 of the report. A copy of Part 1 and Part 4, or at least the information included in these parts, must be given to the organisation to ensure that the organisation, in failing to obtain Part 21 Subpart G approval, even if only temporarily, has the same information as that in the files of the competent authority. |
EASA Form 56 Issue 4 — POAT Recommendation Audit Report — Part 1 of 5, Page 1 of 1 MONTH YEAR
|
Competent authority of an EU Member State or EASA
RECOMMENDATION REPORT IN SUPPORT OF Part 21 SUBPART G ISSUE /
PART 2 OF 5: Part 21 SUBPART G COMPLIANCE
Name of organisation:
Approval of organisation:
Approval reference: ___________ Survey reference:
Note A: This form has been compiled according to those points of Part 21 Subpart G which are relevant to an organisation trying to demonstrate compliance. Note B: The right-hand part of each box must be completed with one of the following three indicators: 1. a tick () which means compliance;) 2. NR which means that the requirement is NOT RELEVANT to the activity at the address surveyed; (the reason for NR should be stated in Part 4 of the report, unless the reason is obvious) 3. a number relating to a comment which must be recorded in Part 4 of the report. The left-hand part of each box is optional for use by the competent authority. |
|
21.A.3A Reporting system (a) N/A (b) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council and its delegated and implementing acts, any natural or legal person that holds or has applied for a production organisation approval certificate under Subpart G of this Section, or that produces a product, part or appliance under Subpart F of this Section, shall: (1) establish and maintain a system for collecting and assessing occurrence reports, including reports on errors, near misses and hazards, in order to identify adverse trends or to address deficiencies and extract occurrences whose reporting is mandatory in accordance with points 2 and 3 and those which are reported voluntarily. For organisations that have their principal place of business in a Member State, a single system may be established to meet the requirements of Regulation (EU) No 376/2014 of the European Parliament and of the Council and its implementing acts and of Regulation (EU) 2018/1139 and its delegated and implementing acts; (2) report to the responsible design approval holder all the cases where products, parts or appliances have been released by the production organisation and possible deviations from the applicable design data have been subsequently identified, and investigate with the design approval holder to identify those deviations which could lead to an unsafe condition; (3) report to the competent authority of the Member State responsible in accordance with point 21.1 and the Agency the deviations that have been identified in accordance with point 21.A.3A(b)2 and which could lead to an unsafe condition; (4) if the production organisation acts as a supplier to another production organisation, also report to that other organisation all the cases where it has released products, parts or appliances to that organisation and possible deviations from the applicable design data have been subsequently identified. (c) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council and its delegated and implementing acts, any natural or legal person, when reporting in accordance with points (a)(3), (b)(2), (b)(3) and (b)(4), shall appropriately protect the confidentiality of the person who reports and of the person(s) mentioned in the report. (d) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council and its delegated and implementing acts, any natural or legal person shall make the reports referred to in points (a)(3) and (b)(3) in a form and manner established by the Agency or the competent authority, respectively, and dispatch them as soon as practicable and in any case not later than 72 hours after the natural or legal person has identified that the occurrence may lead to a possible unsafe condition, unless exceptional circumstances prevent this. (e) Without prejudice to Regulation (EU) No 376/2014 of the European Parliament and of the Council and its delegated and implementing acts, if an occurrence reported under point (a)(3) or under point (b)(3) results from a deficiency in the design or a production deficiency, the holder of the type certificate, restricted type certificate, supplemental type certificate, major repair design approval, ETSO authorisation or any other relevant approval deemed to have been issued under this Regulation, or the production organisation as appropriate, shall investigate the reason for the deficiency and report to the competent authority of the Member State responsible in accordance with point 21.1 and to the Agency the results of its investigation and any action it intends to take or proposes to be taken to correct that deficiency. (f) If the competent authority finds that action is required to correct the deficiency, the holder of the type certificate, restricted type certificate, supplemental type certificate, major repair design approval, ETSO authorisation or any other relevant approval deemed to have been issued under this Regulation, or the production organisation as appropriate, shall submit the relevant data to the competent authority upon its request. 21.A.5 Record-keeping All natural or legal persons that hold or have applied for a type certificate, restricted type certificate, supplemental type certificate, ETSO authorisation, design or repair approval, permit to fly, production organisation approval certificate or letter of agreement under this Regulation shall: (a) N/A (b) when they produce a product, part or appliance, record the details of the production process relevant to the conformity of the product, part or appliance with the applicable design data, and the requirements imposed on their partners and suppliers, and make that data available to their competent authority in order to provide the information that is necessary to ensure the continuing airworthiness of the product, part or appliance; (c) with regard to permits to fly: (1) maintain the documents that are produced to establish and justify the flight conditions, and make them available to the Agency and to their competent authority of the Member State in order to provide the information that is necessary to ensure the continued airworthiness of the aircraft; (2) when they issue a permit to fly under the privilege of approved organisations, maintain the documents associated with it, including inspection records and documents that support the approval of the flight conditions and the issuance of the permit to fly itself, and make them available to the Agency and to their competent authority of the Member State responsible for the oversight of the organisation in order to provide the information that is necessary to ensure the continued airworthiness of the aircraft; (d) retain records of the competence and qualifications, referred to in points 21.A.139(c), 21.A.145(b), 21.A.145(c), 21.A.139(c), 21.A.145(a) or 21.A.145(e)(1), of the personnel that are involved in the following functions: (1) design or production; (2) independent monitoring of the compliance of the organisation with the relevant requirements; (3) safety management; (e) retain records of the authorisation of personnel, when they employ personnel that: (1) exercise the privileges of the approved organisation pursuant to points 21.A.163 and/or 21.A.263, as appropriate; (2) carry out the independent function to monitor the compliance of the organisation with the relevant requirements pursuant to points 21.A.139(e) and/or 21.A.139(e), as appropriate; (3) carry out the independent verification function of the demonstration of compliance pursuant to point 21.A.139(d)(2). 21.A.9 Access and investigation Any natural or legal person that holds or has applied for a type certificate, restricted type certificate, supplemental type certificate, ETSO authorisation, design change or repair approval, certificate of airworthiness, noise certificate, permit to fly, design organisation approval, production organisation approval certificate or letter of agreement under this Regulation, shall: (a) grant the competent authority access to any facility, product, part and appliance, document, record, data, process, procedure or to any other material in order to review any report, make any inspection, or perform or witness any flight and ground test, as necessary, in order to verify the initial and continued compliance of the organisation with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts; (b) make arrangements to ensure the competent authority has access, as provided for in point (a), also in respect of the natural or legal person’s partners, suppliers and subcontractors. 21.A.133 Eligibility Any natural or legal person (‘organisation’) shall be eligible as an applicant for an approval under this Subpart. The applicant shall: (a) justify that, for a defined scope of work, an approval under this Subpart is appropriate for the purpose of showing conformity with a specific design; and (b) hold or have applied for an approval of that specific design; or (c) have ensured, through an appropriate arrangement with the applicant for, or holder of, an approval of that specific design, satisfactory coordination between production and design. 21.A.134 Application Each application for a production organisation approval shall be made to the competent authority in a form and manner established by that authority, and shall include an outline of the information required by point 21.A.143 and the terms of approval requested to be issued under point 21.A.151. |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 2 of 5, Page 1 of 5 MONTH YEAR
|
PART 2 OF 5 (CONTINUED): SURVEY REFERENCE: |
|
