An SMS gap analysis is the structured self-assessment a Part 135 operator runs to compare its operation against every requirement in 14 CFR Part 5 — across all four SMS components — and to document where it already complies, partially complies, or has a gap. It is the first thing operators do toward the May 28, 2027 deadline. The output is a gap register: one row per Part 5 requirement, each with a status, the evidence found, the corrective action needed, an owner, and a target date. The FAA's free Part 5 automation/SAS gap tools (FAA guidance) give you the requirement checklist; the discipline you must add is treating the register and its corrective-action close-out evidence as version-controlled compliance records, retained per §5.97 — not a spreadsheet that goes stale before your first surveillance evaluation.
How to Do an SMS Gap Analysis: The 5-Step Framework
"How to do an SMS gap analysis" is the most common search behind this topic, and the honest answer is that it is a disciplined inventory, not a mystery. You are comparing what your operation does today against what 14 CFR Part 5 requires, line by line, and writing down the difference. Here is the framework that produces a usable result rather than a binder that sits on a shelf.
Build the requirement checklist
List every applicable Part 5 line item across the four components — plus the §5.95 documentation requirement and the §5.97 records-retention requirements. The FAA’s Part 5 automation tool and SAS gap guidance (FAA guidance) lay out the same requirement set and make a good source checklist. This is your assessment scope.
Assess current state, line by line
For each requirement, gather what already exists — a general operations manual, training records, an informal reporting habit — and rate it: compliant, partial, or gap. Be ruthless. “We sort of do this verbally” is a gap, because Part 5 wants a documented process you can evidence.
Log everything in a gap register
One row per requirement: the Part 5 cite, the current status, the evidence you found (or the absence of it), the corrective action needed, an owner, and a target close-out date. This register is the deliverable — and it is a compliance document, not a scratch file.
Prioritize the structural gaps first
Items where there is no process at all come first: a missing accountable executive designation (§5.25), no written safety reporting policy (§5.21(a)(4)), no hazard-identification process (§5.51–§5.53). These are the load-bearing pieces the rest of the SMS hangs on.
Close each gap — and keep the proof
Closing a gap means producing the actual artifact (the signed policy, the documented process, the training record) and recording the close-out in the register. The close-out evidence is what a FAA inspector verifies. Retain it per §5.97 — the register is never “done,” it is maintained.
A gap analysis is not a risk assessment — don't confuse the two
The gap analysis asks "what parts of Part 5 am I missing?" The risk assessment (§5.51–§5.55) asks "how severe is this specific hazard and what control do I need?" The gap analysis tells you whether you even have a hazard-identification process; the risk assessment is the output of running that process. You do the gap analysis to start your SMS; a mature SMS produces risk assessments continuously.
The Part 135 SMS Gap Analysis Checklist, by Component
A "Part 135 SMS gap analysis checklist" is simply the Part 5 requirements turned into assessment questions. Below is a working checklist organized by the four components you gap-assess against. For each line, your gap register records compliant / partial / gap, the evidence, and an owner. Every requirement here is drawn from the text of 14 CFR Part 5; confirm the current text against the regulation and your assigned FSDO.
Safety Policy
14 CFR §5.21–§5.27Does the operation have the governance pieces Part 5 requires before anything else can function?
Gap-analysis questions for this component
- Is there a signed safety policy with safety objectives and a resourcing commitment? (§5.21)
- Is an accountable executive — with control of the financial and human resources — designated and documented? (§5.25)
- Is there a written safety reporting policy and a definition of unacceptable behavior / disciplinary action? (§5.21(a)(4)–(5))
- Is there an emergency response plan? (§5.27)
- Are SMS roles and responsibilities assigned to management personnel? (§5.25)
Safety Risk Management
14 CFR §5.51–§5.55Is there a documented process to identify hazards and analyze, assess, and control risk — applied to new systems, changes, and procedures?
Gap-analysis questions for this component
- Is safety risk management applied to new systems, revised systems, and new operational procedures? (§5.51)
- Is there a documented hazard-identification process? (§5.53)
- Is there a defined method to analyze and assess safety risk (likelihood + severity)? (§5.55)
- Is there a process to develop and implement risk controls, and to re-assess after controls are applied?
- Are hazards found through safety assurance fed back into the risk-management process? (§5.51)
Safety Assurance
14 CFR §5.71–§5.75Does the operation monitor, audit, and investigate to confirm the SMS and its risk controls are actually working?
