< Previous9-4 Safety Management Manual (SMM) 9.3.5.5 One of the most effective ways the accountable executive can be involved, and seen to be involved, is by leading regular executive safety meetings. As they are ultimately responsible for the safety of the organization, being actively involved in these meetings allows the accountable executive to: a) review safety objectives; b) monitor safety performance and the achievement of safety targets; c) make timely safety decisions; d) allocate appropriate resources; e) hold managers accountable for safety responsibilities, performance and implementation timelines; and f) be seen by all personnel as an executive who is interested in, and in charge of, safety. 9.3.5.6 The accountable executive is not usually involved in the day-to-day activities of the organization or the problems faced in the workplace and should ensure there is an appropriate organizational structure to manage and operate the SMS. Safety management responsibility is often delegated to the senior management team and other key safety personnel. Although responsibility for the day-to-day operation of the SMS can be delegated, the accountable executive cannot delegate accountability for the system nor can decisions regarding safety risks be delegated. For example, the following safety accountabilities cannot be delegated: a) ensuring safety policies are appropriate and communicated; b) ensuring necessary allocation of resources (financing, personnel, training, acquisition); and c) setting of the acceptable safety risk limits and resourcing of necessary controls. 9.3.5.7 It is appropriate for the accountable executive to have the following safety accountabilities: a) provide enough financial and human resources for the proper implementation of an effective SMS; b) promote a positive safety culture; c) establish and promote the safety policy; d) establish the organization’s safety objectives; e) ensure the SMS is properly implemented and performing to requirements; and f) see to the continuous improvement of the SMS. 9.3.5.8 The accountable executive’s authorities include, but are not limited to having final authority: a) for the resolution of all safety issues; and b) over operations under the certificate/approval of the organization, including the authority to stop the operation or activity. 9.3.5.9 The authority to make decisions regarding safety risk tolerability should be defined. This includes who can make decisions on the acceptability of risks as well as the authority to agree that a change can be implemented. The authority may be assigned to an individual, a management position or a committee. Chapter 9. Safety Management Systems (SMS) 9-5 9.3.5.10 Authority to make safety risk tolerability decisions should be commensurate with the manager's general decision-making and resource allocation authority. A lower level manager (or management group) may be authorized to make tolerability decisions up to a certain level. Risk levels that exceed the manager's authority must be escalated for consideration to a higher management level with greater authority. Accountability and responsibilities 9.3.5.11 Accountabilities and responsibilities of all personnel, management and staff, involved in safety-related duties supporting the delivery of safe products and operations should be clearly defined. The safety responsibilities should focus on the staff member's contribution to the safety performance of the organization (the organizational safety outcomes). The management of safety is a core function, as such every senior manager has a degree of involvement in the operation of the SMS. 9.3.5.12 All defined accountabilities, responsibilities and authorities should be stated in the service provider’s SMS documentation and should be communicated throughout the organization. The safety accountabilities and responsibilities of each senior manager are integral components of their job descriptions. This should also capture the different safety management functions between line managers and the safety manager (see 9.3.6 for further details). 9.3.5.13 Lines of safety accountability throughout the organization and how they are defined will depend on the type and complexity of the organization, and their preferred communication methods. Typically, the safety accountabilities and responsibilities will be reflected in organizational charts, documents defining departmental responsibilities, and personnel job or role descriptions. 9.3.5.14 The service provider should aim to avoid conflicts of interest between staff members’ safety responsibilities and their other organizational responsibilities. They should allocate their SMS accountabilities and responsibilities, in a way that minimizes any overlaps and/or gaps. Accountability and responsibilities and in respect to external organizations 9.3.5.15 A service provider is responsible for the safety performance of external organizations where there is an SMS interface. The service provider may be held accountable for the safety performance of products or services provided by external organizations supporting its activities even if the external organizations are not required to have an SMS. It is essential for the service provider’s SMS to interface with the safety systems of any external organizations that contribute to the safe delivery of their product or services. 9.3.6 Appointment of key safety personnel 9.3.6.1 Appointment of a competent person or persons to fulfil the role of safety manager is essential to an effectively implemented and functioning SMS. The safety manager may be identified by different titles. For the purposes of this manual, the generic term “safety manager” is used and refers to the function, not necessarily to the individual. The person carrying out the safety manager function is responsible to the accountable executive for the performance of the SMS and for the delivery of safety services to the other departments in the organization. 