交
通
民
部
民
航
用
航
通
空
局
告
主旨：安全管理系統
發行日期：2011.01.25 編號：AC 120-032C 發行單位：飛航標準組
一、目的：
本通告之目的係介紹安全管理系統(SMS Safety Management System)
之概念，並提供航空業者建構安全管理系統之指引。安全管理系統為
我國 07-02A「航空器飛航管理規則」第 9 條及 06-02A「維修廠設立
檢定管理規則」第 27 條之需求，航空器使用人依據本通告建構之安
全管理系統及據此規範所實施之安全管理作為，可滿足前揭法規之需
求。
二、修正說明：
（一）為配合第一次修訂，本局參考 ICAO Doc 9422 及 UK CAA CAP
712 （Safety Management System for Commercial Air Transport
Operations）作文字修訂，取消 AC120-32 版。並取代民國 93
年 9 月 16 日訂定之 AC 120-032。
（二）為配合第二次修訂，本通告係參考美國 FAA AC120-92 訂定。
並取代民國 95 年 9 月 27 日訂定之 AC 120-032A。
（三）為配合第三次修訂，本通告係參考 ICAO Doc 9859 Safety
Management Manual (SMM) 訂定，並取代民國 96 年 3 月 12 日
訂定之 AC 120-32B。
三、背景說明：
1
現代之航空事業為富有更具多變性及複雜商業網路之特殊管理機
構，在快速變遷之航空營運環境中，此等機構仍必須持續適應以保持
生存。雖極少數之商業個體、市場、供應網及其作業仍僅限於本國內，
惟航空事業更趨向於全球化已是無法避免之事實，亦因此該等複雜、
多元及改變之特性更突顯了良好的安全管理之重要性。截至目前為
止，致力於航空安全方面之努力還算相當成功，然在航空市場營運量
及種類快速增加之趨勢下，現有之安全策略及作為仍有必要繼續提
升。在此趨勢下，業者及政府機構可使用之資源將顯不足，因此尋求
未來之安全策略至為重要。在增加航空活動及減少資源問題中最佳的
解決方法是，將安全管理融入飛航作業之正常管理架構中，以達到應
有之安全成效。政府及業者必須將其作有效之管理，以完成其使命並
達成事業永續經營之目標。
『安全管理系統』為創新之名詞，為政府
及業者在監理與事業管理上最佳溝通語言，亦為提升安全最有效之方
法。
（一）安全管理系統之安全效益：安全管理系統為高品質及控制風險
管理之必要措施，其組織架構得以提供支援良好之安全文化，
可為公司安全管理之主軸，亦為與民航局之有效溝通介面，同
時提供公司管理階層監控安全相關流程之詳細路徑。
（二）安全管理系統之商業效益：建構及實施安全管理系統使航空業
者符合法規需求之安全管理架構；藉由安全管理系統融合內部
評鑑及品質保證理念，形成更佳之管理結構及持續改善作業流
程，可獲得明顯之商業效益。本通告所提出之理念已將各種安
全努力融合於航空業者之商業模式中，且融合現行航空業者已
具備或正在建立之品管、職場安全及環境控制系統中。
四、需求說明：
ICAO Annex 6, Part I 3.2.5
07-02A「航空器飛航作業管理規則」第 9 條『航空器使用人應建立安
全管理系統並經報請民航局備查後，於中華民國 98 年 1 月 1 日前實
施』
。
06-02A「維修廠設立檢定管理規則」第 27 條『維修廠應建立安全管
2
理系統並經報請民航局備查後，於中華民國 98 年 1 月 1 日前實施』
。
五、執行要點說明：
有關安全管理系統之建構及施行說明，詳如附錄。
六、相關規定及參考文件：
（一）FAA AC 120-66「Aviation Safety Action Programs（ASAP）」及
後續更新版本。
（二）FAA AC 120-79「Developing and Implementation a Continuing
Analysis and Surveillance System（CASS）」及後續更新版本。
（三）FAA AC 120-82「Flight Operation Quality Assurance」及後續更
新版本。
（四）ICAO Doc 9859「Safety Management Manual (SMM)」及後續更
新版本。
（五）UK CAA「Safety Management Systems－Guidance to
Organizations」及後續更新版本。
簽署：________________
飛航標準組組長張羚悌
3
附錄
安全管理系統之建構及施行說明
AC 120-32C
Safety Management System
25 January, 2011
1
Table of Contents
1.
GENERAL
1.1 Purpose……………………………………………………………………..
2
1.2 Requirements and References……………………………………………
2
1.3 Definitions…………………………………………………………………...
2
1.4 Introduction…………………………………………………………………
3
-
2.
-
Management Systems…………………………………………………
Quality Management System…………………………………………
3
3
-
Safety Management System………………………………………….
4
-
Gap analysis……………………………………………………………
4
-
Safety Management System Implementation………………………
5
SAFETY POLICY AND OBJECTIVES
2.1 Management commitment and responsibility…………………………..
7
2.2 Safety accountabilities…………………………………………………….
9
2.3 Appointment of key safety personnel…………………………………….
10
2.4 Coordination of emergency response planning…………………………
13
2.5 SMS documentation……………………………………………………….
13
3.
4.
5.
SAFETY RISK MANAGEMENT
3.1 Hazard identification………………………………………………………..
16
3.2 Safety risk assessment and mitigation……………………………………
19
SAFETY ASSURANCE
4.1 Safety performance monitoring and measurement……………………..
26
4.2 The management of change……………………………………………….
27
4.3 Continuous improvement of the SMS……………………………………..
28
SAFETY PROMOTION
5.1 Training and education……………………………………………………… 29
2
5.2 Safety communication……………………………………………………….
30
ATTACHMENT 1 SMS IMPLEMENTATION PLAN………………………………..
32
ATTACHMENT 2 SMS GAP ANALYSIS CHECK LIST…………………………...
42
ATTACHMENT 3 GLOSSARY………………………………………………………….. 51
3
1.
GENERAL
1.1 Purpose
This AC has been developed to give sufficient understanding on SMS concepts
and the development of management policies and processes to implement and
maintain an SMS that meets ICAO and CAA requirements. This AC presents
an acceptable means, but not the only means, to show compliance with Article
9 of “Aircraft Flight Operation Regulations” or Article 27 of “Regulations for
Repair Station Certification and Management” for establishing and
implementing a safety management system.
This AC applies to all Civil air transport enterprise certificate holders (Operator)
and repair station certificate holders of CAA, Taiwan.
1.2 Requirements and References
- 01-01A Civil Aviation Act
- 06-02A Regulations for Repair Station Certification and Management
- 07-02A Aircraft Flight Operation Regulations
- CAA State Safety Program, SSP
- CAA AC 00-001A
- ICAO Safety Management Manual (Doc 9859 2nd edition)
- ICAO Annex 1
- ICAO Annex 6
- ICAO Annex 8
1.3 Definitions
The following definitions are used in this document:
Safety
The state in which the possibility of harm to persons or of property
damage is reduced to, and maintained at or below, an acceptable level through
a continuing process of hazard identification and safety risk management.
Hazard
is defined as a condition or an object with the potential to cause
injuries to personnel, damage to equipment or structures, loss of material, or
reduction of ability to perform a prescribed function.
Safety risk is defined as the assessment, expressed in terms of predicted
probability and severity, of the consequences of a hazard, taking as reference
the worst foreseeable situation
Safety risk management
is a generic term that encompasses the
assessment and mitigation of the safety risks of the consequences of hazards
that threaten the capabilities of an organization, to a level as low as reasonably
practicable (ALARP).
Level of safety
is the degree of safety of a system. It represents the
quality of the system, safety-wise. It is expressed through safety indicators;
4
Safety indicators
are the parameters that characterize and/or typify
the level of safety of a system;
Safety targets
are the concrete objectives of the level of safety;
Acceptable level of safety
is the minimum degree of safety that
must be assured by a system in actual practice;
Safety measurement
refers to the quantification of the outcomes of
selected high-level, high-consequence events, such as accident and serious
incident rates.
Safety performance measurement
refers to the quantification of the
outcomes of selected low-level, low consequence processes. It is a non-stop
activity, involving continuous monitoring and measurement, by an organization.
Safety Assurance
means a process of examining an organization’s
SMS and evaluating its effectiveness, based on the SMS components and
elements. This extends from an evaluation for regulatory compliance;
Organization
when used alone means all functions of service
provision of the aircraft operators and repair station certificate holders.
Safety Management System (SMS)
means documented processes for
managing risk that integrates operations and technical systems with the
management of financial and human resources as well as infrastructure and
technology, to ensure aviation safety or the safety of the public.
1.4 Introduction
Management Systems
Aviation organizations are required to develop, implement and operate a
number of different management systems to achieve their production goals
through the delivery of services. Typical management systems an aviation
organization might need to operate include quality management system (QMS),
environment management system (EMS), occupational health and safety
management system (OHSMS), safety management system (SMS), and
security management system (SEMS).
Since it is beneficial for the aviation organizations to integrate all these different
management systems, there is a developing tendency in civil aviation to such
integration.
Aviation organizations should be encouraged to integrate their quality, safety,
security, occupational health and safety, and environmental protection
management systems.
Quality Management System
Quality management has been established in many segments of the aviation
system for a long time. Many aviation organizations have implemented and
operated quality control (QC) and/or quality assurance (QA) for a number of
years.
A few aviation organizations have integrated their QC and QA programs into
quality management systems (QMS).
SMS and QMS share many
commonalities. They both:
5
(a)
have to be planned and managed;
(b)
(c)
depend upon measurement and monitoring;
involve every function, process and person in the organization; and
(d)
strive for continuous improvement.
SMS differs from QMS in that:
(a) SMS focuses on the safety, human and organizational aspects of an
organization (i.e. safety satisfaction); while
(b) QMS focuses on the products and services of an organization (i.e.
customer satisfaction).
Once commonalities and differences between SMS and QMS have been
established, it is possible to establish a synergistic relationship between both
systems. To summarize:
(a) SMS builds partly upon QMS principles;
(b) SMS should include both safety and quality policies and practices; and
(c) The integration of quality principles, policies and practices should be
focused towards the support of the management of safety.