21.A.139 Production management system (a) The production organisation shall establish, implement and maintain a production management system that includes a safety management element and a quality management element, with clearly defined accountability and lines of responsibility throughout the organisation. (b) The production management system shall: (1) correspond to the size of the organisation, and to the nature and complexity of its activities, taking into account the hazards and associated risks inherent in these activities; (2) be established, implemented and maintained under the direct accountability of a single manager appointed pursuant to point 21.A.145(c)(1). (c) As part of the safety management element of the production management system, the production organisation shall: (1) establish, implement and maintain a safety policy and the corresponding related safety objectives; (2) appoint key safety personnel in accordance with point 21.A.145(c)(2); (3) establish, implement and maintain a safety risk management process to identify safety hazards entailed by its aviation activities, evaluate them and manage associated risks, including taking actions to mitigate the risks and verify their effectiveness; (4) establish, implement and maintain a safety assurance process that includes: (i) the measurement and monitoring of the organisation’s safety performance; (ii) the management of changes in accordance with point 21.A.147; and (iii) the principles for the continuous improvement of the safety management element; (5) promote safety in the organisation through: (i) training and education; (ii) communication; (6) establish an occurrence reporting system in accordance with point 21.A.3A in order to contribute to the continuous improvement of safety. (d) As part of the quality management element of the production management system, the production organisation shall: (1) ensure that each product, part or appliance produced by the organisation or by its partners, or supplied from or subcontracted to outside parties, conforms to the applicable design data and is in condition for safe operation, thus enabling the exercise of the privileges set out in point 21.A.163; (2) establish, implement, and maintain, as appropriate, within the scope of the approval, control procedures for: (i) document issue, approval or change; (ii) vendor and subcontractor assessment, audit and control; (iii) verifying that incoming products, parts, materials and equipment, including items supplied new or used by buyers of products, are as specified in the applicable design data; (iv) identification and traceability; (v) manufacturing processes; (vi) inspection and testing, including production flight tests; (vii) the calibration of tools, jigs, and test equipment; (viii) non-conforming item control; (ix) airworthiness coordination with the applicant for, or holder of, the design approval; (x) the completion and retention of records; (xi) the competence and qualifications of personnel; (xii) the issue of airworthiness release documents; (xiii) handling, storage and packing; (xiv) internal quality audits and the resulting corrective actions; (xv) work within the terms of approval performed at any location other than the approved facilities; (xvi) work performed after the completion of production but prior to delivery, to maintain the aircraft in a condition for safe operation; (xvii) the issue of a permit to fly and approval of associated flight conditions; (3) include specific provisions in the control procedures for any critical parts. (e) The production organisation shall establish, as part of the production management system, an independent monitoring function to verify compliance of the organisation with the relevant requirements of this Annex as well as compliance with and adequacy of the production management system. Monitoring shall include feedback to the person or group of persons referred to in point 21.A.145(c)(2) and to the manager referred to in point 21.A.145(c)(1) to ensure, where necessary, the implementation of corrective actions. (f) If the production organisation holds one or more additional organisation certificates within the scope of Regulation (EU) 2018/1139, the production management system may be integrated with that required under the additional certificate(s) held. |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 2 of 5, Page 2 of 5 MONTH YEAR
|
PART 2 OF 5 (CONTINUED): SURVEY REFERENCE: |
|
21.A.143 Production organisation exposition (a) The production organisation shall establish and maintain a production organisation exposition (POE) that provides directly or by cross reference the following information related to the production management system as described in point 21.A.139: (1) a statement signed by the accountable manager confirming that the production organisation exposition and any associated manuals which define the approved organisation’s compliance with this Subpart will be complied with at all times; (2) the title(s) and names of managers accepted by the competent authority in accordance with point 21.A.145(c)(2); (3) the duties and responsibilities of the manager(s) as required by point 21.A.145(c)(2) including matters on which they may deal directly with the competent authority on behalf of the organisation; (4) an organisational chart showing associated chains of responsibility of the managers as required by point 21.A.145(c)(1) and (2); (5) a list of certifying staff as referred to in point 21.A.145(d); (6) a general description of man-power resources; (7) a general description of the facilities located at each address specified in the production organisation’s certificate of approval; (8) a general description of the production organisation’s scope of work relevant to the terms of approval; (9) the procedure for the notification of organisational changes to the competent authority; (10) the amendment procedure for the production organisation exposition; (11) a description of the production management system, the policy, processes and procedures as provided for in point 21.A.139(c); (12) a list of the outside parties referred to in point 21.A.139(d)(1); (13) if flight tests are to be conducted, a flight test operations manual defining the organisation’s policies and procedures in relation to flight test. The flight test operations manual shall include: (i) a description of the organisation’s processes for flight test, including the flight test organisation involvement into the permit to fly issuance process; (ii) crewing policy, including composition, competency, currency and flight time limitations, in accordance with Appendix XII to this Annex I (Part 21), where applicable; (iii) procedures for the carriage of persons other than crew members and for flight test training, when applicable; (iv) a policy for risk and safety management and associated methodologies; (v) procedures to identify the instruments and equipment to be carried; (vi) a list of documents that need to be produced for flight test. (b) The initial issue of the POE shall be approved by the competent authority. (c) The POE shall be amended as necessary so that it remains an up-to-date description of the organisation. Copies of any amendments shall be supplied to the competent authority. 21.A.145 Resources The production organisation shall demonstrate that: (a) the facilities, working conditions, equipment and tools, processes and associated materials, number and competence of staff, and general organisation are adequate to discharge its obligations under point 21.A.165; (b) with regard to all necessary airworthiness, and environmental protection data: (1) the production organisation holds all data it needs to determine conformity with the applicable design data. Such data may originate from the Agency and from the holder of, or applicant for, the type certificate, restricted type certificate or design approval, and may include any exemption granted from the environmental protection requirements; (2) the production organisation has established a procedure to ensure that the airworthiness and environmental protection data are correctly incorporated in its production data; (3) such data are kept up to date and made available to all personnel that need access to such data to perform their duties; (c) with regard to management and staff: (1) an accountable manager has been appointed by the production organisation with the authority to ensure that, within the organisation, all production is performed to the required standards and that the production organisation is continuously in compliance with the requirements of the production management system referred to in point 21.A.139, and the data and procedures identified in the POE referred to in point 21.A.143; (2) a person or group of persons has/have been nominated by the accountable manager to ensure that the organisation is in compliance with the requirements of this Annex, and are identified, together with the extent of their authority; such person or group of persons shall be responsible to the accountable manager and have direct access to him. The person or group of persons shall have the appropriate knowledge, background and experience to discharge their responsibilities; (3) staff at all levels have been given the appropriate authority to be able to discharge their allocated responsibilities and that there is full and effective coordination within the production organisation in respect of airworthiness and environmental protection data matters; (d) with regard to certifying staff authorised by the production organisation to sign the documents issued under point 21.A.163 within the scope of the terms of approval: (1) they have the appropriate knowledge, background (including other functions in the organisation) and experience to discharge their allocated responsibilities; (2) they are provided with evidence of the scope of their authorisation. |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 2 of 5, Page 3 of 5 MONTH YEAR
|
