Published date: 24 February 2016

General

Civil Aviation Authority advisory circulars contain guidance and information about standards, practices, and procedures that the Director has found to be an acceptable means of compliance with the associated rules and legislation.

However, the information in the advisory circular does not replace the requirement for participants to comply with their obligations under the Civil Aviation Rules, the Civil Aviation Act 1990 and other legislation. Advisory circulars reflect the Director’s view on the rules and legislation. They express CAA policy on the relevant matter. They are not intended to be definitive. Consideration will be given to other methods of compliance that may be presented to the Director. When new standards, practices, or procedures are found to be acceptable they will be added to the appropriate advisory circular. Should there be any inconsistency between this information and the rules or legislation, the rules and legislation take precedence.

An advisory circular may also include guidance material generally, including guidance on best practice as well as guidance to facilitate compliance with the rule requirements. However, guidance material must not be regarded as an acceptable means of compliance.

Purpose

This advisory circular provides guidance material on the development and implementation of a system for safety management, to assist organisations in the aviation industry to meet Civil Aviation Rule Part 100 Safety Management.

Related Rules

This advisory circular relates to Civil Aviation Rule Parts 100, 115, 119 and 121, 125, 135, 137, 139, 141, 145, 146, 147, 148, 171, 172, 173, 174, and 175.

Change Notice

This advisory circular, AC100-1 Safety Management - Revision 1, has been published to provide acceptable means of compliance, and guidance material on the new Civil Aviation Rule Part 100 that came into force on 01 February 2016.

This advisory circular now incorporates the following revisions—

Revision | Effective Date
0 | 07 May 2015
0.4 | 03 December 2015
1.0 | 01 February 2016

Summary of revisions

Revision 0

This was the initial issue of this advisory circular. It replaced and updated advisory circular AC00-4 that was issued in December 2012 to support proactive implementation of safety management systems. The re-numbering to AC100-1 is to align with the amendments proposed in NPRM 15-02 Safety Management.

Revision 0.4

The advisory circular was revised following NPRM consultation and feedback from industry workshops. Changes were made to the following sections: 1. Introductory information, 2. Elements of an SMS, 3. Implementing an SMS and Annexes A to F.

Revision 1

The advisory circular was revised following the signing of the SMS rules, Part 100 Safety Management that came into force on 01 February 2016 and feedback from industry. A summary of the changes is as follows—

· one SMS evaluation tool (Form CAA24100/02) is being provided by CAA (sections 1.5.1 & 3.1)

· safety policy content updated (section 2.1.1)

· safety goals and safety objective guidance added (sections 2.1.2, 2.7.1 & 2.7.2)

· SMS documentation file formatting guidance added (section 2.3.1)

· requirements for an implementation plan detailed (section 3.1.2 & Annex F)

· SMS implementation plan content updated (section 3.1.2)

· diagram showing implementation timelines for Group 1 and Group 2 Organisations updated (Annex F).


1       Introductory Information

1.1         Glossary of Terms and Definitions

Term | Definition or description
Acceptable level of safety performance (ALoSP) (Source: ICAO) | The minimum level of safety performance of civil aviation in a State, as defined in its state safety programme, or of a service provider, as defined in its safety management system, expressed in terms of safety performance targets and safety indicators.
Flight Operational Quality Assurance (FOQA) | Also referred to as ‘Flight Data Monitoring’ or ‘Flight Data Analysis’, FOQA is a programme where flight data is proactively used to identify trends that may result in a reduction in safety, or a gain in efficiency, and using this data to mitigate these risks.
Hazard (Source: ICAO) | A condition or an object with the potential to cause or contribute to an aircraft incident or accident.
Line Operations Safety Audits (LOSA) | This is a safety programme focused on the proactive identification of threats and errors in ‘normal’ operational scenarios through observation. Traditionally conducted during flight operations, the LOSA concept has also been applied to cabin, ground, and military operations.
Risk (Source: ISO 31000:2009) | The effect of uncertainty on objectives.
Risk management process (Source: ISO 31000:2009) | Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Safety culture (Source: Cox & Cox (1991)) | The attitudes, beliefs, perceptions and values that employees share in relation to safety.
Safety management systems (SMS) (Source: ICAO) | A systematic approach to managing safety, including the necessary organisational structures, accountabilities, policies and procedures.
Safety risk (Source: ICAO) | The predicted probability and severity of the consequences or outcomes of a hazard.


1.2        Purpose

This advisory circular provides acceptable means of compliance and guidance material to assist aviation organisations in establishing, implementing and maintaining a safety management system (SMS).

The following information is not intended as a prescriptive formula for the development and implementation of an SMS. A successful system needs to be tailored to an organisation’s individual needs, and it is critical that its scope allows for the systematic management of both strategic and operational risk.

1.3         Structure of this advisory circular

The body of this advisory circular is divided into the 13 elements that the CAA considers make an effective SMS. All elements are important and information has been provided within each for organisations to consider as they look to implement SMS. The elements are derived from the standards and recommended practices (SARPs) published by the International Civil Aviation Organization (ICAO) in Annex 19 Safety Management which is the basis for the Part 100 Safety Management requirements.

1.4         SMS—An Overview

1.4.1      Describing an SMS

The rapid pace of technological change, the growth in global aviation activity and complexity raise new challenges; this is a key reason to move to a risk-based approach to safety. In addition, traditional methods of managing organisational safety may no longer meet rising stakeholder expectations. Different and new ways of understanding and managing safety-related risk are necessary to improve existing aviation safety levels. One such way is for organisations to develop and implement an SMS – a structured and articulated approach to managing safety risks, appropriate to the size and complexity of the organisation and its operations.

An SMS is designed to—

· manage risks within the organisation, with a particular focus on risks which impact safety

· provide for ongoing monitoring and assessment of safety performance

· make continuous improvements to the level of safety in operations

· develop and improve the safety culture within the organisation.

An SMS should be woven into the fabric of an organisation, so that it becomes part of the culture, the way people do their jobs. The concept of developing a ‘positive safety culture’ is an important overall goal for any organisation.

An SMS is not an added layer of compliance, but is a system that supports the commercial success of the business. It empowers individuals to act safely, and provides the organisational framework to do so. An SMS includes:

· a description of the overall philosophies and principles of the organisation with regard to safety (the safety policy)

· clearly defined lines of responsibility and accountability throughout the organisation, including a direct safety accountability of the chief executive

· identification of aviation safety hazards, their assessment, and the management of associated risks

· personnel that are trained and competent to fulfil their safety responsibilities

· documented management system key processes

· a performance monitoring system, including feedback, to ensure effective implementation of corrective actions and continuous improvement.

The following principles should be considered—

· Acknowledging that changing the emphasis on what and how the business works is dependent on people changing behaviours and practices (which have often been established over time).

· Inviting the entire organisation to build a common view of the challenge and shared aspirations and be prepared to experiment as the organisation develops new initiatives to achieve the changed state.

· Raising the profile of SMS by discussion, workshops, sharing media articles, safety information and resources from the international experience of implementation.

· Changing behaviours and work practices is dependent on knowledge, skills and attitudes. It requires focus, patience and a clear commitment to the change from those leading the organisation.

Each organisation will need to understand what it will ‘look like’ with an effective SMS in place and then be able to demonstrate this in action. This means having an appreciation of the changes required to be put in place. It is about how personnel will change the way they think and act using the lens of safety management. It is not only thinking about the technical nature of the change required but the adaptive aspects that must happen to implement and sustain the changed approach.

1.4.2      Elements of an SMS

The 13 elements (as derived from ICAO Annex 19 and Safety Management Manual Doc 9859 and supplemented by the CAA’s own existing requirements) are—

1) Safety policy and accountability

2) Coordinated emergency response planning (ERP)

3) Development, control and maintenance of safety management documentation

4) Hazard identification

5) Risk management

6) Safety investigation

7) Monitoring and measuring safety performance

8) Management of change

9) Continuous improvement of the SMS

10) Internal audit programme

11) Management review

12) Safety training and competence

13) Communication of safety-critical information.

1.4.3      Rule structure

The safety management requirements are contained in Civil Aviation Rule Part 100 – Safety Management (Refer Annex A) and the related organisational certification rule parts. These are Civil Aviation Rule Parts: 115, 119 and 121, 125, 135, 137, 139, 141, 145, 146, 147, 148, 171, 172, 173, 174, and 175.

The SMS rules require most commercial aviation organisations to implement a risk management system in the form of an SMS. This approach maintains many of the same aspects of the QMS approach, but enhances it by requiring aviation organisations to actively identify and manage the safety risks of their operation with agreed safety performance targets.

The high-level, performance-based principles adopted for Part 100 Safety Management define the management outcomes expected of organisations to achieve increased safety performance; this structure provides the flexibility for organisations to adapt to the future and to scale SMS to their needs and circumstances.

Annex B shows the relationship between the ICAO Annex 19 SMS framework, the SMS elements in this advisory circular, and the safety management rules (in this example Part 100 and Part 119).

1.5         Scalability of SMS

Rule reference: 100.3(c)

‘The organisation’s system for safety management must correspond to the size of the organisation, the nature and complexity of the activities undertaken by the organisation, and the hazards and associated risks inherent in the activities undertaken by the organisation’

One of the characteristics of SMS is that no one system fits all organisations. ICAO Annex 19 requires that the SMS of a service provider shall be commensurate with the size of the service provider and the complexity of its aviation products or services. The New Zealand aviation industry is characterised by a wide variety of organisations and operations. Each organisation has unique features relating to its operations and the associated safety risks, therefore an SMS should be tailored to meet the needs of the organisation.

Risk is not just a product of the activity that an organisation undertakes in isolation. It is a product of the relationship between the nature of the operations and systems in the context of the size of the organisation and the complexity of the operations and systems used. Figure 1 shows the inherent hazards and associated risks of those activities connected as a whole within the organisational context and the business and physical environment. It is important to recognise these relationships, which are fundamental to the risk-based approach to SMS.

Figure 1: Concept of size, nature and complexity in relation to activity risk

While the size of the organisation can be a starting point, the nature and complexity of its operations and systems (e.g. system for safety reporting, system for rostering etc.) should be equally considered when assessing operational safety risks and the overall complexity of the organisation.

1.5.1      Evaluation at Implementation

For the purpose of assisting organisations in determining how to best assess, develop and implement the various elements of an effective SMS scaled to their organisation, the CAA is providing an SMS Evaluation Tool Form CAA 24100/02. The tool provides guidance during initial implementation and certification for assessing an organisation’s processes and systems for an SMS that is scaled to be commensurate with the organisation’s size, the nature and complexity of its activities, and the hazards and associated risks inherent in the activities.

Refer to section 3 of this advisory circular for further information and guidance on implementing an SMS.

1.5.2      Organisation size

An organisation should initially consider its activities as complex when it has a workforce of more than 20 FTEs involved in the certificated activities.

Organisations with fewer than 20 FTEs may also consider their activities as complex after collectively assessing the size, nature and complexity of the operations against the hazards and associated risks inherent in their activities. It is important to recognise this relationship as fundamental to the risk-based approach to SMS.

1.5.3      Nature of operations and systems

The inherent hazards and associated risks of the operation should be considered in the context of the business and physical environment; examples of which are shown in the table below—

Day VFR | single engine IFR (SEIFR); helicopter emergency medical service (HEMS); use of night vision imaging system (NVIS); extended diversion time operations (EDTO); performance based navigation (PBN)
Local scenic | Charters over hostile terrain (offshore, mountainous, remote, etc.)
Carriage of freight | Carriage of dangerous goods
High relevant experience and competence among management and/or personnel | Low relevant experience and competence among management and/or personnel
Steady workload | Peak seasonal workload
Day shift working | Rostered patterns including night shifts
Multi-crew | Single pilot

1.5.4      Complexity of operations and systems

In terms of complexity, an organisation should consider the scope of activities performed under its certificate, including its systems. Examples of organisational activity that may determine that it is complex in nature, regardless of the number of FTEs, include—

Less risk | More risk
Single fleet type | Mixed fleet of: fixed / rotary wing; multiple type certificate holders / models; differing configurations
Aircraft / equipment of simple construction (e.g. un-pressurised aircraft with simple systems) | Aircraft / equipment with complex systems and methods of construction (e.g. pressurised aircraft with multiple hydraulic / pneumatic / electrical systems)
Domestic operations | International operations
Single base of operation | Multiple bases / stations
In-house services | Multiple third party service providers
Paper-based reporting system for a small organisation | Paper-based reporting system for a large organisation

The need for an SMS to meet individual organisational needs means that flexibility is required. As a result, this advisory circular contains the required elements for an effective SMS, but it does not prescribe how each of these elements should be adopted by an organisation.

Organisations should ask themselves the following questions at all stages of the development, implementation and functioning of their SMS.

· Is it appropriate for the size of the organisation and nature and complexity of the activities undertaken?

· Is it in place – present and suitable?

· Is it operational?

· Is it being used?

· Is it effective and delivering the expected results?

The development and implementation of an SMS is part of driving improved operational integrity. Once the SMS is in place, a programme of continuous improvement is needed to ensure an ongoing commitment to safety.

1.6         SMS Integration with other Management Systems

1.6.1      Relationship between SMS and Quality Management Systems (QMS)

SMS and QMS share a number of common purposes and processes—

· both depend upon measuring and monitoring

· both strive for continual improvement

· some of the same tools, such as auditing and review, are used in both.

However, a QMS does not include all the elements, features and activities of an SMS, as it focuses mainly on compliance, conformance and monitoring. SMS goes further and requires the organisation to identify and manage risk so as to achieve an acceptable level of safety performance. It is not so much a case of replacing QMS by SMS, but instead, realising that they are complementary and inextricably linked - one cannot build an effective SMS without applying QMS principles.

The application of quality management principles to safety management processes helps to ensure that the requisite system-wide safety measures have been taken to support the organisation in achieving its safety objectives. It is the integration of QMS principles into an SMS, establishing a structured approach to monitoring and improving the processes of managing safety risks, that will assist an organisation in managing safety risks to a point considered ‘as low as reasonably practicable’.

1.6.2      Relationship between SMS and other management systems

It is important to integrate management systems where possible, and the introduction of an SMS offers this opportunity. The benefits of integrating systems include a reduction in the duplication of resources, a significant improvement in the collation and analysis of safety-related data, a reduction in potentially conflicting objectives, and recognition of safety as the objective of all systems. A phased approach to integration should be considered; for example, it is not immediately necessary to link existing HSE reporting systems into an operational reporting system, but there may be value in doing so in the future.

The following systems, some of which are already required under existing legislation, can be smoothly integrated within the SMS framework using the founding principles of a risk-based methodology for robust decision making.

Health and safety in employment (HSE)

HSE is a cross-disciplinary system concerned with protecting the safety, health and welfare of people in the workplace. The identification, assessment and management of health and safety hazards and risks is at the heart of the system, and therefore ties in with an SMS.

Security management systems

The purpose of a security management system is to systematically protect against danger, damage, loss or crime. Safety management is closely linked to a security management system.

Environmental management systems (EMS)

The goal of an environmental management system is to identify and improve the environmental impact of an organisation. Where specific legislation exists, organisations are required to demonstrate well-managed environmental practice, but overall, the goal of having an EMS is to positively contribute to the environmental safety of the company and community.

Fatigue risk management systems (FRMS)

An FRMS provides organisations with a means to systematically manage the complexities of physical and psychological fatigue-related risks and their effects. There are a number of case studies that demonstrate that the integration of an FRMS within the SMS framework is extremely beneficial, particularly when considered alongside other human factors-related risks. Another advantage of integration is that HSE legislation requires organisations to establish formal means to manage fatigue.

Business management systems

An organisation will have in place a number of business management systems to achieve efficient and profitable outcomes. These may include formal financial management systems, project management processes, compliance management systems, and many others. An effective SMS needs to be integrated with these systems also, and not remain a stand-alone solution. This will result in mutually beneficial outcomes such as financial reporting that takes account of safety initiatives, project management processes that incorporate safety processes (such as reporting), and safety management systems that include safety-related legislation, for example.


2       Elements of an SMS

2.1         Element 1—Safety Policy and Accountability

Rule reference: 100.3(a)(1)

The key to a mature and effective SMS is adequate oversight of safety risks and appropriate safety governance.

2.1.1      Safety Policy

A safety policy is a visible endorsement of the organisation’s approach to managing safety. The organisation’s safety policy should be developed in consultation with management and personnel representatives and be signed by the chief executive. With this formal acknowledgement, it is clear to all personnel that the chief executive endorses the SMS. Consideration should be given to where the safety policy sits in relation to other policies and how best to make it visible and available to all personnel. The policy should be effectively communicated, to ensure that all personnel and contractors understand the policy and their responsibilities and obligations in relation to safety management. 

The safety policy should be clearly visible, or available, to all personnel (including significant contracted organisations) and be included in key documentation and communication media. The policy should include—

· senior management commitment and intentions with regard to safety

· establishment of safety as a core value

· a commitment to continuous improvement of the performance of the SMS

· provision of appropriate resources

· non-punitive reporting policy (just culture)

· recognition that compliance with procedures, standards and rules is the duty of all personnel.

The safety policy should be reviewed periodically to ensure it remains current. The organisation should regularly verify that personnel and contractors throughout the organisation are familiar with and have understood the policy.

2.1.2     Management commitment and responsibility

Senior managers, and especially the chief executive, need to have a strong sense of ownership of the SMS. Implementing an effective safety management programme will not succeed without an absolute commitment at all levels of management to champion and strategically manage safety within the organisation. It is the responsibility of senior management to ensure that safety risks are systematically managed.

The first visible action of senior management commitment to safety is to develop and distribute safety related policies, goals and objectives. Goals and objectives are statements that describe what the organisation’s SMS will accomplish, or the results that will be achieved. Ideally, the organisation will have a safety management system that interfaces with other management system functions (e.g. quality, environmental, finance etc.), there is one safety policy used throughout the organisation, and it is implemented at all levels of the organisation.

The policies and procedures promoted within an organisation will shape employees’ attitudes towards safety. Effective safety management engenders a positive safety culture in which trust and respect exist at all levels of the organisation and where personnel feel supported when reporting safety issues. The chief executive and the senior management team promote and demonstrate their commitment to the safety policy through active and visible participation in the system for safety management. This could include evidence of decision making, actions and behaviours that reflect a positive safety culture, recognising positive safety behaviours in others, as well as external activity such as attending relevant industry safety conferences and forums.

Refer to section 2.7 of this advisory circular for further information on safety goals and objectives.

2.1.3     Safety accountabilities

The organisation’s chief executive is the person who, irrespective of other functions, has ultimate responsibility and accountability, on behalf of the organisation, for the implementation and maintenance of the SMS. The corporate commitment statement is a clearly documented declaration of the organisation’s decision makers’ commitment to safety. It sits at the top of any document hierarchy, and should include, as a minimum, the following—

(a) the chief executive has—

(i) corporate authority for ensuring all activities can be financed and carried out to the required standard

(ii) final authority over operational matters

(iii) final accountability for all safety issues

(b) the organisation’s documented procedures are approved by the chief executive and must be complied with at all levels.

The organisation should also identify the safety responsibilities, accountabilities and authorities of all members of senior management, irrespective of other functions, as well as personnel, with respect to the safety performance of the SMS. These should be documented and communicated throughout the organisation, and include a definition of the levels of management with authority to make decisions regarding safety risk tolerability.

In the context of SMS, safety accountability is the obligation of a person to demonstrate task achievement and safety performance in accordance with agreed expectations, and to be answerable for the performance within their scope. Safety accountability cannot be delegated.

Senior management must set and enforce the standards for safety management, and ensure adequate resources, both in terms of personnel and funding, are allocated to achieve those standards. Senior managers should place strong emphasis on safety as part of the strategy for controlling risks. This clarity should help personnel at all levels of the organisation to have a realistic view of the short-term and long-term risks their organisation may face.

Employee behaviour is directly influenced by organisational culture, which consists of shared beliefs, attitudes and practices set by the actions and behaviours of senior management. If senior management accepts accountability and responsibility for safety management, and is seen to be both proactive and willing to deal with emerging safety issues, the employees throughout the organisation are likely to adopt the same behaviours. However, all personnel have accountability for safety within their area of responsibility. This goes beyond the simple completion of assigned tasks, and instead focuses on the need to actively identify and seek ways of improving safety performance.

The question of safety accountability and responsibility also extends to organisations that engage third parties (agents or contractors) (e.g. ground handling agent, refueller, maintenance provider, cleaner, etc.). In these circumstances it is important to remember that while the third party is responsible for their own actions, the organisation that engages them is still accountable for the safety outcome to their customers.

2.1.4     Appointment of key safety personnel

Where an organisation is required to have a senior person responsible for the system for safety management (referred to here as the safety manager), this safety manager should be responsible for oversight and coordination of all SMS-related policies, procedures and activities, but is not responsible for ensuring or ‘managing safety’. The safety manager should report to or have direct access to the chief executive and senior managers, and should not hold conflicting responsibilities for operational areas.

Note: previous rule requirements for a senior person for quality assurance are superseded by the new requirement for a senior person responsible for the system for safety management, since quality assurance only forms part of the process for safety assurance.

This is an opportunity for the organisation to look at the division of roles and responsibilities afresh, not just maintaining the status quo. To effectively embed SMS within an organisation requires leadership and communication skills as much as relying upon the operational experience and technical expertise of the individual. The safety manager needs to be available to provide advice and encouragement to the chief executive and line managers on safety management matters. This may not be as successful if the organisation relies upon contracted third parties that only visit the organisation periodically. In such cases it may be beneficial to the organisation to appoint an internal senior person as safety manager, while contracting in specialist support such as for audit and investigation activity. For further guidance on training and competencies for safety roles, refer to element 12.

Avoiding the potential for conflict of interest is relatively simple for larger organisations, where typically senior persons are only responsible for one operational function. However, in most small to medium organisations, the senior person responsible for the system for safety management may, subject to acceptance by the Director, combine this role with other senior person roles for operational functions. In such cases it may be appropriate to use an independent person, either employed directly or contracted by the organisation, to maintain system integrity.

An example of conflicting responsibilities might be a small organisation where the senior person responsible for the system for safety management is also responsible for occurrence investigation (Part 12) and crew training and competency assessment. Clearly if an investigation indicates that there may be deficiencies in crew training, there is a potential for conflict of interest. Having an independent competent person conduct or at least review the investigation and recommendations would be appropriate in that case. Similarly if the senior person responsible for the system for safety management (and therefore safety assurance) is also responsible for the control and scheduling of maintenance, performing an audit on their own work would clearly have the potential for conflict of interest. Again, the use of an independent competent person to perform the audit would be appropriate.

Depending upon the size and complexity of the organisation, the safety manager may need to be supported by a safety group. This could consist of representative members of management and operational personnel and may include people from other organisations or groups that the organisation has dealings or links with. Where an organisation has an existing group addressing occupational safety matters, there may be an opportunity to integrate the activities of both.

2.1.5      Acceptable means of compliance

Management commitment and responsibility

Acceptable means of compliance

There is a safety policy endorsed by the CEO, and communicated to all personnel.

The CEO and the senior management team promote and demonstrate their commitment to the safety policy through active and visible participation in the system for safety management.

The safety policy has been developed considering the following—

· senior management commitment and intentions with regard to safety

· establishment of safety as a core value

· a commitment to continuous improvement of the performance of the SMS

· provision of appropriate resources

· non-punitive reporting policy (Just Culture)

· recognition that compliance with procedures, standards and rules is the duty of all personnel.

Evidence of regular review and revision as required.

Guidance notes

There is one safety policy used throughout the organisation and it is implemented at all levels of the organisation.

The organisation has a safety management system that interfaces with other management system functions (e.g. quality, environmental, finance etc.).

Safety policy objectives drive the safety performance of the SMS.

The organisation regularly ensures that personnel throughout the organisation are familiar with and have understood the policy and their safety responsibilities.

The non-punitive reporting (Just Culture) policy is actively endorsed by management and personnel representatives.

There is evidence of decision making, actions and behaviours that reflect a positive safety culture.

Safety accountabilities

Acceptable means of compliance

A chief executive has been appointed with full responsibility and ultimate accountability for the SMS to ensure it is properly implemented and performing effectively.

Safety accountabilities, authorities and responsibilities are defined and documented throughout the organisation.

Personnel at all levels are aware of, and understand, their safety accountabilities, authorities and responsibilities regarding all safety management processes, decisions and actions.

There are documented management organisational diagrams and job descriptions for all personnel.

Safety management is shared across the organisation (and is not just the responsibility of the safety manager and his/her team).

Guidance notes

Key safety activities are clearly described in senior management duties and responsibilities and are incorporated into personnel performance targets.

Management recognises positive safety behaviours and contributions to maintain the organisation’s SMS.

There is evidence of personnel involvement and consultation in the establishment and operation of the SMS.

Appointment of key safety personnel

Acceptable means of compliance

A competent person with the appropriate knowledge, skills and experience has been appointed or engaged to manage the operation of the SMS and fulfils the required job functions and responsibilities.

The organisation has allocated sufficient resources to manage the SMS including, but not limited to, manpower for safety investigation, analysis, auditing and promotion.

Guidance notes

The person responsible for managing the SMS is given appropriate status in the organisation reflecting the importance of the safety role within the organisation and is independent of line management.

If the organisation is combining the senior person for managing the SMS role with other senior person roles for operational functions, in conflict of interest situations an independent person is either employed directly or contracted by the organisation to maintain system integrity.

Individuals within the organisation that have a key safety role have their knowledge maintained through additional training and attendance at industry relevant conferences, seminars and workshops.

2.1.6      Further information

For more information on the development of an effective and meaningful safety policy, safety goals and objectives, research using the following key phrases—

· establishing and maintaining safety accountability

· setting safety goals and objectives

· demonstrating accountability and commitment

· Just Culture.


2.2         Element 2—Coordinated Emergency Response Planning (ERP)

Rule reference: 100.3(a)(2)

Some rule parts require organisations to have an ‘emergency situation action plan’ for handling in-air and on-ground emergency situations and minimising risk of injury to persons. SMS builds on and enhances this by encouraging multiple organisations to coordinate their emergency response planning so that the desired safety outcomes from emergency situations can be achieved.

Organisations engaged in aircraft operations should ensure that an emergency response plan that provides for the orderly and efficient transition from normal to emergency operations and the return to normal operations is properly coordinated with the emergency response plans of those organisations it must interface with during the provision of its service.

For service providers not located on an airfield, the emergency response plan might be as simple as documenting actions to be taken in the event that a customer experiences an emergency. Such actions would likely include communication channels and delegated emergency authorities, securing of documents, permitted access by investigators, and identification of who can authorise return to normal operations. These may also be integrated with existing business continuity plans.

The organisation’s intentions regarding, and commitment to dealing with, emergency situations and their corresponding recovery controls should be documented and be commensurate with the size and complexity of the organisation. The emergency response plan (ERP) should have procedures for—

· orderly and efficient transition from normal to emergency situations and return to normal

· delegation of emergency authority

· assignment of emergency responsibilities

· authorisation by key personnel for actions mandated by the plan

· coordination of efforts to handle the emergency

· planned and coordinated action to manage and minimise the risks associated with an incident/accident.

To improve its effectiveness, and to ensure designated emergency response team members are prepared, the plan should periodically be tested by conducting regular exercises. Training in emergency response may take two forms, table-top exercises or full-scale exercises.

Table-top exercise

The table-top exercise is designed to provide training, to evaluate plans and procedures, and to resolve questions of coordination and emergency response team responsibilities in an informal, non-threatening format.

Full-scale exercise

The full-scale exercise is the most comprehensive test. It is intended to evaluate the operational capability of the emergency management system in a stress environment with actual mobilisation and deployment of resources and personnel. The decision to conduct a full-scale exercise should be coordinated with other local organisations and agencies where practicable.

At the conclusion of an exercise or actual emergency, a formal review should take place. It should measure the effectiveness of the plan using feedback from participants and by assessing the impact; this feedback has flow-on effects for evaluating and revising policies, plans and procedures.

2.2.1      Acceptable means of compliance

Emergency response plan

Acceptable means of compliance

An emergency response plan (ERP) that reflects the size, nature and complexity of the operation has been developed and defines the procedures, roles, responsibilities and actions of the various organisations and key personnel.

Key personnel in an emergency have easy access to the ERP at all times.

The organisation has a process to distribute the ERP procedures and to communicate the content to all personnel.

The ERP is periodically tested for the adequacy of the plan and the results reviewed to improve its effectiveness.

Guidance notes

Emergency authority has been delegated.

Emergency responsibilities during coordinated activities have been assigned.

Processes to record activities during an emergency response have been implemented.

Compatibility with emergency response planning of other stakeholders (e.g. other airfield users, neighbouring aviation operations, alliance partners, etc.) has been established.

The organisation has liaised with emergency service providers and government authorities.

The process for updating change of personnel/organisation and contact lists is in place.

The organisation has implemented a Critical Incident Stress Management programme for its personnel.

2.2.2      Further information

For more information on the development of an effective ERP, research using the following key phrases—

· benefits of implementing an ERP

· initial response actions

· establishing a crisis response centre

· records to be kept during and after an ERP exercise or occurrence

· an operator’s responsibilities at an accident site

· how to handle the media

· family assistance responsibilities

· post critical-incident stress debriefing

· maintaining hardcopy references.


2.3         Element 3—Development, Control and Maintenance of Safety Management Documentation

Rule reference: 100.3(b)

Comprehensive and accurate safety-related information is integral to achieving appropriate control over organisations’ operations. The development, control and maintenance of SMS-related documentation is therefore essential to ensure that the approach to safety is effectively communicated to the whole organisation and remains current and relevant. The size and complexity of the operation will influence the scale of procedure and process documentation and the number and type of records required.

Policies, procedures and processes developed for an SMS should be integrated within existing systems such as Quality Management System (QMS), Human Factor and Error Management System (HFEMS), Environmental Management System (EMS), Occupational Health and Safety (OHS), etc.

Note: While an implementation plan is required as part of the certification process, it is not required to be contained within the SMS documentation. There is benefit to the organisation in maintaining it as a stand-alone document as SMS becomes embedded, and in further developing the plan after certification as a means of demonstrating continuous improvement activity.

2.3.1      Development of SMS documentation

A feature of SMS is that all safety management activities are documented and visible and the documentation provides the authoritative basis of the SMS. This can be in the form of a separate safety manual, or integrated within an existing exposition or quality manual. What is important is that all personnel know where to access the documentation and when it has been updated. Robust documentation shows how safety activities integrate with those of other functions and systems in the business, and how these activities link to the organisation’s safety policy. SMS documentation should include, or make reference to, relevant and applicable rules and requirements. Depending upon the complexity of the organisation, a typical safety manual or integrated exposition would include—

· scope of the SMS

· safety policy

· the safety objectives of the organisation (they may be referenced separately)

· non-punitive reporting policy (Just Culture) and supporting processes

· safety accountabilities and responsibilities

· key safety personnel

· the structure of the safety management organisation

· a description of specific templates, such as reporting forms, risk registers and safety performance targets

· details of contracted activities (key service providers)

· procedures for—

o documentation control

o hazard identification

o risk assessment

o safety reporting

o safety investigation

o safety audit

o safety performance monitoring and measurement

o change management

o management review

o safety records management, including identification, access, handling, storage, retrieval and preservation

o safety promotion, including training and communication of safety information; and

o coordination of emergency response planning.      

In common with current exposition amendments, an electronic format is preferred for SMS documentation submitted for review during the certification process and for any subsequent amendments. The preferred file format is PDF, but MS Word, and Open Office are also acceptable. The use of a consistent file naming convention, keeping file names short, and formatting dates using “yyyymmdd” assists with increased efficiency of document management and amendment processing:

· Identify your organisation – this may be the Client ID, or client name.  

· Identify the manual – this may be identified with a rule part number, or an abbreviated form of the manual name e.g. MAINT for Maintenance Manual.

· Include information to identify the exposition revision status – this may be a revision number or date of revision (or both).

· Examples— 

o 12345MELRev6.3.pdf (Client 12345, Minimum Equipment List, Revision 6.3)

o WOW_145_20141205.pdf (Wings of Wind, Maintenance Manual (Part 145), revised 05 Dec 2014)

2.3.2      Control and maintenance of SMS documentation

Robust document control should ensure current versions of relevant documents are available at all locations where operations are performed, and obsolete documents are promptly removed from all points of use.

Each organisation should have a document control process to ensure that the SMS documentation is regularly reviewed and updated. Changes should be approved at the delegated level of authority, assessed for risk impacts, and be accepted by the regulator as part of the exposition as required by the Rules.

SMS documentation includes safety records that require processes for identification, access, handling, storage, retrieval and preservation. A safety record is any information that can be used to demonstrate that the SMS is operating and performing, and to identify and resolve safety issues through a system of risk management. Examples of relevant safety records include: hazard logs, safety reports and investigations, risk assessments and safety cases, audit reports, meeting minutes, training records etc. Documentation and maintenance of safety records should be balanced against the value of the data, and the business needs. In particular, special effort should be made to ensure proper recording and documentation of safety assurance processes (safety surveys, safety monitoring etc.).


2.3.3      Acceptable means of compliance

Development of documentation

Acceptable means of compliance

There is documentation that describes the safety management system and the interrelationships between all of its elements.

Safety system procedures are commensurate with the complexity of the organisation and are available to all personnel.

Guidance notes

Specific templates have been created that support safety risk management and safety assurance activities.

The organisation can demonstrate that safety management processes are integrated into other organisational systems.

The organisation has analysed and uses the most appropriate medium for the delivery of documentation at both the corporate and operational levels.

Control and maintenance of documentation

Acceptable means of compliance

SMS documentation is readily available to all personnel.

SMS documentation, including SMS-related records, is regularly reviewed and updated with appropriate version control in place.

The SMS documentation details and references the means for the storage of other SMS related records.

Safety records are retained and demonstrate system performance.

2.3.4      Further information

For more information on the development of an effective document control system, research using the following key phrases—

· structuring a safety management manual

· safety records.


2.4         Element 4—Hazard Identification

Rule reference: 100.3(a)(2)

ICAO (ICAO Annex 19 proposed amendment Ref: AN 8/3-15/46) defines a hazard as a condition or an object with the potential to cause or contribute to an aircraft incident or accident. The identification of hazards is the first step in safety risk management. Hazards may exist in ongoing activities or be inadvertently introduced into an operation whenever changes are made to the way an organisation operates. Examples of a hazard include—

· adverse weather conditions

· geographical conditions

· expired aeronautical information

· high workload/fatigue

· use of alcohol and other drugs.

2.4.1      Hazard identification in practice

It is important to employ realism and lateral thinking in hazard identification. The organisation should not only identify ‘obvious’ hazards that could affect the operation, but also the potentially complex events. Hazards can be the result of systems that are deficient in their design, technical function, human interface or interactions with other processes and systems. They may also result from a failure of existing processes or systems to adapt to changes in the organisation’s operating environment.

Hazard identification should, where practicable, be based on a combination of reactive, proactive and predictive safety data collection. Some of the common hazard identification sources are—

· safety reporting – includes safety occurrence reporting through mandatory and voluntary reporting schemes

· internal investigation of safety occurrences

· the nature of the activities and processes associated with the activities

· safety occurrence trend analysis

· results from operational safety audits carried out internally and by CAA

· analysed data from automated data collecting tools (e.g. flight data analysis (FDA) in the airline industry)

· monitoring of “day-to-day” normal operations and environment

· official State investigation results of accidents and serious incidents

· information exchange practices between operators/service providers.

2.4.2      Selecting the hazard identification technique

The hazard identification technique(s) chosen should be appropriate to the organisation and the activities conducted. The hazard identification process should provide sufficient detail for the organisation to understand fully the nature of each hazard. In selecting a hazard identification process, organisations may wish to consider—

· the size of the organisation

· the nature and complexity of the activities undertaken.

Hazards are diverse, and there are a number of techniques, or combination of techniques that an organisation may choose to apply. Some of the more common hazard identification techniques are listed below—

· Brainstorming – typically an unbounded but facilitated discussion within a group initiated with a thread of discussion. Brainstorming can be effective at identifying obscure hazards of a type that may be overlooked by more systemic methods;

· Task Analysis – developed specifically to identify hazards associated with human factors, procedural errors and the ‘man-machine interface’. By breaking a task down into individual elements, hazards associated with the task can be identified;

· Occurrence Data – having company and/or external incident data at hand can assist in validating the opinions/experiences of the team;

· Hazard and Operability (HAZOP) Study – is a systematic and structured approach using parameter and deviation guidewords. The technique relies on a very detailed system description being available for study and usually involves breaking down the system into well-defined subsystems and functional or process flows between subsystems.

· Structured What-if (SWIFT) – a technique originally developed as a simpler and more efficient alternative technique to HAZOP. Like HAZOP, SWIFT involves a facilitated multidisciplinary team of experts. It is a facilitated brainstorming group activity but is typically carried out on a higher level system description.

· Failure Modes and Effects Analysis (FMEA) – is a ‘bottom-up’ technique that is used to consider ways in which the basic components of a system can fail to perform their design intent.

2.4.3     Features of a successful hazard identification process

The following factors lead to successful hazard identification—

· the hazard identification process should be appropriate and relevant to the organisation i.e. provides an adequate depth of analysis

· appropriate members of the workforce are actively involved and regular and ongoing consultation occurs

· all methods, results, assumptions and data are fully documented

· the documented identification of hazards is regularly maintained (e.g. updates from alerts and occurrences) and used as a live document

· timely feedback and outcomes provided to the reporter and wider organisation where appropriate

· active and visible engagement from senior management encouraging personnel at all levels to proactively report hazards, errors and near misses

· the adoption of a non-punitive (or Just Culture) reporting policy by the organisation will ensure that personnel are confident in submitting hazard reports.

2.4.4      Developing a hazard system identification process

A hazard identification process enables the collecting, recording, analysing, acting on and generating feedback about hazards that affect the safety of the operational activities of the organisation. In a mature SMS, hazard identification is an ongoing process. The following are some steps for the capture of information identified as hazards, the structure of which will vary depending on the size and complexity of the organisation.

Communicate and consult

In order to achieve the safety objectives of the organisation, an appropriate level of involvement of the workforce is required. Often, members of the workforce are in the best position to understand and articulate the hazards involved in their daily tasks. Their involvement can facilitate effective and accurate identification of new or changed hazards and associated risks, and the identification and development of practical and effective control measures. Therefore, it is important to talk to your stakeholders, both within and outside the organisation and identify the following—

· Who are they?

· What do they want?

· What is the best way to involve them?

Communicating and consulting with the workforce will establish the ideal framework for personnel to submit hazard reports, and enable efficient processing within identified timeframes. Depending on the size and complexity of the organisation, consider the following—

· the hazard types likely to be reported, and the design of a suitable reporting medium around this

· how to make the reporting mechanism accessible, easy to use and as intuitive as possible

· how personnel can most efficiently access and submit reports, given the available technology for on-line reporting.

Identify safety hazards

The methodology chosen by the organisation to identify hazards to aviation safety should meet the objective as efficiently as possible given the available information and expertise. A simple brainstorming technique may satisfactorily identify the majority of hazards for many organisations. However, an organisation may need to apply a combination of different hazard identification techniques to ensure that the full range of factors is properly considered.

Analyse safety hazard reports

The analysis of safety reports is necessary to validate the contents of the reports, establish any trends (good or bad), and assess the significance of the reported information, i.e. the potential to cause or contribute to an aircraft incident or accident. This will assist the organisation in identifying safety risks and their potential consequences, and hence determine priorities for subsequent safety action. The assessment of the consequences of the risk and associated control strategies are part of the risk management process (refer to section 2.5 of this advisory circular). Therefore, effective analysis of safety reports becomes a key source of information for safety risk management.

Collation, storage and distribution of data

The outcomes from hazard identification form the basis of the subsequent steps of the risk management process, namely the risk assessment and control measures. The main requirements are that the hazard identification documentation—

· clearly shows linkages between hazards, hazardous events, underlying causes and control measures where appropriate

· contains a numbering system for hazards and controls to allow easy identification and tracking

· contains sufficient information to support the subsequent steps of risk management

· is easy to administer

· the records of hazard identification can directly accommodate the process of revisiting and updating the knowledge of hazards, details of hazards, incidents, control measures, lessons from incidents and accidents, etc.

· is managed under a document control system. Depending on the size and complexity of the organisation, an electronic system for the management of identified hazards may be easier to use for the maintenance of records.

If organisations need to receive safety reports from a third party, consider using an effective means of information transfer that is appropriate to the organisation’s needs.

2.4.5      Acceptable means of compliance

Hazard identification

Acceptable means of compliance

Documented and demonstrated means that ensure aviation safety hazards, including near misses and errors are identified.

Documented process that ensures identified hazards are recorded, analysed and acted on in a timely manner.

Documented process to provide feedback to the reporter of any actions taken (or not taken) and, where appropriate, how to disseminate this to the rest of the organisation.

Documented process to establish causal contributing factors, i.e. why the event occurred and not just what happened.

Guidance notes

Differentiate between different types of hazards.

Determine a suitable hazard identification process for the organisation.

Determine formal hazard reporting and recording processes.

Determine a suitable hazard control process, including responsibilities.

Determine appropriate monitoring processes.

Ensure that there is a documented trail from identification through to resolution for each hazard identified.

Maintain a register of hazards.

Train all personnel on hazard identification and reporting.

Integrate human factors into hazard identification and reduction.

2.4.6      Further information

For more information on the development of effective hazard management processes, research using the following key phrases—

· Failure Modes and Effects Analysis (FMEA)

· Failure Modes, Effects, and Criticality Analysis (FMECA)

· Hazard and Operability Analysis (HAZOP)

· hazard register development and maintenance

· error management.

2.5         Element 5—Risk Management

Rule reference: 100.3(a)(2)

Risk management is the coordination of activities to direct and control an organisation with regard to risk, and provides a basis for identifying, evaluating, defining and justifying the selection (or rejection) of control measures for eliminating or reducing risk, and to lay the foundations for demonstrating that the risks have been reduced to an acceptable level.

The integration of risk management throughout all levels of the organisation improves awareness and understanding of the risks in the operating environment and is therefore an essential tool of the SMS.

2.5.1      Reactive, proactive and predictive risk management

Risk management can be conducted in a combination of reactive, proactive, and predictive manners. The objective is to ensure that ongoing operations remain safe and planned operations can be undertaken safely.

· Reactive risk management responds to events that have already happened, such as serious incidents or accidents. The objective is to avoid the recurrence of the same or similar events.

· Proactive risk management actively seeks to identify safety risks through the analysis of the organisation’s environment, activities and processes. It uses predictive and monitoring techniques. It is especially applicable to new or changing parts of the organisation.

· Predictive risk management is the use of data to identify possible negative future outcomes or events using analytical tools and techniques.

One form of risk management should not preclude any other. Reactive risk management strategies should be favoured to obtain information on risk and errors in the initial phases of the organisation’s SMS implementation plan, as well as monitoring and follow-up phases. As the reactive risk management gets more mature, the organisation should focus more on proactive risk management. Proactive strategies include a thorough hazard analysis of business processes. After identifying hazards, the organisation can manage the associated risks.

2.5.2      Risk assessment techniques

Organisations should select appropriate techniques for conducting risk assessment. They may include—

· risk matrix

· fault and event trees

· bowtie

· Quantitative Risk Assessment (QRA)

· SWOT analysis (strengths, weaknesses, opportunities and threats).

Selection will depend on the level of information required to better understand the risk and to manage it. The main considerations when selecting risk assessment techniques are—

· they should be suitable for the size and complexity of the organisation and the nature of the hazards present

· they should assist in understanding and selecting control measures

· they should adequately differentiate between outcomes on a risk basis (i.e. likelihood and consequence)

· they should help in assessing the potential effect of risk reduction measures.

Depending on the different types of hazards and the potential outcomes of the associated risks, several techniques to develop a complete understanding of the hazards may be needed. No single assessment tool can meet all the requirements for risk assessment, as all tools have limitations and weaknesses. Some of the questions that will need to be answered when planning for risk assessment are—

· What risk analysis method(s) (e.g. qualitative, semi-quantitative, quantitative, etc.) and risk criteria will be used?

· What risk assessment technique(s) will be used (e.g. risk matrix, bowtie, QRA, etc.)?

· What level of detail is required?

· What resources are available?  

SMS ALARP aspect

Risk management is often based on the concept of ALARP or ‘as low as reasonably practicable’. There is wide acceptance that not all risk can be eliminated. There are practical limits to how far the industry or community will go in paying to reduce risks. All efforts should be made to reduce risks to the lowest level possible until a point is reached when the cost of introducing further safety measures significantly outweighs the safety benefit.

Fundamental approaches to consider

There is no prescribed methodology for demonstrating that the necessary control measures have been identified to reduce risks to an acceptable level. However, there are several basic approaches which may be used to provide evidence and justification within the risk management process. Organisations may consider using one or more of the following approaches—

· risk criteria approach—

o define criteria that correspond to an acceptable level of risk

o assess performance quantitatively or qualitatively (e.g. using matrices) and compare against the criteria

· comparative assessment of risks, costs and benefits—

o evaluate risk and associated costs for a range of control measure options

· cost benefit analysis (CBA)—

o the numerical assessment of the costs of implementing a change and the likely reduction in harm that this would be expected to achieve

· comparison with codes and standards—

o compare design, the management system framework and operational procedures against recognised national, international or industry standards, codes of practice, guides etc.

· technical analysis—

o evaluate control measures against the hazards and risks, e.g. assess strengths and weaknesses, effectiveness, functionality, availability, reliability, technical feasibility, etc.

· performance data—

o evaluate safety-related performance data as evidence of adequacy or satisfactory levels of performance, e.g. effectiveness of a control measure

· improvement approach—

o demonstrate the extent of relative improvements in performance based on past, present and planned enhancements

· judgement approach—

o present considered judgements as to the suitability of control measures and the management systems, or the perceptions of a cross section of various stakeholders

· practical tests—

o demonstrate that the management system and/or control measures function effectively using event simulations, management system tests, etc.

2.5.3      Risk management process

The Australian/New Zealand Standard on Risk Management AS/NZS ISO 31000:2009 provides a generic framework for establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk. The risk management process outlined in AS/NZS ISO 31000:2009 (see figure 2) can be tailored and applied to any organisation, and at any level of the organisation. The process can be embedded in the policies, processes and culture, thus providing a consistent and systematic approach to managing risk.

Figure 2: The risk management process (ISO 31000:2009)

It is critical that the steps of ‘communicate and consult’ and ‘monitor and review’ are ongoing throughout the risk management process. These two activities provide validation that the risk management process is effective, is meeting its objectives, and is supported through ongoing interaction with key personnel. It is recommended that readers research each of the above steps to develop an understanding of the risk management process.

The following example shows how the risk management process steps could be used.

An organisation needs to assess the hazard of bird activity in a certain location, to ascertain bird strike risks.

· Setting the context would include identifying the physical location, environmental conditions, etc.

· The risks could then be identified in a meeting with aviation operators in that area, and by a review of safety reporting statistics and information collated by environmental agencies.

· Thirdly, the analysis and evaluation of the risks would take into account the likelihood and consequences of a bird strike. A decision must be made about the tolerability of the risk, whether to commence or continue operations and under what conditions.

· Lastly, treatment strategies for minimising the likelihood, the consequences, or both, could be developed, and implemented. The effectiveness of these decisions could then be tracked through regular subsequent meetings.

2.5.4      Acceptable means of compliance

Risk management procedure

Acceptable means of compliance

Documented process for the management of risk that includes the assessment of risk associated with identified hazards.

Documented process and criteria for evaluating the level of risk the organisation is willing to accept.

Documented method for recording risks and the treatment strategies taken, including timelines and responsibilities.

Documented procedures to review and revise risk management processes on a periodic basis.

Guidance notes

Implementation of different risk identification processes such as conducting risk assessments when operational changes take place (e.g. new aircraft type, new maintenance facility, new air traffic management software systems).

Implementation of risk reporting and recording processes, available to all personnel and involving key personnel in the analysis process.

Development of risk control and monitoring process such as the use of a risk register, and regular meetings to discuss risk treatment strategies.

Development of risk communication processes such as regular alert messages to personnel, training, etc.

Development and implementation of operational risk profiles can be a way to achieve all of the above.

2.5.5      Further information

For more information on the development of an effective risk management system, research using the following key phrases—

· operational risk management

· risk profiling: strategic risk management

· enterprise risk management

· ALARP

· risk management concepts.


2.6         Element 6—Safety Investigation

Rule reference: 100.3(a)(3)(i)

The purpose of developing and implementing an SMS is to reduce the risk of accidents, incidents and occurrences. However, complete elimination of risk is not always possible, and there are likely to be occasions when ‘things go wrong’. A process for determining what went wrong, why, and how to prevent a recurrence, is an integral component of the SMS, and includes the conduct of safety investigations.

The purpose of a safety investigation is to—

· identify contributing or causal factors

· identify and implement the necessary corrective action(s)

· identify and implement controls necessary to avoid a repetition of the occurrence.

The safety investigation process should not be undertaken to apportion blame.

2.6.1      Internal safety investigations

For the purposes of this advisory circular, an internal safety investigation is one conducted by the organisation using internal processes to examine the contributing or causal factors behind hazard, incident and accident reports.

Civil Aviation Rule Part 12 defines the requirements for the conduct of safety accident and incident investigations, and advisory circular AC12-2 Incident Investigation details the CAA’s expectation with respect to safety investigations.

Other legislative requirements, e.g. those relating to health and safety requirements in the workplace, also require investigation of workplace incidents.

The guidance in this element relates to internal safety investigations that are conducted in response to an accident or incident (e.g. reactive), as well as those conducted in response to adverse trending of hazards and risks, or cases where more in-depth follow-up is required (e.g. proactive).   

2.6.2      Responsibility for conducting safety investigations

Internal safety investigations should be conducted by personnel who have competency-based training in incident investigation and who, where practicable, are independent of the operation. The duties and responsibilities for the management of internal safety investigations should be documented with consideration of—

· the scope of the investigation and what ‘triggers’ an investigation

· the composition of the investigation team, including specialist assistance if required

· that investigation outcomes are recorded for follow up and trend analysis

· there is a timeframe for completion.

The role of the investigator is to identify where corrective or preventive actions are necessary using appropriate causal analysis methodologies. It is for the organisation’s management to decide what those actions should be and to implement them.

2.6.3      Defining the scope of an investigation

Ideally, all safety reports should be investigated. However, resources can be limited, so the effort expended should be proportional to the perceived benefit in terms of potential for identifying systemic hazards and risks to the organisation. Reports or themes that demonstrate a high risk should be investigated in greater depth than those with low risk.

The extent of the investigation will depend on the actual and potential consequences of the event or risk level associated with a hazard. This can be determined through an initial risk assessment of the actual outcome(s) or potential outcome(s).

Since the level of risk is the product of consequence and likelihood, trying to assign a risk level to an event that has occurred provides little value; the likelihood is irrelevant – it has happened and past events cannot be managed. However, when deciding whether to investigate an event and to what extent, consideration should be given to the other potential outcomes in the same contextual setting. By considering alternative, credible outcomes and considering the effectiveness of existing risk treatments or controls, it is possible to assign a risk level to this and similar events.

While the majority of investigations will focus on cause and effect, the application of a deeper systemic and thematic safety investigation will also complement SMS. Thematic and systemic investigations require a more holistic perspective of how a whole system is performing, to identify potential weaknesses or emerging risks within the system. Typically, the output from this type of safety investigation is information on emerging or potential risks, specifically, information on the characteristics, structure, weaknesses and strengths of the system. Ideally, a systemic and thematic safety investigation will identify the resilience of the system, allowing the level of safety within the system to be measured.  

2.6.4      Steps of an effective safety investigation

Commencing a safety investigation

The following steps should be considered when launching an internal safety investigation—

· a safety investigator should be appointed

· involved personnel and companies should be notified

· a repository of all information relating to the investigation should be established (e.g. a file in the safety reporting dataset)

· the repository for investigation information should be secure and confidential to ensure the integrity of the data.

Gathering evidence

The first step in the investigation process is to gather all factual information about the occurrence. Factual information can come from a number of different sources, depending on the nature of the occurrence. Some of the most common sources in the context of aviation-related occurrences include the following—

· interviews with involved personnel, crew and witnesses

· recordings

· records and documentation, e.g. maintenance logs, manuals, notices and other correspondence.

Interpreting the facts

Once the evidence is gathered, all the information should be analysed to identify ‘what’ happened and, more importantly, ‘why’ it happened. It is often easy to identify ‘what’ happened; the factual information should reveal this. The ‘why’ it happened can be challenging, but this is where the real lessons and safety benefits are. Investigators should keep asking the question ‘why’ until they get to the real cause(s). Advisory circular AC12-2 provides guidance in this area.

It is often worthwhile to use pre-established and proven analytical methodologies to help identify and organise the causal links of an occurrence. This will help to avoid bias, misidentification, or misinterpretation.

Developing recommendations

If faced with a group of similar occurrences or similar causes, it may be appropriate to group the information into emerging themes. The reasons for these trends should be identified from a holistic point of view.

Identifying appropriate findings and recommendations is the key focus of any investigation, and it is vital to remain focused on organisational learning, rather than pinpointing individual failings or corrective measures. When making recommendations, consider phraseology that emphasises the safety-related improvements attainable by implementation.

Distributing and presenting the safety investigation report

It is important to consider how the distribution of safety investigation reports is controlled. The final report needs to be presented to all personnel and organisations involved, particularly those who have findings/recommendations assigned to them. It is important to remember that distributing a report with commercially sensitive information may not always be possible. Therefore, summaries of reports may be a more appropriate means of communicating outcomes.

Monitoring safety investigation outcomes

Once the report has been presented, the actions resulting from the findings and recommendations need to be monitored and recorded as a function of ‘closing the loop’.

2.6.5      Selecting and training safety investigators

A competent safety investigator is vital to the outcome of an organisation’s safety investigation. The organisation should identify training needs in relation to performing investigation activities relevant to the complexity and activities of the organisation. The following are the typical knowledge, experience and skill requirements of a safety investigator—

· trained in safety investigation and have suitable subject matter expertise

· technically competent and have experience in interpreting occurrence information to determine causal factors

· well-developed research and listening skills to gather all necessary evidence and interpret it appropriately

· proficient in written and verbal communication skills

· integrity

· be able to act independently

· present reports which are a clear representation of the facts and causes.

This role is not necessarily required on a full-time basis (either amongst existing personnel/crew or externally).


2.6.6      Acceptable means of compliance

Procedure for investigating occurrences

Acceptable means of compliance

Documented and demonstrated means for conducting internal safety investigations.

Guidance notes

There is a documented trail from identification through to resolution when an investigation is completed.

There is a clear record of the investigation process, findings, and required actions.

There are formal procedures to trigger investigations, processes for gathering evidence and conducting the analysis, processes for developing recommendations, and for distributing the report.

There are processes for monitoring and review of actions taken in response to safety investigation.

Appointment of safety investigator(s)

Acceptable means of compliance

Internal safety investigator(s) appointed and appropriately trained.

Guidance notes

Criteria for the safety investigator skills and knowledge are established and documented.

2.6.7      Further information

For more information on the implementation of an effective safety investigation capability, research using the following key phrases—

· data collection methods and processes

· safety investigation analysis theories and methods

· writing a safety investigation report

· qualities and qualifications of a safety investigator

· human factors

· investigation and analytical techniques

· cause and effect analysis

· Reason model.


2.7         Element 7—Monitoring and Measuring Safety Performance

Rule reference: 100.3(a)(3)(ii)

The objective of monitoring and measuring the organisation’s safety performance is to achieve continuous improvements in safety. In order to focus on continual improvement, it is important to set safety related goals and objectives. A sound safety performance measurement system indicates how the organisation is performing against its safety objectives; it also helps to establish priorities and opportunities for improvement, to identify where to direct resources, and to assess whether improvement initiatives are working. It supports good decision making.  

A safety performance monitoring and measurement system includes the following components:

· safety goals that help define a coherent set of targets for accomplishing the organisation’s safety objectives

· the safety objectives of the organisation, which reflect the organisation’s commitment to maintain and continually improve the overall performance of its SMS

· safety performance targets that are specific, measurable and pertinent to the acceptable level of safety determined by the organisation

· safety performance indicators which are the measures and metrics of actual performance used to determine if safety targets have been achieved

· supporting systems and processes which ensure that the monitoring and measuring of data is sound, and that the performance measurement system informs decision making and fosters continuous improvement of safety performance.

2.7.1      Safety goals

Safety goals are high level statements that provide overall context for what the SMS is trying to achieve. Because a goal is set at a high level, it is likely that more than one objective needs to be set; it is most common to have several safety-related objectives. Examples of safety-related goals are: ‘improving the engagement of staff with the SMS’ and ‘ensuring that continual improvement in safety practices is maintained’. Safety goals cannot often be measured on their own, but rather by the achievement of specific objectives.

2.7.2      Safety objectives

Safety objectives describe the specific, tangible products and deliverables against each goal. The safety objectives are qualitative or quantitative statements that define the aspirations and strategic goals of an organisation as they relate to the safety of its operational activities or the services it provides. A well worded objective will be specific, measurable, attainable/achievable, realistic and time-bound (SMART).

An organisation should clearly set out its vision for safety, defining desired outcomes and possibly describing the key elements or milestones to achieve its safety objectives. This should be closely linked to the organisation’s safety policy.

Annex 19 Safety Management Systems requires the State to establish an acceptable level of safety performance (ALoSP) for its civil aviation system; this in turn must be supported by all aviation organisations within that system. The New Zealand Aviation State Safety Programme defines safety objectives for various sectors within the system (air transport, general aviation, etc.) and minimum acceptable safety performance targets to be achieved by those sectors. The State Safety Programme will continue to mature (similar to SMS) and will be amended to reflect changes in safety performance.

The CAA’s SMS acceptance process will consider such factors as the complexity of the operation, the operational context and environment, and the operational risks when assessing an organisation’s safety targets.

A performance-based approach assesses the actual safety performance against the organisation’s safety controls, including those undertaken by third parties on behalf of the organisation. It provides a mechanism for assuring the effectiveness of the SMS in supporting safety objectives and continuous improvement.


2.7.3      Safety performance targets

Safety performance targets define what the organisation wants to achieve.

A safety performance target may be expressed as one or more desired outcomes. Each desired outcome may be expressed in terms of one or more safety performance indicators. When appropriate, separate targets can be established for third party service providers.

Safety performance targets should be set to measure the achievement of the ALoSP for the organisation. A safety performance target can be expressed in absolute or relative terms. A target does not have to be a single value; a range of values may be appropriate.

· An example of an absolute target might be less than one serious incident per 10 thousand flight hours.

· A relative target might be a 10% reduction in serious incidents over the next year.

Setting a number of safety performance targets will allow better measurement of the overall safety performance. Having specific safety targets for a range of the organisation’s activities will also promote continuous improvement of those activities.

Safety performance targets should be periodically reviewed and, if necessary, updated as part of the organisation’s management review.

An organisation should consider the following factors when setting its safety performance targets—

· the targets should support those set in the State Safety Programme

· the targets should support the safety objectives and ALoSP

· the selection and prioritisation of targets should be based on safety risk

· target setting should take account of new or anticipated developments, both internal and external, that may affect the organisation, in order to measure the organisation’s response to those changes

· the targets should be realistic and take previous performance into account

· target setting should include benchmarking against well-performing organisations

· the target achievement period or date should take safety risk into account. The higher the risk, the more frequently the risk should be monitored.

Organisations should ensure that all risks are below the unacceptable level and strive to drive risk to ‘As Low as Reasonably Practicable’ (ALARP).

2.7.4      Safety performance indicators

Safety performance indicators are used to express the actual level of safety performance achieved by the organisation or by a specific area within it. Safety performance indicators will vary depending on the type of organisation, though some indicators, such as safety occurrences, are common to all aviation organisations.

Safety performance indicators fall into three broad categories—

(1) Reactive or lagging indicators are measures of results of past activities. They include—

o Outcome indicators, which measure the results of the organisation’s activities, such as the number of incidents or accidents over a period, and relate directly to the safety objectives. There is often a time lag associated with outcome indicators, and they may hide safety risks (an organisation is not necessarily ‘safe’ just because it has had no accidents).

o Output indicators, which measure activities that are designed to positively affect outcome targets, such as the number of safety audits conducted or the percentage of personnel who have completed risk management training.

(2) Proactive or leading indicators use forward-looking activities or predictive information. These indicators are useful to assess the robustness of organisational systems and result from—

o Risk management indicators, which measure activities related to the management of change and risk, such as the number of risk assessments completed, risk treatment plan acceptance rates, or changes in risk scores.

o Hazard identification indicators, which measure the quality, quantity and spread of hazard reporting. Additional indicators could relate to the proportion of hazard reports which lead to action by the organisation.

o Trend indicators, which measure the changes in various areas that can suggest future performance. Information can come from a variety of sources, including specific occurrence types, FOQA/LOSA information, customer feedback, etc.

(3) Interactive indicators relate to the safety culture of the organisation. They are designed to show the extent to which safety and performance-related issues are both noticed and acted upon prior to undesired events taking place. They could include—

o Safety climate survey results, which can be used to measure personnel attitudes and behaviours, and the correlation between expected performance and real outcomes (how the system is working in practice). They may include qualitative and quantitative metrics.

o Human factors indicators, which reflect human performance, using measures such as competency assessment pass rates, maintenance error rates, and percentage of investigated occurrences with human factors as primary cause.

o Communication and participation indicators, which measure the level of personnel engagement and internal and external reporting, and should include reporting of deviations that fall short of actual incident and accident reporting requirements.

An organisation should select enough reactive, proactive and interactive indicators to provide a measure of the overall performance of the organisation, but not so many that it becomes difficult to focus on important safety issues.   

The selection of safety indicators should address areas relevant to the safety objectives and the precursor forces that lead to failures of concern. When selecting safety performance indicators, organisations should consider whether they are—

· Relevant: are they closely linked with the organisation’s safety performance targets?

· Clearly defined: are they easy to understand; are the applicable activities or organisational areas defined?

· Measurable: can they be measured objectively; is the collection of valid data feasible?

· Action-focused: do they allow important issues to be isolated, and for actions to be taken (rather than just monitoring data for the sake of it)? 

The following examples illustrate the relationship between safety performance indicators and safety performance targets.


| Safety Performance Indicator | Safety Performance Target | Indicator Category |
|---|---|---|
| Number of major/critical findings per external audit. | No more than one major or critical finding per external audit, with no repeat findings. | Reactive |
| Hazard reporting rate. | The rate of hazard reporting (per flight hour) increases by 10% in 6 months, with a corresponding average reduction in the risk level of each report. | Reactive |
| Average number of days to close safety investigation finding. | Within one year, the average number of days to close an internal safety investigation finding reduces to 60 days or less. | Proactive |
| Percentage of personnel who have completed risk management training. | In 2 years, 100% of personnel will have completed risk management training (appropriate to their role). | Proactive |
| LOSA – Successful threat management compared to international benchmarks. | The organisation’s average successful threat management score remains above benchmark. | Proactive |
| Percentage of internal occurrence investigations which have supervision as a primary cause. | Less than 25%, calculated for a one year period. | Proactive |
| Percentage of surveys completed by personnel. | At least 60% completed survey reports at next survey. | Interactive |
| Percentage of completed surveys which identify procedure deviations. | Less than 10% at next survey. | Interactive |

2.7.5      Supporting systems and processes

An effective safety performance system must be supported by the organisation’s systems and processes.

Safety performance monitoring

Data should be collected to support safety performance indicators and may come from a number of sources for any given indicator. Information sources for safety performance monitoring and measurement include—

· safety occurrence reporting

· hazard reporting

· confidential reporting system

· internal safety investigations

· safety studies

· safety reviews, including trend analysis

· internal audits

· external audits

· risk assessments

· personnel surveys (safety and culture)

· personnel improvement suggestions

· interviews and meetings

· customer/stakeholder feedback

· competency assessment results

Safety performance measurement

The prerequisites for good safety performance measurement are—

· Agreement on goals, objectives and strategies: There is agreement between management, personnel and key stakeholders on safety performance goals, objectives and on the resources, activities and processes required to achieve them.

· System is of sufficient technical quality: Data collection methods and systems are robust and provide sufficiently complete, accurate and documented data to support measurement and decision making. The organisation’s assurance processes evaluate the validity and reliability of the data, as well as the overall quality of the process to deliver its objectives.

· Performance information is clear, understandable, and meaningful: Performance information is clearly documented and presented.

· Performance information is used to manage the organisation: Performance information is actively used for decision making and continuous improvement, including initiatives to improve performance, redesigning management systems, allocation of resources and redirecting the organisation’s activities.

· Accountability and reporting: The responsibility for actions to improve performance is clear, and safety performance reports are disseminated to key internal and external stakeholders.

Actual safety performance is determined by comparing safety performance indicators against safety performance targets. Any gaps must be assessed to determine the root cause for not achieving a target, and to identify opportunities for improvement. Appropriate safety risk controls can then be applied, and the ongoing safety monitoring and measurement will determine their effectiveness.

Safety assurance

Safety assurance provides management with an overview of the performance of the SMS, which in turn is an indicator of the organisation’s ability to manage safety. Safety assurance can also provide stakeholders, such as the CAA, with an indication of the safety performance of the system.

Assurance can simply be defined as ‘something that gives confidence’. The safety risk management process starts with the organisation understanding its operational processes and environments and progresses through hazard identification, risk assessment and control to culminate in the implementation of safety risk controls. The aim of safety assurance is to provide the confidence that the safety system, in its parts and as a whole, is working effectively.

Safety assurance processes and activities include ongoing examination, analysis and assessment of the controls throughout the daily operation of the system. The safety assurance and quality assurance processes are very similar as both require analysis, documentation, auditing, and a formal review of the system. A comparison with the quality management system “Plan-Do-Check-Act” approach is shown below—

| QMS | SMS |
|---|---|
| Plan | Safety Policy (section 2.1); Principal safety objective(s) (section 2.7.1); Safety performance targets (section 2.7.2) |
| Do | Risk Management (section 2.5) |
| Check | Monitoring and Measuring Safety Performance (section 2.7); Internal Audit Programme (section 2.10); Management Review (section 2.11) |
| Act | Continuous Improvement of the SMS (section 2.9); Communication of Safety-critical Information (section 2.13) |

2.7.6      Acceptable means of compliance

Monitoring performance

Acceptable means of compliance

Documented and demonstrated means of monitoring safety performance.

Documented process to identify reactive, proactive and interactive sources of safety data.

Guidance notes

Implementation of a safety reporting system.

Surveying of personnel’s perceptions of safety within the organisation (e.g. a safety culture survey).

Systematic capturing of data to help contextualise statistics (e.g. number of occurrences per month, number of defect reports per month, etc.).

Communication of results to all personnel.

Measuring performance

Acceptable means of compliance

Documented and demonstrated means to measure safety performance through set indicators.

Safety performance targets established consistent with the organisation’s safety objectives.

Guidance notes

Developing methods to track how the safety management system is working (e.g. balanced scorecard).

Establishing regular meetings to review safety performance.

2.7.7      Further information

For more information on the development of effective performance monitoring and measuring, research using the following key phrases—  

· Lagging and leading performance indicators.


2.8         Element 8—Management of Change

Rule reference: 100.3(a)(2)

Organisations may experience change due to a number of factors including, but not limited to—

· organisational expansion or contraction

· changes to senior management

· changes to internal systems, processes or procedures that support delivery of product or services

· changes to the organisation’s operating environment

· changes of equipment e.g. aircraft, fire trucks, ground support equipment

· changes to technology supporting business systems

· changes to legislation or regulation approach or requirements (including the rules)

All significant changes should be managed in a structured way to ensure that there is an awareness of impacts and potential consequences, and that these are managed.

Many organisations underestimate the human dimension of managing change. This is demonstrated by past performance in restructuring and adapting to different requirements, where the failure rate is surprisingly high, not because of strategy but because of underestimating the human factor. Organisations do not change, rather people do. Change requires setting the scene and providing pertinent information about the reality of change and how human actions may impact that reality.

Implementing an SMS is an example of change that requires a new and different perspective to manage the effectiveness of how an organisation operates. It is about considering how to engage personnel with the concept by inviting their involvement in planning the steps by which an organisation transitions to the new way of working. It will not be a single process but a series of stages by which you can develop strategies to ensure the entire organisation will support, use and adopt the revised approach.

Change may affect the appropriateness or effectiveness of existing safety risk controls. All hazards related to the proposed change should be identified beforehand so safety risks can be assessed and controlled. Change always has a human component, so human-factor-related risks including resistance should be assessed during the planning process.

Using the risk management process outlined in Element 5: Risk Management, organisations should formally identify, assess and control any change-related risks. It is important to outline the nature and scope of change, the stakeholders involved (both internal and external), and the tolerance for risk as part of establishing the context, an essential component of the risk management process.

2.8.1      General considerations

The organisation’s management of change process should take into account the following four considerations—

Criticality of systems and activities

Criticality relates to the potential consequences on safe system operations of systems being improperly operated or an activity being incorrectly executed. Critical systems and activities should be reviewed following change to make sure that risk controls are still effective.

Stability of systems and operational environments

Changes may be the result of programmed activities such as growth, operations to new destinations, changes in fleets, changes in contracted services, or other changes directly under the control of the organisation. Changes in the operational environment are also important, such as economic or financial conditions, changing regulatory requirements, or changes in the physical environment such as cyclical changes in weather patterns.

Past performance

Past performance of critical systems may be an indicator of future performance. Trend analysis in the safety assurance process (see Element 7) should be used to track safety performance measures over time and factored into the planning of future activities under situations of change. While past performance should provide lessons, it should not constrain organisations’ efforts to evolve and improve their safety performance.

Change leadership management

Change leadership is about the phases of change, and the impact and emotions associated with each of those phases. It requires leaders and the organisation as a whole to address mind-sets and to develop the practices and behaviours that support people to adapt to change. Leadership of successful change requires vision, strategy, and the development of a culture of sustainable shared values to support the vision. It includes empowering, motivating and inspiring those who are involved and affected. It reflects the underlying dimensions of leadership: the cognitive, the spiritual, the emotional and the behavioural.

Change management is the process by which it is applied to realise the benefits and desired outcomes of change. It is about supporting and equipping the individual transitions that are needed to make it happen. It can be taught and learned.

Of particular attention will be the behaviours of personnel and practices within the organisation. While SMS is about an approach, it requires an environment of raising issues without fear of reprisal or punitive and/or disciplinary action. The environment needs to be one where people raise issues and analyse incidents to review decisions and action to achieve better, safer outcomes. This will not happen in a culture where fault and blame are the resulting actions.

2.8.2      Acceptable means of compliance

Change management procedure

Acceptable means of compliance

Documented process to conduct aviation safety-related hazard analysis and risk assessments for changes within the organisation, including changes to senior management and operations that may affect safety.

Documented process to ensure appropriate internal and external stakeholders are involved in the management of change process.

Documented management of change process includes the review of previous risk assessments and existing hazards as appropriate.

Documented process to record the outcome of each stage of the plan.

Guidance notes

Processes are established for—

· hazard and risk identification

· risk reporting and recording

· risk control (including responsibilities)

· risk monitoring (including responsibilities)

· communication of risks

2.8.3      Further information

For more information on the development and implementation of change management processes, research using the following key phrases—

· risk management planning

· risk management processes

· change management

· error management.

2.9         Element 9—Continuous Improvement of the SMS

Rule reference: 100.3(a)(3)(iii)

The management of safety is not a ‘do once and forget’ activity. It requires constant attention to, and improvement of, the SMS to achieve a mature system and resilient organisation.

Continuous improvement of the SMS requires a process approach: identifying inputs relevant to the effectiveness of the SMS, analysing and determining the implications of these inputs, and subsequently generating outputs that improve the effectiveness of the SMS and its effect on safety. In other words, once the organisation has assessed its safety performance (Element 7) it needs to act on that information to improve the SMS. Inputs relevant to the effectiveness of the SMS include—

· safety performance indicators

· internal audit reports

· external audit reports

· management review of the SMS.

Continuous improvement approaches used in a QMS are just as relevant for the improvement of an SMS. For example, the ‘Plan, Do, Check, Act’ (PDCA) model is widely used in quality management to achieve greater process effectiveness.

Elements 7, 10 and 11 of the SMS framework are fundamental to safety assurance and consequently to the continuous improvement of the SMS. Internal audits of the SMS are used to give assurance that the structure of the system is sound and to provide a formal process for identifying substandard performance and for measuring and maintaining the effectiveness of the SMS.

The analysis of these inputs and the examination of the continuing suitability, adequacy and effectiveness of the SMS form the core of the management review process. This is addressed in more detail in section 2.11.

The analysis and review could result in changes to organisation design, technology, personnel, training, policies, processes and procedures, and in adjustments to the SMS itself. These actions may require the senior person(s) to make resources available, and will require clear allocation of responsibility for their implementation.

Combining the processes of management review, performance monitoring and internal audits closes the quality loop; this will allow the organisation to monitor and review its SMS and to take action to continually improve it.

2.9.1      Acceptable means of compliance

Continuous improvement

Acceptable means of compliance

Documented process that shows how the organisation uses its performance monitoring and measuring procedures and internal audit programme to inform the management review process so that actions can be taken to improve the effectiveness of the SMS.

Documented action plan and allocation of resources to achieve improvements.

Guidance notes

Surveys or other feedback mechanisms are conducted to gauge the safety performance (e.g. safety climate surveys).

Maintenance of safety management processes and systems is implemented to facilitate continuous improvement.

Quality and safety improvement mechanisms (e.g. suggestion boxes, internal reporting system, safety review teams) are implemented.

2.9.2      Further information

For more information on how to achieve continuous improvement, research using the following key phrases—

· continuous improvement

· stages of safety maturity

· Kaizen

· ‘Plan, Do, Check, Act’ model.


2.10       Element 10—Internal Audit Programme

Rule reference: 100.3(a)(3)(iii)

An audit is a methodical, planned review to determine how activities are being conducted, and whether they are being conducted in accordance with published procedures. Safety auditing is closely linked with quality management processes. Regular safety auditing determines conformity with safety risk controls, such as operational procedures, and assesses the performance of those controls, including identifying previously unrecognised safety-related risks.

Auditing has traditionally focused on compliance with regulations and conformance with policies and procedures. Organisations are now recognising that there is more value in looking at the effectiveness of those policies and procedures; this is particularly important for safety management systems. Internal safety auditing is a tool used to ensure compliance (the organisation meeting its obligations) and to monitor safety performance.

Managers should ensure that there are regular internal audits of the safety-related functions of operational and support processes. Internal audits should also extend to any subcontractors used to accomplish those functions.

2.10.1    Developing a safety audit programme

The following guidelines are intended to assist organisations in developing an audit capability.

Establishing an audit schedule

A schedule of audits covering one or two years will help the organisation plan its audit activities and resources. The schedule should show the planned date of each audit, a brief scope description and the names of the auditors. Consideration should be given to how, and by whom, this schedule will be maintained, and how relevant personnel can access it.

Setting the scope of the audit programme

The audit scope describes the breadth of operational disciplines or areas to be covered and depends on the focus area for the audit. The nature and scope of audits need to be driven primarily by the safety significance of an operational area.  

Setting audit objectives

Audit objectives define tangible achievements expected from each audit. It is advisable to set out the detailed objectives well in advance of the audit to help the auditors to plan and conduct the audit.

For example, for an audit of Flight Dispatch, one audit objective might be to ‘determine how dispatch errors are identified, managed and reported to ascertain the effectiveness of safety processes.’

Determining the frequency of audits

Determining the frequency of audits should take into consideration—

· the level of risk posed by the part of the operation or organisation to be audited

· any compliance-related considerations (e.g. will external audits be conducted?)

· the resources available to conduct audits (don’t overwhelm what may be limited resources).

For example, an audit on one operational area may only be necessary once every two years, but an area which has known or suspected issues may need auditing once every six months. Audit schedules should be changed to match changing risk levels: if an area is perceived to have increasing risk levels, more frequent or additional audits should be scheduled – and the reasons recorded.

Outlining audit methodology

It is important to outline the policies, processes and methodologies required to conduct internal safety audits. The person managing the audit programme should select and determine the methods for collectively conducting an audit, depending on the defined audit objectives, scope and criteria.

Documentation of processes

All audit processes need to be clearly documented so that they are easy to understand and, most importantly, allow audits to be conducted in a standardised manner.

2.10.2    Conducting safety audits and monitoring outcomes

An audit should include the following steps—

Planning the audit

Careful planning helps the auditor to prepare tools appropriate to the audit objective and scope. One tool is the audit checklist, which should be used to identify the functions to be audited and to ensure that nothing is missed; it might include specific questions to allow the auditor to ascertain the effectiveness of the quality and safety processes. Checklists should never be used merely to show compliance by ticking boxes.

Conducting the audit

To conduct effective audits—

· Focus on how – and if – the documented procedures are practised, and whether the current practices and procedures are conducive to effective and safe operations.

· Use open-ended questions, asked in a neutral manner, and maintain a high level of engagement with personnel in the audited department.

· Provide an initial summary of findings or observations to the auditees at the conclusion of the audit.

Writing the audit report

It is essential that the content of the audit report is accurate, and that findings are supported by robust evidence that can be understood by the reader.

Disseminating and tracking audit findings

The audit report should be formally presented to the auditees so that they can address any findings. Actions to address the findings need to be tracked in a transparent and systematic manner (e.g. agenda item at a monthly safety committee meeting).

2.10.3    Selecting and training auditors

Auditors should receive formal training to develop competence in auditing skills and techniques, and should be encouraged, or even required, to gain formal auditor qualifications. An effective auditor would also be expected—

· to act in a strictly trustworthy and unbiased manner

· to disclose any potential conflicts of interest

· not to accept any gifts, etc.

· not to disclose the findings or any other information gained in the course of the audit to any third party unless authorised to do so.

Operational independence ensures auditors are not put in a position where their objectivity may be affected by conflicting responsibilities or loyalties. Small organisations might consider employing a third party to conduct audits; the third party could be a similar organisation.

2.10.4    Acceptable means of compliance

Safety auditing

Acceptable means of compliance

Documented audit programme.

An internal audit procedure which defines audit types, and associated procedures, and identifies the personnel who will conduct the audit.

Audits performed by trained and independent auditing personnel.

Audit results reported to the personnel responsible for the activity.

Preventive or corrective action taken in response to problems identified during the audit. These actions are monitored to ensure they are appropriate, have been implemented in a timely manner, and are effective.

Root cause analysis is utilised to identify the causes of non-conformances or non-compliances.

The operation of the internal audit programme is subject to independent audit.

Guidance notes

Ensure the audit programme has been developed and resourced to be sufficiently flexible so that it can accommodate a risk-based approach.

The person(s) nominated to do the audit should be independent of the function, operation or group being audited.

Take an evaluative approach to auditing, to make the most of the resources and time required.

Ensure that audits are planned, and well documented; all findings and subsequent actions should be tracked and monitored.

Ensure that the personnel conducting audits are adequately trained and experienced and maintain their skills.

Audit reports

Acceptable means of compliance

Documented and communicated.

Guidance notes

Audit reports are easy to read with findings and corrective actions clearly stated.

Timeframes for implementing corrective actions are specified.

2.10.5    Further information

For more information on the development and conduct of an effective audit programme, research using the following key phrases—

· principles and processes of auditing

· audit scheduling

· auditor competency.

2.11       Element 11—Management Review

Rule reference: 100.3(a)(3)(iii)

The purpose of a management review is to ensure continuing suitability, adequacy and effectiveness of the organisation’s safety processes and procedures, and to assess opportunities for improvement and the need for changes to the system of safety management.

2.11.1    Achieving safety oversight

Safety oversight is the means by which an organisation has visibility of its safety risks and the processes it uses to continually monitor and review its strategic and operational functions. While safety oversight is often associated with the regulator or organisations such as ICAO, each organisation is responsible for maintaining oversight of its own operations.

The management review process is a key tool in maintaining oversight. By reviewing the performance of the SMS, it provides the means to determine where improvements can be made and how their implementation will be managed. This can be achieved by reactively monitoring and reviewing operational activity, while proactive monitoring processes will increase the organisation’s ability to make forward-looking safety decisions. A good management review leading to sound decisions will require that decision makers understand data collection sources, risk context and analysis methods.

It is important to consider a broad approach and a variety of actions to address any issues resulting from the review process; for example, procedures may need to be reviewed and changed, targeted educational campaigns may need to be implemented, etc.

2.11.2    The management review process

The input to the management review should consider, among other things, information on–

· results and trends from audits and safety investigations

· status of preventative and corrective actions

· changes that could affect the safety management system

· continuous improvement

· an examination of safety performance indicators and target results

· action points from previous meeting

· appropriateness of existing safety policy and objectives

· planned SMS-related training and resources versus training achieved and resources fielded.

These inputs may then be used to measure the effectiveness of the SMS, and the review team can then decide on any changes that need to be made to improve the SMS, whether it is the processes and procedures, the allocation of resources, or even the basic policies and objectives.

The output of the management review should include clear and documented decisions and actions related to—

· improvement of the effectiveness of the safety management system and its processes

· improvement of product or service related to client requirements

· resource needs.

Accountability for implementing each action should be assigned to an individual with the appropriate responsibility, and the appropriate resources allocated.

2.11.3    Frequency of management reviews

Management reviews should be conducted as often as necessary to ensure the effectiveness of the system is truly tested. This should reflect the size and complexity of the organisation, coupled with the amount of information to be reviewed. The frequency and nature of reviews should also take into consideration the different levels of monitoring that take place, such as the activities of safety groups or committees. The review should not occur so often that it gets mired down in minutiae that would obscure shortcomings in the larger SMS. On the other hand, it should take place often enough to avoid situations where decisions are made too late to address threats to the SMS. An ad hoc review could also be conducted after a particularly large or unusual event, or ahead of changes.

The organisation should consider the following when setting the frequency of its management reviews—

· anticipated changes or threats to the operations and SMS. New systems require more attention and resource allocation to follow up and close action items

· establishing a list of significant safety items that would trigger a management review between planned sessions.

2.11.4    Acceptable means of compliance

Management review

Acceptable means of compliance

Documented and demonstrated methods of conducting formal and regular reviews by senior management of the effectiveness of the SMS.

Structured agenda.

Documented processes specifying the frequency of management reviews.

Results of the review are evaluated and recorded.

Guidance notes

Processes for documenting meetings, decisions and responsibilities are implemented.

Processes to follow up decisions and actions and to review effectiveness are implemented.

Documented analysis methods are used.

An agenda is published and circulated prior to meetings.

The review includes both reactive and proactive outputs.

2.11.5    Further information

For more information on the process of conducting effective management reviews, research using the following key phrases—

· safety governance and oversight

· safety communication methods

· management accountability.


2.12       Element 12—Safety Training and Competency

Rule reference: 100.3(a)(4)

(Explanation Note – Within this advisory circular the terminology of training has been used for consistency. Other terminology such as education and learning can also be used, sometimes interchangeably and with slightly different meanings. The acceptable means of compliance and guidance material provided here is not intended to be taken as definitive material within the learning field but is specific for SMS competency.)

To ensure that personnel are competent to perform their safety-related duties, they need to be trained in their organisation’s SMS to understand the organisation’s safety objectives and to acquire the skills and knowledge to help achieve them. Safety training is a foundation for the development and maintenance of an organisation’s safety culture.

The Safety Management International Collaboration Group (SMICG) defines a competency as

"A capability that allows a person to perform various processes or tasks and achieve outcomes. It is a combination of relevant knowledge, skills, and attitudes. It is the demonstrated ability to apply knowledge and skills."

The focus of safety training in a SMS should include—

· training for the chief executive in SMS, including safety responsibilities, oversight and governance and its relationship to the organisation’s business strategy and other management systems

· training for senior persons, managers and line supervisors in how to effectively lead the development, implementation and ongoing sustainment of the SMS

· competency for organisational leadership and key safety personnel in the application of risk management practices

· training that provides competency for the senior person for the system for safety management (safety manager) in the management and administration of the SMS and risk management practices. Refer Annex E

· competency-based training for all personnel in the participation and use of the organisation’s SMS that is appropriate to their safety-related duties.  

2.12.1    Developing the content of the safety training programme

It is the responsibility of the chief executive to ensure sufficient resources are allocated, and the safety manager to ensure the programme develops the required individual personnel competencies, so the SMS is understood and effectively applied across the different levels of the organisation, while building a strong safety culture.

Appropriate external training organisations may be used, if required, to provide the necessary training to meet certain personnel responsibilities. It is the responsibility of the organisation to ensure that any external training is appropriate to the training needs and competency requirements of their SMS.

Conducting a training needs analysis

A training needs analysis (TNA) should be undertaken to identify the appropriate training programme for all personnel. The scope of the training programme should be appropriate to each individual’s role and involvement in the organisation’s SMS. A training needs analysis can be accomplished by—

· Analysing the job—

o start by looking at the specific documentation that describes the job, such as the position description. Identify phrases that specify important skills, processes or areas of knowledge required.

· Determining the skills/knowledge gaps—

o develop a list of areas where training would be required to improve the effectiveness of the job in question

o decide whether there is a gap in the skills or knowledge, or if some revision is required to improve the general skill set

o obtain feedback from a representative group of individuals doing the job on what areas they consider require addressing.

· Identifying training solutions—

o establish the best way of closing the skills/knowledge gaps identified in the previous step. Different options may include training courses conducted internally or externally, self-directed learning, one-on-one training, or mentoring in the work environment.

· Evaluating performance after training to determine if performance gaps still exist and the training solution selected was appropriate. This can be achieved by—

o asking the personnel and/or their manager to evaluate their effectiveness in the task

o asking the personnel if the performance gaps that were the reason for the training are still there

o assessing the personnel as they perform tasks to determine whether there is still evidence of skill or knowledge deficiency.

Determining the timeframes of the safety training programme

With respect to timeframes for the training programme, both initial and recurrent training requirements need to be considered, developed and appropriately resourced.

Safety training syllabus

At a minimum a safety training syllabus should include the following high level areas of focus—

· organisational safety policies, goals and objectives

· organisational safety roles and responsibilities related to safety

· SMS fundamentals, including relationship to human factors

· safety risk management principles

· hazard identification and safety reporting

· safety communication.

The training programme should identify the scope and depth of the training syllabus for the various safety-related duties and functions, consistent with the needs and complexity of the organisation. Training programme guidance for the safety manager position is contained in Annex E.

2.12.2    Training programme and qualification documentation

Training and qualification requirements should be documented for each activity area in the organisation. A training file should be developed for all personnel, including management, to identify and record their training and competency requirements and achievements.

2.12.3    Who needs to undertake safety training

All personnel should take part in the organisation’s safety training programme appropriate for their safety responsibilities. In particular, all operational/support personnel, managers, supervisors, senior managers, senior persons and the chief executive should be trained and be competent to perform their SMS duties.

Subcontractors may also require training on the use of the SMS or how to integrate their practices with the organisation’s SMS, and on the organisation’s expectations regarding safe working practices, hazard identification and safety reporting processes.

2.12.4    Acceptable means of compliance

Training programme

Acceptable means of compliance

Documented process to identify SMS training requirements so that personnel are competent to perform their duties.

Documented process to measure the effectiveness of training and take appropriate action to improve subsequent training.

Documented process that evaluates the individual’s competence and takes remedial action when necessary.

Training programme includes initial and recurrent training.

Documented process specifying responsibilities for development of training content, scheduling and training record management.

Guidance notes

Training needs analysis (to determine gaps and requirements for all personnel) is regularly reviewed.

A training syllabus that caters to the different safety responsibilities of personnel involved in the SMS is implemented. Refer Annex E.

Training material consistent with the content of the organisation’s SMS is developed.

Depending on personnel requirements, there is consideration of different training delivery methods.

Monitoring of training ensures all personnel are competent to perform their duties.

2.12.5    Further information

For more information on the development of an effective safety training programme, research using the following key phrases—

· training needs analysis (TNA)

· safety training principles

· aviation safety training (including crew resource management/human factors).


2.13       Element 13—Communication of Safety-Critical Information

Rule reference: 100.3(a)(4)

One of the most important components of the SMS is the process for communicating safety-critical information, both within and outside the organisation. Internally, relevant information should be escalated to senior management to ensure appropriate visibility for good decision making.

Communication should supplement training by providing a continuous flow of safety information, and ensure that the SMS is visible and shown to be effective and integrated. Safety communication should be tailored to the organisation and the audience. All safety communication should be positive, clear and relevant.

2.13.1    What to communicate throughout the organisation

The following information needs to be regularly communicated to personnel in a systematic and measurable manner—

· leadership commitment to the SMS, its objectives and safety performance

· safety risk information; risks identified, methods of treatment, residual risks, etc.

· identified hazards and required controls

· personnel feedback on safety report submissions – the feedback loop should be closed

· safety reporting trends and statistics

· dissemination of information to base safety decisions on

· changes to the SMS

· changes to operational activities that may affect safety or existing procedures

· outcomes of safety investigations, audits and associated corrective and preventive actions

· lessons learnt and ‘good-to-know’ safety information.

2.13.2    What to communicate outside of the organisation

The following information should be communicated as required—

· potential hazards, risks or occurrences that may affect others

· lessons learned and solutions to identified hazards and risks

· potential risks associated with change (e.g. new infrastructure, regulatory changes, etc.).

2.13.3    Methods of communication

The methods and the content of safety communication are likely to differ according to the audience. The methods used to escalate information are important in determining how it is received and understood. One common way to achieve this is through regular safety committee meetings, where personnel and managers can proactively and openly discuss safety risks. Examples of external communication can be in the form of case studies that others may relate to, synopses of investigations undertaken, or through presentations at industry meetings.

Information dissemination can be achieved in a number of different ways, and it is important to use more than just one medium, ensuring there is a mixture of both active communication (e.g. the ability to interact and receive feedback) and passive communication. Some examples are—

Active methods of communication

· Regular safety-related meetings.

· Senior management conveying strategic safety information, goals and objectives (top down).

· Personnel informing management on safety issues (bottom up). This is usually more tactical information about what is going on in functional/departmental areas.

· Team briefings and ‘road show’ initiatives.

Passive methods of communication

· the publication of an organisational safety magazine or newsletter

· web-based presentation

· forums

· emails.

The methods of communication should be commensurate with the size and complexity of the organisation.

2.13.4    Safety promotion

Safety promotion supports safety communication goals and objectives. It is closely linked with safety training and the dissemination of safety information. It refers to those activities which the organisation carries out to ensure that personnel understand—

· why SMS procedures are in place

· what safety management means

· why particular safety actions are taken, etc.

Safety promotion provides a mechanism through which lessons from safety investigations and other safety-related activities are made available to all affected personnel.   

2.13.5    How to promote safety effectively

Safety promotion activities should complement education and communication initiatives. The organisational safety promotion programme should be based on several different communication methods for reasons of flexibility and cost. Typical methods are—

· Spoken word: perhaps the most effective method, especially if supplemented with a visual presentation.

· Written word: the most popular method because of speed and economy, although printed safety promotion material also competes for attention with considerable amounts of other printed material.

· Electronic media: the use of the internet offers significant potential for improvement in the promotion of safety. This could include electronic newsletters, blogs, feedback tools such as surveys, etc.


2.13.6    Acceptable means of compliance

Safety communication and promotion

Acceptable means of compliance

Demonstrated and documented means for safety communication that ensures personnel are aware of the SMS commensurate with their safety responsibilities, conveys safety critical information, and explains why particular safety actions are taken and why safety procedures are introduced or changed.

Guidance notes

Regular safety communication processes (e.g. safety magazine, newsletters, regular emails, safety committee meetings, etc.) are developed and implemented.

Methods for personnel to provide feedback on safety issues are developed.

An awareness of the importance of communicating relevant safety information is fostered at all levels of the organisation and to external companies where appropriate. Targeted safety promotion activities are conducted, not only within one’s own organisation but with other relevant third party organisations.

2.13.7    Further information

For more information on the process of conducting effective safety promotion and communication processes, research using the following key phrases—

· effective aviation safety promotion strategies

· processes for communicating safety-critical information

· determining effectiveness of safety communication and promotion activities.


3       Implementing an SMS

3.1         Implementation

Unless an organisation has already implemented a system of safety management, there will be a need to make a planned transition from the organisation’s current system (e.g. internal quality assurance) to safety management. This shift cannot be instantaneous, as it involves changes such as the way organisations approach and manage risk, gather and analyse data, and set and measure safety performance. Consequently, it will take some time for organisations to adjust current processes, establish new ones where necessary, and make them effective.

The overall measure of success of an organisation’s SMS that has been adapted to the organisation’s requirements will be determined by the effective implementation of all elements tailored to the organisation. The CAA has developed an evaluation tool, Form CAA 24100/02, to assist organisations in determining how to best assess, develop and implement the various elements of an effective SMS so that it corresponds to the size of the organisation, the nature and complexity of the activities undertaken by the organisation, and the hazards and associated risks inherent in the activities undertaken by the organisation.

The tool has been developed from guidance material published by the Safety Management International Collaboration Group (SM ICG). To help assess the maturity and effectiveness of an organisation’s SMS, the tool uses the concept of different levels of performance in respect to the organisation’s safety management capability. These are described in the figure below—

Present

There is evidence that the ‘indicator’ is clearly visible and is documented within the organisation’s SMS documentation.

Suitable

The indicator is suitable based on the size, nature, complexity of the organisation and the inherent risk in the activity, including consideration of the industry sector.

Operating

There is evidence that the indicator is in use and an output is being produced.

Effective

There is evidence that the indicator is effective and achieving the desired outcome.

Best Practice

Organisations seeking to continually improve can use the best practice indicators to achieve a higher level of safety performance.

Figure 3: Description of Individual Performance Indicators

The tool can assist organisations to assess whether the required elements of an SMS are ‘present and suitable’ during implementation and, at a later stage, ‘operating and effective’, while also recognising ‘best practice’. The tool is based on a series of indicators for each SMS element.

The following figure has been developed by the Safety Management International Collaboration Group (SM ICG) and shows the different levels of SMS maturity as an organisation implements and develops its SMS.

Figure 4: The SMS Journey

An organisation may consider phasing the implementation activities over a reasonable timeframe to suit its ability to manage the implementation process. The benefits of a phased implementation of an SMS include—

· a manageable series of steps for the organisation to follow with clearly defined expectations for each phase

· continuous improvement through lessons learned

· the effective implementation of the elements.

3.1.1      Gap analysis

A gap analysis compares the organisation’s existing management processes and procedures with the required SMS elements. The establishment of an SMS should build upon the existing organisational structures and systems. The gap analysis facilitates development of an SMS implementation plan by identifying the gaps that must be addressed to fully implement an SMS. Once the gap analysis has been completed and documented, the resources and processes that have been identified as missing or inadequate will form the basis of the implementation plan. Links to additional resource materials to assist with identifying the required content for each element may be found in Annex C.

A gap analysis can be conducted by first identifying the objectives that are to be achieved. For each of the objectives, the current situation can be analysed by considering the following questions—

· Who has the knowledge needed?

· Who will the organisation need to speak with to get a good understanding of the current situation?

· Is the information required in people’s heads?

· What is the best way to get this information? Consider the following—

o brainstorming workshops

o one-on-one interviews

o reviewing documentation

o observing project activities.

Once the current situation and future state are known, consideration can then be given to what is required to bridge the gap to achieve the objectives.

Unless the organisation is implementing SMS from square one, it is likely that at least some (or possibly all) of the elements may be present in some form. Perhaps less likely is that they integrate with each other and with the organisation’s other management systems. When developing an implementation plan it is important to take a look at the existing elements from a perspective of continuous improvement, not merely to limit the amount of change by defending the status quo.

The order in which the gaps are addressed can be influenced by unique drivers for each organisation such as the ability to link with other existing processes (e.g. management of occupational safety risks) or the planned introduction of business initiatives such as lean methodology. Another option is to use continuous improvement tools such as the ‘four blocker’ to identify high impact/low effort changes to make – early wins will improve engagement and communication opportunities. As described at the beginning of this advisory circular, one of the aims of SMS is to “develop and improve the safety culture within the organisation”. The gap analysis will identify what is required to build the structural elements of the system; it is just as important to consider what may be required to change the organisation’s culture. These activities will be part change management, part safety promotion and heavily dependent upon safety leadership throughout all levels of the organisation. To foster effective safety performance, an organisation requires a safety management system and a positive safety culture – both require planning and implementation strategies.

It is important that, once the gaps have been identified and a plan established to implement the missing components, the organisation also demonstrates through its implementation plan that it has the resources to build its system in accordance with the plan.

3.1.2      Implementation plan

Evaluation Process

As part of the transition provisions in each of the organisation certification rules, organisations are required to submit an implementation plan to CAA that describes how the system for safety management will be implemented, along with application Form CAA 24100/01. As part of the requirements for submitting the plan, organisations are required to include a proposed date for implementation.

These transitional rule provisions allow for existing organisational certificate holders to submit an implementation plan for SMS within a prescribed period, since in most cases, there will be some form of management system already in place.

Applications for a new organisational certificate (not an organisation applying for certificate renewal) submitted after 01 February 2016, to which Part 100 applies, must include an implementation plan for SMS. The organisation may elect to either seek certification with a SMS that meets the requirements of Part 100, or proceed under transitional rule provisions with a management system (where it is required) such as QMS or OMS, and propose a date for implementation of SMS that is acceptable to the Director.  

Refer Annex F for an overview of the implementation plan, and date for implementation timelines and process.

The CAA will evaluate the plan and provide feedback to the organisation. The CAA will, if the plan is acceptable, approve the organisation’s implementation plan and set the date for implementation (certification) having regard to the following—

· the capability of the organisation

· the complexity of the organisation

· the risks inherent in the activities of the organisation

· the date of any certificate renewal

· any resource or scheduling impacts on the organisation or the Authority or both

The date for implementation must not be later than 1 February 2018 for Group 1, or 1 February 2021 for Group 2.

The implementation date will be recorded through an amendment to the conditions (Operations Specifications, Approvals Specifications, Exposition Acceptance etc.) associated with the organisation’s certificate(s).

Content of the Plan

The implementation plan is a roadmap describing how the organisation intends to implement processes that meet the requirements of Part 100 and associated organisation certification rules. Therefore, the implementation plan should be a strategy for managing SMS implementation, including adequate resourcing and a realistic timeline. Like any business change, SMS implementation will require some level of investment to address training, documentation changes, development time and possibly system tools to manage data streams and assist with analysis. The changes that are necessary to implement SMS should be managed in a structured way to ensure that there is an awareness of impacts and potential consequences, and that these are managed appropriately.

The implementation plan need not be complex. However, there should be sufficient detail to ensure that the organisation has identified how it will meet the overall objective of successfully implementing a SMS. This means that each element is present and suitable in the context of the activities the organisation undertakes.

The implementation plan should be developed in consultation with the chief executive and individuals who are responsible for functions within the organisation. Application Form CAA 24100/01 includes a declaration by the chief executive that the plan is appropriate, achievable, and adequately resourced in addition to a proposed date for implementation. The implementation plan should be documented in a format that is appropriate to the content and complexity, and should address the following

· the tasks identified during the gap analysis process, consistent with the requirements of the size of the organisation and the complexity of its products or services

· timelines and milestones for each task or group of tasks from the planning stage, to the entire implementation of SMS

· for a phased implementation approach (e.g. ICAO Doc. 9859, Chapter 5 – Phased Implementation Approach), the tasks are sorted according to the phase allocation of their related elements

· information as to who is responsible for completion of the identified task or group of tasks, including overall governance for the implementation plan

· a process identified whereby the status and performance of the SMS implementation plan is regularly monitored, and steps taken to mitigate substandard performance

· information showing how the integration of safety-related third party contractors and suppliers without an SMS into the scope of the organisation’s SMS will be coordinated

· resource requirements

· risk management associated with implementation of SMS.

Any material changes made by the organisation to an approved implementation plan must be documented and submitted on Form CAA 2400-03 to the CAA for approval. A material change in this context is any change that could impact upon the organisation’s ability to demonstrate acceptable performance by the date for implementation and/or consistent slippage of task due dates, such as—

· changes to who is responsible for task completion

· a significant reduction in available resource

· re-scheduling owing to under-estimating the complexity of the required changes

· changes to the scope of operational activity being undertaken.

3.1.3      Multiple certificates

Many organisations hold multiple certificates. The CAA would expect that these organisations implement safety management across all of their certificates at the same time and in the same transition period. This should be addressed through the implementation plan.

3.2         Implementation Guide

These steps provide a guideline to implementing an SMS.

Step 1:

Conduct a gap analysis

A gap analysis is used to identify what an organisation has in place, and what it still needs. The contents of this advisory circular and the rule requirements for an SMS provide information which will enable an organisation to develop a list of what is needed, what is already in place, and what is required to fill any gaps.

Step 2:

Develop a management plan

Management should develop an SMS management plan which could include—

· safety-related goals, objectives, and performance measures

· identification of implementation team membership and reporting lines

· provisional resource allocation.

This will assist in determining the priorities of the organisation for the implementation of an SMS.

Step 3:

Develop an implementation plan

The implementation plan may be documented in different forms, varying from a simple spreadsheet to specialised project software. It should be developed by extracting the list of required tasks from the gap analysis, ordering them in terms of the priority of implementation, and listing the resources required and the individuals responsible for completing them. The implementation plan should include milestones and a consistent timeline for each of the tasks, which will require regular monitoring to assist in keeping the implementation plan on track.

Submit Implementation Plan to the CAA for approval along with Application Form 24100/01

This may include a completed CAA Safety Management System Evaluation Tool Form CAA 24100/02 if used for gap analysis.

Step 4:

Assign accountability and responsibility

It is essential that the roles and responsibilities of personnel in the implementation of an SMS are defined, clearly communicated and their involvement assured. Recommended individual responsibilities of executives, managers, and individual personnel should be included in their job descriptions.

Step 5:

Develop policies, processes / procedures and other documentation

This is essential in ensuring that there is an integrated, well-understood and well-communicated SMS.

A safety policy statement designed by senior management and endorsed by the chief executive outlining their commitment to safety is required.

The exposition should cover the processes, actions and work flows that are involved.

Step 6:

Establish the SMS toolkit

A toolkit contains the actions, processes, and supporting tools that are the heart of an SMS. It can include any or all of the following—

· hazard identification processes including those resulting from safety investigations

· risk assessment processes and supporting templates

· internal safety reporting processes (including a database that an organisation may use to capture reports)

· internal safety investigation procedures

· an internal auditing system

· safety communication processes, such as safety committee meetings, and how safety-related information is escalated and disseminated

· safety training programme.

Step 7:

Implement an SMS training programme

(Ref 2.12 - Element 12)

Once the plans, policies, procedures and toolkit are in place, the rationale for implementing an SMS should be communicated to all personnel. This can be done through a structured training programme which may include a presentation to all personnel, a web-based package, or a series of informative newsletters or emails.

Consider the level of training required by those with safety responsibilities (e.g. the executives, the safety manager, team leaders, and operational personnel).

Step 8:

SMS Certification - Date for Implementation

Prior to the set date for implementation (at least 60 days) submit all relevant documentation along with appropriate organisation certification form(s).

This should include a completed SMS Evaluation Tool Form CAA 24100/02.

Step 9:

Monitor and review

Once the components of a safety management system have been implemented, it is important to gain assurance that they are actually working. The performance measures originally outlined in the management plan can be used to track the success of the SMS. The way to track them could be through a safety committee meeting, or through periodic management review of the SMS.


3.3         SMS Certification - Date for implementation

3.3.1      General

Current CAA certification processes will be used for certification of an organisation’s SMS. It will consist of an assessment of the exposition and supporting documentation, followed by an on-site inspection and demonstration.

CAA acceptance of an organisation’s SMS is required by the date for implementation set at the approval of the implementation plan, that date being no later than the date(s) prescribed in the transitional provisions of each organisation certification rule.

Refer Annex F for an overview of the implementation plan, and date for implementation timelines and process.

3.3.2     Assessment and review

As part of the assessment process, the exposition and supporting documentation will be reviewed to confirm that the organisation has developed and implemented its SMS. While this advisory circular provides the framework for an acceptable means of compliance with the Rules, it is not intended to provide the only means of compliance and consideration will be given to other methods of compliance that may be presented to the Director. Applicants must submit documentation that demonstrates to the Director that they have addressed all the SMS elements. This is best achieved using a CAA Safety Management System Evaluation Tool Form CAA 24100/02 that CAA will use to assist in evaluating the capability of the organisation’s SMS. The SMS processes and procedures may be documented in an SMS manual or incorporated in other manuals.

Organisational changes such as the nomination of a safety manager (the person responsible for facilitating and administering the organisation’s SMS) should also be submitted at the same time. Changes to an organisation’s senior persons associated with the implementation of SMS will be subject to the normal CAA senior person assessment process. Senior person interviews may be undertaken as part of the CAA’s on-site activities. For senior persons transitioning from a similar role or, subject to acceptance by the Director, combining the role for the system for safety management with other senior person roles for operational functions, the focus will be on satisfying section 9 and section 12 of the Civil Aviation Act – qualifications and experience, and having sufficient resources as is applicable to that role.

Where applicable, the integration of safety management processes with quality management processes should be clearly established and documented.

3.3.3     Inspection and demonstration

Following the documentation assessment, the CAA will conduct an on-site inspection to ensure that the documented policies, processes, procedures and systems are present and suitable, and to validate any observations from the documentation review. Where possible, the CAA may require the organisation to demonstrate, as much as practicable, actual performance of the SMS.

Once the CAA has evaluated that the organisation has satisfactorily achieved its implementation plan for certification and the capability and performance of the SMS is at a maturity of ‘present’ and ‘suitable’ (refer 3.1), it will provide written confirmation of approval of the SMS. This will include an amendment to the conditions (Operations Specifications, Approvals Specifications, Exposition Acceptance etc.) associated with the organisation’s certificate(s).

3.3.4      Ongoing monitoring

An organisation’s SMS will be subject to routine CAA surveillance to verify that the SMS’s capability and performance is maturing towards ‘operating’ and ‘effective’ (refer 3.1). CAA safety oversight activities are based on the safety risks identified through analysis. Regulatory decisions and interventions are based on the assessment of the organisation’s safety performance. Ongoing monitoring is used to obtain assurance of the organisation’s safety management capability and its ability to deliver on its safety performance objectives.

3.3.5      Changes to certificate holder’s organisation

Individual operating rules specify the changes that require prior acceptance by the Director; this includes changes to the system for safety management, if the change is a material change. With the exception of changes to the senior person responsible for safety management (already listed within the operational rules as a notifiable change), material changes are considered to be those affecting the performance of a fundamental process or system underpinning the safety management system, examples of which include—

· Methodologies for—

o setting safety goals, objectives and performance measures (note: only the process methodology, not the individual measures)

o hazard identification and risk management

o audit programme development

o management review.

· Changes to the safety training programme, e.g. high level changes to the safety training syllabus.

Changes should be directed to the appropriate CAA operational unit, as is currently the case for other exposition changes requiring prior approval by the Director.


Annex A—Civil Aviation Rule Part 100 Safety Management

Part 100        Safety Management

100.1    Applicability

This Part applies to an organisation that is required by the Civil Aviation Rules to establish, implement, and maintain a system for safety management.

100.3    System for safety management

(a) An organisation to which this Part applies must have a system for safety management that includes—

(1) a safety policy on which the system for safety management is based; and

(2) a process for risk management that identifies hazards to aviation safety, and that evaluates and manages the associated risks; and

(3) safety assurance measures that ensure—

   (i)      hazards, incidents, and accidents are internally reported and analysed and action is taken to prevent recurrence; and

   (ii)     goals for the improvement of aviation safety are set and the attainment of these goals is measured; and

   (iii)    there is a quality assurance programme that includes conducting internal audits and regular reviews of the system for safety management; and

(4) training that ensures personnel are competent to fulfil their safety responsibilities.

(b) The organisation must document all processes required to establish and maintain the system for safety management.

(c) The organisation’s system for safety management must correspond to the size of the organisation, the nature and complexity of the activities undertaken by the organisation, and the hazards and associated risks inherent in the activities undertaken by the organisation.


Annex B—Part 100 Safety Management relationship to AC100-1 Elements and ICAO Annex 19 SMS

The following diagram depicts the relationships between the Civil Aviation Rule Part 100-1 requirements, AC100-1 SMS elements, and the ICAO Annex 19 SMS Appendix 2 SMS framework. It will assist organisations with an overview of the safety management requirements and where to find the acceptable means of compliance and guidance material in the advisory circular that correspond to the rule requirements.

It demonstrates how the Civil Aviation Authority’s SMS elements are consistent with the ICAO SMS framework specified in Appendix 2 of Annex 19 Safety Management.

Key to the colours used in the diagram—

Blue text

Text from Civil Aviation Rules, Part 100 Safety Management

Red text

Text from Civil Aviation organisation certification rules that specify safety management requirements.

Examples from Civil Aviation Rules, Part 119 are used in the diagram.

Green text

Text from Civil Aviation operations rules that specify other requirements that are relevant to safety management.

Examples from Civil Aviation Rules, Part 121 are used in the diagram.


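[Diagram not reproduced: Part 100 safety management requirements mapped to AC100-1 SMS elements and the ICAO Annex 19 SMS framework]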



Annex C—References and further information

ARMS

Aviation Risk Management Solutions (ARMS) Working Group (2010); The ARMS Methodology for Operational Risk Assessment in Aviation Organisations, 2007-2010; ARMS Working Group.

ATSB

Australian Transport Safety Bureau (2008); Analysis, Causality and Proof in Safety Investigations, Aviation Research and Analysis Report AR-2007-053, Australian Transport Safety Bureau, Canberra, Australia.

CAAS

Civil Aviation Authority of Singapore (2013); Advisory Circular 1-3(4) – Safety Management System; Civil Aviation Authority of Singapore.

CASA Australia

Civil Aviation Safety Authority, Australia (2008); Managing change in the aviation industry; Civil Aviation Safety Authority, Australia.

Civil Aviation Safety Authority, Australia (2009); Civil Aviation Advisory Publication CAAP SMS-1(0) Safety management systems for regular public transport (RPT) operations; Civil Aviation Safety Authority, Australia.

Civil Aviation Safety Authority of Australia (2009); Civil Aviation Advisory Publication CAAP SMS-2(0) Integration of human factors (HF) into safety management systems (SMS); Civil Aviation Safety Authority of Australia.

Civil Aviation Safety Authority, Australia (2014); Safety management systems for aviation – A practical guide, 2nd edition December 2014; Retrieved March 9, 2015, from http://www.casa.gov.au/scripts/nc.dll?WCMS:STANDARD::pc=PC_101005

FAA

Federal Aviation Administration (2015); Advisory Circular AC 120-92B Safety management systems for aviation service providers; Federal Aviation Administration.

Federal Aviation Administration Flight Standards Service (2010); SAFETY MANAGEMENT SYSTEM (SMS) IMPLEMENTATION GUIDE For: Safety Management System (SMS) Pilot Project Participants and Voluntary Implementation of Service provider SMS Programs; Federal Aviation Administration Flight Standards Service - SMS Program Office Revision 3 June 1, 2010.

ICAO

International Civil Aviation Organization (ICAO) (2013); Annex 19 to the Convention on International Civil Aviation; Safety Management, First edition July 2013; ICAO.

International Civil Aviation Organization (ICAO) (2013); Doc 9859; Safety Management Manual, 3rd edition 2013; ICAO.

IHST

International Helicopter Safety Team. US Joint Helicopter Safety Team (2009); Safety management system toolkit, 2nd edition; International Helicopter Safety Team, Alexandria, Virginia.

ISO

International Organization for Standardization (2009); ISO31000:2009 Risk management – principles and guidelines; International Organization for Standardization, Geneva.

International Organization for Standardization (2009); IEC/ISO31010:2009 Risk Management: Risk Assessment Techniques; International Organization for Standardization, Geneva.

SACAA

South African Civil Aviation Authority (2013); Advisory Circular Safety Management Systems – A guide to implementation. CA AOC-AC-FO-017; South African Civil Aviation Authority.

SM ICG

Safety Management International Collaboration Group (2012); Safety management system evaluation tool; Safety Management International Collaboration Group.

Safety Management International Collaboration Group (2013); Measuring safety performance guidelines for service providers; Safety Management International Collaboration Group.

Safety Management International Collaboration Group (2013); How to support a successful SSP and SMS implementation – Recommendations for regulators; Safety Management International Collaboration Group.

Transport Canada

Transport Canada (2008); Advisory Circular 107-001 – Guidance on safety management systems development; Transport Canada, Ottawa.

Transport Canada (2008); Advisory Circular 107-002 – Safety management systems development guide for small operators/organizations; Transport Canada, Ottawa.

UK CAA

United Kingdom Civil Aviation Authority, Safety Regulation Group (2010); Safety management systems – Guidance to organisations (3); United Kingdom Civil Aviation Authority, London.

United Kingdom Civil Aviation Authority, Safety Regulation Group (2013); Safety management systems – Guidance for small, non-complex organisations; United Kingdom Civil Aviation Authority, London.

Individuals

Dekker, SWA (2005); Ten questions about human error: A new view of human factors and system safety; Lawrence Erlbaum Associates, Mahwah, New Jersey.

Hudson, P. December (1999); Safety Culture – Theory and Practice; Universiteit Leiden, The Netherlands.

Lowe, C (2008); ‘A human factors perspective on safety management systems’, In Redmill, F & Anderson, T (Eds), Improvements in System Safety, Springer, London.

Reason, J (1997); Managing the risks of organisational accidents; Ashgate Publishing Limited, Aldershot, England.

Stolzer, AJ, Halford, CD & Goglia, JJ (2008); Safety management systems in aviation; Ashgate Publishing Limited, Aldershot, England.


Annex D—Example Gap Analysis and Implementation Plans

Example Gap Analysis

| Ref | Gap analysis question | Answer (Yes/No/Partial) | Description of gap | Action/task required to fill the gap | Assigned person | Manual reference | Action/Task (Open/WIP/Closed) |
|---|---|---|---|---|---|---|---|
| 1.1-1 | Is there a safety policy in place? | Partial | The existing safety policy addresses OHS only | a) enhance the existing safety policy to include aviation SMS objectives; b) have the safety policy approved and signed by the CEO. | safety manager | Chapter 1 section 1.3 | WIP |
| Etc. | | | | | | | |
| 4.1-1 | Is there a reporting system to capture errors, hazards and near misses? | Partial | The incident reporting system is not being used to report hazards. A separate OHS system is used for reporting workplace hazards and does not include operational hazards. | a) Combine the safety reporting systems to include all hazards. b) Ensure all stakeholders for occupational and operational safety reporting are agreed upon the report design and processing. c) Communicate the reporting changes to all personnel and contractors. | operations manager | Chapter 3 section 3.6 | Open |
| Etc. | | | | | | | |


Example Implementation Plan

| Action/Task required to fill the gap | Manual ref. | Assigned person | Status of action / task | 1st Q 2016 | 2nd Q 2016 | 3rd Q 2016 | 4th Q 2016 | 1st Q 2017 | 2nd Q 2017 | 3rd Q 2017 | 4th Q 2017 | Est M/hours | Est cost $ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1.1-1 a) Enhance the existing safety policy to include aviation SMS objectives and policies. | Chapter 1 section 1.3 | safety manager | WIP, first draft in review | | | | | | | | | 16 | |
| 1.1-1 b) Require the safety policy to be approved and signed by the CEO. | Chapter 1 section 1.3 | safety manager | Open | | | | | | | | | 2 | |
| Etc. | | | | | | | | | | | | | |
| 4.1-1 a) Combine the safety reporting systems to include all hazards. | Chapter 3 section 3.6 | operations manager / OHS co-ordinator | WIP | | | | | | | | | 80 | 500 |
| 4.1-1 b) Ensure all stakeholders for occupational and operational safety reporting are agreed upon the report design and processing. | N/A | operations manager / OHS co-ordinator | Open | | | | | | | | | 12 | |
| 4.1-1 c) Communicate the reporting changes to all personnel and contractors. | Chapter 3 section 3.12 | HR (Training) | Open | | | | | | | | | 2 | |
| Etc. | | | | | | | | | | | | | |

Notes:

1. Progress reviewed at each monthly management meeting.

2. Emergency response plan being developed in conjunction with Airport Safety Committee; first table top exercise planned for 2nd Q 2017.

3. Maintenance Manager has identified four key service providers for inclusion in element 7 – third party safety risks and element 10 – requirement for safety related service providers’ SMS.


Annex E—Training and Competency Guidance Material

Safety Manager (senior person responsible for the system for safety management)

The safety manager is the senior person responsible for the development, implementation, operation and continuous improvement of the organisation’s SMS. They should act as a focal point for safety in the organisation.

Typically the safety manager is required to be competent and responsible for the following—

· management of the SMS implementation plan on behalf of the chief executive

· facilitate the risk management process (hazard identification, risk assessment and risk control)

· management of safety performance processes

· monitor corrective and preventative actions to ensure their accomplishment

· maintain safety documentation

· ensure appropriate safety management training is provided

· provide independent advice on safety matters

· oversee safety management processes

· appropriate involvement in safety investigations

· monitoring safety concerns in the aviation industry and their perceived impact on the organisation’s operations

· coordinating and communicating (on behalf of the chief executive) with the CAA as necessary on issues relating to safety.

In addition to the above, an understanding of the organisation’s operation and related safety critical tasks and systems, and competency in safety management principles, the following key skills and experience should be taken into consideration to complement the professional expertise of the safety manager—

· professional knowledge of the organisation’s specific operations and environment

· analytical thinking and problem-solving abilities

· inter and intra-organisation project management skills

· people-oriented skills such as objectivity, fairness, etc.

· communication skills, both written and oral.

The following table outlines a sample content of the safety training for the position of safety manager. The syllabus for training should take account of the complexity of the organisation and the training needs analysis for the position.


Sample Content for Safety Management Training for Safety Manager

Safety management principles and practices in the aviation environment—

· the need for SMS

· what is different about SMS

· relationship / integration with other management systems

· key principles and processes

· regulatory requirements

The organisation’s SMS including—

· safety policy, goals and objectives

· safety roles and responsibilities

· emergency response planning

· documentation

· risk management

· safety assurance and measurement

· safety reporting

· safety communication and training

Safety risk management principles

· hazard identification, risk assessment and control

Safety investigation principles

Human performance

· human factors

· understanding the role of the human in safety

· human behaviour and performance

· error management

Safety culture


Annex F—Implementing an SMS

Timeline - SMS Implementation Plan and Date for Implementation

SMS implementation is divided into two groups to provide organisations with sufficient time to develop and implement an SMS appropriate to the size of the organisation, the nature and complexity of the activities undertaken, and the hazards and associated risks inherent in their activities.

The first group requiring implementation over a 2-year period comprises Part 121 and Part 125 air operators, and the associated supporting organisations e.g. maintenance, international aerodromes and Air Traffic Service providers.

The second group comprises the remainder of the certificated organisations that are required to have an SMS, with implementation over a five year period.

The dates for submission of an organisation’s Implementation Plan and the Date for Implementation (SMS certification) are prescribed in the transitional provisions of each organisation certification rule. For the purposes of explanation, the two groups of organisational certificate holders are referred to as Group 1 and Group 2.

Note: Applications for a new organisational certificate (not an organisation applying for certificate renewal) submitted after 01 February 2016, to which Part 100 applies, must include an implementation plan for SMS. The organisation may elect to either seek certification with an SMS that meets the requirements of Part 100, or proceed under transitional rule provisions with a management system (where it is required) such as QMS or OMS, and propose a date for implementation of SMS that is acceptable to the Director.

| | Group 1 | Group 2 |
|---|---|---|
| Implementation Plan to be submitted by (at approval of the Implementation Plan, CAA sets the Date for Implementation) | 30 July 2016 | 30 July 2018 |
| Date for Implementation, no later than | 01 February 2018 | 01 February 2021 |

The diagram below shows the timelines for Group 1 and Group 2 Organisations.

Figure 5: SMS Implementation Plan and Date of Implementation Timeline

Process - SMS Implementation Plan and Date for Implementation

1. Implementation Plan

Applicant – to submit

Existing certificate holders: by 30 July 2016 for Group 1 or 30 July 2018 for Group 2

New applicants (not renewals) after 01 February 2016: included with certificate application

Implementation Plan, including—

· Gap Analysis / Tasking

· Timelines

· Resource requirements

· Responsibilities

Application for approval of SMS Implementation Form - CAA 24100/01

· Proposed Date for Implementation

· Proposed Senior Person for safety management

· Declaration by chief executive

CAA Process

Assess and approve Implementation Plan

Set Date for Implementation, having regard to—

· the capability of the organisation

· the complexity of the organisation

· the risks inherent in the activities of the organisation

· the date of any certificate renewal

· any resource or scheduling impacts on the organisation or the Authority or both

· the date for implementation must not be later than 01 Feb 2018 for Group 1, or 01 Feb 2021 for Group 2

Amend Organisational Certificate’s supporting conditions document (e.g. Operations Specification) to include set Date for Implementation

2. SMS Certification - Date for Implementation

Applicant – to submit

At least 60 days prior to set Date for Implementation

Application for Amendment to Certificate Forms

Amendment form applicable to Organisational Certificate Rule Part & Senior Person change(s)

Completed CAA SMS Evaluation Tool

Amended Exposition

Rules Matrices – Part 100 and associated organisational certification rules

CAA Process

SMS Certification

· Assessment and Review

· Inspection and Demonstration

· Senior Person interview(s)

Amend Organisational Certificate’s supporting conditions document (e.g. Operations Specification) to reflect approval of SMS