Safety assurance is the third component of an aviation SMS, defined in 14 CFR Part 5, subpart D (§5.71–§5.75). It is the verification loop: monitor operations, audit your own systems, run a confidential employee reporting system, investigate incidents, measure safety performance, and continuously correct deficiencies. It is the part of the SMS the FAA inspects hardest because it is the only component that produces a continuous, datable record stream that proves the system is real — and under §5.97(b), those safety-assurance records must be retained for a minimum of 5 years. For Part 135 operators the entire SMS, including a working safety-assurance loop, is mandatory by May 28, 2027.
This is the deep dive on one pillar. Need the whole SMS first?
For the full four-component picture, start with the Part 135 SMS requirements overview and the May 28, 2027 deadline guide. For the forward-looking sibling pillar, see safety risk management. This article focuses on safety assurance.
What Safety Assurance Is — in Plain English
Of the four SMS components, safety assurance is the one people understand least and the FAA scrutinizes most. The simplest way to frame it: Safety Risk Management decides what controls you need before a change; safety assurance checks whether those controls are actually working once operations are running — and triggers a fix when they are not. It is the closed-loop, keep-checking half of the system.
The FAA codifies it in 14 CFR Part 5, subpart D, across three sections: §5.71 (Safety performance monitoring and measurement), §5.73 (Safety performance assessment), and §5.75 (Continuous improvement). Read together, they describe a single cycle: monitor and measure what your operation is actually doing, assess that data against your safety objectives, and correct whatever the assessment shows is broken — then start again.
The safety-assurance loop, in four moves
Monitor
Collect operational data — flights, audits, reports, the operating environment.
§5.71(a)
Measure
Analyze the data with defined analytical processes and indicators.
§5.71(b)
Assess
Judge performance against objectives; find ineffective controls and new hazards.
§5.73
Correct
Fix the deficiencies, verify the fix, and feed material change back to SRM.
§5.75 / §5.73(b)
The other three pillars describe intent. Safety assurance produces proof.
Safety Policy is a signed statement and an org chart. Safety Risk Management produces assessments tied to specific changes. Safety Promotion is a training roster. Safety assurance is the only component that is supposed to be running every single day — and that is precisely why it generates the dense, datable record stream an inspector uses to decide whether your SMS is real or just paper.
Why the FAA Inspects Safety Assurance the Hardest
A surveillance inspector has a limited amount of time and a simple question: is this a real SMS, or a binder someone wrote to pass an inspection? Safety assurance is where that question gets answered, because it is the component that cannot be reverse-engineered after the fact. You can write a safety policy in an afternoon. You cannot manufacture a year of internal audits, a populated confidential reporting log, trended performance data, and closed corrective actions retroactively. The records either exist with credible dates, or they do not.
"Show me your last internal audit."
§5.71(a)(3)–(4) require auditing and evaluation of your operational processes and the SMS itself. The inspector looks for a real scope, real findings, and dates that show a recurring cycle — not a single audit dated the week before the visit.
"Show me your confidential reports and how you closed them."
§5.71(a)(7) requires a confidential, reprisal-free employee reporting system. A log with zero reports in a year is itself a red flag — it implies the system is not trusted or not real. Inspectors test that reports come in and get dispositioned.
"Show me your safety performance trend data."
§5.71(b) and §5.73(a) require analytical processes and assessment against objectives. The inspector wants to see indicators that are actually tracked over time and reviewed — evidence the measurement loop runs, not a one-time chart.
"Show me corrective actions and their closure dates."
§5.75 requires processes to correct the deficiencies found in §5.73 assessments. Open-ended findings with no closure, or a corrective-action log that never closes anything, demonstrate the continuous-improvement loop is broken.
This is also why a last-minute SMS fails surveillance even when the manual is perfect. The manual describes the safety-assurance processes; the records prove they ran. For what an evaluation actually probes, see how to prepare for a Part 135 FAA surveillance audit and the most common FAA audit findings for Part 135.
Is your safety-assurance evidence audit-ready?
FileFlo's free FAA readiness score takes about 3 minutes and flags where your audit reports, confidential-report log, performance data, and corrective actions would fall short at a Part 5 surveillance evaluation. It checks your evidence — it does not run your safety-assurance program. No signup required.