PART 2 OF 5 (CONTINUED): SURVEY REFERENCE: 21.A.147 Changes in the production management system After the issue of a production organisation approval certificate, each change in the production management system that is significant for the demonstration of conformity or the airworthiness and environmental protection characteristics of the product, part or appliance, shall be approved by the competent authority before being implemented. The production organisation shall submit an application for approval to the competent authority demonstrating that it will continue to comply with this Annex. 21.A.148 Changes of location A change of the location of the manufacturing facilities of the approved production organisation shall be deemed of significance and therefore shall comply with point 21.A.147. 21.A.149 Transferability Except as a result of a change in ownership, which is deemed significant for the purposes of point 21.A.147, a production organisation approval is not transferable. 21.A.151 Terms of approval The terms of approval shall identify the scope of work, the products or the categories of parts and appliances, or both, for which the holder is entitled to exercise the privileges under point 21.A.163. Those terms shall be issued as part of a production organisation approval. 21.A.153 Changes to the terms of approval Each change to the terms of approval shall be approved by the competent authority. An application for a change to the terms of approval shall be made in a form and manner established by the competent authority. The applicant shall comply with the applicable requirements of this Subpart. 21.A.163 Privileges Pursuant to the terms of approval issued under point 21.A.135, the holder of a production organisation approval may: (a) perform production activities under this Annex I (Part 21); (b) in the case of complete aircraft and upon presentation of a statement of conformity (EASA Form 52) under point 21.A.174, obtain an aircraft certificate of airworthiness and a noise certificate without further showing; (c) in the case of other products, parts or appliances, issue authorised release certificates (EASA Form 1) without further showing; (d) maintain a new aircraft that it has produced and issue a certificate of release to service (EASA Form 53) in respect of that maintenance; (e) under procedures agreed with its competent authority for production, for an aircraft it has produced, and when the production organisation itself is controlling under its POA the configuration of the aircraft and is attesting conformity with the design conditions approved for the flight, to issue a permit to fly in accordance with point 21.A.711(c) including approval of the flight conditions in accordance with point 21.A.710(b). |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 2 of 5, Page 4 of 5 MONTH YEAR
|
PART 2 OF 5 (CONTINUED): SURVEY REFERENCE: |
|
21.A.165 Obligations of the holder The holder of a production organisation approval shall: (a) ensure that the production organisation exposition furnished in accordance with point 21.A.143 and the documents to which it refers, are used as basic working documents within the organisation; (b) maintain the production organisation in conformity with the data and procedures approved for the production organisation approval; (c) (1) determine that each completed aircraft conforms to the type design and is in condition for safe operation prior to submitting statements of conformity to the competent authority; or (2) determine that other products, parts or appliances are complete and conform to the approved design data and are in a condition for safe operation before issuing an EASA Form 1 to certify conformity to approved design data and condition for safe operation; (3) Additionally, in the case of environmental requirements, determine that: (i) the completed engine is in compliance with the applicable engine exhaust emissions requirements on the date of manufacture of the engine; and (ii) the completed aeroplane is in compliance with the applicable CO2 emissions requirements on the date its first certificate of airworthiness is issued; (4) determine that other products, parts or appliances conform to the applicable data before issuing an EASA Form 1 as a conformity certificate; (d) provide assistance to the holder of the type certificate or other design approval in dealing with any continuing airworthiness actions that are related to the products, parts or appliances that have been produced; (e) where, under its terms of approval, the holder of a production organisation approval intends to issue a certificate of release to service, determine, prior to issuing the certificate, that each completed aircraft has been subjected to necessary maintenance and is in condition for safe operation; (f) where applicable, under the privilege set out in point 21.A.163(e), determine the conditions under which a permit to fly can be issued; (g) where applicable, under the privilege set out in point 21.A.163(e), establish compliance with points 21.A.711 (c) and (e) before issuing an aircraft with a permit to fly; (h) comply with Subpart A of this Section. |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 2 of 5, Page 5 of 5 MONTH YEAR
|
Competent authority of an EU Member State or EASA
RECOMMENDATION REPORT IN SUPPORT OF Part 21 SUBPART G ISSUE / CONTINUATION / VARIATION/SIGNIFICANT CHANGE
PART 3 OF 5: Part 21 SUBPART G EXPOSITION COMPLIANCE
Name of organisation:
Approval of organisation:
Approval reference: ___________ Survey reference:
Note A: Each box must be completed with one of the three following indicators: 1. a tick () which means compliance; 2. NR which means that the requirement is NOT RELEVANT to the activity at the address surveyed; (The reason for NR should be stated in Part 4 of the report unless the reason is obvious.); 3. a number relating to a comment which must be recorded in Part 4 of the report. Note B: The exposition may be compiled in any subject order as long as all applicable subjects are covered. Note C: If the organisation holds another Part approval requiring an exposition or handbook, it is acceptable to use this index as a supplement to the existing exposition or handbook and to cross-refer each subject to the position in the existing exposition or handbook. |
|
Production organisation exposition Revision status: (Content as required by point 21.A.143v(a))
(1) a statement signed by the accountable manager confirming that the production organisation exposition and any associated manuals which define the approved organisation’s compliance with this Annex will be complied with at all times; (2) the title(s) and names of the managers accepted by the competent authority in accordance with point 21.A.145(c)(2); (3) the accountability and responsibilities of the manager(s) as required by point 21.A.145(c)(2) including matters on which they may deal directly with the competent authority on behalf of the organisation; (4) an organisational chart showing the associated chains of accountability and responsibility of the managers as required by points 21.A.145 (c)(1) and (c)(2); (5) a list of certifying staff as referred to in point 21.A.145(d); [Note: a separate document may be referenced] (6) a description of man-power resources; |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 3 of 5, Page 1 of 2 MONTH YEAR
|
PART 3 OF 5 (CONTINUED): SURVEY REFERENCE: |
|
(7) a general description of the facilities located at each address specified in the production organisation’s certificate of approval; (8) a general description of the production organisation’s scope of work that is relevant to the terms of approval; (9) the procedure for the notification of organisational changes to the competent authority; (10) the amendment procedure for the production organisation exposition; (11) a description of the production management system and the policy, processes and procedures as required by point 21.A.139(b)(1); (12) a list of those outside parties referred to in point 21.A.139(d)(1); and [Note: a separate document may be referenced] (13) if flight tests are to be conducted, a flight test operations manual defining the organisation’s policies and procedures in relation to flight test. |
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 3 of 5, Page 2 of 2 MONTH YEAR
|
Competent authority of an EU Member State or EASA
RECOMMENDATION REPORT IN SUPPORT OF Part 21 SUBPART G APPROVAL ISSUE / CONTINUATION / VARIATION/SIGNIFICANT CHANGE
PART 4 OF 5: FINDINGS ON Part 21 SUBPART G COMPLIANCE STATUS
Name of organisation:
Approval reference: _______________ Survey reference: _______________
Note A: Each finding must be identified by a number and the number must cross-refer to the same number in a box in Parts 2 or 3 of the Part 21 Subpart G survey report. Note B: As stated in Part 1, any comments recorded in this Part 4 should be copied to the organisation surveyed, together with Part 1. Note C: In the case of a partial clearance of a finding with some outstanding actions remaining, these actions have to be identified. |
|||||
|
NO: |
FINDING |
LEVEL |
OUTSTANDING ACTION |
CLEARANCE |
|
|
DATE |
REP.REF. |
||||
|
|
|
|
|
|
|
|
NAME & SIGNATURE OF INSPECTOR: Date:
|
|||||
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 4 of 5, Page 1 of 2 MONTH YEAR
|
PART 4 OF 5 (CONTINUED): Sheet ___ of ___ SURVEY REFERENCE: |
|||||
|
NO: |
FINDING |
LEVEL |
OUTSTANDING ACTION |
CLEARANCE |
|
|
DATE |
REP.REF. |
||||
|
|
|
|
|
|
|
|
NAME & SIGNATURE OF INSPECTOR: Date:
|
|||||
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 4 of 5, Page 2 of 2 MONTH YEAR
|
Competent authority of an EU Member State or EASA
RECOMMENDATION REPORT IN SUPPORT OF Part 21 SUBPART G APPROVAL ISSUE / CONTINUATION / VARIATION/SIGNIFICANT CHANGE
PART 5 OF 5: Part 21 SUBPART G APPROVAL RECOMMENDATION
Name of organisation:
Approval reference: _______________ Survey reference: _______________
Recommendation for issue / variation of approval/significant change:
The following Part 21 Subpart G terms of approval are recommended for the above organisation at the address(es) specified in Part 1 of this report:
or
Recommendation for continuation of existing approval:
It is recommended that the Part 21 Subpart G terms of approval identified in EASA Form 55 referenced
_______________ be continued.
Reporting performed according to the procedure for authority surveillance of suppliers of a POA holder located in other Member States, if applicable. (Strict confidentiality to be observed)
Name of the competent authority inspector making the recommendation:
Signature of the competent authority inspector:
Competent authority office: Date:
|
EASA Form 56 Issue 4 — POAT Recommendation Report POA Audit Report — Part 5 of 5, Page 1 of 1 MONTH YEAR
GM2 21.B.220 Initial certification procedure
ED Decision 2023/014/R
APPLICATION RECEIVED FROM ORGANISATIONS WITH FACILITIES/PARTNERS/SUPPLIERS/SUBCONTRACTORS LOCATED IN A THIRD COUNTRY
The obligations of the applicant are totally independent from the surveillance exercised by the competent authority. It is not acceptable that the applicant relies on the surveillance activities of the competent authority to simplify its tasks.
Facilities located in a third country
When any part of the production facilities of an applicant for a POA is located outside the Member States, then the location will be treated in all aspects as part of the applicant’s POA organisation.
Therefore, the investigating competent authority will include the facilities outside the Member States:
(a) fully in their investigation and surveillance activities for the applicant for, or holder of, the POA;
(b) in the terms of approval of the EASA Form 55 (see Part 21 Appendix X) when issuing the POA.