Safety Management System
A Safety Management System (SMS) is a systematic, explicit and proactive
process for managing safety that integrates operations and technical systems
with financial and human resource management to achieve safe operations with
as low as reasonably practicable risk.
SMS is a proactive and integrated approach to Safety. It should be integrated
into the management system of an organization. It should describe the
structure and scope of the organization, available resources, staff
accountabilities, authorities and responsibilities and how decisions are taken
and managed throughout the organization.
By identifying, assessing and eliminating or controlling safety-related hazards
and risks, acceptable levels of safety will be achieved.
Gap analysis
It is apparent that organizations would need to conduct a gap analysis of their
system(s) to determine which components and elements of a safety
management system are currently in place and which components or elements
must be added or modified to meet SMS as well as regulatory requirements.
The review may include comparison of the SMS elements found in this AC
against the existing systems in your organization.
A checklist may be used to account for each of this AC and their respective
sub- elements or an example of a gap analysis checklist in Attachment 2.
Remarks for partial compliance or deviations should be made as well as
actions required in order to meet the criteria. There should be a column for
6
annotating existing company documentation where the requirement is
addressed.
Once the gap analysis is complete and fully documented, the items you have
identified as missing or deficient will form the basis of your SMS project plan.
The first target of the plan should be compilation of the organization’s SMS
manual.
Safety Management System Implementation
An aviation organization should, as part of the SMS documentation, develop,
adhere to and maintain an SMS implementation plan. This SMS
implementation plan shall be endorsed by senior management of the
organization.
The SMS implementation plan shall be the definition of the approach the
organization will adopt for managing safety in a manner that will meet the
organization’s safety objectives.
The SMS implementation plan shall explicitly address the coordination
between the SMS of the aviation organization and the SMS of other
organizations the aviation organization must interface with during the provision
of services.
The first step in the development of any successful SMS is to identify what
elements currently exist within an organization, this can be achieved by carrying
out a thorough gap analysis of the current business, from which an
implementation plan can be developed and delivered.
Attachment 1 of this AC presents a phased-in approach to develop an SMS
implementation. Phases I &II should be completed by June 30, 2011. Phase
III should be completed by June 30, 2012. Phase IV should be completed by
December 31, 2012.
The contents of the implementation plan should include:
(a) Safety policy and objectives;
(b) System description;
(c) Gap analysis;
(d) SMS components;
(e) Safety roles and responsibilities;
(f) Safety reporting policy;
(g) Means of employee involvement;
(h) Safety performance measurement;
(i)
Safety communication;
(j)
Safety training and
(k) Management review of safety performance
The framework for the implementation and maintenance of a safety
management system must include, as a minimum, the following 4 components
and twelve elements:
7
Safety Policy and Objectives
-
Management commitment and responsibility
Safety accountabilities
Appointment of key safety personnel
Coordination of emergency response planning
SMS documentation
Safety Risk Management
- Hazard Identification
- Safety risk assessment and mitigation
Safety Assurance
- Safety performance monitoring and measurement
- The management of change
- Continuous improvement of the SMS
Safety Promotion
- Training and education
- Safety Communication
8
2.
2.1
SAFETY POLICY AND OBJECTIVES
Management commitment and responsibility
Safety Policy
An aviation organization shall identify an Accountable Executive to be
responsible and accountable on behalf of the aviation organization for meeting
the requirements of this regulation. The Accountable Executive should have
full responsibility and accountability for the SMS and should have:
(a) Full authority for human resources issues;
(b) Authority for major financial issues;
(c) Direct responsibility for the conduct of the organization’s affairs;
(d) Final authority over operations under certificate; and
(e) Final responsibility for all safety issues.
An aviation organization shall define the organization’s safety policy which
shall be in accordance with international and national requirements, and which
shall be signed by the Accountable Executive of the organization. The safety
policy shall reflect organizational commitments regarding safety; shall include a
clear statement about the provision of the necessary resources for the
implementation of the safety policy; and shall be communicated, with visible
endorsement, throughout the organization. The safety policy shall include the
safety reporting procedures; shall clearly indicate which types of operational
behaviors are unacceptable; and shall include the conditions under which
disciplinary action would not apply. The safety policy shall be periodically
reviewed to ensure it remains relevant and appropriate to the organization.
In preparing a safety policy, senior management should consult widely with key
staff members in charge of safety-critical areas. Consultation ensures that the
document is relevant to staff and encourages buy-in to the safety policy.
An example of a safety policy is included in Figure 2-1. The safety policy
must include a commitment to:
(a) achieve the highest safety standards;
(b) observe all applicable legal requirements and international standards, and
best effective practices;
(c) provide all appropriate resources;
(d) enforce safety as a primary responsibility of all managers; and
(e) ensure that the policy is understood, implemented and maintained at all
levels.
9
SAFETY POLICY STATEMENT
Safety is one of our core business functions. We are committed to developing,
implementing, maintaining and constantly improving strategies and processes
to ensure that all our aviation activities take place under a balanced allocation
of organizational resources, aimed at achieving the highest level of safety
performance and meeting national and international standards, while
delivering our services.
All levels of management and all employees are accountable for the delivery
of this highest level of safety performance, starting with the [chief executive
officer (CEO)/managing director/or as appropriate to the organization].
Our commitment is to:
- Support the management of safety through the provision of all appropriate
resources, that will result in an organizational culture that fosters safe
practices, encourages effective safety reporting and communication, and
actively manages safety with the same attention to results as the attention to
the results of the other management systems of the organization;
- Enforce the management of safety as a primary responsibility of all
managers and employees;
- Clearly define for all staff, managers and employees alike, their
accountabilities and responsibilities for the delivery of the organization’s
safety performance and the performance of our safety management system;
- Establish and operate hazard identification and risk management
processes, including a hazard reporting system, in order to eliminate or
mitigate the safety risks of the consequences of hazards resulting from our
operations or activities to a point which is as low as reasonably practicable
(ALARP);
- Ensure that no action will be taken against any employee who discloses a
safety concern through the hazard reporting system, unless such disclosure
indicates, beyond any reasonable doubt, an illegal act, gross negligence, or
a deliberate or willful disregard of regulations or procedures;
- Comply with and, wherever possible, exceed, legislative and regulatory
requirements and standards;
- Ensure that sufficient skilled and trained human resources are available to
implement safety strategies and processes;
- Ensure that all staff are provided with adequate and appropriate aviation
safety information and training, are competent in safety matters, and are
allocated only tasks commensurate with their skills;
- Establish and measure our safety performance against realistic safety
performance indicators and safety performance targets;
- Continually improve our safety performance through management
processes that ensure that relevant safety action is taken and is effective;
and
- Ensure externally supplied systems and services to support our operations
are delivered meeting our safety performance standards.
(Signed) ___________________________________
CEO/Managing Director/or as appropriate
Figure 2-1 An example of a safety policy
10
Safety Objectives:
In conjunction with an organization’s overall safety policy statement, there
should be a set of underlying tangible safety objectives. Senior management of
the aviation organization must establish safety objectives, as well as the
standards of safety performance for the SMS. The safety objectives must
identify what the organization wants to achieve, in terms of the management of
safety, and lay out the steps the organization needs to take to achieve the
objectives.
The standards of safety performance allow organizational behavior to be
measured in comparison with safety performance and therefore with reference
to the management of safety. Both safety objectives and the standards of
safety performance must be linked to the safety performance indicators, safety
performance targets and action plans of the SMS.
Examples of such safety objectives are listed below:
- To identify and eliminate hazardous conditions within our aviation related
processes and operations
- To perform hazard and risk assessment for all proposed new equipment
acquisitions, facilities, operations and procedures
- To promulgate an ongoing systematic hazard and risk assessment plan.
- To provide relevant SMS training/ education to all personnel.
- To provide a safe, healthy work environment for all personnel
- To minimize accidents/incidents that is attributable to organizational factors
- To prevent damage and injury to property and people resulting from our
operations
- To improve the effectiveness of the safety management system through a
yearly safety audit that reviews all aspects of the SMS
2.2
Safety accountabilities
The organization should clearly define the lines of safety accountability
throughout the organization. This should include the direct accountability for
safety on the part of the Accountable Executive and senior management.
Safety is everyone’s responsibility and all staff should be aware of their safety
roles and responsibilities.
The safety accountabilities and responsibilities of all relevant departmental
and/or unit managers, and in particular line managers, should be described in
the organization’s Safety Management System Manual. It should include an
accountability chart in terms of the delivery of safety as a core business
process.
It must be emphasized that the primary responsibility for safety outcomes rests
with those who ‘own’ the production processes. It is here where hazards are
directly encountered, where deficiencies in processes contribute to safety risks,
and where direct supervisory control and resource allocation can mitigate the
safety risks to acceptable levels. The line managers are responsible for the
management of an identified safety concern, its mitigation activities and
subsequent performance.
11
2.3
Appointment of key safety personnel
The successful management of safety is a cooperative responsibility that
requires the participation of all relevant management and operational/ support
personnel of the organization. The safety roles and accountabilities between
the organization’s key SMS personnel and the various functional departments
should be established and defined.
Whilst the organizational structure of the SMS should reflect the size, nature
and complexity of the organization, consideration should be given to the:
(a) Appointment of a Safety Manager;
(b) Creation of safety committees.
The Safety Manager
It is important to note that accountability for the SMS lies with the Accountable
Executive not the Safety Manager. Specific safety activities and the functional
or operational safety performance and outcomes are the responsibility of the
relevant operational or functional managers,
The Safety Manager is responsible for, and is the focal point for, the
development, administration and maintenance of the SMS. The safety
manager also must ensure safety promotion throughout the organization.
In order to avoid possible conflict of interest, the safety manager should not
have conflicting responsibility for any of the operational areas. In principle,
integration of aviation safety, occupational safety, quality, environmental
control and security is possible. The safety manager should be at a sufficiently
high level in the management hierarchy to ensure that he or she can have
direct communication with other members of the senior management team.
The Safety Manager should be a full-time employee although in a smaller less
complex organization it may be a part time role shared with other duties.
The Safety Manager should possess:
(a) Operational management experience;
(b) Technical background to understand the systems that support operations;
(c) People skills;
(d) Analytical and problem-solving skills;
(e) Project management skills; and
(f)
Oral and written communications skills.