5-day free trial · No credit card required · Cancel anytime
The Three Sections of Safety Assurance (§5.71–§5.75)
Subpart D breaks safety assurance into three sections that chain together — monitoring and measurement, then assessment, then continuous improvement. Below is what each section requires under the CFR, and the records each one produces for surveillance.
§5.71
Safety Performance Monitoring & Measurement
What it requires: Develop processes to acquire operational data through monitoring, auditing, evaluation, investigation, and confidential reporting — then analytical processes to make sense of that data.
The requirement, by CFR
- Monitoring of operational processes (§5.71(a)(1))
- Monitoring of the operating environment to detect changes (§5.71(a)(2))
- Auditing of operational processes and systems (§5.71(a)(3))
- Evaluations of the SMS and operational processes and systems (§5.71(a)(4))
- Investigations of incidents and accidents (§5.71(a)(5))
- Investigations of reports of potential regulatory non-compliance (§5.71(a)(6))
- A confidential employee reporting system, free of reprisal (§5.71(a)(7))
- Investigations of hazard notifications from external sources (§5.71(a)(8))
- Analytical processes for the data acquired above (§5.71(b))
Records it generates
- Internal audit reports (scope, findings, dates)
- SMS and operational-process evaluation reports
- Operational monitoring data and dashboards
- Incident / accident investigation files
- Confidential employee report log and dispositions
- External hazard-notification investigation records
§5.73
Safety Performance Assessment
What it requires: Assess the data against your safety objectives — including accountable-executive reviews — to confirm controls are working, evaluate the SMS, find ineffective controls, and surface new hazards.
The requirement, by CFR
- Ensure compliance with the safety risk controls you established (§5.73(a)(1))
- Evaluate the performance of the SMS (§5.73(a)(2))
- Evaluate the effectiveness of §5.55(c) controls and identify any ineffective ones (§5.73(a)(3))
- Identify changes in the operating environment that may introduce new hazards (§5.73(a)(4))
- Identify new hazards (§5.73(a)(5))
- Re-enter the subpart C SRM process when an ineffective control or new hazard is found (§5.73(b))
Records it generates
- Safety performance assessment reports against objectives
- Accountable-executive safety performance review minutes
- Safety performance indicator (SPI) trend analysis
- Findings of ineffective risk controls
- New-hazard identification records routed back to SRM
§5.75
Continuous Improvement
What it requires: Establish and implement processes to correct the safety performance deficiencies identified in the §5.73 assessments. Finding a problem is not enough — you must show it was fixed and verified.
The requirement, by CFR
- Establish processes to correct deficiencies found under §5.73 (§5.75)
- Implement those corrective processes — not just document them
- Track corrective actions through to closure with dates
- Verify the correction actually resolved the deficiency
- Feed material changes back into Safety Risk Management
Records it generates
- Corrective and preventive action (CAPA) plans
- Action owner, due date, and closure date for each item
- Effectiveness-verification records for closed actions
- Management-review minutes showing the loop closed
- Trend evidence that recurring deficiencies are declining
Safety assurance at a glance
| Section | CFR title | Core requirement |
|---|---|---|
| §5.71 | Safety performance monitoring & measurement | Eight data-acquisition processes (incl. audits + confidential reporting) plus analysis |
| §5.73 | Safety performance assessment | Assess data vs. objectives; find ineffective controls and new hazards |
| §5.75 | Continuous improvement | Establish + implement processes to correct §5.73 deficiencies |
Safety Risk Management vs. Safety Assurance — the Difference People Get Wrong
These two components are constantly confused, because both involve hazards and risk. The clean distinction is timing and direction. Safety Risk Management is forward-looking and event-driven; safety assurance is continuous and verification-driven. They are two halves of one loop, and §5.73(b) is the explicit hinge between them — when assurance finds an ineffective control or a new hazard, you re-enter the SRM process.
| Safety Risk Management | Safety Assurance | |
|---|---|---|
| CFR | §5.51–§5.55 (subpart C) | §5.71–§5.75 (subpart D) |
| Timing | Before a change goes live | Continuously, while operations run |
| Trigger | New system, revised system, or new procedure | Ongoing monitoring, audits, reports, and data |
| Core question | What controls do we need to make this acceptable? | Are the controls we put in place actually working? |
| Key output | Hazard analyses, risk assessments, risk controls | Audits, performance data, corrective actions |
| Retention | As long as the control is relevant (§5.97(a)) | Minimum 5 years (§5.97(b)) |
For the forward-looking pillar in full, read safety risk management in a Part 135 SMS. For where these two sit in the larger framework, the Part 135 SMS requirements overview maps all four components, and the Part 135 SMS gap analysis shows how to find what is missing before the inspector does.