Partners/suppliers/subcontractors located in a third country
The competent authority should define, on the basis of Part 21 and its associated AMC and GM, a clear procedure on supplier control. This procedure should include the control of partners/suppliers/subcontractors of the applicant for, or holder of, a POA that are located outside the Member States.
In respect of the applicant for, or holder, of the POA, the competent authority should:
(1) investigate, for the initial approval and consequent continued surveillance, the production organisation, and its partners/suppliers/subcontractors at the necessary level, to ensure that the organisation can comply with the requirements of Part 21;
(2) in accordance with the competent authority procedure, assess and accept the documented procedure for supplier control as part of the POA holder’s quality system, and changes to that procedure prior to implementation; and
(3) in accordance with the competent authority procedure, assess the necessary level of surveillance to be exercised by the production organisation on partners / suppliers / subcontractors and check the audit plan of the production organisation against this level.
The level of cooperation between the competent authority and the competent authority of the third country where a partner/supplier/subcontractor of the production organisation is located may influence the authorities’ activities concerning this partner/supplier/subcontractor. Cooperation with the competent authority of the third country should be based on the capability and goodwill of that authority, and a complete interchange of necessary information.
The involvement of this competent authority of the third country in the surveillance of the partner/supplier/subcontractor will be based on the following principles:
(a) A recognition agreement under Article 68 of Regulation EU) 2018/1139 covering production subjects has been concluded:
(1) The competent authority in accordance with GM1 21.A.139(d)(1) may decide that direct surveillance of the POA holder activities at the foreign location may not be necessary.
(2) In any other case, provisions of the recognition agreement on the subject apply (technical assistance, etc.).
(b) If a recognition agreement has not been concluded, or it does not cover production subjects, it may be necessary that the competent authority of the Member State, EASA, and the competent authority of a third country enter into a specific working arrangement addressing the following matters:
(1) acceptance by the competent authority of the third country of conducting surveillance of the relevant production activities on behalf of the competent authority, under the respective quality standards defined by the competent authority.
(2) tasks to be performed; and
(3) practical methods.
These arrangements are between authorities and do not relieve the applicant of its obligations.
— In all cases, even though surveillance tasks are delegated to the competent authority of the third country, the competent authority remains the responsible authority and may consequently exercise direct surveillance if necessary.
— If it is not possible to delegate surveillance tasks to the competent authority of the third country, the competent authority will have to establish a direct surveillance programme in accordance with its procedure concerning supplier control as part of the overall surveillance of the POA holder.
GM3 21.B.220 Initial certification procedure
ED Decision 2023/014/R
COMPETENT AUTHORITY SURVEILLANCE OF SUPPLIERS OF A POA HOLDER LOCATED IN OTHER MEMBER STATES
(a) The aviation legislation identifies specific State obligations in relation to complete products.
The State of manufacture, as used in ICAO Annex 8, normally identifies the country where the final assembly and the final determination of airworthiness is made. However, sub-assemblies and parts may be produced by POA holders in other countries and Form 1 - Authorised Release Certificate will identify those countries as the locations for production.
Among Member States, the obligations of the State of manufacture may be discharged through the use of the Part 21 POA system.
According to Part 21 Section A, Subpart G, each POA holder must have established and documented in its POE a system for its own control of suppliers/supplies. Surveillance of this system is part of the responsibility of the competent authority of the POA holder wherever the suppliers are located.
This surveillance may be exercised through the POA holder and/or at supplier level especially in the cases where the supplier would be eligible for its own POA.
The purpose of this procedure is to ensure the completeness of the chain of responsibilities so that no separate technical agreement between these competent authorities is necessary, and when necessary to establish a means of communication between the involved competent authorities of the Member States.
(b) Principle to organise competent authority supplier surveillance between Member States
In order to avoid duplication and to take the best advantage of Regulation (EU) 2018/1139(EC) No 216/2008 that establishes under Article 67 mutual recognition of certificates issued by production organisations approved in accordance with Part 21 Section A, Subpart G by a Member State, the principle for the competent authority surveillance of the suppliers of a POA holder located in other Member States is for the responsible competent authority to delegate surveillance activities to the other competent authority of the supplier.
This applies between Member States and for suppliers holding a Part 21 POA.
Delegation of surveillance tasks does not imply a delegation of the overall responsibility, therefore the competent authority of the contractor always retains the right of direct supervision at the supplier location especially when serious quality problems are encountered. In such a case, there will be coordination between both competent authorities.
This delegation of surveillance is to be considered automatic as soon as the supplier holds a Part 21 POA, provided that the intended supply is included in the approved scope of work. Evidence of that approval will normally be found through the release of the supplied parts with a Form 1. In addition, the competent authority of the supplier should immediately inform the competent authority of the contractor in any case of a serious quality problem.
In the cases where the competent authority of the contractor considers that it is necessary to establish closer ties with the competent authority of the supplier (i.e., critical or significant parts), the exchange of information between the competent authorities should be organised as follows:
(1) Tasks of the competent authority of the POA contractor
The competent authority of the contractor should inform in writing the competent authority of the subcontractor of the following:
(i) The identification (and location) of the contractor;
(ii) The identification (and location) of the subcontractor;
(iii) The identification of the subcontracting (parts, contract No, etc.);
(iv) A reference to the quality requirements attached to the contract;
(v) The name and address of the competent authority office/person in charge of the POA;
(vi) Whether direct delivery authorisation (DDA) applies;
(vii) Any specific action item/requirement from the competent authority; and
(viii) A request for a bi-annual reporting (both ways).
EASA Form 58A is provided for the convenience of the competent authority for this purpose.
The competent authority of the contractor should require the contract/order from the contractor to the subcontractor to indicate that it is placed under the surveillance of its competent authority on behalf of the competent authority of the contractor, and should address the subject to the payment of the possible surveillance fees.
(2) Tasks of the competent authority of the supplier (subcontractor)
On receipt of the information from the competent authority of the contractor, the competent authority of the subcontractor should:
(i) verify that the scope of work of the POA of the supplier covers the intended supply (or envisage extending it in liaison with the supplier).
(ii) verify that the specific quality requirements for the parts have been introduced into the quality system of the supplier.
(iii) confirm to the competent authority of the contractor that the procurement is included in the POA of the supplier and that their surveillance will cover this activity; and
(iv) indicate the name and address of the competent authority’s office/person in charge of the POA.
If the supplier has no POA under Part 21, or does not want to extend it, and/or if its competent authority cannot conduct surveillance on behalf of the other competent authority, the competent authority of the supplier will inform the competent authority of the contractor in order for it to decide on the appropriate actions.
(3) Exchange of information between the competent authorities
This information should normally take two forms:
— Immediate exchange of information between both competent authorities in case of serious quality problems;
— A bi-annual exchange of information on a given date in order to guarantee proper ongoing control of the subcontract by both competent authorities.
This information should cover in a concise form:
(i) for the competent authority of the contractor:
— a résumé of the quality problems encountered by the contractor, on receipt inspection, on installation on aircraft or on in service aircraft; and
— a status of the reference documents.
(ii) For the competent authority of the subcontractor:
— a résumé of at least the following subjects:
— changes in organisation and qualification of the subcontractor.(in case of impact on the procurement);
— quality problems encountered during manufacture;
— corrective actions following problems encountered earlier on the procurement;
— findings from competent authorities surveillance that may have an impact on the procurement; and
— quality problems related to the contractor procurement (materials, documentation, procedures, processes).
Any exchange of information between competent authorities according to this procedure is strictly confidential and should not be disclosed to other parties.
It is recommended to plan at least every 5 years a meeting between industry and the two competent authorities to review each major subcontract to verify that there is proper management by the various parties involved.
3. Miscellaneous
(a) Release documentation
The release of parts by the POA subcontractor to the contractor will be accompanied by an ‘Authorised Release Certificate EASA Form 1’ issued for ‘Airworthiness’ or for ‘Conformity ’ as appropriate.
(b) Subsubcontracting
If the subcontractor wants itself to subcontract, it is up to the competent authority of the subcontractor to verify that this is done in accordance with the conditions of the contract, to organise as necessary the related authority surveillance and to inform the competent authority of the contractor.