The safety manager’s functions include, but are not necessarily limited to:
(a) Managing the SMS implementation plan on behalf of the Accountable
Executive;
(b) Performing/facilitating hazard identification and safety risk analysis;
(c) Monitoring corrective actions and evaluating their results;
(d) Providing periodic reports on the organization’s safety performance;
12
(e) Maintaining records and safety documentation;
(f) Planning and organizing staff safety training;
(g) Providing independent advice on safety matters;
(h) Monitoring safety concerns in the aviation industry and their perceived
impact on the organization’s operations aimed at service delivery;
(i)
Coordinating and communicating (on behalf of the Accountable Executive)
with the State’s oversight authority and other State agencies as necessary
on issues relating to safety; and
(j)
Coordinating and communicating (on behalf of the Accountable Executive)
with international agencies on issues relating to safety.
Safety Review Board (Safety Committees)
The Safety Review Board (SRB) is a high level committee which considers
strategic safety functions. The Board should be chaired by the Accountable
Manager and should normally include the senior management of the
organization. Membership of the Board and frequency of meetings should be
defined. Directors of the organization may be included in the SRB.
The SRB:
(a) Monitors the effectiveness of the SMS implementation plan;
(b) Defining safety performance indicators and set safety performance targets
for the organization
(c) Monitors that any necessary corrective action is taken in a timely manner;
(d) Monitors safety performance against the organization’s safety policy and
objectives;
(e) Monitors the effectiveness of the organization’s safety management
processes which support the declared corporate priority of safety
management as another core business process;
(f) Monitors the effectiveness of the safety supervision of subcontracted
operations;
(g) Ensures that appropriate resources are allocated to achieve safety
performance beyond that required by regulatory compliance; and
(h) Gives strategic direction to the SAG.
Figure 2-2 is an example of a functional chart showing the interfaces and
interrelationships of the SRB among the various sectors of the organization.
13
Figure 2-2 Safety accountabilities:
interfaces and interrelationships among the various sectors of the organization
Safety Action Group
Large organizations that have relatively complex operations could set up
Safety Action Groups (or equivalent sub-committees) accountable to the
Safety Committee. Managers and supervisors from a given functional area
would be members of the SAG for that area and would take strategic directions
from the Safety Committee.
A safety action group should be established as a standing group or as an
ad-hoc group to assist or act on behalf of the SRB. The Safety Action Group
(SAG) reports to and takes strategic direction from the SRB. It is comprised of
managers, supervisors and staff from operational areas. Membership of the
Group and frequency of meetings should be defined. The Safety Manager
may also participate in the SAG.
The SAG:
(a) Oversees operational safety performance within the functional areas and
ensures that hazard identification and safety risk management are carried
out as appropriate, with staff involvement as necessary to build up safety
awareness;
(b) Coordinates the resolution of mitigation strategies for the identified
consequences of hazards and ensures that satisfactory arrangements
exist for safety data capture and employee feedback;
(c) Assesses the impact of operational changes on safety;
(d) Maintenance and review of relevant performance indicators
14
(e) Coordinates the implementation of corrective action plans and convenes
meetings or briefings as necessary to ensure that ample opportunities are
available for all employees to participate fully in management for safety;
(f) Ensures that corrective action is taken in a timely manner;
(g) Reviews the effectiveness of previous safety recommendations; and
(h) Oversees safety promotion and ensures that appropriate safety,
emergency and technical training of personnel is carried out that meets or
exceeds minimum regulatory requirements.
2.4
Coordination of emergency response planning
An Emergency Response Plan (ERP) should be established that provides the
actions to be taken by the organization or individuals in an emergency. The
emergency response plan should be integrated into the SMS and reflect the size,
nature and complexity of the activities performed by the organization.
The ERP should ensure:
(a) An orderly and efficient transition from normal to emergency operations;
(b) Designation of emergency authority;
(c) Assignment of emergency responsibilities;
(d) Authorization by key personnel for actions contained in the plan;
(e) Coordination of efforts to resolve the emergency;
(f) Safe continuation of operations or return to normal operations as soon as
practicable.
(g) Compatibility with other emergency response plans of other organizations.
The ERP should set out the responsibilities, roles and actions for the various
agencies and personnel involved in dealing with emergencies. It may include
checklists and contact details and the ERP should be regularly reviewed and
tested. Key personnel should have easy access to the ERP at all times.
For an AOC holder, a comprehensive ERP would include other aspects of
aircraft accident response such as, crisis management centre, management of
an accident site, news media, coordination with state investigations, family
assistance, post critical incident stress counseling, etc. It should also include
arrangements for emergencies at line stations.
2.5
SMS documentation
SMS documentation must include and make reference to, as appropriate, all
relevant and applicable national and international regulations. It must also
include SMS-specific records and documentation, such as system descriptions,
gap analysis, hazard reporting forms, lines of accountability, responsibility and
authority regarding the management of operational safety, and the structure of
the safety management organization. It must furthermore document explicit
guidelines for records management, including handling, storage, retrieval and
preservation.
15
SMS Manual
The SMS Manual (SMSM) is a key instrument for communicating the
organization’s approach to safety to the whole organization. It documents all
aspects of the SMS, including the safety policy, objectives, procedures and
individual safety accountabilities.
Typical contents of an SMSM include:
(a) Scope of the SMS;
(b) Safety policy and objectives;
(c) Safety accountabilities;
(d) Key safety personnel;
(e) Documentation control procedures;
(f) Coordination of emergency response planning;
(g) Hazard identification and risk management schemes;
(h) Safety assurance;
(i)
Safety performance monitoring;
(j)
Safety auditing;
(k) Management of change;
(l)
Safety promotion; and
(m) Contracted activities.
An SMS Manual should preferably be a manual by itself. For small
organizations, it is possible for the SMS Manual to be incorporated within an
existing organization’s manual. In either case, the various SMS components
and their relevant integration should be adequately and systematically
documented.
Safety Library
In a large organization, operating a SMS generates significant amount of data,
documents and reports. Proper management and record keeping of such data
is crucial for sustaining an effective SMS. Effective safety analysis is totally
dependent upon the availability and competent use of the safety information
management system. To facilitate easy retrieval and consolidation of safety
data/information, it is necessary to ensure that there is relevant integration
between the various sources of such data or reports. This is important where
different departments within the organization have traditionally limited the
scope of safety data distribution to within the department itself. Cross
functional safety data integration becomes important in this case.
It is necessary that the organization maintain a systematic record of all
measures taken to fulfill the objectives and activities of the SMS. Such records
would be required as evidence of ongoing SMS processes including hazard
identification, risks mitigation and safety performance monitoring. These
16
records should be appropriately centralized and maintained in sufficient detail
to ensure traceability of all safety related decisions. Examples of such records
include:
(a)
Hazards Register
(b) Incident/Accident reports
(c) Accident/Accident investigation reports
(d)
(e)
Safety/SMS audit reports
Periodic analyses of safety trends/indicators
(f)
(g)
Minutes of safety committee or safety action group meetings
Hazard and Risk Analysis Reports, etc.
Quality safety data are the lifeblood of safety management. Sound
management of the organization’s databases is fundamental to effective safety
management functions (such as trend monitoring, risk assessment,
cost-benefit analyses and occurrence investigations).
17
3.
SAFETY RISK MANAGEMENT
Safety risk management is a generic term that encompasses the assessment
and mitigation of the safety risks of the consequences of hazards that threaten
the capabilities of an organization, to a level as low as reasonably practicable
(ALARP). The objective of safety risk management is to provide the foundation
for a balanced allocation of resources among all assessed safety risks and
those safety risks the control and mitigation of which are viable. Safety risk
management is therefore a key component of the safety management process.
Its added value, however, lies in the fact that it is a data driven approach to
resource allocation, thus defensible and easier to explain.
The safety risk management of an SMS encompasses two distinct activities:
hazard identification and safety risk assessment and mitigation.
3.1
Hazard identification
A hazard is defined as a condition or an object with the potential to cause
injuries to personnel, damage to equipment or structures, loss of material, or
reduction of ability to perform a prescribed function. Hazard identification is a
process where organizational hazards are identified and managed so that
safety is not compromised.
Sources of hazard identification
There are a variety of sources of hazard identification. Some sources are
internal to the organization while other sources are external to the organization.
Examples of the internal sources of hazard identification available to an
organization include:
(a) flight data analysis
(b) company voluntary reporting system;
(c) safety surveys;
(d) safety audits;
(e) normal operations monitoring schemes;
(f) trend analysis;
(g) feedback from training; and
(h) investigation and follow-up of incidents.
Examples of external sources of hazard identification available to an
organization include:
(a) accident reports;
(b) State mandatory occurrence reporting system;
(c) State voluntary reporting system;
(d) State oversight audits; and
(e) information exchange systems.
Note: Confidential reporting systems should be based on established
human factors principles including an effective feedback process.
All personnel in aviation organizations should receive the appropriate safety
18
management training, at a level commensurate with their responsibilities, so
that everybody in the organization is prepared and able to identify and report
hazards. From this perspective, hazard identification and reporting are
everybody’s responsibility. However, organizations must have designated
personnel with the exclusive charge of hazard identification and analysis. This
would normally be the personnel assigned to the safety services office.
Therefore, broadening the previous perspective, in aviation organizations,
hazard identification is everybody’s responsibility, but accountability for hazard
identification lies with dedicated safety personnel.
Under mature safety management practices, hazard identification is a
continuous, ongoing, daily activity. It never stops or rests. It is an integral part
of the organizational processes aimed at delivering the services that the
organization is in business to deliver. Nevertheless, there are three specific
conditions under which special attention to hazard identification is warranted.
These three conditions should trigger more in-depth and far-reaching hazard
identification activities and include:
(a) any time the organization experiences an unexplained increase in
safety-related events or regulatory infractions;
(b) any time major operational changes are foreseen, including changes to
key personnel or other major equipment or systems; and
(c) before and during periods of significant organizational change,
including rapid growth or contraction, corporate mergers, acquisitions
or downsizing.
The scope of hazard identification is across the operational activities of the
organization with data derived from reactive, proactive and predictive schemes.
Reactive schemes include data from accidents, incidents and mandatory
reports. Proactive schemes include voluntary incident reporting, confidential
reporting schemes, safety surveys, operational safety audits and safety
assessments.
