(a) The certificate holder must develop and maintain processes and systems to acquire data with respect to its operations, products, and services to monitor the safety performance of the organization. These processes and systems must include, at a minimum, the following:

(1) Monitoring of operational processes.

(2) Monitoring of the operational environment to detect changes.

(3) Auditing of operational processes and systems.

(4) Evaluations of the SMS and operational processes and systems.

(5) Investigations of incidents and accidents.

(6) Investigations of reports regarding potential non-compliance with regulatory standards or other safety risk controls established by the certificate holder through the safety risk management process established in subpart C of this part.

(7) A confidential employee reporting system in which employees can report hazards, issues, concerns, occurrences, incidents, as well as propose solutions and safety improvements.

(b) The certificate holder must develop and maintain processes that analyze the data acquired through the processes and systems identified under paragraph (a) of this section and any other relevant data with respect to its operations, products, and services.

[80 FR 1326, Jan. 8, 2015, as amended at 82 FR 24010, May 25, 2017]