(c) Language
Except if it is agreed otherwise, it is recommended to use the English language for the exchange of information between the competent authorities.
|
Competent authority of an EU Member State or EASA
REQUEST FOR REPORTING ON SUBCONTRACTOR SURVEILANCE |
|||
|
Document reference number: |
<REQUEST REF. NO.> |
||
|
As competent authority which issued a POA to: |
<CONTRACTOR COMPANY> |
||
|
With approval reference: |
<CONTRACTOR POA REF. NO..> |
||
|
The <COMPETENT AUTHORITY> has determined that there is a need for direct authority supplier surveillance of: |
<SUBCONTRACTOR COMPANY> |
||
|
With approval reference: |
<SUBCONTRACTOR POA REF.NO.> |
||
|
Which is situated in: |
<COUNTRY OF SUBCONTRACTOR COMPANY> |
||
|
As part of the surveillance as required for the Part 21 Section A, Subpart G approved production organisation, according to GM3 21.B.220, the competent authority of the subcontractor is requested to perform authority surveillance on the specific sub‑assemblies and parts as details and requirements are defined below. |
|||
|
Identification of subcontracting (parts, contract No., etc.): |
|
||
|
Reference to the quality requirements attached to the contract between contractor and subcontractor: |
|
||
|
Name and address of the requesting competent authority office/person in charge of the POA: |
|
||
|
Direct delivery authorisation (DDA) applies: |
Yes No |
||
|
Specific action item/requirement from the competent authority of the contractor: |
|
||
|
Request and details required for a bi-annual reporting (both ways) according to GM3 21.B.220 (Strict confidentiality to be observed): |
|
||
|
Name and signature of the competent authority person making the request: |
|
||
|
Competent authority office: |
Date: |
||
EASA Form 58A – Request for reporting on subcontractor surveillance, Page x of x
|
Competent authority of an EU Member State or EASA
REPORT ON SUBCONTRACTOR SURVEILLANCE |
||
|
Document reference number: |
<REPORT REF. NO.> |
|
|
Reporting request reference number: |
< REQUEST REF. NO > |
|
|
As responsible competent authority the <COMPETENT AUTHORITY> issued a POA to and is performing direct authority surveillance of: |
<SUBCONTRACTOR COMPANY> |
|
|
With approval reference: |
<SUBCONTRACTOR POA REF. NO..> |
|
|
Which is a subcontracted supplier of: |
<CONTRACTOR COMPANY> |
|
|
With approval reference : |
<CONTRACTOR POA REF.NO.> |
|
|
Which is situated in: |
<COUNTRY OF CONTRACTOR COMPANY> |
|
|
According to GM No. 4 to 21.B.220(c) and on request of the competent authority of the contractor company the <COMPETENT AUTHORITY> reports on the results of its authority surveillance on the specific parts and appliances defined below: |
||
|
Identification of subcontracting (parts, contract No., …): |
|
|
|
Identification of attachments to this report (if needed): |
|
|
|
Date and identification of the previous report: |
|
|
|
Résumé of surveillance results: |
|
|
|
Changes in organisation and qualification of the subcontractor (in case of impact on the procurement): |
|
|
|
Quality problems encountered during manufacture: |
|
|
|
Corrective actions following problems encountered earlier in the procurement: |
|
|
|
Findings from competent authority surveillance that may have an impact on the procurement: |
|
|
|
Quality problems related with the contractor procurement (materials, documentation, procedures, processes): |
|
|
|
Note: the exchange of information between competent authorities according to this procedure is strictly confidential and should not be disclosed to other parties. |
||
|
Name and signature of the competent authority person reporting: |
||
|
Competent authority office: |
Date: |
|
EASA Form 58B – Report on subcontractor surveillance, Page x of x
AMC1 21.B.220(e) Initial certification procedure
ED Decision 2023/014/R
ISSUE OF THE CERTIFICATE
(a) The competent authority should base its decision to issue a POA on the recommendation report (EASA Form 56, see GM1 21.B.220) of the investigation team submitted by the POA team leader. EASA Form 56 includes a proposal by the investigation team for the scope and terms of approval that define the products, parts and appliances for which the approval is to be granted, with appropriate limitations.
(b) When the competent authority issues the approval, a final controlled copy of an acceptable exposition for the organisation should be supplied to the competent authority.
(c) A record should be kept by the competent authority and should upon request be brought to the attention of EASA for standardisation purposes.
Regulation (EU) 2022/203
(a) The competent authority shall verify:
1. compliance with the requirements that are applicable to organisations, prior to issuing the production organisation approval certificate;
2. continued compliance with the applicable requirements of the organisations it has certified;
3. the implementation of appropriate safety measures mandated by the competent authority according to points 21.B.20(c) and (d).
(b) This verification shall:
1. be supported by documentation specifically intended to provide personnel responsible for oversight with guidance to perform their functions;
2. provide the organisations concerned with the results of oversight activities;
3. be based on assessments, audits, inspections and, if needed, unannounced inspections;
4. provide the competent authority with the evidence needed in case further action is required, including the measures provided for in point 21.B.225.
(c) The competent authority shall establish the scope of the oversight defined in points (a) and (b) taking into account the results of past oversight activities and the safety priorities.
(d) If the facilities of an organisation are located in more than one State, the competent authority, as defined in point 21.1, may agree to have the oversight tasks performed by the competent authority(ies) of the Member State(s) where the facilities are located, or by the Agency for facilities that are located outside a territory for which Member States are responsible under the Chicago Convention. Any organisation that is subject to such an agreement shall be informed of its existence and of its scope.
(e) For any oversight activities that are performed at facilities located in a Member State other than where the organisation has its principal place of business, the competent authority, as defined in point 21.1, shall inform the competent authority of that Member State before performing any on-site audit or inspection of the facilities.
(f) The competent authority shall collect and process any information deemed necessary for performing oversight activities.
(g) With regard to the certification and oversight of the organisation’s compliance with point 21.A.139A, in addition to complying with points (a) to (f), the competent authority shall review any approval granted under point IS.I.OR.200(e) of this Regulation or point IS.D.OR.200(e) of Delegated Regulation (EU) 2022/1645 following the applicable oversight audit cycle and whenever changes are implemented in the scope of work of the organisation.
[point (g) is applicable from 22 February 2026 – Regulation (EU) 2023/203]
AMC1 21.B.221 Oversight principles
ED Decision 2023/014/R
OVERSIGHT TEAM AND PROCEDURES
(a) The competent authority should appoint a production organisation oversight team for each holder of a production organisation approval. This team is responsible for conducting all the relevant tasks related to the approval. The team should consist of a team leader to manage and lead the oversight team and, if needed, one or more team members. The team leader should report to the manager who is responsible for the activities of the competent authority as defined in point 21.B.25(b).
(b) The competent authority should perform sufficient oversight activities for the holder of a production organisation approval, to justify the recommendations for the maintenance, amendment, limitation, suspension or revocation of the approval.
(c) The competent authority should prepare procedures for the oversight of a production organisation as part of the documented procedures that cover at least the following elements:
(1) appointment of the production organisation oversight team;
(2) review of result of past oversight activities;
(3) appointment of the production organisation oversight team;
(4) preparation and planning of the oversight;
(5) evaluation of the documentation (production organisation exposition, procedures, etc.)
(6) auditing;
(7) follow-up of corrective actions;
(8) recommendation for the amendment, limitation, suspension or revocation of a production organisation approval; and
(9) continued surveillance.
AMC2 21.B.221 Oversight principles
ED Decision 2023/014/R
(a) As part of the initial certification of an organisation in accordance with point 21.B.220, the competent authority should assess the organisation’s management system and its processes to make sure that all the required enablers of a functioning management system are present and suitable.
(b) As a result of their oversight, the competent authority should be satisfied as to the effectiveness of the organisation’s management system and processes.
(c) When significant changes take place in the organisation, the competent authority should determine whether there is a need to review the existing assessment to ensure that it is still valid.