Predictive schemes include flight data analysis, direct
observation systems. Managed group sessions can also be used to identify
hazards.
Hazard identification process
The hazard identification process shall include the following steps:
(a) reporting of hazards, events or safety concerns;
(b) analysis of the safety data, develop control and mitigation strategies;
(c) implementation and re-evaluate strategies
(d) collection and storage of safety data (safety library);
(e) distribution of the safety information distilled from the safety data.
Hazard analysis
Hazard analysis is, in essence, a three-step process:
(a) First step. Identify the generic hazard (also known as top level
hazard(TLH)).
— airport construction
19
(b) Second step. Break down the generic hazard into specific hazards.
— construction equipment
— closed taxiways, etc.
(c) Third step. Link specific hazards to potentially specific consequences.
— aircraft colliding with construction equipment (construction
equipment)
— aircraft taking off into the wrong taxiway (closed taxiways), etc.
Documentation of Hazards
Appropriate documentation management regarding hazard identification is
important as a formal procedure to translate raw operational safety information
into hazard-related knowledge. Continuous compilation and formal
management of this hazard-related knowledge becomes the “safety library” of
an organization. In order to develop knowledge on hazards and thus build the
“safety library”, it must be remembered that tracking and analysis of hazards
are facilitated by standardizing:
a) definitions of terms used;
b) understanding of terms used;
c) validation of safety information collected;
d) reporting (i.e. what the organization expects);
e) measurement of safety information collected; and
f) management of safety information collected.
The following flowchart illustrates the process of hazard management and
documentation.
Figure 3-1
The safety risk management process
20
3.2
Safety risk assessment and mitigation
Following the identification of a hazard a form of analysis and mitigation of risks
is required to assess its potential for harm or damage. Risk assessment uses
conventional breakdown of risk in its two components. This involves two
considerations:
(a) Probability: The
consequences.
probability
of
the
hazard
causing
adverse
(b) Severity: The severity of the potential adverse consequences.
Risk assessment and mitigation processes analyze and eliminate or mitigate to
an acceptable level risks that could threaten the capabilities of an organization.
A system should be developed for assessing and analyzing the data collected
or derived from the actions outlined above. Information provided by analysis
should be distributed to those with a responsibility for operational safety in the
organization.
Safety Risk Probability
The process of bringing the safety risks of the consequences of hazards under
organizational control starts by assessing the probability that the
consequences of hazards materialize during operations aimed at delivery of
services. This is known as assessing the safety risk probability.
Safety risk probability is defined as the likelihood that an unsafe event or
condition might occur. The definition of the likelihood of a probability can be
aided by questions such as:
(a) Is there a history of similar occurrences to the one under consideration,
or is this an isolated occurrence?
(b) What other equipment or components of the same type might have
similar defects?
(c) How many personnel are following, or are subject to, the procedures in
question?
(d) What percentage of the time is the suspect equipment or the
questionable procedure in use?
(e) To what extent are there organizational, management or regulatory
implications that might reflect larger threats to public safety?
21
Figure 3-2 presents a typical safety risk probability table. The table includes
five categories to denote the probability of occurrence of an unsafe event or
condition, the meaning of each category, and an assignment of a value to each
category.
Probability of
occurrence
Meaning
Value
Frequent
Likely to occur many times
(has occurred frequently)
5
Occasional
Likely to occur sometimes
(has occurred infrequently)
4
Remote
Unlikely to occur, but possible
(has occurred rarely)
3
Improbable
Very unlikely to occur
(not known to have occurred)
2
Extremely
improbable
Almost inconceivable that the event will
occur
1
Figure 3-2 Safety risk probability table
Safety Risk Severity
Once the safety risk of an unsafe event or condition has been assessed in
terms of probability, the second step in the process of bringing the safety risks
of the consequences of hazards under organizational control is the
assessment of the severity of the consequences of the hazard if its damaging
potential materializes during operations aimed at delivery of services. This is
known as assessing the safety risk severity.
Safety risk severity is defined as the possible consequences of an unsafe
event or condition, taking as reference the worst foreseeable situation. The
assessment of the severity of the consequences of the hazard if its damaging
potential materializes during operations aimed at delivery of services can be
assisted by questions such as:
(a) How many lives may be lost (employees, passengers, bystanders and
the general public)?
(b) What is the likely extent of property or financial damage (direct property
loss to the operator, damage to aviation infrastructure, third-party
collateral damage, financial and economic impact for the State)?
(c) What is the likelihood of environmental impact (spillage of fuel or other
hazardous product, and physical disruption of the natural habitat)?
(d) What are the likely political implications and/or media interest?
22
Figure 3-3 presents a typical safety risk severity table. The table includes five
categories to denote the probability of occurrence of an unsafe event or
condition, the meaning of each category, and an assignment of a value to each
category.
Severity of
occurrence
Catastrophic
Hazardous
Major
Minor
Negligible
Meaning
- Equipment destroyed
- Multiple deaths
- A large reduction in safety margins, physical
distress or a workload such that the operators
cannot be relied upon to perform their tasks
accurately or completely.
- Serious injury
- Major equipment damage
- A significant reduction in safety margins, a
reduction in the ability of the operators to cope
with adverse operating conditions as a result of
increase in workload, or as a result of conditions
impairing their efficiency.
- Serious incident
- Injury to persons
- Nuisance
- Operating limitations
- Use of emergency procedures
- Minor incident
- Little consequences
Value
A
B
C
D
E
Figure 3-3 Safety risk severity table
Safety Risk Tolerability
Once the safety risk of the consequences of an unsafe event or condition has
been assessed in terms of probability and severity, the third step in the process
of bringing the safety risks of the consequences of the unsafe event or
condition under organizational control is the assessment of the tolerability of
the consequences of the hazard if its damaging potential materializes during
operations aimed at delivery of services. This is known as assessing safety risk
tolerability. This is a two-step process.
First, it is necessary to obtain an overall assessment of the safety risk. This is
achieved by combining the safety risk probability and safety risk severity tables
into a safety risk assessment matrix, an example of which is presented in
Figure 3-4. Each composite of probability and severity is the safety risk of the
consequences of the hazard under consideration. The color coding in the
matrix in Figure 3-4 reflects three tolerability regions: red for Intolerable region,
yellow for tolerable region, and green for acceptable region, respectively.
23
Risk severity
Risk
probability
Catastrophic
Hazardous
Major
Minor
Negligible
A
B
C
D
E
5C
Frequent
5
5A
5B
Occasional
4
4A
4B
Remote
3
3A
Improbable
2
Extremely
improbable
1
1A
3E
1B
1C
2D
2E
1D
1E
Figure 3-4 Safety risk assessment matrix
Second, the safety risk index obtained from the safety risk assessment matrix
must then be exported to a safety risk tolerability matrix in Figure 3-5, which
describes the tolerability criteria.
Risk Level
Intolerable
region
Risk index
Suggested criteria
5A, 5B, 5C,4A
4B, 3A
Unacceptable under the existing
circumstances Do not permit any
operation until sufficient control
measures have been implemented to
reduce risk to an acceptable level.
Acceptable based on risk mitigation. It
may require management decision.
Acceptable
region
3E, 2D, 2E, 1A
1B, 1C, 1D, 1E
Acceptable
Figure 3-5 Safety risk tolerability matrix
If the safety risk falls in the intolerable region, the safety risk of the
consequences of the hazard is unacceptable. The organization must:
(a) allocate resources to reduce the exposure to the consequences of the
hazards;
(b) allocate resources to reduce the magnitude or the damaging potential of
the consequences of the hazards; or
(c) cancel the operation if mitigation is not possible.
Safety risks assessed as initially falling in the intolerable region are
unacceptable under any circumstances. The probability and/or severity of the
consequences of the hazards are of such a magnitude, and the damaging
potential of the hazard poses such a threat to the viability of the organization,
that immediate mitigation action is required.
Safety risks assessed as initially falling in the tolerable region are acceptable,
provided mitigation strategies already in place guarantee that, to the
24
foreseeable extent, the probability and/or severity of the consequences of
hazards are kept under organizational control. The same control criteria apply
to safety risks initially falling in the intolerable region and mitigated to the
tolerable region. A safety risk initially assessed as intolerable that is mitigated
and slides down to the tolerable region must remain “protected” by mitigation
strategies that guarantee its control.
Risk Control/Mitigation
In the final step of the process of bringing the safety risks of the consequences
of an unsafe event or condition under organizational control, control/mitigation
strategies must be deployed. Generally speaking, control and mitigation are
terms that can be used interchangeably. Both are meant to designate
measures to address the hazard and bring under organizational control the
safety risk probability and severity of the consequences of the hazard.
For example If the safety risk of the consequences of the hazard under
analysis has been assessed as 4B (“unacceptable under the existing
circumstances”). Resources must then be allocated to slide it down the triangle,
into the tolerable region, where safety risks are ALARP. If this cannot be
achieved, then the operation aimed at the delivery of services which exposes
the organization to the consequences of the hazards in question must be
cancelled. Figure 3-6 presents the process of safety risk management in
graphic format.
Equipment, procedures, organization, etc.
Hazard
identification
Analyze the likelihood of the consequence occurring
Risk analysis
probability
Evaluate the seriousness of the consequence if it does occur
Risk analysis
severity
Is the assessed risk acceptable and within the organization’s
safety performance criteria?
Risk assessment
and tolerability
Yes, accept the risk
Risk control/
mitigation
No, take action to reduce the
risk to an acceptable level
Figure 3-6 The process of safety risk management
There are three generic strategies for safety risk control/mitigation:
(a) Avoidance. The operation or activity is cancelled because safety risks
exceed the benefits of continuing the operation or activity. Examples of
avoidance strategies include:
25
(1) operations into an aerodrome surrounded by complex geography
and without the necessary aids are cancelled;
(2) operations in RVSM airspace by non-RVSM equipped aircraft are
cancelled.
(b) Reduction. The frequency of the operation or activity is reduced, or
action is taken to reduce the magnitude of the consequences of the
accepted risks. Examples of reduction strategies include:
(1) operations into an aerodrome surrounded by complex geography
and without the necessary aids are limited to daytime, visual
conditions;
(2) operations by non-RVSM equipped aircraft are conducted above or
below RVSM airspace.
