< Previous7-12 Safety Management Manual (SMM) 7.6.3.6 If the safety data or safety information is proposed for use in an action or proceeding (civil, administrative, criminal or disciplinary), then the potential negative impact of such use may relate to the source of such data or information. Even if safeguards can be put in place to prevent the safety data or safety information from being disclosed outside the confines of the action or proceeding, any negative impact from the use of such data or information during a proceeding may still discourage future reporting or disclosure of safety data and safety information for the purposes of maintaining or improving safety. If the proposed use of the safety data or safety information involves dissemination or publication of such data or information beyond the confines of the proceeding, the competent authority should also consider the potential prejudicial effect on the wider community (domestic and international). 7.6.3.7 On the individual level, making the information public can have prejudicial detriment to the person involved such as the potential loss of livelihood and/or embarrassment. On a broader level, the publication or dissemination of safety data or safety information in a particular case may create a general disincentive for people similarly situated, but not involved in the particular action or proceeding, to report or contribute to the collection of such data and information. 7.6.3.8 In making a determination regarding the first two principles of exception, the competent authority must be satisfied, that: a) in the first case, the content of the safety data or safety information sought to be disclosed or used is necessary in order to decide whether the act or omission constitutes gross negligence, wilful misconduct or criminal activity; or b) in the second case, that such data, information or the related source is necessary for the proper administration of justice. 7.6.3.9 The competent authority will determine whether the safety data, safety information or the identity of the source of such data or information is necessary to the case. If a competent authority can reasonably make a decision without referring to the protected data, information or source, then greater weight must be given to preserving the protection of the safety data, safety information and related sources. There is no need to prejudice the collection and availability of safety data, safety information and related sources when a decision can be made by the competent authority without requiring the disclosure (or use) of such data and information. This will help ensure the continued availability of safety data and safety information for maintaining or improving aviation safety. 7.6.3.10 Adverse consequences might flow from the disclosure or use of safety data, safety information and related sources, such as the reluctance of aviation operational personnel to willingly cooperate with inspectors. If such data, information or details about their sources are not necessary to prove an essential fact in a proceeding, then the future collection and availability of safety data, safety information and related sources should not be jeopardized by unnecessary release under either of these principles of exception. Furthermore, if the required information can practicably be obtained from alternate sources, the competent authority might decide against allowing access to the safety data or safety information until all reasonable alternative avenues to acquire the information have been exhausted. 7.6.3.11 Similarly, if a competent authority in a State that does not have a right-to-know law is asked to decide whether the safety data or safety information should be disclosed to the public (for example, in response to a request from the media), the competent authority would most likely want to know how important it is that the public knows the contents of such data or information. In such a situation, the competent authority might ask a question like, “Without knowing the contents of the data or information, would the public have a proper understanding of the occurrence, or would the event have safety consequences for the travelling public?” Being able to substantiate a view that the public’s knowledge would be compromised without access to the safety data or safety information might give weight to an argument for its disclosure. However, this data or information would not have to be disclosed just because these grounds are established. If disclosure would seriously compromise the continued availability of safety data and safety information by discouraging future safety reporting, the scales may not necessarily be tipped in favour of disclosure. Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-13 7.6.3.12 The third exception involves cases in which, “after reviewing the safety data or safety information,” the competent authority “determines that its release is necessary for maintaining or improving safety, and that the benefits of its release outweigh the adverse domestic and international impact such release is likely to have on the future collection and availability of safety data and safety information”. This exception applies to the release of safety data or safety information necessary for maintaining or improving safety. It has no application to the use of safety data or safety information in connection with preventive, corrective or remedial action taken by a regulatory authority that is necessary to maintain or improve aviation safety. 7.6.3.13 The circumstances contemplated by Annex 19 involve consideration by a competent authority of the benefits of releasing the safety data or safety information for more general purposes related to the maintenance or improvement of safety, including, for example, training and educational purposes or the publication of safety information and advice for the benefit of the wider community. The analysis for these situations involve the same kind of two-step process described in 7.6.3.5 above: first, requiring the competent authority to decide that the “release is necessary for maintaining or improving safety”, and, second, requiring the competent authority to determine that the benefits of releasing the safety data or safety information outweigh the potential adverse impact such a release will have on the future collection and availability of such data and information. 