AMC1 21.B.221(f) Oversight principles
ED Decision 2023/014/R
INFORMATION DEEMED NECESSARY FOR OVERSIGHT
This information should include, as a minimum:
(a) any occurrence reports received by the competent authority;
(b) the results of the following types of inspections and surveys if they indicate an issue that originates from a Part 21 Section A, Subpart G organisation:
(1) ramp inspections performed in accordance with Subpart RAMP of Annex II (Part‑ARO)
(2) product audits conducted pursuant to point 21.B.222(b)(1); and
(3) results from other POA Investigations.
Regulation (EU) 2022/203
(a) The competent authority shall establish and maintain an oversight programme covering the oversight activities required by point 21.B.221(a).
(b) The oversight programme shall take into account the specific nature of the organisation, the complexity of its activities, the results of past certification and/or oversight activities, and it shall be based on the assessment of the associated risks. It shall include, within each oversight planning cycle:
1. assessments, audits and inspections, including, as appropriate:
(i) management system assessments and process audits;
(ii) product audits of a relevant sample of the products, parts and appliances that are within the scope of the organisation;
(iii) sampling of the work performed; and
(iv) unannounced inspections;
2. meetings convened between the accountable manager and the competent authority to ensure that both parties remain informed of all significant issues.
(c) The oversight planning cycle shall not exceed 24 months.
(d) Notwithstanding point (c), the oversight planning cycle may be extended to 36 months if the competent authority has established that during the previous 24 months:
1. the organisation has demonstrated that it can effectively identify aviation safety hazards and manage the associated risks;
2. the organisation has continuously demonstrated compliance with points 21.A.147 and 21.A.148 and it has full control over all changes to the production management system;
3. no level 1 findings have been issued;
4. all corrective actions have been implemented within the time period that was accepted or extended by the competent authority as defined in point 21.B.225.
Notwithstanding point (c), the oversight planning cycle may be further extended to a maximum of 48 months if, in addition to the conditions provided in points (1) to (4) above, the organisation has established, and the competent authority has approved, an effective continuous system for reporting to the competent authority on the safety performance and regulatory compliance of the organisation itself.
(e) The oversight planning cycle may be reduced if there is evidence that the safety performance of the organisation has decreased.
(f) The oversight programme shall include records of the dates when assessments, audits, inspections and meetings are due, and when assessments, audits, inspections and meetings have been effectively carried out.
(g) At the completion of each oversight planning cycle, the competent authority shall issue a recommendation report on the continuation of the approval, reflecting the results of the oversight.
AMC1 21.B.222 Oversight programme
ED Decision 2023/014/R
(a) The oversight planning cycle and the related oversight programme for each organisation should be reviewed annually to ensure that they remain adequate regarding any changes in the nature of the organisation, the complexity of its activities or the safety performance of the organisation.
(b) When reviewing the oversight planning cycle and the related oversight programme, the competent authority should also consider any relevant information collected in accordance with points 21.A.3A and 21.B.215(d).
AMC1 21.B.222(a) and (b) Oversight programme
ED Decision 2023/014/R
OVERSIGHT PLANNING
(a) When defining the oversight programme, the competent authority should assess the risks related to the activity and set-up of each organisation and adapt the oversight to the level of risk identified and to the effectiveness of the organisation’s management system, in particular its ability to effectively manage safety risks.
(b) The competent authority should establish a schedule of assessments, audits and inspections that is appropriate to each organisation. The planning of assessments, audits and inspections should take into account the results of the hazard identification and risk assessment conducted and maintained by the organisation as part of the organisation’s management system. Inspectors should work in accordance with the schedule provided to them.
(c) When the competent authority, having regard to the level of risk identified and the effectiveness of the organisation’s management system, varies the frequency of an audit or inspection, it should ensure that all the aspects of the organisation’s activities are audited and inspected within the applicable oversight planning cycle.
AMC1 21.B.222(b) Oversight programme
ED Decision 2023/014/R
When determining the oversight programme, including a relevant sample of production activities under the scope of the organisation as product audits, the competent authority should consider in particular the following elements, as applicable:
(a) the effectiveness of the organisation’s management system in identifying and addressing non‑compliances and safety hazards;
(b) the implementation by the organisation of any industry standards that are directly relevant to the organisation’s activity subject to Part 21;
(b) the procedures for the management and the scope of non-significant changes;
(c) any specific procedures implemented by the organisation that are related to any alternative means of compliance used;
(d) the number of approved locations and the activities performed at each location;
(e) the number and scope of subcontractors that perform production activities; and
(f) the volume of activity for each product or parts.
AMC2 21.B.222(b) Oversight programme
ED Decision 2023/014/R
If a production organisation subcontracts production activities, the competent authority should determine whether the subcontracted organisations need to be audited and include this in the oversight programme, taking into account the specific nature and complexity of the subcontracted activities, the results of previous oversight activities of the production organisation, and assessment of the associated risks.
For such an audit, the competent authority inspectors should ensure that they are accompanied throughout the audit by a representative of the production organisation.
NOTE: If a production organisation subcontracts production activities, the competent authority should verify that the production organisation has sufficient control over the subcontracted activities and manages the related risks.
AMC1 21.B.222(b)(1) Oversight programme
ED Decision 2023/014/R
ASSESSMENTS, AUDIT AND INSPECTIONS
(a) The oversight programme should indicate which aspects of the approval will be covered by each assessment, audit or inspection.
(c) At the conclusion of the assessment, audit or inspection, the POA team should complete a report that identifies the areas and processes that were covered and includes all the findings and observations that were raised.
(d) At the completion of each oversight planning cycle, the POATL responsible for the POA should complete an EASA Form 56 (see GM1 21.B.220) as a summary report for the continued surveillance, including the recommendation for a continuation of the POA, as applicable. EASA Form 56 should be countersigned by the person responsible within the competent authority for the acceptance. At this stage, there is no limitation on the number of level 2 findings that may be open, provided that they are within the time limits of the respective corrective action plans.
GM1 21.B.222(b)(1)(ii) Oversight programme
ED Decision 2023/014/R
GUIDE TO THE CONDUCT OF MONITORING PRODUCTION STANDARDS
(a) Point 21.B.222(b)(1)(ii) identifies the need for a sample investigation of products, parts or appliances, their associated conformity determinations and the certifications made by a POA holder. For this to be performed effectively and efficiently, the competent authority should integrate a sampling plan as part of the planning of the investigation and continued surveillance activities that are appropriate to the scope and size of the relevant applicant.
(b) The sample investigation could, for example, include:
(1) a modification (or change);
(2) the installation, testing, or operation of a major part or system;
(3) the accuracy and generation of the flight test report data;
(4) the accuracy and generation of the weighing report data;
(5) an engine test bed run;
(6) the traceability of records;
(7) the accuracy and generation of the statement of conformity data and the associated safe operation determination; and
(8) the accuracy and generation of EASA Form 1 data.
AMC1 21.B.222(c) Oversight programme
ED Decision 2023/014/R
OVERSIGHT PLANNING CYCLE — AUDIT
(a) For each organisation approved by the competent authority, all applicable requirements including processes should be audited at periods that do not exceed the applicable oversight planning cycle. The beginning of the first oversight planning cycle is normally determined by the date of issue of the first approval. If the competent authority wishes to align the oversight planning cycle with the calendar year, it should shorten the first oversight planning cycle accordingly.
(b) The oversight planning should include at least one on-site audit within each oversight planning cycle. For organisations that carry out their regular activities at more than one site, the determination of the sites and the requirements to be audited at these sites should consider the results of past oversight activities and the volume of activity at each site, as well as the main risk areas identified.
(c) For organisations that hold more than one approval under Regulation (EU) 2018/1139, the competent authority may define an integrated oversight schedule to include all the applicable audit items. In order to avoid any duplication of audits, credit may be granted for any specific audit items already completed during the current oversight planning cycle, provided that:
(1) the specific audit item is the same for all the approvals under consideration;
(2) there is satisfactory evidence on record that the specific audit items were carried out and that all corrective actions have been implemented to the satisfaction of the competent authority; and
(3) the competent authority should be satisfied that there is no evidence that standards have deteriorated regarding those specific audit items for which credit is granted.
GM1 21.B.222(c) Oversight programme
ED Decision 2023/014/R
STANDARD OVERSIGHT PLANNING CYCLE
The expression ‘shall not exceed 24 months’ does not imply that 24 months is a minimum duration for the oversight cycle. Based on the elements specified in 21.B.221(c) and 21.B.222(b) (e.g. safety priorities, assessment of the risks, complexity of activities), the competent authority may decide to apply a cycle of less than 24 months (e.g. 12 months).