(c) Segregation of exposure. Action is taken to isolate the effects of the
consequences of the hazard or build in redundancy to protect against
them. Examples of strategies based on segregation of exposure include:
(1) operations into an aerodrome surrounded by complex geography
and without the necessary aids are limited to aircraft with specific
performance navigation capabilities;
(2) non-RVSM equipped aircraft are not allowed to operate into
RVSM airspace.
The following shows a sample flowchart of the risk mitigation process and a
sample risk mitigation worksheet.
Figure 3-7 The safety risk mitigation process
26
Type of
operation
or
activity
Generic
hazard
Specific
components
of the
hazard
Hazard-related
consequences
Existing defenses to
control safety risks,
and safety risk index
Further action to reduce
safety risks, and resulting
safety risk index
Airport
operation
Airport
construction
Construction
vehicles
crossing
primary
runway
a) Construction
vehicles may
deviate from
prescribed
procedures
and cross
the primary
runway
without an
escort.
a) The SAG
assessment leads
to the conclusion
that there is a
remote probability
that a construction
vehicle will deviate
from prescribed
procedures and
cross the primary
runway without an
escort.
a) The SAG decides to
control the safety risk by
using an existing
aerodrome perimeter road
to gain access to the
construction site. All
construction vehicles will
be escorted on the
perimeter road.
b) Aircraft could
conflict with
a crossing
vehicle.
b) There are night air
carrier operations
at the airport, so
there is a remote
probability that an
aircraft could
conflict with a
crossing vehicle.
c) While the
probability of an
aircraft/
construction
vehicle conflict is
remote, the SAG
assesses that,
should such
conflict occur, the
severity of the
occurrence could
be catastrophic.
d) The SAG assesses
existing defenses
(driver training
program, use of
escorts for
construction
vehicles, signs,
markings and
lighting)
e) Using the safety
risk assessment
matrix (Chapter 3,
Figure 3-4) and the
safety risk
tolerability matrix
(Chapter 3, Figure
3-5), the SAG
assesses:
Safety risk index:
3A
Safety risk
tolerability:
Unacceptable
under the existing
circumstances.
b) With this mitigation, the
SAG reassesses the
probability of construction
vehicles crossing the
primary runway without an
escort, or that aircraft
could conflict with a
crossing vehicle, as being
extremely improbable.
Nevertheless, should an
aircraft/construction
vehicle conflict occur, the
severity of such an
occurrence could still be
catastrophic.
c) Use of the perimeter road
as mitigation may delay
construction vehicles due
to the added driving
distance, but in the
assessment of the SAG:
while it does not entirely
remove the possibility of
the consequences of the
hazard from occurring
(construction vehicles
may still cross the primary
runway due to a number
or combination of
circumstances), it
nevertheless brings the
safety risks of the
consequences
(construction vehicle
deviating from prescribed
procedures and crossing
the primary runway
without an escort; and
aircraft in conflict with a
crossing vehicle) to an
acceptable level.
d) Using the safety risk
assessment matrix
(Chapter 3, Figure 3-4)
and the safety risk
tolerability matrix (Chapter
3, Figure 3-5), the SAG
reassesses:
Safety risk index: 1A
Safety risk tolerability:
Acceptable.
e) The SAG documents this
decision process for future
follow-up with the Any city
International Airport safety
manager.
Table 3-1 Hazard identification and safety risk management
27
4
SAFETY ASSURANCE
Safety assurance can be defined as activities designed to gain confidence that
risk controls established during safety risk management continue to be
effective. The safety assurance function applies the activities of safety
assurance and internal evaluation to ensure that risk controls, once designed,
continue to conform to their expectations and that they continue to be effective
in maintaining risk within acceptable levels. These assurance and evaluation
functions also provide a basis for continuous improvement.
The safety assurance activities should include procedures that ensure that
corrective actions are developed in response to findings of reports, studies,
surveys, audits, evaluations and so forth, and to verify their timely and effective
implementation.
Organizational responsibility for the development and
implementation of corrective actions should reside with the operational
departments cited in the findings. If new hazards are discovered, the safety risk
management process should be employed to determine if new safety risk
controls should be developed. Safety assurance, utilizes auditing, analysis,
review and similar techniques, in line with those utilized by quality
management systems.
4.1
Safety performance monitoring and measurement
Safety Performance Indicators and Safety Performance Targets provide a
measurable way of ensuring and demonstrating the effectiveness of an SMS
beyond regulatory compliance. Such safety performance measurements
should express or link to the safety objectives of the aviation organization.
Safety performance measurements have to be agreed between CAA and the
aviation organization.
Safety performance monitoring is the process by which safety performance
indicators of the organization are reviewed in relation to safety policies and
objectives. Such monitoring would normally be done at the safety committee
and where applicable safety action group level. Any significant abnormal
trend would warrant appropriate investigation into potential hazards or risks
associated with such deviation.
The following provides a list of generic aspects or areas to be considered to
“assure safety” through safety performance monitoring and measurement:
(a) Responsibility. Who is accountable for management of the
operational activities (planning, organizing, directing, controlling) and
its ultimate accomplishment.
(b) Authority. Who can direct, control or change the procedures and who
cannot as well as who can make key decisions such as safety risk
acceptance decisions.
(c) Procedures. Specified ways to carry out operational activities and that
translate the “what” (objectives) into “how” (practical activities).
(d) Controls. Elements of the system, including, hardware, software,
special procedures or procedural steps, and supervisory practices
designed to keep operational activities on track.
(e) Interfaces. An examination of such things as lines of authority between
departments, lines of communication between employees, consistency
of procedures, and clear delineation of responsibility between
organizations, work units and employees.
28
(f) Process measures. Means of providing feedback to responsible
parties that required actions are taking place, required outputs are
being produced and expected outcomes are being achieved.
Safety Performance Indicators
Safety performance indicators (parameters) are generally data based
expressions of the frequency of occurrence of some safety/ quality related
events, incidents or reports. These occurrence data may be reactive,
proactive or predictive in nature. There is no single safety performance
indicator that is appropriate to all organizations. The indicator(s) chosen
should correspond to the organization’s relevant safety objectives.
Safety Performance Targets
Safety performance targets are quantifiable and have time components. They
should be achievable and realistic. These safety performance targets should
be measured and monitored with the use of safety performance indicators
where applicable.
Safety Reporting Systems
Confidential reporting systems should be based on a just culture providing
appropriate protection for the reporter including an effective feedback process.
This approach should encourage staff at all levels to proactively report near
misses and hazards. More guidance on safety reporting systems may be
found in CAA AC 00-001A.
4.2
The management of change
Aviation organizations experience constant change due to expansion and
introduction of new equipment or procedures. Changes can introduce new
hazards or risks which can impact the appropriateness or effectiveness of
previous risk mitigation. External changes would include change of regulatory
requirements, security status/level or re-arrangement of air traffic
control/provisions,
etc.
Internal
changes
can
involve
management/organizational changes, major new equipment introduction or
new procedures, etc.
A formal management of change process should identify changes within or
from outside the organization which may affect established processes and
services from a safety viewpoint. Prior to implementing such changes, the new
arrangements should be assessed using the SMS hazard and risk analysis
protocol or in relation to previously completed risk mitigation as applicable.
Activities with safety risks should be scheduled for a baseline hazard analysis
in accordance with the organization’s safety risk management process.
Periodically, such activities should be reviewed for any changes to the
operational environment which may affect the continued validity of the previous
baseline analysis.
The procedure for routine review of completed safety assessments should be
established as appropriate. The interval for such scheduled review may be on
a case by case basis or as a standard interval, for example annually. Such
scheduled review may take into consideration previously unidentified hazard/
risks based on operational or industry incident/ accident investigation findings.
Likewise, any modification or change subsequent to the initial safety
29
assessment done should be evaluated for any possible effect on the existing
safety assessment.
4.3
Continuous improvement of the SMS
Internal SMS Audit
Internal safety (SMS) audits are used to ensure that the structure of an SMS is
sound. It is also a formal process to ensure continuous improvement and
effectiveness of the SMS. The protocol for conducting a SMS audit (from
planning to final corrective action closure) should be no different from any other
system audit. Audits should involve the use of appropriate checklists. The
overall scope of an SMS audit should include:
-
Regulatory SMS requirements
Structure of safety accountabilities
Organizational safety policies and standards
Documentation, including SMS manual and SMS records
Compliance with SMS hazard/ risk evaluation procedures
Adequacy of staff training for their SMS roles
Safety Performance indicators
Compliance with safety assessment plan or schedule
Effective SMS integration with other control systems
SMS integration with contractors where applicable
Continuing assessments and management of change
Review completed safety assessments for any that may be obviously
sub-standard or inadequate
Safety Reviews
Over and above SMS audits, safety reviews or surveys may be employed as a
proactive procedure for examining particular elements, processes or a specific
operation for any safety concerns or sub-standard performance. Such targeted
safety surveys may be initiated as a follow up to informal feedback or
voluntary/confidential reports to identify issues that may contribute to
generation of hazard/risks or their escalation factors, such as:
- Problem areas or bottlenecks in daily operations
- Perceptions and opinions about personnel’s competency with possible
safety implications
- Poor Teamwork and cooperation between employee groups or
departments
(especially
involving
safety/operational/technical
functions)
- Areas of dissent or perceived confusion (especially involving
safety/operational/technical functions)
- Unsafe working procedures or conditions
- Prolonged working hours or long-term manpower shortfall, etc
30
5.
SAFETY PROMOTION
An organizational safety effort cannot succeed by mandate or strictly though
mechanistic implementation of policies. Safety promotion sets the tone that
predisposes both individual and organizational behavior and fills in the blank
spaces in the organization’s policies, procedures and processes, providing a
sense of purpose to safety efforts.
Many of the processes and procedures specified in the safety policy and
objectives and safety risk management and safety assurance components of
the SMS provide the structural building blocks of an SMS. However, the
organization must also set in place processes and procedures that allow for
communication among operational personnel and with the organization’s
management. Organizations must make every effort to communicate their
objectives, as well as the current status of the organization’s activities and
significant events. Likewise, organizations must supply a means of upward
communication in an environment of openness.
Safety promotion includes:
(a) training and education, including safety competency; and
(b) safety communication.
