Corrective Action Plan (CAP)

A Corrective Action Plan is the formal mechanism by which an EASA-approved organization acknowledges a compliance finding and commits to a structured remediation pathway. The legal obligation to respond to findings is set out in ORO.GEN.150 (for AOC holders under Commission Regulation (EU) No 965/2012), ORA.GEN.150 (for ATOs under Commission Regulation (EU) No 1178/2011), and CAMO.A.150 (for CAMOs under Commission Regulation (EU) 2017/363). For Part-145 maintenance organizations, the parallel provision is 145.A.95. AMC1 to each of these articles defines the content, timeline, and acceptance criteria for a CAP in response to a Competent Authority finding.

Findings are classified into two levels. A Level 1 finding is any significant non-compliance with applicable requirements that lowers safety below an acceptable standard or seriously hazards flight safety. The organization must respond to a Level 1 finding with immediate action (typically within 24 hours to 3 working days depending on the authority's direction) and submit a CAP within a timeline specified by the Competent Authority, which is normally no longer than 14 days. A Level 2 finding is any other non-compliance that does not meet the Level 1 threshold. Under AMC1 ORO.GEN.150, the organization has 90 days from the date of written notification to submit a CAP for a Level 2 finding, and the CAP must demonstrate that corrective actions will be completed within a further period agreed with the Competent Authority — typically no more than 6 months from the finding date, though extensions can be granted for systemic issues requiring structural change.

A properly structured CAP contains six mandatory elements. First, immediate corrective action (containment): the steps taken straight away to eliminate or reduce the safety risk while the root cause is investigated — for example, suspending a specific operation, withdrawing a manual revision, or removing an instructor from line duties pending investigation. Second, root cause analysis: identification of the underlying systemic reason the non-compliance occurred, not just the surface symptom. Root cause analysis frameworks commonly used in aviation include the Reason Model (latent and active failure analysis), the SHELL model, and the Ishikawa (fishbone) diagram methodology. Third, corrective action: the specific change to process, procedure, documentation, training, or resource that directly addresses the root cause. Fourth, preventive action: broader systemic measures that prevent recurrence across similar processes or areas not covered by the corrective action — this is the element most commonly omitted or superficially treated. Fifth, a responsible person and target completion date for each action item. Sixth, a verification method — how the organization will confirm the actions have been implemented and are effective, which typically means a follow-up internal audit of the relevant area.

The CAP concept exists within the broader Safety Management System (SMS) framework as defined under ORO.GEN.200 and Part-ORA ORA.GEN.200. The SMS's Safety Assurance function (AMC1 ORO.GEN.200(a)(3)) requires organizations to monitor the effectiveness of safety risk controls — which includes verifying that corrective actions from both internal and external findings are effective and do not introduce new risks. A CAP that is technically compliant with the regulatory response requirements but fails to address the systemic root cause will produce a repeat finding at the next oversight cycle, which is itself a Management System finding under ORO.GEN.200. EASA standardization reports consistently identify repeat findings as a marker of Management System immaturity.

Under FAA regulations, the functional equivalent process is governed by different instruments depending on the enforcement context. For certificate holders, 14 CFR Part 13 defines FAA enforcement procedures; enforcement-related actions are described in FAA Order 2150.3C (FAA Compliance and Enforcement Program). The FAA's Compliance Program (Order 8000.373A) emphasises compliance actions over legal enforcement where the certificate holder demonstrates good faith — the equivalent of submitting an acceptable CAP. Letters of Investigation (LOIs) and Certificate Action proceedings are the FAA mechanisms that create the formal response obligation most analogous to a Competent Authority Level 1 finding. Part 5 SMS (§ 5.75) also requires a corrective action process as part of Safety Assurance for Part 121 air carriers, with substantive overlap with the EASA CAP concept.

The quality of an organization's CAP responses is one of the clearest indicators of Management System maturity visible to a Competent Authority oversight inspector. A CAP that simply documents the symptom-level fix without root cause analysis — for example, responding to a finding about expired medical certificates by updating the specific affected file, without addressing why the tracking system failed — will close the immediate finding but leave the underlying vulnerability intact. The organization may achieve formal CAP closure while remaining structurally susceptible to the same non-compliance. When the same finding recurs at the next oversight cycle, the Competent Authority faces a choice between accepting another CAP and escalating to Level 1 classification or certificate action — and the organization faces the credibility damage of demonstrating that its corrective action processes are ineffective.

The relationship between the CAP process and Just Culture is important and often misunderstood. A finding does not imply individual misconduct; the CAP response should focus on systemic root causes rather than individual blame. When organizations use CAPs as a vehicle for disciplinary action against the individual associated with the non-compliance, they suppress the reporting culture and the information flow that makes both the SMS and the Compliance Monitoring Function effective. EASA's Just Culture framework (defined in Regulation (EU) 376/2014 and its implementing regulation (EU) 2015/1018 for occurrence reporting) explicitly protects individuals who report safety concerns in good faith, and the same cultural logic applies to the internal compliance monitoring environment. A CAP that documents a process fix alongside a named employee's disciplinary outcome undermines both functions simultaneously.

Aviatize's compliance and auditing module manages the full CAP lifecycle from finding creation to verified closure. When an internal audit raises a finding — or when a Competent Authority finding is recorded — the module generates a structured CAP record with fields mapped to the six required elements: immediate containment action, root cause analysis narrative, corrective action, preventive action, responsible person assignment, and target date. The finding is classified (Level 1 / Level 2 / Observation) at creation, and the module enforces the relevant response timelines through automated escalation alerts — the CMM and Accountable Manager receive notifications if a CAP response has not been initiated within the regulatory window. Each CAP item is tracked individually to closure, with evidence attachment for completed actions and a mandatory verification step before the finding can be marked closed.

For the preventive action and effectiveness verification elements — the parts most commonly omitted in manual CAP processes — Aviatize links CAP records to the audit program: completing a CAP with a preventive action automatically generates a follow-up audit task in the CMM's program for the relevant area, scheduled at the verification date specified in the CAP. This closes the loop between finding, remedy, and confirmation of effectiveness rather than leaving verification as an informal judgement. The KPI reporting and dashboards module surfaces CAP metrics — open findings by age, findings by area, repeat findings by regulatory reference — providing the Accountable Manager and the Competent Authority with the compliance health indicators that demonstrate the organization's corrective action process is functioning rather than merely recording findings.