AMC1 21.B.222(d) and (e) Oversight programme
ED Decision 2023/014/R
EXTENSION OF THE OVERSIGHT PLANNING CYCLE BEYOND 24 MONTHS
(a) Regardless of planning cycle length, the competent authority should perform at least one focused inspection of the organisation (inspection of a specific area, element or aspect of the organisation) within each 12‑month segment of the applicable oversight planning cycle, to support the determined length of the planning cycle.
(b) If the oversight planning was beyond 24 months and the results of the focused inspection indicate a decrease in the safety performance of the organisation, the competent authority should revert to a 24‑month (or shorter) oversight planning cycle and review the oversight programme accordingly.
(c) In order to be able to apply an oversight planning cycle of up to 36 months, the competent authority should agree on the format and contents of the continuous reporting to be made by the organisation on its safety performance and regulatory compliance.
(d) To enable the competent authority to apply an oversight planning cycle of up to 48 months, the competent authority should establish, implement and maintain a methodology to evaluate the safety performance of the organisation, focusing on the organisation’s ability to effectively identify aviation safety hazards and manage the associated risks.
GM1 21.B.222(d)(2) Oversight programme
ED Decision 2023/014/R
ORGANISATION’S CONTROL OVER THE CHANGES
For the purpose of extending the oversight planning beyond 24 months, the continuous compliance of the organisation with 21.A.147 and 21.A.148, and the full control over all changes referred to in point 21.B.222(d)(2), includes in particular the ability of the organisation to manage adequately the changes not requiring prior approval foreseen in 21.A.147 and 21.A.148.
21.B.225 Findings and corrective actions; observations
Regulation (EU) 2022/203
(a) The competent authority shall have a system in place to analyse findings for their safety significance.
(b) A level 1 finding shall be issued by the competent authority when any significant non-compliance is detected with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, with the organisation’s procedures and manuals, or with the certificate including the terms of approval which lowers safety or seriously endangers flight safety.
The level 1 findings shall also include:
1. any failure to grant the competent authority access to the organisation’s facilities referred to in point 21.A.9 during normal operating hours and after two written requests;
2. obtaining the production organisation approval certificate or maintaining its validity by falsification of the submitted documentary evidence;
3. any evidence of malpractice or fraudulent use of the production organisation approval certificate; and
4. failure to appoint an accountable manager pursuant to point 21.A.245(a)/
(c) A level 2 finding shall be issued by the competent authority when any non-compliance is detected with the applicable requirements of Regulation (EU) 2018/1139 and its delegated and implementing acts, with the organisation’s procedures and manuals, or with the certificate including the terms of approval, which is not classified as a level 1 finding.
(d) When a finding is detected during oversight or by any other means, the competent authority shall, without prejudice to any additional action required by Regulation (EU) 2018/1139 and its delegated and implementing acts, communicate in writing the finding to the organisation and request corrective action to address the non-compliance(s) identified. Where a level 1 finding directly relates to an aircraft, the competent authority shall inform the competent authority of the Member State in which the aircraft is registered.
1. If there are any level 1 findings, the competent authority shall take immediate and appropriate action to prohibit or limit the activities of the organisation involved and, if appropriate, it shall take action to revoke the production organisation approval certificate or to limit or suspend it in whole or in part, depending upon the extent of the level 1 finding, until successful corrective action has been taken by the organisation.
2. If there are any level 2 findings, the competent authority shall:
(i) grant the organisation a corrective action implementation period that is appropriate to the nature of the finding, and that in any case shall initially not be more than 3 months. The period shall commence from the date of the written communication of the finding to the organisation requesting corrective action to address the non-compliance identified. At the end of this period, and subject to the nature of the finding, the competent authority may extend the 3‑month period provided that a corrective action plan has been agreed by the competent authority;
(ii) assess the corrective action and implementation plan proposed by the organisation, and if the assessment concludes that they are sufficient to address the non-compliance, accept them;
(iii) if the organisation fails to submit an acceptable corrective action plan, or fails to perform the corrective action within the time period accepted or extended by the competent authority, the finding shall be raised to level 1 and action shall be taken as laid down in point (d)(1).
(e) The competent authority may issue observations for any of the following cases not requiring level 1 or level 2 findings:
1. for any item whose performance has been assessed to be ineffective; or
2. when it has been identified that an item has the potential to cause a non-compliance under points (b) or (c); or
3. when suggestions or improvements are of interest for the overall safety performance of the organisation.
The observations issued under this point shall be communicated in writing to the organisation and recorded by the competent authority.
GM 21.B.225(a) Objective evidence
ED Decision 2012/020/R
Objective evidence is a fact which is, or can be documented, based on observations, measurements or tests that can be verified. Objective evidence generally comes from the following:
a) documents or manuals
b) examination of equipment/products
c) information from interview questions and observations of POA activities.
AMC 21.B.225(a) Notification of findings
ED Decision 2012/020/R
In case of a level one finding confirmation must be obtained in a timely manner that the accountable manager received the letter containing details of the level one finding and the approval suspension details.
A level two finding requires timely and effective handling by the competent authority to ensure completion of the corrective action. This includes intermediate communication, including reminding letters as necessary, with the POA holder to verify that the corrective action plan is followed.
GM1 21.B.225(b) Findings and corrective actions; observations
ED Decision 2023/014/R
EXAMPLE OF A LEVEL 1 FINDING
The production organisation cannot demonstrate compliance with 21.A.139(d)2.(xii) and 21.A.163(c), as evidenced by:
The POA holder released the ‘critical’ Part No XXX, Serial Number YYY with EASA Form 1 No ZZZZ having ticked the box ‘Certifies that the items identified above were manufactured in conformity to: approved design data and are in a condition for safe operation’; while:
(a) the released part is not included in the organisation’s capability list/scope of work; and/or
(b) the POA holder could not demonstrate that the released part is covered by an EASA approved/accepted type design.
Consequently, the released part is not eligible for installation on in-service type-certificated aircraft.
GM1 21.B.125(b) and 21.B.225(b) Findings and corrective actions; observations
ED Decision 2023/014/R
SIGNIFICANT NON-COMPLIANCE
Significant non-compliance includes uncontrolled non-compliance with applicable design data, which is non-compliance that:
(a) cannot be discovered through systematic analysis; or
(b) prevents the identification of the affected products, parts, appliances, or material.
GM2 21.B.125(b) and 21.B.225(b) Findings and corrective actions; observations
ED Decision 2023/014/R
EVIDENCE
A finding can only be raised on the basis of evidence.
Evidence is a fact that is, or can be, documented based on observations, measurements, or tests that can be verified. Evidence generally comes from the following:
(a) documents or manuals;
(b) examination of equipment/products; and
(c) information from interview questions and from observations of an organisation’s activities, as applicable.
AMC1 21.B.125(d) and 21.B.225(d) Findings and corrective actions; observations
ED Decision 2023/014/R
NOTIFICATION OF FINDINGS
In the case of a level 1 finding, confirmation should be obtained in a timely manner that the accountable manager has taken note of the finding and its details.
A finding requires effective oversight by the competent authority to monitor the timely completion of the corrective action. That oversight may include intermediate communication, such as letters, as necessary, to remind the approval holder to verify that the corrective action plan is followed.
GM1 21.B.125(e) and 21.B.225(e) Findings and corrective actions; observations
ED Decision 2023/014/R
DIFFERENCE BETWEEN A ‘LEVEL 2 FINDING’ AND AN ‘OBSERVATION’
(a) ‘Findings’ are issued for non-compliance with the regulation, with the organisation’s procedures and manuals, or with the certificate including the terms of approval, whereas ‘observations’ may be issued to an organisation that remains compliant with the regulation, while additional input to the organisation may be considered for continuous improvement (see points (1), (2), and (3) of point 21.B.125(e)).
The competent authority may decide to issue a ‘level 2 finding’ when the ‘observations’ process is not managed correctly or is overlooked (see points 21.A.125B(c) and 21.A.158(c)).