5.1
Training and Education
The safety manager provides current information and training related to safety
issues relevant to the specific operations and operational units of the
organization. The provision of appropriate training to all staff, regardless of
their level in the organization, is an indication of management’s commitment to
an effective SMS. Safety training and education should consist of the following:
(a) a documented process to identify training requirements;
(b) a validation process that measures the effectiveness of training;
(c) initial (general safety) job-specific training;
(d) indoctrination/initial training incorporating SMS, including Human
Factors and organizational factors; and
(e) recurrent safety training.
Training requirements and activities should be documented for each area of
activity within the organization. A training file should be developed for each
employee, including management, to assist in identifying and tracking
employee training requirements and verifying that personnel have received the
planned training. Training programs should be adapted to fit the needs and
complexity of the organization.
Safety training within an organization must ensure that personnel are trained
and competent to perform their safety management duties. The SMS Manual
(SMSM) should specify initial and recurrent safety training standards for
operational personnel, managers and supervisors, senior managers and the
Accountable Executive. The amount of safety training should be appropriate to
the individual’s responsibility and involvement in the SMS. The SMSM should
also specify safety training responsibilities, including contents, frequency,
validation and safety training records management.
Safety training should follow a building-block approach. Safety training for
operational personnel should address safety responsibilities, including
following all operating and safety procedures, and recognizing and reporting
hazards. The training objectives should include the organization’s safety policy
31
and SMS fundamentals and overview. The contents should include the
definition of hazards, consequences and risks, the safety risk management
process, including roles and responsibilities and, quite fundamentally, safety
reporting and the organization’s safety reporting system(s).
Safety training for managers and supervisors should address safety
responsibilities, including promoting the SMS and engaging operational
personnel in hazard reporting. In addition to the training objectives established
for operational personnel, training objectives for managers and supervisors
should include a detailed knowledge of the safety process, hazard identification
and safety risk assessment and mitigation, and change management. In
addition to the contents specified for operational personnel, the training
contents for supervisors and managers should include safety data analysis.
Safety training for senior managers should include safety responsibilities
including compliance with national and organizational safety requirements,
allocation of resources, ensuring effective inter-departmental safety
communication and active promotion of the SMS. In addition to the objectives
of the two previous employee groups, safety training for senior managers
should include safety assurance and safety promotion, safety roles and
responsibilities, and establishing acceptable levels of safety.
Lastly, safety training should include special safety training for the Accountable
Executive. This training session should be reasonably brief (it should not
exceed one-half day), and it should provide the Accountable Executive with a
general awareness of the organization’s SMS, including SMS roles and
responsibilities, safety policy and objectives, safety risk management and
safety assurance.
5.2
Safety Communication
The organization should communicate SMS objectives and procedures to all
operational personnel, and the SMS should be visible in all aspects of the
organization’s operations supporting the delivery of services. The safety
manager should communicate the performance of the organization’s SMS
program through bulletins and briefings.
The safety manager should also ensure that lessons learned from
investigations and case histories or experiences, both internally and from other
organizations, are distributed widely. Communication should flow between the
safety manager and operational personnel throughout the organization. Safety
performance will be more efficient if operational personnel are actively
encouraged to identify and report hazards. Safety communication therefore
aims to:
(a) ensure that all staff are fully aware of the SMS;
(b) convey safety-critical information;
(c) explain why particular actions are taken;
(d) explain why safety procedures are introduced or changed; and
(e) convey “nice-to-know” information.
Examples of organizational communication include:
(a) safety management systems manual (SMSM);
(b) safety processes and procedures;
(c) safety newsletters, notices and bulletins; and
32
(d) websites or email.
Confidential safety reporting systems should be established. These reporting
systems should be based on a just culture providing appropriate protection for
the reporter including an effective feedback process. This approach should
encourage staff at all levels to proactively report near misses and hazards.
More guidance on safety reporting systems may be found in CAA AC 00-001A.
33
ATTACHMENT 1
SMS IMPLEMENTATION PLAN
Phases I &II should be completed by June 30, 2011. Phase III should be completed
by June 30, 2012. Phase IV should be completed by December 31, 2012.
1. PHASE I — PLANNING SMS IMPLEMENTATION
1.1
The Accountable Executive
Identify the Accountable Executive and the person or planning group to
develop the SMS implementation plan.
1.2
System description and gap analysis.
System description
Perform the system description, which is the first prerequisite activity for the
development of an SMS in an organization. It should include the interfaces
within the system, as well as the interfaces with other systems in the air
transportation system.
Gap analysis
(a) Perform a gap analysis, against the four components and twelve elements
of the ICAO SMS framework, to identify existing safety arrangements
within the organization and those that are missing.
(b) Based upon the results of the gap analysis, the person or planning group
should be able to develop the SMS implementation plan taking into
consideration:
—
the identification of
implementation; and
potential
gaps
that
may
hinder
SMS
— the development of strategies to address such gaps.
1.3
Safety policy and objectives
Safety policy
- Develop a safety policy.
- Have the Accountable Executive sign the safety policy.
- Communicate the safety policy, with visible endorsement, throughout the
organization.
- Establish a review schedule for the safety policy to ensure it remains
relevant and appropriate to the organization.
Safety objectives
34
Establish safety objectives for the SMS, by developing safety performance
standards in terms of:
- safety performance indicators;
- safety performance targets; and
- action plans.
Establish the SMS requirements for subcontractors:
- establish a procedure to write SMS requirements into the contracting
process; and
- establish the SMS requirements in the bidding documentation.
1.4
Safety accountabilities and appointment of key safety personnel
SMS organizational structure
- Establish the safety services office.
- Appoint a safety manager as the responsible individual and focal point
for the development and maintenance of an effective SMS.
- Assess and establish lines of communication between the safety
services office and the Accountable Executive, the Safety Action Group
(SAG) and the Safety Review Board (SRB).
- Ensure that the functional lines of communication are commensurate
with the size of the organization and complexity of the services provided.
- Establish the Safety Review Board (SRB) chaired by the Accountable
Executive.
- Appoint senior managers, including line managers responsible for
functional areas, to the SRB.
- Assign appropriate strategic functions to the SRB.
- Establish the Safety Action Group (SAG).
- Appoint line managers and representatives of front-line personnel to the
SAG.
- Assign appropriate tactical functions to the SRB.
- Document all safety responsibilities, accountabilities and authorities and
communicate those throughout the organization, including a definition of
the levels of management with authority to make decisions regarding
safety risk tolerability.
- Develop a schedule of meetings for the safety services office to meet
with the SRB and SAG as needed.
1.5
Coordination of the emergency response plan (ERP)
Internal coordination
- Review the outline of the ERP related to the delegation of authority and
35
assignment of emergency responsibilities.
- Establish coordination procedures for action by key personnel during the
emergency and the return to normal operations.
External coordination
- Identify external entities that will interact with the organization during
emergency situations.
- Assess their respective ERPs.
- Establish coordination between the different ERPs.
- Incorporate the coordination among different ERPs in the organization’s
safety management systems manual (SMSM).
1.6
SMS documentation
- Establish the mechanism to collect and store the SMS-specific records
and documentation.
- Refer to all relevant and applicable national regulations and international
standards.
- Develop guidelines for records management that includes the SMS
implementation plan and the SMSM.
SMS implementation plan
- Appoint the person, or establish the planning group, responsible for the
development of the SMS implementation plan.
- Collect all applicable documents that form the SMS implementation plan.
- Conduct regular meetings with senior management to assess progress.
- Allocate resources (including time for meetings) commensurate with the
tasks at hand.
- Include significant items of the SMS implementation plan in the business
plan of the organization.
- Identify the costs associated with the training and planning required for
SMS implementation.
- Allocate time for the development and deployment of the SMS
implementation plan among the different management layers of the
organization.
- Draft a budget for SMS implementation.
- Approve the initial budget for SMS implementation.
- Submit the SMS implementation plan for endorsement by senior
management.
Safety management systems manual (SMSM)
36
- Draft the SMSM to communicate the organization’s approach to safety to
the whole organization.
- Expand, review and amend the contents of the SMSM (which is a living
document) as the phased approach of the SMS evolves.
1.7
Safety promotion — Training
Safety training
- Develop a documented process to identify training requirements.
- Develop a validation process that measures the effectiveness of training.
- Develop safety training considering:
＞initial (general safety) job-specific training;
＞ indoctrination/initial training incorporating SMS, including Human
Factors and organizational factors;
＞ recurrent training.
- Identify the costs associated with training.
- Organize and set up schedules for appropriate training for all staff
according to their individual responsibilities and involvement in the SMS.
- Develop training files for each employee, including management.
1.8
Safety promotion — Safety communication
Establish a means to convey organizational information on Phase I, including:
- safety newsletters, notices and bulletins;
- websites;
- email.
1.9
Time frame for implementation, and deliverables
The estimated time frame for implementation of Phase I could take from 1 to 6
months, depending on the size of the organization and complexity of the
services provided.
Deliverables
(1) Safety policy signed by the Accountable Executive.
(2) Safety policy communicated to all staff.
(3) System description completed.
(4) Gap analysis completed.
(5) SMS organizational structure in place.
(6) SMS implementation plan approved.
37
(7) Training on SMS planning phase delivered.
(8) Initial draft of SMSM published.
(9) Means to communicate safety issues established.
2.
PHASE II — REACTIVE SAFETY MANAGEMENT PROCESSES
2.1
Hazard identification and analysis based on reactive processes
Hazard identification
- Identify the internal and external sources to be used in collecting reactive
information on hazards.
- Implement a structured approach to the reactive identification of
hazards.
2.2
Safety risk management based on reactive processes
Safety risk assessment
- Develop and adopt a safety risk matrix relevant to the organization’s
operational environment.
- Develop safety risk matrix instructions and include them in the training
program.
2.3
Training
Develop a safety training program for front-line personnel, managers and
supervisors on:
- the relevant SMS implementation plan components;
- hazard identification and safety risk management based on reactive
processes (front-line personnel are trained on identification and
reporting of hazards from triggering events, and supervisors are trained
on hazard and safety risk management);
- the hazard reporting form/template.
2.4
Documentation on reactive processes
- Establish a safety library.
- Add information on reactive safety risk management processes to the
SMSM. (Information on reactive safety risk management processes will be
used at a later phase to establish safety performance indicators and
targets.)
