In this Sofema Aviation Services white paper discussion, Steve Bentley, FRAeS, CEO of Sofema Aviation Services, explores how modern EASA auditing is evolving toward a more risk-based, performance-driven, and collaborative approach that strengthens safety culture while maintaining regulatory integrity.
Introduction
Here we will discuss each of the following points in turn:
- Applying a more practical, risk-based approach during audits
- Balancing compliance without losing effectiveness
- How to avoid being perceived as ‘policing’ and instead promote a culture of safety and continuous improvement
- How to interpret EASA requirements with flexibility
- How to ensure consistency between different auditors
The goal of the modern EASA auditor is not to find a “guilty party,” but to find a “broken process.” When we align our audits with the principles of Root Cause Analysis and Performance-Based Oversight, we stop being a burden to the Business Area Owner and start being the guardian of their operational resilience.
The bedrock of EASA comprises the Implementing Rules (IRs), the “Hard Law”, where there is no flexibility. The competence of a senior auditor lies in how they navigate the “Soft Law”: the Acceptable Means of Compliance (AMC) and Guidance Material (GM).
- The Foundation of Hard Law – When an auditor encounters a direct violation of an IR, the approach must be absolute, to ensure we maintain the structural integrity of the regulatory framework.
Applying the Risk-Based Lens
The “line” is drawn at the intersection of safety impact and systemic stability.
- A practical, risk-based approach asks: “Does this deviation increase the probability of a technical failure or an operational hazard?” The answer determines whether the risk is solid or administrative.
Drawing the Line – Effectiveness is lost when auditors focus on “low-value” findings that do not contribute to safety.
- We should ensure effectiveness by prioritizing findings that reveal a breakdown in the Management System or Safety Culture.
- If the “book” is used to punish minor administrative lapses while ignoring a toxic culture where engineers are afraid to report defects, the audit has failed its primary objective.
Performance-Based Oversight (PBO)
- A Masterclass auditor doesn’t just look at what is happening during the audit; they look at Safety Performance Indicators (SPIs).
- Effectiveness is lost when auditors focus on “low-value” findings while ignoring deteriorating safety trends. If an organization shows 100% compliance on paper but has a rising trend in “near-miss” incidents, the audit must pivot to investigate the effectiveness of the Management System.
Solid vs. Administrative Risk
- We must prioritize findings that reveal a breakdown in Safety Culture. If the “book” is used to punish minor administrative lapses while ignoring a toxic culture where staff are afraid to report defects, the audit has failed its primary objective.
From “Policing” to Partnership: Promoting a Culture of Continuous Improvement
The “Auditor-as-Police” archetype is a vestige of the pre-SMS era.
- It creates a “hide-and-seek” culture where Nominated Persons (NPs) only show the auditor what they want them to see.
- To move toward a culture of continuous improvement, the auditor must transition into the role of a Systemic Consultant.
The Transparency Shift – Auditors avoid the “policing” label by practicing Collaborative Auditing.
- This involves discussing potential findings with the Business Area Owner (BAO) in real-time.
- There should be “no surprises” at the closing meeting.
- When a finding is identified, the auditor should frame it as a “Systemic Vulnerability” rather than a “Personal Failure.”
The Auditor as a Mirror – Instead of saying, “You are non-compliant,” the effective auditor asks,
- “How does your current process prevent a mistake here?”
- By letting the BAO discover the gap themselves, the auditor promotes ownership.
- This shift fosters a Just Culture, where the organization views the audit as a free “stress test” of their defenses rather than a threat to their license.
Adding Value – Continuous improvement is triggered when the auditor highlights Observations (not just findings) that suggest better ways of working based on industry best practices.
- This demonstrates that the auditor is an asset to the organization’s growth, not just a hurdle to its operation.
The Interpretation Paradox: Flexibility vs. Consistency
EASA allows for Alternative Means of Compliance (AltMoC). To use an AltMoC, the organization must provide a full risk assessment and a detailed demonstration that the Implementing Rule (IR) is still met. The Competent Authority (CA) then evaluates this and, if they approve it, must notify EASA.
An auditor must recognize an organization’s unique methodology for meeting a requirement only when that methodology is supported by a Competent Authority (CA)-approved AltMoC.
This “flexibility” is not a subjective judgment made on the hangar floor; it is a formal regulatory status achieved only after the organization has:
- Demonstrated Equivalent Safety: Provided the CA with a comprehensive safety case, underpinned by data-driven evidence, proving that the proposed method meets the intent of the Implementing Rule (IR) as effectively as the published AMC.
- Conducted a Formal Risk Assessment: Identified and mitigated any latent hazards introduced by the alternative approach.
- Secured CA Approval and EASA Registration: Verified that the Competent Authority has officially approved the deviation and, where required, notified EASA of the registration.
Ensuring Auditor Consistency – Inconsistency between auditors is a leading cause of frustration for NPs and Accountable Managers.
To mitigate this, Sofema and similar high-level organizations advocate for:
- The Compliance Library: A centralized record of internal “Interpretative Bulletins.” When a complex regulation is interpreted in a specific way, it is recorded so future auditors follow the same logic.
- Peer Review and Shadow Audits: Regularly “auditing the auditor” ensures that one individual isn’t being overly lenient while another is being excessively rigid.
- Standardization Meetings: Senior auditors should meet regularly to discuss “Grey Areas” and align their philosophies.
The Objective Standard – Consistency is achieved not by making every auditor think the same, but by ensuring they all use the same objective evidence criteria.
If three different auditors examine the same set of data, the evidence should lead them to the same conclusion, regardless of their personal styles.
Closing the Loop: Root Cause and Effectiveness
A significant shortfall in traditional auditing is stopping at the identification of the finding. A Masterclass audit focuses on the “Why” and the “Next Step.”
- Focus on Root Cause: The auditor should push the organization to investigate the why.
- Verification of Effectiveness: An audit is only truly closed when there is evidence that the corrective action actually reduced the risk, rather than just masking the symptom.
Conclusion
Modern EASA auditing is a high-level balancing act. It requires the backbone to uphold Hard Law, the intellect to interpret Soft Law, and the emotional intelligence to foster a Safety Culture. When we audit the process instead of the person, we transform from a regulatory hurdle into a strategic asset.
Next Steps
Join Sofema for an open-access EASA Compliance Auditors Masterclass on 20 May, led by industry expert and CEO, Steven Bentley. This session will explore the evolving auditor role under Part-CAMO and SMS, focusing on risk-based auditing and modern competencies. Register here as places are limited.
Explore 525+ aviation courses at Sofema, or contact [email protected] for support.
Tags:
SMS, SafetyManagementSystem, EASACompliance, AviationSafety, ContinuousImprovement, AviationTraining, RegulatoryCompliance, AviationWebinars, SofemaAviationServices, AviationAuditing, Sofema Aviation (SA), RiskBasedAuditing