7.6.3.14 In considering the second step of this analysis, Annex 19 encourages competent authorities to take into account the “consent of the source of the safety data and safety information”. The importance of this recognition underscores the critical distinction discussed in 7.6.3.10 above, differentiating between the release of safety data and safety information for purposes generally related to the maintenance or improvement of safety (in which case this principle of exception will apply), and the use of safety data and safety information for particular preventive, corrective and remedial purposes in support of the maintenance or improvement of safety (in which case it will not be necessary to satisfy the requirements of any principle of exception as this usage is already permitted within the principles of protection). 7.6.3.15 In keeping with the spirit of the principles of protection, when considering the use of safety data or safety information in support of preventive, corrective or remedial actions taken for the purpose of maintaining or improving safety, it may be possible for the competent authority to ascertain whether an appropriate alternative source for such data or information may practicably be available. If so, even this unexceptional use of protected safety data or safety information may be avoided. 7.6.3.16 However, such a consideration of practicability does not require or invite the formal application of a principle of exception called up in Annex 19. This is because the principle of exception applies where the interest of maintaining or improving safety is weighed against some other competing public interest (e.g., the proper administration of justice, providing public access to data or information, or facilitating training or educational processes by allowing for the inclusion of protected data or information). Preventive, corrective or remedial action taken for the purpose of maintaining or improving safety falls within the scope of the principles of protection, and there is no countervailing non-safety related interest against which such use needs to be balanced. 7.6.4 Additional considerations in applying a principle of exception 7.6.4.1 In deciding whether a principle of exception applies in a case, the competent authority should always take into account the consent of the source of the safety data or safety information. If a person has been given assurances of confidentiality in respect of safety data or safety information of which they are the source, then the use, disclosure or release of such data or information in a manner that conflicts with those assurances is likely to have an adverse impact on the safety data and safety information that may be provided by that person in the future. In addition, if safety data or safety information were to be released or used in spite of confidentiality assurances to the source, this may have a similarly adverse impact on any person who may become aware of that fact. 7.6.4.2 To avoid undesirable situations of the kind mentioned in 7.6.4.1 from arising, it will be prudent to ensure that individuals and organizations clearly understand in advance how, when, where and for what purposes the data and information they provide may be used in accordance with the application of the principles of exception. Such an understanding is essential to the establishment and maintenance of a predictable reporting environment based on trust. 7-14 Safety Management Manual (SMM) 7.6.4.3 The following diagram provides general guidelines regarding the application of the principles of exception by the competent authority consistent with the provisions of the Annex 19.6 Figure 18. Guidelines for the application of the principles of exception 7.7 PUBLIC DISCLOSURE 7.7.1 The public has an overarching interest in safety data or safety information. The public’s interest is in openness, transparency and accountability so that it has a general awareness of the safety of the system and can be assured that everything necessary to address safety is being done. Specific individuals or interest groups may also have an interest in the safety data or safety information for reasons other than those directly related to safety. Disclosure may occur voluntarily, as a result of a request for information to the government or through the processes of a judicial proceeding. Whether or not it is appropriate to disclose any safety data or safety information publicly 6 It is important to remember that States shall not be prevented from using safety data or safety information to take any preventive, corrective or remedial action that is necessary to maintain or improve aviation safety. Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-15 depends on the nature of the safety data and safety information. Such determination is the domain of the competent authority as previously discussed. 7.7.2 If safety data or safety information is disclosed publicly, it is not usually possible to limit how the information would be used. Certainly, openness and transparency should be encouraged but, at the same time, the rights and legitimate expectations of those involved in reporting and analysing the safety data and safety information, and the need to protect them from inappropriate damage to their interests or reputation, must be taken into account. However, this may not always apply to States with right-to-know laws. 7.7.3 Many States have legislation which in effect mandates release of all information held by State institutions. Such laws are sometimes referred to as right-to-know laws. Under these laws, unless there is an exemption for a particular type of information, it must be disclosed by the government upon request. Some examples of exemptions might be classified information, commercially sensitive information or information such as medical records which are protected by privacy laws. Safety data or safety information is not usually exempted. In accordance with Annex 19, States may choose to create exemptions or rules to protect from public disclosure in right-to-know laws or in any other type of laws, including aviation legislation. 