Sofema Aviation Services Addresses Common Non-Conformities in EASA Audits

June 06, 2025

Blog

Steve Bentley, FRAeS and CEO of Sofema Aviation Services (with over 30 years of auditing experience), comments on the challenges of driving an effective compliance system

Introduction

As an auditor with over 30 years of experience, I firmly believe there are no truly “common” findings in EASA audits. However, there are areas of shortfall.

Each audit is inherently unique & shaped by the organisation’s context, its operational complexities, its safety culture maturity, and its interpretation of compliance obligations.
While trends in findings may appear across audits, framing them as “common” risks oversimplifying the nuanced reality of regulatory oversight.

That said, certain areas of non-conformities do frequently emerge, often because operators underestimate the regulatory expectations or treat compliance as a checklist exercise rather than an embedded, proactive system. Examples include:

Incomplete Management System Documentation: Organizations frequently fail to fully document their safety and compliance processes, particularly in aligning with EASA’s expectations under Part 21, 145, CAMO, or Part IS.
- This often stems from a misunderstanding of terms like “sufficient” or “appropriate” in EASA guidance, which are inherently subjective and require contextual interpretation.
Insufficient Data-Driven Risk Management: Many SMS implementations remain reactive, lacking predictive analytics, trend analysis, or data integration across departments.
- Operators may fulfill the basic requirements of hazard reporting and risk registers, but fail to demonstrate a proactive risk management system that identifies emerging risks before they manifest.

Training & Competence Disconnects

One of the most underestimated challenges in achieving sustainable compliance within an EASA-regulated environment is the disconnect between training completion and demonstrated competence.

Too often, organizations approach training as a transactional exercise—attending a course, completing an assessment, or holding a certificate—without critically assessing whether the training has resulted in the desired behavioural changes, knowledge application, and improvement in safety performance.

The Problem: Training ≠ Competence

In many organizations, training programs are structured around regulatory requirements rather than operational needs or risk profiles. The focus often remains on compliance demonstration (“Have we delivered the mandatory training?”) rather than performance measurement (“Has the training improved safety outcomes or operational effectiveness?”).

This results in:

Recurrent training that becomes routine and predictable, failing to engage participants or address evolving risks.
A lack of linkage between training activities and measurable safety performance indicators (SPIs), such as reduced incidents, improved reporting rates, or enhanced risk awareness.
Minimal follow-up on how training translates into behavioural change—the critical test of competence.
Failure to integrate training outcomes into the Safety Management System (SMS), leading to missed opportunities for continuous improvement.

The Solution: Shift from “Training Delivery” to “Competence Development”

To close this gap, organizations should reframe their training approach through the lens of competence management. Here’s how:

Define Competence Profiles – Move beyond regulatory requirements by developing detailed Competence Profiles for each safety-critical role, aligned with EASA AMC & GM, ICAO Doc 10002, and industry best practices. These profiles should specify:

Knowledge, skills, and attitudes required.
Performance criteria linked to operational scenarios and risk exposure.
Integration of human factors and non-technical skills (e.g., communication, decision-making, situational awareness).

Design Targeted, Risk-Based Training – Build training programs based on a risk assessment of your operations. For example:

Does the organization face new hazards (e.g., cybersecurity threats, operational complexities)?
Are there emerging trends in audit findings or safety reports that require targeted competence refreshers?
How can training support proactive risk management rather than just compliance?

Integrate Training Outcomes into SMS – Treat training as a safety performance tool. After each training cycle:

Measure effectiveness through feedback, knowledge assessments, and practical evaluations.
Track impact on safety performance indicators (e.g., reduction in errors, improved safety reporting rates, fewer procedural deviations).
Include training performance data in safety reviews, management meetings, and continuous improvement discussions.

Adopt a Continuous Improvement Model:

Implement post-training reviews (e.g., 30/60/90-day follow-ups) to assess how knowledge is being applied in practice.
Conduct training needs analysis (TNA) annually, or after significant events, regulatory changes, or safety performance deviations.
Ensure audit and feedback loops: Internal audits should evaluate not only training delivery but also competence outcomes and their effectiveness in managing operational risk.

Leverage a Blended Learning Approach:

Incorporate practical scenarios, case studies, simulations, and on-the-job assessments.
Use e-learning to cover theoretical content, freeing up in-person sessions for deep-dives, discussions, and skill application.

Define Accountability:

Assign clear responsibility for training oversight (e.g., Training Manager, Safety Manager, Quality Manager).
Ensure management engagement: Leaders must champion a culture where training is not a compliance task but a strategic investment in safety and performance.

EASA Guidance Alignment

Remember, EASA regulations are deliberately non-prescriptive in areas like competence management. Phrases like “appropriate”, “sufficient appear frequently in AMC/GM material—placing the onus on the organization to define its own standards.

Therefore, the regulatory minimum is:

To have a system that ensures personnel are competent to perform their tasks.
To maintain records of competence assessment, training completion, and evaluation.
To demonstrate continuous monitoring and improvement of training effectiveness within the SMS framework.

But the best practice is to go further:

To establish a robust Competence Management System where competence is a measurable, managed outcome—not just a certificate in a file.

Training and Competence Gaps: Training programs, particularly recurrent or continuation training, often fall short of ensuring competence.

- Organizations may “tick the box” for training completion but fail to measure its effectiveness, link it to safety performance outcomes, or integrate it into the continuous improvement cycle.

Weak Internal Audit Systems: Internal audits frequently focus on compliance verification rather than system effectiveness. Audit programs may lack depth in their sampling, fail to analyze trends in findings, or avoid addressing systemic issues, resulting in a superficial understanding of the organization’s true safety performance.

Poor Justification for Deviations and Tailored Processes: When operators adapt regulatory requirements to their specific context (as they are encouraged to under a risk-based framework), they often neglect to document the rationale behind these adaptations. This leaves a compliance gap when EASA expects to see clear, risk-based justifications for any “tailored” or alternative approaches.

Important Consideration – A Shift in Focus: From Compliance to Excellence

The real issue lies not in identifying so-called “common” non-conformities, but in challenging the mindset that treats regulatory compliance as the endpoint. EASA’s language—terms like sufficient, appropriate, proportionate—deliberately avoids prescribing rigid, one-size-fits-all standards. This places the burden on each organization

To define its own standards—not merely to meet the regulatory bar but, wherever possible, to exceed it.

Challenging teams to ask: “What does ‘sufficient’ mean in our context?”—not waiting for regulators to define it but owning the responsibility to establish standards that reflect the organization’s unique risks and opportunities.

Final Thoughts

In summary, while auditors can provide insights on areas where operators may fall short—such as in documentation, risk management, training, or internal audits

The real takeaway should not be a list of “common” findings. Rather, it is a call for a mindset shift: from aiming for compliance to striving for excellence.
EASA provides the regulatory framework, but it is the organization’s duty to interpret, adapt, and ultimately surpass these requirements in the interest of safety, performance, and continuous improvement.