- Write requirements for hazard identification and safety risk management
based on reactive processes into the bid documentation for contractors, if
necessary, and notify contractors and subcontractors in writing.
38
2.5
Safety promotion — Safety communication
Establish a means to convey organizational information on Phase II:
- safety newsletters, notices and bulletins;
- websites;
- email.
2.6
Time frame for implementation, and deliverables
The estimated time frame for implementation of Phase II could take from 9 to
12 months, depending on the size of the organization and complexity of the
services provided.
Deliverables
(1) Safety library established.
(2) Reactive safety management processes implemented.
(3) Training relevant to SMS implementation plan components and safety risk
management on reactive processes completed.
(4) Safety-critical information based on safety data captured from reactive
processes distributed to the organization.
3.
PHASE III — PROACTIVE AND PREDICTIVE SAFETY MANAGEMENT
PROCESSES
3.1
Hazard identification and analysis based on proactive and predictive
processes
Hazard identification
- Identify the internal and external sources to be used in collecting
proactive and predictive information on hazards.
- Implement a structured approach to the proactive and predictive
identification of hazards.
3.2
Safety risk management based on proactive and predictive processes
Safety risk assessment
- Develop and adopt a safety risk matrix relevant to the organization’s
operational environment.
- Develop safety risk matrix instructions and include them in the training
program.
3.3
Training
- Train staff of the safety services office on specific proactive and predictive
means of collecting safety related data.
39
- Brief supervisors and front-line personnel on proactive and predictive
processes.
- Develop a safety training program for front-line personnel, managers and
supervisors on:
＞ the relevant SMS implementation plan components;
＞ hazard identification and safety risk management based on proactive
and predictive processes (frontline personnel are trained on
identification and reporting of hazards from less serious triggering events
or during real-time normal operations, and supervisors are trained on
hazard and safety risk management based on proactive and predictive
processes).
3.4
Documentation on proactive and predictive processes
- Store information from safety risk management based on proactive and
predictive processes in the safety library.
- Add information on proactive and predictive safety risk management
processes to the SMSM.
- Develop safety performance indicators and safety performance targets.
- Write requirements for hazard identification and safety risk management
based on proactive and predictive processes into the bid documentation for
contractors, if necessary, and notify contractors and subcontractors in
writing.
3.5
Safety promotion — Safety communication
Establish a means to convey organizational information on Phase III:
- safety newsletters, notices and bulletins;
- websites;
- email.
3.6
Time frame for implementation, and deliverables
The estimated time frame for implementation of Phase III could take from 12 to
16 months, depending on the size of the organization and complexity of the
services provided.
Deliverables
(1) Initial testing period for proactive and predictive means to collect hazard
identification established.
(2) Proactive and predictive safety management processes implemented.
(3) Training relevant to SMS implementation plan components and safety risk
management based on proactive and predictive processes completed.
(4) Safety performance indicators and safety performance targets developed.
40
(5) Critical safety information based on safety data captured by reactive,
proactive and predictive processes distributed to the organization.
4.
PHASE IV — OPERATIONAL SAFETY ASSURANCE
4.1
Safety performance of the SMS
- Establish safety performance indicators.
- Establish safety performance targets.
- Establish action plans.
- Define measures of reliability, availability and/or accuracy related to action
plans, as required.
- Agree on safety performance measurement with the State oversight
authority.
4.2
Safety performance monitoring and measurement
Define and develop information sources for safety performance and
monitoring.
4.3
The management of change
- Establish a formal process for the management of change that considers:
＞ criticality of systems and activities;
＞ stability of systems and operational environments;
＞ past performance.
- Identify changes that might affect established processes, procedures,
products and services.
- Prior to implementing changes, define arrangements to ensure safety
performance.
4.4
Continuous improvement of the SMS
- Develop forms for internal evaluations and ensure independence from
technical processes being evaluated.
- Define an internal audit process.
- Define an external audit process.
- Define a schedule for proactive evaluation of facilities, equipment,
documentation and procedures, to be completed through audits and
surveys.
- Define a schedule for proactive evaluation of an individual’s performance.
-
Develop documentation relevant to operational safety assurance.
41
4.5
Training
Develop training relevant to operational safety assurance for staff involved in
the safety assurance phase.
4.6
Safety promotion — Safety communication
Establish a means to convey organizational information on Phase IV:
- safety newsletters, notices and bulletins;
- websites;
- email.
4.7
Time frame for implementation and deliverables
The estimated time frame for implementation of Phase IV could take from 9 to
12 months, depending on the size of the organization and complexity of the
services provided.
Deliverables
(1) Agreement reached with the State oversight authority on safety
performance indicators and safety performance targets.
(2) Training on safety assurance for operational personnel, managers and
supervisors completed.
(3) Documentation relevant to operational safety assurance placed in the
safety library.
5.
ADDITIONAL GUIDANCE
5.1
Non-Punitive
Information)
Reporting
Policy
(Protection
of
Sources
of
Safety
Although not required in Phase 1, it is important to encourage safety reporting
and to protect safety information sources. It is therefore recommended that in
the early stages of deployment, the organization considers the development of
a written policy to set the parameters for the circumstances in which safety
reporting would be rewarded versus the circumstances in which safety
reporting could lead to possible punitive action against individuals.
An effective safety reporting system (and positive organizational safety culture)
allows employees the freedom (and protection) to report safety concerns
without apportioning blame or affect punishment to those involved. However, in
instances where the safety reports filed indicate the existence of gross
negligence or repeat violations in a certain area, a thorough investigation is
required to establish the root cause of the behavior. Depending on the outcome
of the investigation, based on the facts involved that explained the ‘why’ and
‘how’ questions behind the specific behavior, the organization might decide to
take punitive action against the individuals involved.
An error-tolerant SMS requires appropriate responsibility and accountability
42
from all involved to safe-guard the abuse of the system for personal gain. Even
within a non-punitive reporting environment there are certain acts that should
require disciplinary action (for example, willful gross negligence, criminal intent
or use of illicit substances).
5.2
Human Error:
All unsafe acts indicating human error will be logged into a database including
the root cause (main reason) and other reasons that contributed to the errors
being made.
The following errors should not be punished:
· Errors made as a result of deficiencies in procedures, requirements or
standards;
· Errors made as a result of poor or ineffective supervision;
· Errors induced by the environment;
· Errors induced by the organizational culture; and
·
5.3
Violations:
All unsafe acts indicating violations will be logged into a database including the
root cause (main reason) and other reasons that contributed to the violations
being made.
43
ATTACHMENT 2
SMS GAP ANALYSIS CHECK LIST
The gap analysis checklist that follows can be used as a template to conduct a gap analysis. Each
question is designed for a “Yes” or “No” response. A “Yes” answer indicates that the service provider
already has the component or element of the SMS framework in question incorporated into its system
and that it either matches or exceeds the requirement. A “No” answer indicates that a gap exists between
the component/element of the SMS framework and the service provider’s system.
Organization Name:
Analyzed by:
Date of Analysis:
Reference:
Items
Aspect to be analyzed or question to be answered
Answer
Component 1 — SAFETY POLICY AND OBJECTIVES
Element 1.1 — Management commitment and responsibility
1
� Yes
Is there a safety policy in place?
� No
2
3
4
Does the safety policy reflect organizational commitments regarding
safety management?
� Yes
Does the safety policy include a clear statement about the provision
of the necessary resources for the implementation of the safety
policy?
� Yes
Does the safety policy include the safety reporting procedures?
� Yes
� No
� No
� No
5
6
7
Does the safety policy clearly indicate which types of operational
behaviors are unacceptable?
� Yes
Does the safety policy include the conditions under which
disciplinary action would not apply?
� Yes
Is the safety policy signed by the Accountable Executive?
� Yes
� No
� No
� No
8
9
10
11
Is the safety policy communicated, with visible endorsement,
throughout the [organization]?
� Yes
Is the safety policy periodically reviewed to ensure it remains
relevant and appropriate to the [organization]?
� Yes
Is there a formal process to develop a coherent set of safety
objectives?
� Yes
Are the safety objectives linked to the safety performance indicators,
safety performance targets and action plans?
� Yes
44
� No
� No
� No
Status of
implementation
Items
Aspect to be analyzed or question to be answered
Answer
� No
12
Are the safety objectives publicized and distributed?
� Yes
� No
Element 1.2 — Safety accountabilities
13
14
15
16
17
18
19
20
21
Has the [organization] identified an Accountable Executive who,
irrespective of other functions, shall have ultimate responsibility and
accountability, on behalf of the [organization], for the implementation
and maintenance of the SMS?
� Yes
Does the Accountable Executive have responsibility for ensuring that
the safety management system is properly implemented and
performing to requirements in all areas of the [organization]?
� Yes
Does the Accountable Executive have full control of the financial
resources required for the operations authorized to be conducted
under the operations certificate?
� Yes
Does the Accountable Executive have full control of the human
resources required for the operations authorized to be conducted
under the operations certificate?
� Yes
Does the Accountable Executive have direct responsibility for the
conduct of the organization’s affairs?
� Yes
Does the Accountable Executive have final authority over operations
authorized to be conducted under the operations certificate?
� Yes
Has the organization identified the accountabilities of all members of
management, irrespective of other functions, as well as of
employees, with respect to the safety performance of the SMS?
� Yes
Are the safety responsibilities, accountabilities and authorities
documented and communicated throughout the [organization]?
� Yes
Has the [organization] included a definition of the levels of
management with authority to make decisions regarding safety risk
tolerability?
� Yes
� No
� No
� No
� No
� No
� No
� No
� No
� No
Element 1.3 — Appointment of key personnel
22
23
24
Has the organization appointed a qualified person to manage and
oversee the day-to-day operation of the SMS?
� Yes
Does the person overseeing the operation of the SMS fulfill the
required job functions and responsibilities?
� Yes
Are the safety authorities, responsibilities and accountabilities of
personnel at all levels of the organization defined and documented?
� Yes
� No
� No
� No
Element 1.4 — Coordination of emergency response planning
25
Does the [organization] have an emergency response/contingency
plan appropriate to the size, nature and complexity of the
45
� Yes
Status of
implementation
Items
26
27
Aspect to be analyzed or question to be answered
Answer
organization?