The Records Safety Assurance Generates — and the 5-Year Clock (§5.97(b))
Safety assurance is the most record-intensive component of the SMS, and its retention rule is the one operators most often underestimate. 14 CFR §5.97(b) requires that the outputs of safety-assurance processes (subpart D) be retained for a minimum of 5 years. That is a far longer horizon than a typical training cycle or a two-year communication record, and it applies to a wide range of artifacts.
| SMS record family | CFR | Retention period |
|---|---|---|
| Safety assurance outputs — audits, evaluations, monitoring data, investigations, CAPAs | §5.97(b) | Minimum of 5 years |
| Safety risk management outputs — hazard analyses, risk assessments, risk-control decisions | §5.97(a) | As long as the control remains relevant |
| SMS training records (per individual, under §5.91) | §5.97(c) | As long as the individual is employed |
| Safety communications (under §5.93 and §5.57) | §5.97(d) | Minimum of 24 consecutive calendar months |
The practical consequence: an internal audit you ran in 2027 is still a discoverable record in 2032. A confidential report and its disposition, a corrective-action plan and its closure verification, a quarter of performance-indicator data — all of it has to remain retrievable for at least five years. This is exactly why a spreadsheet of expiration dates does not satisfy safety assurance: the obligation is to keep the actual artifacts, indexed and produce-on-demand, across a multi-year window — not just to know when something lapses. For the full retention picture across the whole operation, see the aviation records retention schedule and the dedicated Part 135 SMS recordkeeping requirements.
Where this trips operators up
Safety-assurance records are dynamic, not static. A corrective action carries an open/closed status; an audit references prior findings; performance data accumulates every period. That evolving, cross-referencing evidence is exactly the kind that scatters across shared drives, inboxes, and a safety manager's laptop — and then cannot be assembled when the FAA asks for five years of it on demand. The single-pilot relief in §5.9(e) trims the confidential-reporting and communication pieces, but the §5.97(a)–(c) retention clocks still apply.
How Safety-Assurance Records Connect to the Rest of Your Compliance Stack
Safety assurance does not sit in a vacuum — its investigations and audits reach into records you already keep. An §5.71(a)(5) incident investigation intersects with service difficulty reports and your broader maintenance discrepancy history. An audit of operational processes tests the same evidence as the records a Part 135 operator must keep, and the people running the assurance program tie back to your required management personnel. Even a regulated-program audit — for instance a §5.71(a)(6) review of potential non-compliance — will pull your drug-and-alcohol program records into scope.
The same discipline applies on the maintenance side of the house. A repair station that supports a Part 135 operation runs its own audit-and-corrective-action loop under its quality system — which is why the Repair Station and Quality Control Manual (RSQCM) and Part 145 recordkeeping are close cousins of safety assurance, and why an inspector's Part 145 audit-binder request looks so familiar to anyone who has prepped a Part 5 surveillance. (Note: Part 145 stations are not swept into the general Part 5 SMS mandate — but the records discipline is the same one.) Getting in front of all of it starts with knowing what a surveillance evaluation looks for — see how to prepare for a Part 135 FAA surveillance audit.
Where FileFlo Fits: The Safety-Assurance Evidence Layer, Not the Program
FileFlo holds the proof — it does not run your safety-assurance program
FileFlo is a compliance document intelligence platform — a proof layer that sits alongside your SMS software, safety database, and operations stack. It classifies 600+ document types against the governing CFR, version-controls them, tracks expirations, and produces inspector-format audit binders. It does not run your audits, operate your confidential reporting system, build your SMS, write your SMS manual, replace a safety manager, or give legal advice. Its job is to make your §5.71–§5.75 safety-assurance records produce-on-demand and audit-ready for the full five-year window §5.97(b) requires.
