IOSA compliance software:
ISARPs, evidence, CAPA.

See the highlighted block above the contents list. The rest of this article walks through what IOSA compliance software should do and the load-bearing capabilities.

The IOSA (IATA Operational Safety Audit) programme is an aviation audit framework run by IATA. Operators undergoing IOSA renewal are audited against ISARPs — IOSA Standards and Recommended Practices — covering flight operations, dispatch, maintenance, cabin operations, ground operations, cargo, security and organisation. Compliance is demonstrated by documented evidence.

IOSA compliance software should reduce the renewal effort and increase the defensibility of the audit. Specifically:

1. Track every ISARPagainst the operator's compliance posture, with current state visible at a glance.
2. Link ISARP to evidence. Each Standard links to the specific manual section, training record, procedure or operational document that satisfies it.
3. Manage the audit cycle from auditor entry through finding through closure.
4. Hold CAPA effectiveness verification as a hard gate. Closure requires a verifier signature, not a checkbox.
5. Maintain document control with revision tracking, distribution lists, and evidence-link integrity (a revision breaks the link until re-verified).
6. Render an audit-grade trail from policy through evidence to outcome, replayable by the auditor three years later.

Operators who treat IOSA compliance as a separate workflow tool typically end up duplicating effort with their SMS and QMS systems. The 2026 standard is one operational graph spanning SMS, QMS, IOSA, CAPA and document control.

ISARPs are the requirement statements. Each ISARP is structured as a Standard (mandatory) or Recommended Practice (best practice), with an intent statement and an auditor action that describes how compliance is evidenced.

Compliance posture.For each ISARP the operator records a current state — compliant, partial compliance, not compliant, not applicable — with the supporting evidence. The state changes when documents are revised, findings are raised, or operations evolve.

Evidence types. Operators present manual sections, training records, audit records, operational procedures, technical publications and inspection reports as evidence. A serious platform models evidence as typed records, not free-text descriptions.

Auditor entry. During the audit cycle, the IOSA auditor enters observations against ISARPs. Each observation is either closed at audit (compliance demonstrated) or becomes a finding requiring corrective action.

Link integrity.The most underrated capability. When a manual section is revised, every ISARP that links to that section should be flagged for re-verification. A platform that maintains link integrity prevents the “the manual changed but the IOSA compliance dashboard still says green” failure mode.

Every IOSA finding becomes a CAPA. The CAPA pipeline runs the same as for occurrence-driven CAPA: open → in progress → verify → closed, with effectiveness verification as a hard gate.

Root cause analysis. Each finding is investigated for root cause before the corrective action is drafted. The root cause is recorded as a typed record linked to the finding.

Corrective action. The action targets the root cause, not the symptom. A finding that a checklist did not match the equipment is closed by updating the checklist (and the relevant manual section), not by re-briefing the crew.

Effectiveness verification.The verifier reads the evidence that the action produced its intended outcome before signing closure. For IOSA renewal, the verifier signature is the load-bearing control — the next audit will test whether previous findings closed effectively.

Trail to renewal.When the next IOSA renewal arrives, the auditor walks the previous audit's findings forward: was the corrective action implemented, was effectiveness verified, has the issue recurred. A platform that ships this walk in two clicks per step makes renewal substantially easier; a platform that requires assembling the walk from five exports makes renewal substantially harder.

Document control is structurally entangled with IOSA compliance. ISARPs reference the operator's manuals; the manuals are the evidence the auditor reads; revisions break that evidence until re-verified.

Manual lifecycle.Operations Manual, Maintenance Manual, Cabin Manual, Security Manual and others have controlled lifecycles — revision number, effective date, distribution list, acknowledgement tracking by relevant roles, archival of superseded revisions.

Section-level granularity. Manuals are too large to be evidence units. A platform should link ISARPs to specific sections (or even paragraphs) rather than to whole manuals. When section 4.2.3 is revised, the ISARPs that link to it are flagged; the rest are untouched.

Distribution and acknowledgement. The roles that need to read a revision are notified. The platform records who acknowledged what revision when. Overdue acknowledgements surface as a list, not a footnote.

Traceability for the audit three years later.The auditor asks: which version of the OM was in force on this date, and what was the relevant section's text? A platform that answers this in two clicks is the bar.

eAviora is designed to ship IOSA-aware compliance on the same operational graph as SMS, QMS, CAPA, SPI, SRP and document control. ISARPs link to manual sections, training records and operational evidence. Findings open CAPAs with effectiveness verification gates. Document revisions break and reset evidence links.

Relevant surfaces:

• Compliance module— ISARP coverage, evidence links, finding lifecycle.
• Documents module— manual lifecycle, section-level granularity, distribution and acknowledgement.
• CAPA / Actions module— the action layer with effectiveness verification as a hard gate.
• QMS module— quality audits with findings flowing into the same CAPA pipeline.

Cohort-01 design partners receive direct access to the founder. See the Buyer's Guide for the full evaluation framework, or contact us to discuss IOSA renewal preparation.