Gap-analysis questions for this component
- Are operational processes and the operational environment monitored for change? (§5.71)
- Are operational processes and systems audited, and is the SMS itself evaluated? (§5.71)
- Are incidents, accidents, and potential regulatory non-compliance investigated? (§5.71)
- Is there a confidential employee reporting system for hazards and concerns? (§5.71)
- Is collected data analyzed, and is corrective action taken and tracked to closure? (§5.73–§5.75)
Safety Promotion
14 CFR §5.91–§5.93Do the people who operate the SMS have the training and the safety communication they need to do their part?
Gap-analysis questions for this component
- Is SMS training provided to each individual identified in §5.23, sufficient to attain and maintain competency? (§5.91)
- Are training completions documented for every covered individual?
- Is safety information communicated throughout the organization? (§5.93)
- Are safety communications (bulletins, meetings, lessons learned) recorded?
- Is there evidence the workforce understands the safety reporting policy and how to use it?
Single-pilot operators: scope the checklist, don't skip it
Under §5.9(e), a single-pilot Part 135 operator (one pilot performing all necessary functions) is exempted from specific line items — including §5.21(a)(4), §5.21(a)(5), §5.23(a)(2), §5.23(a)(3), §5.27(a)–(b), §5.71(a)(7), §5.93, and §5.97(d). Mark those as not-applicable in your register; assess and close everything else. The deadline is the same May 28, 2027. See our single-pilot Part 135 SMS guide for the full applicability breakdown.
Turn your gap analysis into an audit-ready evidence trail
FileFlo's free FAA readiness score takes 3 minutes and shows which document gaps are most likely to surface in a Part 5 SMS surveillance evaluation. It is the fastest way to sanity-check where your gap register should start. No signup required. Free.
5-day free trial · No credit card required · Cancel anytime
The Gap Register: Why It's a Tracked Document, Not a One-Time Report
Most "SMS gap analysis tool" searches are looking for a checklist that spits out a report. That report is the easy half. The half that determines whether you pass your first surveillance evaluation is what happens to the report afterward — and that is where the gap register comes in. The register is the living document that tracks each Part 5 requirement from "gap" to "closed," along with the evidence that proves the closure.
Here is the structure of a workable gap register. Each row is one requirement; the register as a whole is the audit trail of your implementation.
Anatomy of an SMS gap register
| Part 5 Requirement | Status | Evidence / Gap | Corrective Action | Owner | Close-out |
|---|---|---|---|---|---|
| §5.25 Accountable executive designated | Gap | No formal designation on file | Draft + sign designation letter | Owner/CEO | Signed letter, dated |
| §5.21 Signed safety policy | Partial | Draft exists, unsigned | Finalize + executive signature | Dir. of Safety | Signed policy, v1.0 |
| §5.21(a)(4) Safety reporting policy | Gap | Informal verbal reporting only | Write reporting policy + form | Dir. of Safety | Policy + reporting process |
| §5.51–§5.53 Hazard ID process | Gap | No documented process | Adopt hazard-ID procedure | Dir. of Safety | Procedure in SMS manual |
| §5.71 Confidential reporting system | Partial | Mailbox exists, not confidential | Stand up confidential channel | Dir. of Safety | System + first reports |
| §5.91 SMS training (per §5.23) | Gap | No SMS-specific training | Build + deliver training | Dir. of Safety | Completion records |
Illustrative structure only — your register reflects your actual operation and the current text of 14 CFR Part 5.
Notice what the right-hand columns do: every closed row points to a real artifact — a signed letter, a procedure in the SMS manual, a set of training completion records. That artifact is the corrective-action evidence, and it is the thing a FAA principal inspector actually verifies. A gap register with green statuses but no linked evidence is exactly the kind of document that falls apart during a Part 135 surveillance evaluation.
The register also has a retention dimension that operators routinely miss. The documents that close out your gaps are SMS records, and 14 CFR §5.97 sets concrete retention periods: Safety Assurance records (audits, evaluations, monitoring data) for a minimum of 5 years; Safety Risk Management records for as long as the control remains relevant; training records for as long as the individual is employed. The gap analysis is the on-ramp to a recordkeeping obligation that never ends — see our aviation records retention schedule and what records a Part 135 operator must keep for the full picture.
Where FileFlo Fits: The Register and Its Evidence, Kept Audit-Ready
FileFlo holds the proof — it does not run your SMS or write your manual
FileFlo is a compliance document intelligence platform — the proof layer. It classifies, indexes, version-controls, and tracks the expiration of the documents that close out your gap register, and it produces an inspector-format evidence binder on demand. It is not an SMS platform, does not run your safety management system, does not author your SMS manual, does not replace a safety manager or director of safety, and does not give legal or safety-program advice. It does not run the gap analysis for you — it keeps the resulting register and its evidence audit-ready.