Safety assurance is the component most likely to expose a weak document system, precisely because its records are dynamic and accumulate over years. Audit reports reference prior findings; corrective actions carry open/closed status; performance data trends across periods; confidential reports need disposition tracking. That is the evolving evidence that gets lost across shared drives and email threads — and the gap a surveillance evaluation surfaces first.
Classification against 14 CFR Part 5, subpart D
Every safety-assurance artifact — internal audits, evaluations, monitoring data, investigation files, confidential-report dispositions, and corrective-action plans — is classified against the specific §5.71–§5.75 process it satisfies, so nothing is misfiled to the wrong component.
5-year retention tracking built for §5.97(b)
Safety-assurance outputs carry a minimum 5-year clock. FileFlo holds the actual artifacts retrievable across that window and surfaces the periodic records an audit cycle expects — so a five-year-old audit report is still one search away when the inspector asks.
One-click safety-assurance evidence binder
When your FAA principal inspector asks for safety-assurance evidence, FileFlo assembles a subpart D-organized binder — audits, performance data, reports, and corrective actions, indexed by section — in about 60 seconds instead of by hand across multiple systems.
Coverage across the whole Part 135 footprint
Beyond subpart D, FileFlo classifies records against the wider Part 135 stack — operations-manual revision history, pilot currency, recordkeeping, and Part 120 drug-and-alcohol records — so the assurance evidence and the underlying compliance records that audits reach into live in one place.
Starter Plan
$89/mo
Up to 100 documents/month · 3 users
For solo owner-operators and small teams starting their SMS documentation program.
Professional Plan
$299/mo
Unlimited documents + users · audit trail · employee auto-detection
For Part 135 operators managing the full safety-assurance evidence load across a multi-year window.
Frequently Asked Questions
What is safety assurance in an SMS?
Safety assurance is the third of the four components of an aviation Safety Management System, defined in 14 CFR Part 5, subpart D (§5.71–§5.75). It is the verification loop: the set of processes you use to monitor your operations, audit and evaluate your own systems, run a confidential employee reporting system, investigate incidents and accidents, measure safety performance against your objectives, and continuously correct deficiencies. In plain terms, if Safety Risk Management is the engine that controls hazards before a change, safety assurance is the feedback loop that proves those controls actually work — and it is the part of the SMS the FAA inspects hardest, because it generates the most concrete, datable, produce-on-demand records.
What does safety assurance include under 14 CFR Part 5?
Safety assurance is built from three sections. §5.71 (Safety performance monitoring and measurement) requires eight processes to acquire operational data: monitoring operational processes, monitoring the operating environment for change, auditing your operational processes and systems, evaluating the SMS itself, investigating incidents and accidents, investigating reports of potential regulatory non-compliance, operating a confidential employee reporting system, and investigating hazard notifications from external sources — plus analytical processes for the data you collect. §5.73 (Safety performance assessment) requires you to assess that data to confirm risk controls work, evaluate SMS performance, identify ineffective controls, and find new hazards. §5.75 (Continuous improvement) requires you to establish and implement processes to correct any deficiency the §5.73 assessment finds. Together they form a monitor-measure-assess-correct loop.
Why is safety assurance the part of the SMS the FAA inspects hardest?
Because it is the only component that produces a continuous, datable, verifiable record stream. Safety Policy is mostly a signed document and an org chart; Safety Risk Management produces assessments tied to specific changes; Safety Promotion is training rosters. Safety assurance, by contrast, is supposed to be running every day — audits on a schedule, a confidential reporting system that actually receives reports, performance indicators that trend, corrective actions that open and close. An inspector can therefore test whether your SMS is real or just paper by asking for safety-assurance evidence: Show me your last internal audit. Show me the corrective actions and their closure dates. Show me your confidential reports and how you dispositioned them. Show me your safety performance trend data. An SMS manual can be written in a weekend; a year of genuine safety-assurance records cannot be faked. That is why surveillance gravitates here.
What is the difference between safety risk management and safety assurance?