7.7.4 Right-to-know laws generally apply to information held by the government. Since most safety data and safety information requiring protection from disclosure is obtained from operational personnel or a service provider, a practical approach would be to allow such data and information to remain with the organization rather than depositing it with a government authority. This way the question of public disclosure does not arise unless some additional government action such as an administrative proceeding is convened. Where the question of public disclosure is faced in an administrative or judicial proceeding, the competent authority should apply the basic principles of protection previously discussed. This approach may not work if service providers are obliged to report safety data and safety information to a government authority, or if the service provider is a governmental authority or agency or part of a governmental authority or agency. 7.7.5 Failure to properly assess the competing claims made for access to safety data or safety information can impact current and future efforts in two ways. Public disclosure of certain data or information can be perceived as a violation of the privacy of individuals or the confidentiality expectations of organizations associated with the safety data or safety information. Use of certain data or information as part of an argument supporting sanctions against involved individuals or organizations can be seen to violate basic principles of fairness. Future availability of safety data and safety information may be impacted by the predictable human behaviour of withholding information that results from anticipating a perceived threat from its disclosure or incriminating use. This can have an obvious impact on both data collection and data analysis functions of safety management. 7.7.6 If a competent authority determines that safety data or safety information may be disclosed to the public, the State is expected to ensure that any public disclosure is made in accordance with applicable privacy laws or in a de-identified, summarized or aggregate form. Further information on authoritative safeguards is contained in 7.5.3 above. 7.8 PROTECTION OF RECORDED DATA 7.8.1 Protection of ambient workplace recordings 7.8.1.1 Ambient workplace recordings should be part of any protection policy or regulation. The use of these recordings as a part of safety management where allowed by regulation or policy should fully respect the principles of protection and exception. The trust of the reporting population is fundamental to an effective safety management. That trust should not be compromised. 7.8.1.2 Provisions contained in Annex 19 are applicable to safety management functions related to, or in direct support of, the safe operation of aircraft. Ambient workplace recordings may be governed by national privacy laws that are not defined in Annex 19. 7.8.1.3 Ambient workplace recordings may include CVRs, AIRs, other flight recorder recordings, or recordings of background communication and the aural environment at air traffic controller work stations. 7-16 Safety Management Manual (SMM) 7.9 SAFETY INFORMATION SHARING AND EXCHANGE 7.9.1 Protection of information shared between States 7.9.1.1 Taking into account that one of the main objectives of sharing and exchange of safety information is to ensure a consistent, fact-based and transparent response to safety concerns at the State and global levels, in the process of sharing and exchange of safety information, States shall act in accordance with the following principles: a) compliance with the Convention on International Civil Aviation (Chicago Convention), its Annexes and other multilateral and bilateral obligations of States; b) sharing and exchange of safety information does not lead to violation by the relevant States’ authorities of national laws relating to the protection of safety information, including but not limited to the national laws and regulations on State secret, personal data protection, commercial (trade) secret as well as violation of the rights of individuals and legal entities; c) safety information shared and exchanged by a State should not be used in a way adversely affecting such State itself, its airlines, its public servants and its citizens as well as for other inappropriate purposes, including for the purpose of gaining economic advantage; d) the sole purpose of protecting safety information from inappropriate use is to ensure its continued availability so that proper and timely preventive actions can be taken and aviation safety improved; and e) sharing and exchange of safety information should be in line with the principles of protection provided in Annex 19. 7.9.1.2 A legal framework for sharing and exchange of information can be based on bilateral arrangements between States inserted, for instance, into their air transport (air services) agreement. For facilitating sharing and exchange of information, States can also agree that such bilateral arrangements apply provisionally, if applicable, pending their ratification and entry into force. 7.9.1.3 States should promote and facilitate the establishment of safety information sharing and exchange networks among users of its aviation system. The sharing and exchange of safety information is fundamental to ensuring a consistent, fact-based and transparent response to safety concerns at the State and global levels. ______________________ 8-1 Chapter 8 STATE SAFETY MANAGEMENT 8.1 INTRODUCTION 8.1.1 Chapter 3 of Annex 19 contains SARPs related to the safety management responsibilities of States. This includes the establishment and maintenance of a State safety programme (SSP) intended to manage safety in an integrated manner. 