9.3.6.2 The safety manager advises the accountable executive and line managers on safety management matters, and is responsible for coordinating and communicating safety issues within the organization as well as with external members of the aviation community. Functions of the safety manager include, but are not limited to: a) manage the SMS implementation plan on behalf of the accountable executive (upon initial implementation); b) perform/facilitate hazard identification and safety risk analysis; 9-6 Safety Management Manual (SMM) c) monitor corrective actions and evaluate their results; d) provide periodic reports on the organization’s safety performance; e) maintain SMS documentation and records; f) plan and facilitate staff safety training; g) provide independent advice on safety matters; h) monitor safety concerns in the aviation industry and their perceived impact on the organization’s operations aimed at product and service delivery; and i) coordinate and communicate (on behalf of the accountable executive) with the State’s CAA and other State authorities as necessary on issues relating to safety. 9.3.6.3 In most organizations, an individual is appointed as the safety manager. Depending on the size, nature and complexity of the organization the safety manager role may be an exclusive function or it may be combined with other duties. Moreover, some organizations may need to allocate the role to a group of persons. The organization must ensure that the option chosen does not result in any conflicts of interest. Where possible, the safety manager should not be directly involved in the product or service delivery but should have a working knowledge of these. The appointment should also consider potential conflicts of interest with other tasks and functions . Such conflicts of interest could include: a) competition for funding (e.g. financial manager being the safety manager); b) conflicting priorities for resources; and c) where the safety manager has an operational role and their ability to assess the SMS effectiveness of the operational activities they are involved in. 9.3.6.4 In cases where the function is allocated to a group of persons, (e.g. when service providers extend their SMS across multiple activities) one of the persons should be designated as “lead” safety manager, to maintain a direct and unequivocal reporting line to the accountable executive. 9.3.6.5 The competencies for a safety manager should include, but not be limited to, the following: a) safety/quality management experience; b) operational experience related to the product or service provided by the organization; c) technical background to understand the systems that support operations or the product/service provided; d) interpersonal skills; e) analytical and problem-solving skills; f) project management skills; g) oral and written communications skills; and h) an understanding of human factors. Chapter 9. Safety Management Systems (SMS) 9-7 9.3.6.6 Depending on the size, nature and complexity of the organization, additional staff may support the safety manager. The safety manager and supporting staff are responsible for ensuring the prompt collection and analysis of safety data and appropriate distribution within the organization of related safety information such that safety risk decisions and controls, as necessary, can be made. 9.3.6.7 Service providers should establish appropriate safety committees that support the SMS functions across the organization. This should include determining who should be involved in the safety committee and frequency of the meetings. 9.3.6.8 Additionally, a function of the safety manager is to assess the effectiveness of any risk mitigation strategies used to achieve the safety objectives of the organization. This can be done through the highest-level safety committee such as a safety review board (SRB). The SRB is strategic and deals with high-level issues related to policies, resource allocation and organizational performance monitoring. The SRB should include the accountable executive and senior management who monitor the: a) effectiveness of the SMS; b) timely response of necessary safety risk control actions; c) safety performance against the organization’s safety policy and objectives; d) effectiveness of the organization’s safety management processes which support: i) the declared organization priority of safety management; and ii) promotion of safety across the organization. 9.3.6.9 Once a strategic direction has been developed by the highest-level safety committee, implementation of safety strategies should be coordinated throughout the organization. This may be accomplished by creating a safety action group (SAG) that is more operationally focused. SAGs are normally composed of managers and front-line personnel and are chaired by a designated manager. SAGs are tactical entities that deal with specific implementation issues per the direction of the SRB. The SAG: a) monitors operational safety performance within the functional areas of the organization and ensures that appropriate SRM activities are carried out; b) reviews available safety data and identifies the implementation of appropriate safety risk control strategies and ensures employee feedback is provided; c) assesses the safety impact related to the introduction of operational changes or new technologies; d) coordinates the implementation of any actions related to safety risk controls and ensures that actions are taken promptly; and e) reviews the effectiveness of the safety risk controls. 