(b) Examples to help differentiate between a ‘level 2 finding’ and an ‘observation’ are provided below, based on the requirements for the control and calibration of tools in accordance with point 21.A.139(b)(1)(vii).
Example of a ‘level 2 finding’:
The organisation could not demonstrate compliance with some elements of point 21.A.145(a) regarding the control register of the tools and equipment, as evidenced by the fact that:
(a) some sampled tools that are physically available in the tool store were missing in the tool control register that is managed by the organisation; or
(b) one tool was not correctly identified (e.g. incorrect part number or serial number) in the tool control register.
Examples of ‘observations’:
(a) Accumulation of tools in the tool store, which have not been yet sent for calibration. This situation may have some consequences regarding the availability of tools and the operational capabilities during a peak of activities (ineffectiveness of the process).
(b) The process for managing the tool control register through the dedicated software is not detailed enough (potential to cause a ‘level 2 finding’).
(c) The colour of the ‘unserviceable’ tag of the tools may generate some confusion. The organisation should consider changing the colour of that unserviceable tag to better alert its staff to the particular status of the unserviceable tools (potential improvement).
21.B.240 Changes in production management system
Regulation (EU) 2022/203
(a) Upon receiving an application for a significant change to the production management system, the competent authority shall verify the organisation’s compliance with the applicable requirements of this Annex before issuing the approval.
(b) The competent authority shall establish the conditions under which the organisation may operate during the evaluation of a change unless the competent authority determines that the production organisation approval certificate needs to be suspended.
(c) When it is satisfied that the organisation complies with the applicable requirements, the competent authority shall approve the change.
(d) Without prejudice to any additional enforcement measures, if the organisation implements a significant change to the production management system without having received the approval of the competent authority pursuant to point (c), the competent authority shall consider the need to suspend, limit or revoke the organisation’s certificate.
(e) For non-significant changes to the production management system, the competent authority shall include the review of such changes in its continuing oversight in accordance with the principles set forth in point 21.B.221. If any non-compliance is found, the competent authority shall notify the organisation, request further changes and act in accordance with point 21.B.225.
AMC1 21.B.240 Changes in production management system
ED Decision 2023/014/R
APPLICATION FOR SIGNIFICANT CHANGES OR A VARIATION OF SCOPE AND TERMS OF THE POA
(a) The competent authority should have adequate control over any changes to the personnel specified in points 21.A.145 (c)(1) and (c)(2). Such changes in personnel will require an amendment to the exposition.
(b) When an organisation submits the name of a new nominee for any of the personnel specified in points 21.A.145 (c)(1) and (c)(2), the competent authority may require the organisation to produce a written résumé of the proposed person. The competent authority should reserve the right to interview the nominee or call for additional evidence of their suitability before deciding upon the nominee being acceptable.
(c) For changes requiring prior approval, in order to verify the organisation’s compliance with the applicable requirements, the competent authority should conduct an audit of the organisation, limited to the extent of the changes, and determine whether the organisation needs to provide a safety risk assessment.
(d) If required for verification, the audit may include interviews and inspections carried out at the organisation’s facilities.
(e) The competent authority should receive an application for any significant changes or for a change to the terms of approval of the POA on an EASA Form 51 completed by the applicant.
(f) The applicable part(s) of EASA Form 56 should be used to document the assessment of any changes to the POA.
GM1 21.A.139, 21.A.239, 21.B.120, 21.B.140, 21.B.220, and 21.B.240 The use of information and communication technologies (ICT) for performing remote audits
ED Decision 2022/021/R
This GM provides technical guidance on the use of remote information and communication technologies (ICT) to support:
— competent authorities when overseeing regulated organisations;
— regulated organisations when conducting internal audits / monitoring compliance of their organisation with the relevant requirements, and when evaluating vendors, suppliers and subcontractors.
In the context of this GM:
— ‘remote audit’ means an audit that is performed with the use of any real-time video and audio communication tools in lieu of the physical presence of the auditor on-site; the specificities of each type of approval / letter of agreement (LoA) need to be considered in addition to the general overview (described below) when applying the ‘remote audit’ concept;
— ‘auditing entity’ means the competent authority or organisation that performs the remote audit;
— ‘auditee’ means the entity being audited/inspected (or the entity audited/inspected by the auditing entity via a remote audit);
It is the responsibility of the auditing entity to assess whether the use of remote ICT constitutes a suitable alternative to the physical presence of an auditor on-site in accordance with the applicable requirements.
The conduct of a remote audit
The auditing entity that decides to conduct a remote audit should describe the remote audit process in its documented procedures and should consider at least the following elements:
— The methodology for the use of remote ICT is sufficiently flexible and non-prescriptive in nature to optimise the conventional audit process.
— Adequate controls are defined and are in place to avoid abuses that could compromise the integrity of the audit process.
— Measures to ensure that the security and confidentiality are maintained throughout the audit activities (data protection and intellectual property of the organisation also need to be safeguarded).
Examples of the use of remote ICT during audits may include but are not limited to:
— meetings by means of teleconference facilities, including audio, video and data sharing;
— assessment of documents and records by means of remote access, in real time;
— recording, in real time during the process, of evidence to document the results of the audit, including non-conformities, by means of exchange of emails or documents, instant pictures, video or/and audio recordings;
— visual (livestream video) and audio access to facilities, stores, equipment, tools, processes, operations, etc.
An agreement between the auditing entity and the auditee should be established when planning a remote audit, which should include the following:
— determining the platform for hosting the audit;
— granting security and/or profile access to the auditor(s);
— testing platform compatibility between the auditing entity and the auditee prior to the audit;
— considering the use of webcams, cameras, drones, etc., when the physical evaluation of an event (product, part, process, etc.) is desired or is necessary;
— establishing an audit plan which will identify how remote ICT will be used and the extent of their use for the audit purposes to optimise their effectiveness and efficiency while maintaining the integrity of the audit process;
— if necessary, time zone acknowledgement and management to coordinate reasonable and mutually agreeable convening times;
— a documented statement of the auditee that they shall ensure full cooperation and provision of the actual and valid data as requested, including ensuring any supplier or subcontractor cooperation, if needed; and
— data protection aspects.
The following equipment and set-up elements should be considered:
— the suitability of video resolution, fidelity, and field of view for the verification being conducted;
— the need for multiple cameras, imaging systems, or microphones, and whether the person that performs the verification can switch between them, or direct them to be switched and has the possibility to stop the process, ask a question, move the equipment, etc.;
— the controllability of viewing direction, zoom, and lighting;
— the appropriateness of audio fidelity for the evaluation being conducted; and
— real-time and uninterrupted communication between the person(s) participating to the remote audit from both locations (on-site and remotely).
When using remote ICT, the auditing entity and the other persons involved (e.g. drone pilots, technical experts) should have the competence and ability to understand and utilise the remote ICT tools employed to achieve the desired results of the audit(s)/assessment(s). The auditing entity should also be aware of the risks and opportunities of the remote ICT used and the impacts they may have on the validity and objectivity of the information gathered.
Audit reports and related records should indicate the extent to which remote ICT have been used in conducting remote audits and the effectiveness of remote ICT in achieving the audit objectives, including any item that it has not been able to be completely reviewed.
21.B.240A Changes to the information security management system
Regulation (EU) 2023/203
(a) For changes managed and notified to the competent authority in accordance with the procedure set out in point IS.D.OR.255(a) of the Annex (Part‑IS.D.OR) to Delegated Regulation (EU) 2022/1645, the competent authority shall include the review of such changes in its continuing oversight in accordance with the principles laid down in point 21.B.221. If any non-compliance is found, the competent authority shall notify the organisation thereof, request further changes and act in accordance with point 21.B.225.
(b) For other changes requiring an application for approval in accordance with point IS.D.OR.255(b) of the Annex (Part‑IS.D.OR) to Delegated Regulation (EU) 2022/1645:
(1) upon receiving the application for the change, the competent authority shall check the organisation’s compliance with the applicable requirements before issuing the approval;
(2) the competent authority shall establish the conditions under which the organisation may operate during the implementation of the change;
(3) if it is satisfied that the organisation complies with the applicable requirements, the competent authority shall approve the change.
[applicable from 22 February 2026 – Regulation (EU) 2023/203]