The FAA's free Part 5 tools (FAA guidance) are good at the front of the process — laying out the requirements and helping you produce a point-in-time gap report. The problem they don't solve is the two-plus years between starting your analysis and your first surveillance evaluation, during which gaps close one by one, the SMS manual gets revised, training records accumulate, and the corrective-action evidence has to stay organized and retrievable. That is a document-management problem, and it is the one FileFlo is built for.
Each Gap-Register Row Links to Real Evidence
When you close a gap — a signed accountable-executive designation (§5.25), a documented hazard-ID procedure (§5.51), a set of SMS training completions (§5.91) — FileFlo classifies the uploaded artifact against the specific Part 5 section it satisfies, so a green row in your register always points to a verifiable document rather than an assertion.
Expiration & Retention Tracking per §5.97
Safety Assurance records carry a 5-year minimum; training records persist for the individual’s employment; risk-control records persist while the control is relevant. FileFlo tracks these retention clocks and surfaces recurrent items (training, audits) 90/60/30 days out, so a closed gap doesn’t silently re-open as a stale record.
One-Click Part 5 Evidence Binder
When your FAA principal inspector asks for SMS documentation, FileFlo generates a Part 5-organized evidence binder — indexed by component and section — in seconds, drawn from the same documents that close out your gap register. The same binder supports ACSF, IS-BAO, and ARGUS audit preparation.
Coverage Across the Full Part 135 Stack
Your SMS evidence sits alongside the rest of your Part 135 records. FileFlo classifies 600+ document types against the governing CFR — GOM/GMM revisions, pilot currency, training records, drug & alcohol program records, and more — so the gap register and the broader compliance file live in one audit-ready place.
Starter Plan
$89/mo
Up to 100 documents/month · 3 users
For solo owner-operators and small teams starting their SMS gap register and documentation program.
Professional Plan
$299/mo
Unlimited documents + users · audit trail · employee auto-detection
For Part 135 operators managing the full SMS evidence load across all four components.
Frequently Asked Questions
What is an SMS gap analysis?
An SMS gap analysis is the structured self-assessment a Part 135 operator runs to compare its current operation against every requirement in 14 CFR Part 5 — the four SMS components (Safety Policy in §5.21–§5.27, Safety Risk Management in §5.51–§5.55, Safety Assurance in §5.71–§5.75, and Safety Promotion in §5.91–§5.93) — and document where the operation already complies, partially complies, or does not yet comply. It is the literal first action most operators take after the May 28, 2027 deadline lands on their radar, because you cannot build an implementation plan until you know which of the dozens of Part 5 line items you are missing. The output is a gap register: a line-by-line record mapping each Part 5 requirement to a status (compliant / partial / gap) and an owner. That register, plus the evidence that closes each gap, is itself a compliance document the FAA expects to see.
How do you do an SMS gap analysis for Part 135?
You do an SMS gap analysis in five steps. (1) Build the requirement checklist: list every applicable 14 CFR Part 5 line item across the four components, plus the §5.95 documentation and §5.97 records requirements. (2) Assess current state: for each line, gather what you already have — manuals, training records, reporting processes — and rate it compliant, partial, or gap. (3) Log it in a gap register: one row per requirement with the Part 5 cite, current status, the evidence you found, the corrective action needed, an owner, and a target date. (4) Prioritize: the items with no process at all (a missing accountable executive designation under §5.25, no safety reporting policy under §5.21(a)(4), no hazard-identification process under §5.51) come first. (5) Close and evidence each gap, then retain the close-out proof. The FAA's free Part 5 automation/SAS gap tools (FAA guidance) walk you through the same requirement set; the discipline the operator must add is treating the register and its close-out evidence as tracked, versioned records rather than a spreadsheet that goes stale.
Is there a Part 135 SMS gap analysis checklist?
Yes — a Part 135 SMS gap analysis checklist is simply the full list of 14 CFR Part 5 requirements turned into yes/no/partial questions. A workable checklist has a section for each of the four components: Safety Policy (is there a signed safety policy under §5.21? an accountable executive designated under §5.25? a safety reporting policy under §5.21(a)(4)? an emergency response plan under §5.27?), Safety Risk Management (is there a documented hazard-identification and risk-assessment process under §5.51–§5.55?), Safety Assurance (do you monitor operational processes, audit them, investigate incidents, and run a confidential employee reporting system under §5.71?), and Safety Promotion (is SMS training provided to the personnel identified in §5.23, per §5.91, and are safety communications happening under §5.93?). The FAA publishes a Part 5 automation tool and SAS-based gap guidance (FAA guidance) that operators can use as the source checklist. The point of the exercise is not the checklist itself — it is the gap register you produce from it and the corrective-action evidence you keep.