� No
Does the [organization] coordinate its emergency
response/contingency procedures with the emergency/response
contingency procedures of other organizations it must interface with
during the provision of services?
� Yes
Does the [organization] have a process to distribute and
communicate the coordination procedures to the personnel involved
in such interaction?
� Yes
� No
� No
Element 1.5 —SMS documentation
28
29
30
31
32
33
34
35
36
37
38
39
40
Has the [organization] developed and does it maintain a safety
library for appropriate hazard documentation and documentation
management?
� Yes
Has the [organization] developed and does it maintain SMS
documentation in paper or electronic form?
� Yes
Is the SMS documentation developed in a manner that describes the
SMS and the consolidated interrelationships between all the SMS
components?
� Yes
Has the organization developed an SMS implementation plan that
ensures that the SMS meets the organization’s safety objectives?
� Yes
Has the SMS implementation plan been developed by a person or a
planning group which comprises an appropriate experience base?
� Yes
Has the person or planning group received enough resources
(including time for meetings) for the development of the SMS
implementation plan?
� Yes
Is the SMS implementation plan endorsed by the senior
management of the [organization]?
� Yes
Is the SMS implementation plan regularly reviewed by the senior
management of the [organization]?
� Yes
Does the SMS implementation plan propose implementation of the
SMS in phases?
� Yes
Does the SMS implementation plan explicitly address the
coordination between the organization’s SMS and the SMS of other
organizations the [organization] must interface with during the
provision of services?
� Yes
Has the organization developed a safety management systems
manual (SMSM) as a key instrument for communicating the
organization’s approach to safety to the whole [organization]?
� Yes
Does the SMSM document all aspects of the SMS including, among
others, the safety policy, objectives, procedures and individual safety
accountabilities?
� Yes
Does the SMSM clearly articulate the role of safety risk management
� Yes
46
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
Status of
implementation
Items
41
42
43
44
Aspect to be analyzed or question to be answered
Answer
as an initial design activity and the role of safety assurance as a
continuous activity?
� No
Are relevant portions of SMS-related documentation incorporated
into approved documentation, such as company operations manual,
maintenance control/policy manual and airport operations manual,
as applicable?
� Yes
Does the organization have a records system that ensures the
generation and retention of all records necessary to document and
support operational requirements?
� Yes
Is the organization’s records system in accordance with applicable
regulatory requirements and industry best practices?
� Yes
Does the records system provide the control processes necessary to
ensure appropriate identification, legibility, storage, protection,
archiving, retrieval, retention time, and disposition of records?
� Yes
� No
� No
� No
� No
Component 2 — SAFETY RISK MANAGEMENT
Element 2.1 — Hazard identification
45
46
47
48
49
50
51
52
53
54
Does the organization have a formal safety data collection and
processing system (SDCPS) for effectively collecting information
about hazards in operations?
� Yes
Does the organization SDCPS include a combination of reactive,
proactive and predictive methods of safety data collection?
� Yes
Does the organization have reactive processes that provide for the
capture of information relevant to safety and risk management?
� Yes
Has the organization developed training relevant to reactive methods
of safety data collection?
� Yes
Has the organization developed communication relevant to reactive
methods of safety data collection?
� Yes
Is reactive reporting simple, accessible and commensurate with the
size of the organization?
� Yes
Are reactive reports reviewed at the appropriate level of
management?
� Yes
Is there a feedback process to notify contributors that their reports
have been received and to share the results of the analysis?
� Yes
Does the organization have proactive processes that actively look for
the identification of safety risks through the analysis of the
organization’s activities?
� Yes
Is there training relevant to proactive methods of safety data
collection?
� Yes
47
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
Status of
implementation
Items
Aspect to be analyzed or question to be answered
55
Has the organization developed communication relevant to proactive
methods of safety data collection?
� Yes
Is proactive reporting simple, accessible and commensurate with the
size of the organization?
� Yes
Does the organization have predictive processes that provide the
capture of system performance as it happens in real-time normal
operations?
� Yes
Is there training relevant to predictive methods of safety data
collection?
� Yes
Has the organization developed communication relevant to
predictive methods of safety data collection?
� Yes
Is the predictive safety data capture process commensurate with the
size of the organization?
� Yes
56
57
58
59
60
Answer
� No
� No
� No
� No
� No
� No
Element 2. 2 — Safety risk assessment and mitigation
61
62
63
64
65
Has the [organization] developed and does it maintain a formal
process that ensures analysis, assessment and control of the safety
risks in the [organization] operations?
� Yes
Does the [organization] SMS documentation clearly articulate the
relationship between hazards, consequences and safety risks?
� Yes
Is there a structured process for the analysis of the safety risks
associated with the consequences of identified hazards, expressed
in terms of probability and severity of occurrence?
� Yes
Are there criteria for assessing safety risks and establishing safety
risk tolerability (i.e. the acceptable level of safety risk the
organization is willing to accept?
� Yes
Does the organization have safety risk mitigation strategies that
include corrective/preventive action plans to prevent recurrence of
reported occurrences and deficiencies?
� Yes
� No
� No
� No
� No
� No
Component 3 — SAFETY ASSURANCE
Element 3.1 — Safety performance monitoring and measurement
66
67
Has the [organization] implemented an internal process to verify the
safety performance of the organization and to validate the
effectiveness of safety risks controls?
Are the following tools included in those processes?
Safety reporting systems � Yes � No
Safety studies
� Yes � No
Safety reviews
� Yes � No
Safety audits
� Yes � No
48
� Yes
� No
Status of
implementation
Items
Aspect to be analyzed or question to be answered
Safety surveys
� Yes �No
Internal safety investigations
68
69
Answer
� Yes � No
Is the safety performance of the [organization] verified in reference to
the safety performance indicators and safety performance targets of
the SMS?
� Yes
Are safety reports reviewed at the appropriate level of management?
� Yes
� No
� No
70
71
72
73
74
75
76
77
78
79
80
81
82
Is there a feedback process to notify contributors that their reports
have been received and to share the results of the analysis?
� Yes
Are corrective and preventive actions generated in response to
hazard identification?
� Yes
Are there procedures in place for the conduct of internal
investigations?
� Yes
Is there a process to ensure that occurrences and deficiencies
reported are analyzed to identify all associated hazards?
� Yes
Does the organization have a process for evaluating the
effectiveness of the corrective/preventive measures that have been
developed?
� Yes
Does the organization have a system to monitor the internal
reporting process and the associated corrective actions?
� Yes
Is there an audit function with the independence and authority
required to carry out effective internal evaluations?
� Yes
Does the audit system cover all functions, activities and
organizations within the organization?
� Yes
Are there selection/training processes to ensure the objectivity and
competence of auditors as well as the impartiality of the audit
process?
� Yes
Is there a procedure for reporting audit results and maintaining
records?
� Yes
Is there a procedure outlining requirements for timely corrective and
preventive action in response to audit results?
� Yes
Is there a procedure to record verification of action(s) taken and the
reporting of verification results?
� Yes
Is there a process in place to monitor and analyse trends?
� Yes
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
� No
Element 3.2 — The management of change
49
Status of
implementation
Items
Aspect to be analyzed or question to be answered
83
Has the [organization] developed and does it maintain a formal
process to identify changes within the organization which may affect
established processes and services?
� Yes
Does the formal process for the management of change analyse
changes to operations or key personnel for safety risks?
� Yes
Has the [organization] established arrangements to ensure safety
performance prior to implementing changes?
� Yes
Has the [organization] established a process to eliminate or modify
safety risk controls that are no longer needed due to changes in the
operational environment?
� Yes
84
85
86
Answer
� No
� No
� No
� No
Element 3.3 — Continuous improvement of the SMS
87
88
89
90
91
Has the [organization] developed and does it maintain a formal
process to identify the causes of substandard performance of the
SMS?
� Yes
Has the [organization] established a mechanism(s) to determine the
implications of substandard performance of the SMS on operations?
� Yes
Has the organization established a mechanism(s) to eliminate or
mitigate the causes of substandard performance of the SMS?
� Yes
Does the organization have a process for the proactive evaluation of
facilities, equipment, documentation and procedures (through audits
and surveys, etc.)?
� Yes
Does the organization have a process for the proactive evaluation of
an individual’s performance, to verify the fulfillment of that
individual’s safety responsibilities?
� Yes
� No
� No
� No
� No
� No
Component 4 — SAFETY PROMOTION
Element 4.1 — Training and education
92
93
94
95
96
Is there a documented process to identify training requirements so
that personnel are trained and competent to perform their SMS
duties?
� Yes
Is the safety training appropriate to the individual’s involvement in
the SMS?
� Yes
Is the safety training incorporated into indoctrination training upon
employment?
� Yes
Is there emergency response/contingency training for affected
personnel?
� Yes
Is there a process that measures the effectiveness of training?
� Yes
� No
� No
� No
� No
� No
50
Status of
implementation
Items
Aspect to be analyzed or question to be answered
Answer
Element 4.2 — Safety communication
97
98
99
100
101
Are there communication processes in place within the [organization]
that permit the safety management system to function effectively?
� Yes
Are there communication processes (written, meetings, electronic,
etc.) commensurate with the size and scope of the organization?
� Yes
Is safety-critical information established and maintained in a suitable
medium that provides direction regarding relevant SMS documents?
� Yes
Is safety-critical information disseminated throughout the
[organization] and is the effectiveness of safety communication
monitored?
� Yes
Is there a procedure that explains why particular safety actions are
taken and why safety procedures are introduced or changed?
� Yes
51
� No
� No
� No
� No
� No
Status of
implementation
ATTACHMENT 3
GLOSSARY
ALARP As low as reasonably practicable
ALoS
Acceptable level of safety
AMO
Approved maintenance organization
AOC
Air operator certificate
EMS
environment management system
ERP
Emergency response plan
OHSMS occupational health and safety management system
QA
Quality assurance
QC
Quality control
QMS
Quality management system
SA
Safety assurance
SAG
Safety action group
SARPs
Standards and Recommended Practices (ICAO)
SEMS
Security Management System
SMM
Safety management manual
SMS
Safety management system(s)
SMSM
Safety management systems manual
SOPs
Standard operating procedures
SRB
Safety review board
SRM
Safety risk management
SSP
State safety program
52