8.1.2 With the First Edition of Annex 19, States were expected to address two sets of provisions, these were the: eight critical elements (CEs) of a State’s safety oversight (SSO) system; and SSP framework. The safety oversight aspect reflected the traditional role of the State, which is to ensure the effective implementation by the aviation industry of prescriptive SARPs, while the SSP framework represented the incorporation of safety management principles. 8.1.3 The safety oversight system and the SSP were closely connected in terms of the safety objectives that each seeks to achieve. Both address the functions and responsibilities of the State. The former primarily with regard to safety oversight and the latter with regard to safety management and safety performance. There are clearly some aspects of safety management within the eight CEs that reflect the transition to a proactive approach in managing safety. For example, surveillance obligations (CE-7) can be considered an element of safety assurance and primary aviation legislation (CE-1) and specific operating regulations (CE-2) were also reflected in the original SSP framework as important safety risk controls. 8.1.4 These responsibilities have been integrated in the Second Edition of Annex 19 and are collectively referred to as the State’s safety management responsibilities. The SARPs related to the State’s safety management responsibilities, which cover both safety oversight and safety management, are interdependent and constitute an integrated approach towards effective safety management. Although the term SSP is still used in the Second Edition of Annex 19, the meaning has changed to encompass the integrated set of SARPs found in Chapter 3. As such, the SSP is no longer described as a framework, but rather as a programme to meet the State’s safety management responsibilities, which includes safety oversight. So, the SSP is part of the broad concept of State safety management. This evolution is illustrated in Figure 19. 8-2 Safety Management Manual (SMM) Figure 19. Integrated State safety programme 8.2 STATE SAFETY PROGRAMME (SSP) 8.2.1 State safety oversight system critical elements The CEs of a State safety oversight (SSO) system form the foundation of the SSP. The Second Edition of Annex 19 emphasizes the importance of a safety oversight system by maintaining the provisions related to the eight CEs at the level of a Standard. The majority of the requirements from the SSP framework have been upgraded to Recommended Practices, with a few upgraded to a Standard. Details on the CEs of an SSO system are addressed in the Safety Oversight Manual, Part A — The Establishment and Management of a State’s Safety Oversight System (Doc 9734). Chapter 8. State Safety Management 8-3 8.2.2 State safety programme overview 8.2.2.1 An SSP is an integrated set of regulations and activities aimed at improving safety. For the establishment and maintenance of the SSP, the ICAO SARPs are structured into the following four components: a) State safety policy, objectives and resources; b) State safety risk management; c) State safety assurance; and d) State safety promotion. 8.2.2.2 The implementation of an SSP requires coordination among multiple authorities responsible for the aviation functions of the State. The implementation of an SSP does not alter the respective roles of the State’s aviation organizations or their normal interaction with one another. Rather, the SSP aims to leverage the collective safety functions and capabilities to further enhance safety within the State. When starting to implement an SSP, most States find they already have existing processes and activities that address many aspects of an SSP. The implementation of an SSP aims to enhance these processes with additional performance and safety risk-based elements, and facilitate the effective implementation of SMS by the aviation industry in the State. 8.2.2.3 The SSP aims to: a) ensure the State has an effective legislative framework in place with supporting specific operating regulations; b) ensure SRM and safety assurance coordination and synergy amongst relevant State aviation authorities; c) support effective implementation and appropriate interaction with service providers’ SMS; d) facilitate the monitoring and measurement of the safety performance of the State’s aviation industry; and e) maintain and/or continuously improve the State’s overall safety performance. 8.2.3 Delegation of safety management functions and activities 8.2.3.1 Some safety management activities require new competencies such as: conducting safety risk assessments; performing safety data analyses; or evaluating the appropriateness of SPIs. 8.2.3.2 A State may choose to delegate some specific functions or tasks under the SSP to another State, regional safety oversight organization (RSOO) or other competent organization, such as a trade association, industry representative organization or private body. Although a State may delegate specific functions, it will still need enough personnel to interface with the delegated entity and to process the information provided by the delegated entity. 8.2.3.3 States should also consider the establishment of appropriate technical and administrative processes to ensure that the delegated functions are carried out to their satisfaction. 8.2.3.4 Regardless of the arrangement, the State retains the responsibility to ensure that any delegated tasks are performed in accordance with their national requirements and SARPs. 8.2.3.5 Delegation may allow States with a relatively low level of aviation activities to collectively gather safety data to identify trends and coordinate mitigation strategies. 8-4 Safety Management Manual (SMM) 8.2.3.6 If a State chooses to receive assistance for the development of surveillance processes it should include the development of organizational safety risk profiles for service providers, the planning and prioritization of inspections, audits and monitoring activities of approved organization/service providers. 8.2.3.7 If a State chooses to delegate the surveillance activities, the State should ensure it retains access to surveillance records with documented outcomes. The State should also periodically monitor and review the safety performance of each service provider and ensure it is clearly established who will monitor and enforce (if needed) the resolution of any safety issues. 