What is the difference between an SMS gap analysis and a risk assessment?
They are different documents that get confused because both appear in Part 5 work. A gap analysis (a one-time, then periodically repeated, implementation activity) compares your organization against the Part 5 requirements and asks “what parts of the regulation am I missing?” A risk assessment (an ongoing operational activity required by the Safety Risk Management component, §5.51–§5.55) analyzes a specific hazard or operational change and asks “how likely and how severe is this risk, and what controls do I need?” Put simply: the gap analysis tells you whether you have a hazard-identification process at all; the risk assessment is the output of running that process on a real hazard. The gap analysis is how you start your SMS; the risk assessment is something a mature SMS produces continuously. Both are tracked records — the gap register closes out once gaps are remediated, while risk assessments are retained for as long as the related control remains relevant to the operation under §5.97(a).
Who can perform an SMS gap analysis?
An SMS gap analysis can be performed in-house by the operator — typically the accountable executive (§5.25), the person designated to manage the SMS, or a director of safety — or by an outside aviation safety consultant. There is no FAA requirement that a third party run it; many small and single-pilot Part 135 operators complete the self-assessment internally using the FAA's Part 5 automation tool and SAS gap guidance (FAA guidance). What matters to the FAA is not who ran the analysis but that the operation actually meets the Part 5 requirements by May 28, 2027 and can produce the documentation under §5.95 and records under §5.97. Whoever performs it, the gap register and the corrective-action close-out evidence should be retained as compliance records — a consultant's slide deck that is not version-controlled and tied to the underlying evidence does not survive a surveillance evaluation.
Is there a free FAA SMS gap analysis tool?
Yes. The FAA provides a Part 5 SMS framework and supporting automation/self-evaluation guidance (often referenced alongside the Safety Assurance System, SAS) that operators can use to walk through each Part 5 requirement — this is FAA guidance, not a separate regulation. It is genuinely useful for building your requirement checklist and seeing the four components laid out. What a free assessment tool does not do is keep your gap register and corrective-action evidence audit-ready over the two-plus years between starting your analysis and your first surveillance evaluation. A tool that produces a point-in-time report still leaves you with the harder problem: version-controlling the register as gaps close, tracking the documents that prove each close-out, and retaining everything per §5.97. That ongoing document-and-proof job is where a compliance document platform fits alongside — not instead of — the FAA's free tool.
How much does an SMS gap analysis cost for a Part 135 operator?
The cost of an SMS gap analysis varies widely. Running it yourself with the FAA's free Part 5 tools (FAA guidance) costs only staff time — often a few days of focused work for a small operator to inventory current state against the Part 5 requirements. Hiring an aviation safety consultant to perform the gap analysis and draft the gap register commonly runs into the low-to-mid four figures for a small Part 135 certificate and higher for larger fleets, depending on scope and whether they also help build the SMS manual. We don't publish a fixed market price because it depends on fleet size, how much SMS infrastructure already exists, and whether the consultant also implements. The recurring cost most operators underestimate is not the one-time analysis — it is keeping the gap register and the corrective-action evidence current and retrievable through 2027 and beyond. FileFlo's role addresses that recurring document cost ($89/mo Starter, $299/mo Professional), not the consulting fee.
Do single-pilot Part 135 operators have to do an SMS gap analysis?
Yes. Single-pilot Part 135 operators are subject to the same May 28, 2027 compliance date as every other Part 135 certificate holder — there is no later deadline for single-pilot operations. Under §5.9(e), a single-pilot operator (where one pilot performs all necessary functions) is exempted from several specific Part 5 line items — including §5.21(a)(4), §5.21(a)(5), §5.23(a)(2), §5.23(a)(3), §5.27(a) and (b), §5.71(a)(7), §5.93, and §5.97(d). That exemption shapes the gap analysis: a single-pilot operator's gap register will mark those specific items as not-applicable rather than as gaps, but every other Part 5 requirement still applies and must be assessed and closed. So single-pilot operators absolutely run a gap analysis — it is simply a scoped-down version. See our dedicated guide on single-pilot Part 135 SMS for the full applicability detail.
Your gap analysis is only as good as the evidence behind it
FileFlo classifies every document that closes out your SMS gap register against the correct Part 5 section, tracks retention under §5.97, and generates an FAA-organized evidence binder on demand. Run the gap analysis with the FAA's free tools — keep the proof audit-ready with FileFlo. Starter at $89/mo · Professional at $299/mo · No credit card required.
5-day free trial · No credit card required · Cancel anytime