Regulation (EU) 2018/395

1. The operator shall establish, implement and maintain a management system that includes all of the following:
   1. clearly defined lines of responsibility and accountability throughout the organisation of the operator, including a direct safety accountability of the accountable manager;
   2. a description of the overall philosophies and principles of the operator with regard to safety, which shall be known as the safety policy;
   3. the identification of aviation safety hazards entailed by the activities of the operator, the evaluation of those hazards and the management of associated risks, including by taking actions to mitigate those risks where necessary and verifying the effectiveness of those actions;
   4. maintaining personnel trained and competent to perform their tasks;
   5. documentation of all key processes of the management system, including a process for making personnel aware of their responsibilities and the procedure for amending that documentation;
   6. a function to monitor compliance of the operator with the requirements of this Annex. Such compliance monitoring shall include a feedback system of findings to the accountable manager of the operator to ensure effective implementation of corrective actions as necessary;
   7. the processes necessary to ensure compliance with the requirements of Articles 4, 5, 6 and 13 of Regulation (EU) No 376/2014.
2. The management system shall correspond to the size of the operator and the nature and complexity of its activities, taking into account the hazards and associated risks of those activities.

ED Decision 2018/004/R

The safety policy should include a commitment to improve towards the highest safety standards, comply with all applicable legal requirements, meet all applicable standards, consider best practices, and provide appropriate resources.

ED Decision 2018/004/R

Hazard identification and safety risk management should:

1. be performed using internal safety or occurrence reports, hazard checklists, risk registers or similar risk management tools or processes, integrated into the activities of the operator;
2. in particular address safety risks related to a change; by making use of the existing hazard identification, risk assessment and mitigation tools or processes; and
3. include provisions for emergency response or a formal emergency response plan (ERP) to define the actions to be taken by the operator or specified individuals in an emergency.

ED Decision 2018/004/R

The safety training programme may consist of self-instruction via the media (newsletters, flight safety magazines, etc), classroom training, e-learning or similar training provided by training service providers.

ED Decision 2018/004/R

MANAGEMENT SYSTEM DOCUMENTATION

1. The operator’s management system documentation should at least include the following information:
   1. a statement signed by the accountable manager to confirm that the operator will continuously work in accordance with the applicable requirements and the operator’s documentation, as required by this Annex;
   2. the operator’s scope of activities;
   3. the titles and names of persons referred to in BOP.ADD.040(a) and (c);
   4. an organisation chart showing the lines of responsibility among the persons referred to in BOP.ADD.040;
   5. a general description and location of the facilities referred to in BOP.ADD.045;
   6. procedures specifying how the operator ensures compliance with the applicable requirements;
   7. the amendment procedure for the operator’s management system documentation.
2. The operator’s management system documentation may be included in a separate manual, or in (one of) the manual(s) required in this Annex. A cross reference should be included.

ED Decision 2018/004/R

1. Methodology
   1. The operator should accomplish the compliance monitoring by means of internal auditing.
   2. Notwithstanding (1), an operator with five or less full-time equivalents (FTEs), involved in the activity subject to this Subpart, may choose to accomplish compliance monitoring through an organisational review.
2. General provisions for compliance monitoring
   1. The operator should specify the basic structure of the compliance monitoring function applicable to the activities conducted.
   2. The operator should ensure that personnel performing an audit or an organisational review, either internal to the operator or external, have relevant knowledge, background and experience as appropriate to the activities being audited or reviewed, including knowledge and experience in compliance monitoring.
   3. The operator should monitor compliance with the procedures it has designed to ensure safe activities. In doing so, the operator should as a minimum, and where appropriate, monitor compliance with:
      1. all activities for which the declaration is required;
      2. manuals, logs and records;
      3. training standards;
      4. management system procedures; and
      5. standard operating procedures (SOPs).
   4. The operator should ensure that the status of all corrective and preventive actions is monitored and that these actions are implemented within a specified time frame. Action closure should be recorded along with a summary of the action taken.
   5. Based on the results of the audit or the organisational review, the accountable manager should determine the need for and initiate, as appropriate, further actions to address deficiencies or to further improve the operator’s management system.
3. Provisions, in addition to (b), for auditing
   1. The independence of the audit function should be ensured, in particular in cases where those performing the audit are also responsible for other functions for the operator.
   2. The operator should establish a compliance monitoring programme, defining a calendar for the audits to be performed. The frequency and depth of such audits should be determined with due regard to:
      1. the volume and complexity of operations;
      2. results of the safety risk management processes;
      3. results of past compliance monitoring;
      4. findings raised by the competent authority; and
      5. the scope of changes not requiring prior competent authority approval.
4. Provisions, in addition to (b), for the organisational review
   1. The organisational review should be performed at intervals not exceeding 12 months.
   2. As part of the management system documentation, the operator should describe the organisational review programme and related responsibilities.
   3. The organisational review programme may consist of:
      1. checklist(s) covering all items necessary to be addressed in order to demonstrate that the operator ensures effective compliance with the applicable requirements; \\and
      2. a schedule for the accomplishment of the different checklist items, where each item should be checked at least at intervals not exceeding 12 months.

ED Decision 2018/004/R

1. ‘audit’ means a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which requirements are complied with.
2. ‘organisational review’ means a systematic and documented process for obtaining evidence and evaluating it to determine the extent to which requirements are complied with.

ED Decision 2018/004/R

1. Compliance monitoring audits or organisational reviews may be documented using a compliance monitoring checklist. The following provides a basic checklist, to be adapted as necessary to address the particular type of operations and to cover all relevant procedures described in the management system documentation and operations manual.
2. Each checklist item may be addressed using an appropriate combination of:
   1. review of records and documentation;
   2. interview of the personnel involved; and
   3. feedback provided by contractors.

bop.add.030compliance_monitoring_checklist.pdf

BOP.ADD.035 Contracted activities