8.2.3.8 Delegation is a means for States with limited resources to ensure they have access to the appropriate expertise. Guidance on the establishment of an RSOO can be found in Safety Oversight Manual, Part B — The Establishment and Management of a Regional Safety Oversight Organization (Doc 9734). 8.3 COMPONENT 1: STATE SAFETY POLICY, OBJECTIVES AND RESOURCES 8.3.1 The first SSP component defines how a State will manage safety throughout its aviation system. It includes determining the requirements, obligations, functions and activities of the different State aviation authorities related to the SSP, as well as the broad safety objectives to be achieved. The State safety policy and objectives should be documented to provide clear expectations and keep the safety management efforts of the State’s CAA, and those of other State aviation authorities, focused on maintaining and improving safety performance. This enables the State to provide clear safety guidelines to support an air transportation system that is continuing to grow and becoming more complex. 8.3.2 The State’s legal framework dictates how aviation safety will be managed. Service providers are legally responsible for the safety of their products and services. They must be in compliance with safety regulations established by the State. The State should ensure that aviation authorities involved with the implementation and maintenance of the SSP have the necessary resources for the SSP to be implemented effectively. 8.3.3 Component 1 of the SSP, State safety policy, objectives and resources, is composed of the following elements: a) primary aviation legislation; b) specific operating regulations; c) State system and functions; d) qualified technical personnel; and e) technical guidance, tools and provision of safety-critical information. 8.3.4 Primary aviation legislation 8.3.4.1 Guidance on primary aviation legislation (CE-1) can be found in Doc 9734, Part A. Note.— Throughout this manual, the term “legislation” is used as a generic term to include primary aviation legislation and specific operating regulations. 8.3.4.2 There may be a need for legislative provisions that empower the various State aviation authorities (e.g. CAA or Accident Investigation Authority) to perform their roles. Whether or not the primary aviation legislation needs to specifically mention SSP implementation as a role of the CAA depends on the legal system of the State. Some States may consider that SSP implementation is implied in the functions already mentioned in their primary aviation legislation. In that case, amendment of the primary aviation legislation may not be necessary. Evidence of Chapter 8. State Safety Management 8-5 SSP implementation should be clearly available in formal State documents. The State should also be able to demonstrate its commitment to address its safety management responsibilities, as outlined in Annex 19. 8.3.4.3 As part of its SSP, a State is expected to establish an enforcement policy that: a) supports and encourages a positive safety culture; b) describes how the State assures protection of safety data and safety information and related sources, especially if information provided is self-incriminating; and c) specifies the conditions and circumstances under which service providers with an SMS are allowed to deal with and resolve events involving certain safety issues internally, within the context of their SMS and to the satisfaction of the relevant State authority, provided that the SMS is in accordance with the SMS framework and shown to be effective and mature. 8.3.4.4 By using safety management principles, the relationship between a State and its service providers should evolve beyond compliance and enforcement, to a partnership aimed at maintaining or continuously improving safety performance. 8.3.5 Specific operating regulations 8.3.5.1 Guidance on specific operating regulations (CE-2), including adapting or adopting regulations from another State can be found in Doc 9734, Part A. Prescriptive and performance-based regulations 8.3.5.2 Safety regulations are an important tool that can be used by States to control safety risks. With the transition to safety management, there has also been a trend toward introducing performance-based regulations. To understand what performance-based regulations are, one must first understand prescriptive regulations. Prescriptive regulations are regulations that explicitly spell out what must be done and how it must be done. The expectation is that compliance with these regulations will achieve the desired level of safety. Many prescriptive regulations were developed following an accident and are based on lessons learned and the desire to avoid an accident taking place for the same causes in the future. From the service provider’s perspective, meeting prescriptive requirements entails implementing the regulations without deviation. No further analysis or justification is expected from the service provider or from the authority. 8.3.5.3 Up until recently ICAO SARPs have focussed on prescriptive requirements as a means of identifying minimum standards and ensuring interoperability. However, increasingly there is a need to enable performance-based regulations to support innovative implementation approaches that may improve efficiencies and that can meet or exceed the safety objectives. 8.3.5.4 ICAO Annexes provide examples of Standards that enable both prescriptive and performance-based regulations. The following is an example of a Standard from Annex 14 — Aerodromes, Volume I — Aerodrome Design and Operations, that enables prescriptive regulations: 3.3.1 Where the end of a runway is not served by a taxiway or a taxiway turnaround and where the code letter is D, E or F, a runway turn pad shall be provided to facilitate a 180-degree turn of aeroplanes. 8.3.5.5 The example above enables a prescriptive regulation as it identifies only one way of demonstrating compliance if the runway is of the specified criteria: that is, to provide a runway turn pad. Deviation from prescriptive regulations is generally granted by means of exemption from the regulations. Next >