They are two different halves of the same loop. Safety Risk Management (subpart C, §5.51–§5.55) is forward-looking and event-driven: before you introduce a new system, revise an existing one, or develop a new operational procedure, you identify the hazards, assess the risk, and apply controls so the residual risk is acceptable. Safety assurance (subpart D, §5.71–§5.75) is backward- and continuous-looking: once those controls are in place and operations are running, you monitor and audit to confirm the controls actually work, measure performance, and feed any failure back into the SRM process. Put simply: SRM decides what controls you need; safety assurance checks whether they are working and triggers a fix when they are not. §5.73(b) is the explicit hand-off — when assurance finds an ineffective control or a new hazard, you re-enter the SRM process in subpart C.
How long must safety assurance records be retained?
14 CFR §5.97(b) requires that the outputs of safety assurance processes (subpart D) be retained for a minimum of 5 years. That is the single most important retention number for this component, and it is longer than most operators expect. It covers internal audit reports, SMS and process evaluations, monitoring data and safety performance indicator trends, investigation files, confidential employee report dispositions, and the records of corrective actions and their closure. By contrast, Safety Risk Management outputs under §5.97(a) are kept as long as the control remains relevant, training records under §5.97(c) for as long as the individual is employed, and safety communications under §5.97(d) for a minimum of 24 consecutive calendar months. The five-year clock on assurance records is why a simple expiration spreadsheet is not enough — you have to keep the actual artifacts, retrievable, for years.
What are safety performance indicators (SPIs) and does the FAA require them?
A safety performance indicator is a measurable parameter you track to gauge whether your safety risk controls are working and whether safety performance is trending in the right direction — for example, unstable-approach rate, go-around rate, maintenance discrepancy trends, or the volume and severity of confidential reports. 14 CFR §5.71(b) requires you to develop and maintain processes to analyze the data acquired under §5.71(a), and §5.73(a) requires you to conduct assessments of safety performance against your safety objectives. The regulation does not hand you a list of mandatory SPIs or numeric targets; it requires that you measure performance, assess it against objectives, and act on what you find. The FAA examines your SPI data and trend analysis as primary evidence that the safety-assurance loop is operating, not just documented.
Does the FAA SMS rule require a confidential employee reporting system?
Yes. 14 CFR §5.71(a)(7) requires a confidential employee reporting system in which employees can report hazards, issues, concerns, occurrences, and incidents — and propose solutions and safety improvements — without concern of reprisal for reporting. It is a hard requirement, not a best practice, and it sits inside the safety-assurance component. In surveillance, inspectors frequently ask to see that the system exists, that employees actually use it, and that reports are dispositioned and closed. A reporting system that has received zero reports in a year is itself a finding, because it suggests the system is not trusted or not real. (Note: §5.9(e) relieves a single-pilot operator, who is the sole individual in the organization, from the §5.71(a)(7) confidential-reporting requirement and from §5.93 communication, because there is no second person to report to — but the rest of safety assurance still applies.)
When is the deadline to have safety assurance running for Part 135?
The compliance date is May 28, 2027 — a single date that applies to every Part 135 certificate holder and to §91.147 air-tour Letter of Authorization holders, with no aircraft-count threshold. Safety assurance is the component that is hardest to stand up at the last minute, because it depends on having actually run audits, collected monitoring data, received confidential reports, and closed corrective actions over a period of time. An operator who waits until early 2027 to build the SMS manual can produce a policy and a process description by the deadline but will have little or no real safety-assurance record history to show — which is exactly the gap a surveillance evaluation surfaces. The practical implication: stand up the monitoring, auditing, and reporting processes early so that by the deadline you have a track record, not just a procedure on paper.
Chad Griffith
Founder, FileFlo — compliance document intelligence
This article is written from a compliance-document perspective: what 14 CFR Part 5, subpart D requires and the records each requirement produces. It is not legal advice, and it is not safety-program or SMS-design advice. FileFlo classifies and proves compliance records audit-ready; it does not build, author, or operate your SMS or your safety-assurance program. Confirm your individual requirements and compliance date with your assigned FSDO principal inspector and qualified aviation counsel.
Make your safety-assurance evidence inspection-proof
FileFlo classifies every safety-assurance record against the correct §5.71–§5.75 process, holds it retrievable across the full five-year §5.97(b) window, and produces a complete FAA-organized evidence binder in about 60 seconds. It proves your safety-assurance records on demand — it does not run your program. Starter at $89/mo · Professional at $299/mo · No credit card required.
5-day free trial · No credit card required · Cancel anytime