9.3.7 Coordination of emergency response planning 9.3.7.1 By definition, an emergency is a sudden, unplanned situation or event requiring immediate action. Coordination of emergency response planning refers to planning for activities that take place within a limited period of time during an unplanned aviation operational emergency situation. An emergency response plan (ERP) is an integral component of a service provider’s SRM process to address aviation related emergencies, crises or events. Where 9-8 Safety Management Manual (SMM) there is a possibility of a service provider’s aviation operations or activities being compromised by emergencies such as a public health emergency/pandemic, these scenarios should also be addressed in its ERP as appropriate. The ERP should address foreseeable emergencies as identified through the SMS and include mitigating actions, processes and controls to effectively manage aviation-related emergencies. 9.3.7.2 The overall objective of the ERP is the safe continuation of operations and the return to normal operations as soon as possible. This should ensure an orderly and efficient transition from normal to emergency operations, including assignment of emergency responsibilities and delegation of authority. It includes the period of time required to re-establish “normal” operations following the emergency. The ERP identifies actions to be taken by responsible personnel during an emergency. Most emergencies will require coordinated action between different organizations, possibly with other service providers and with other external organizations such as non-aviation related emergency services. The ERP should be easily accessible to the appropriate key personnel as well as to the coordinating external organizations. 9.3.7.3 Coordination of emergency response planning applies only to those service providers required to establish and maintain an ERP. Annex 19 does not require the creation or development of an ERP; emergency response planning is applicable only to specific service providers as established in the relevant ICAO Annexes (different terms for provisions related to dealing with emergency situations may be used in other Annexes). This coordination should be exercised as part of the periodic testing of the ERP. 9.3.8 SMS Documentation 9.3.8.1 The SMS documentation should include a top-level “SMS manual”, which describes the service provider’s SMS policies, processes and procedures to facilitate the organization’s internal administration, communication and maintenance of the SMS. It should help personnel to understand how the organization’s SMS functions, and how the safety policy and objectives will be met. The documentation should include a system description that provides the boundaries of the SMS. It should also help clarify the relationship between the various policies, processes, procedures and practices, and define how these link to the service provider’s safety policy and objectives. The documentation should be adapted and written to address the day-to-day safety management activities that can be easily understood by personnel throughout the organization. 9.3.8.2 The SMS manual also serves as a primary safety communication tool between the service provider and key safety stakeholders (e.g. CAA for the purpose of regulatory acceptance, assessment and subsequent monitoring of the SMS). The SMS manual may be a stand-alone document, or it may be integrated with other organizational documents (or documentation) maintained by the service provider. Where details of the organization’s SMS processes are already addressed in existing documents, appropriate cross-referencing to such documents is enough. This SMS document will need to be kept up to date. As a controlled manual, CAA agreement may be required before significant amendments are made. 9.3.8.3 The SMS manual should include a detailed description of the service provider’s policies, processes and procedures including: a) safety policy and safety objectives; b) reference to any applicable regulatory SMS requirements; c) system description; d) safety accountabilities and key safety personnel; e) voluntary and mandatory safety reporting system processes and procedures; f) hazard identification and safety risk assessment processes and procedures; Chapter 9. Safety Management Systems (SMS) 9-9 g) safety investigation procedures; h) procedures for establishing and monitoring safety performance indicators; i) SMS training processes and procedures and communication; j) safety communication processes and procedures; k) internal audit procedures; l) management of change procedures; m) SMS documentation management procedures; and n) where applicable, coordination of emergency response planning. 9.3.8.4 SMS documentation also includes the compilation and maintenance of operational records substantiating the existence and ongoing operation of the SMS. Operational records are the outputs of the SMS processes and procedures such as the SRM and safety assurance activities. SMS operational records should be stored and kept in accordance with existing retention periods. Typical SMS operational records should include: a) hazards register and hazard/safety reports; b) SPIs and related charts; c) record of completed safety risk assessments; d) SMS internal review or audit records; e) internal audit records; f) records of SMS/safety training records; g) SMS/safety committee meeting minutes; h) SMS implementation plan (during the initial implementation); and i) gap analysis to support implementation plan. 9.4 COMPONENT 2: SAFETY RISK MANAGEMENT 9.4.1 Service providers should ensure they are managing their safety risks. This process is known as safety risk management (SRM), which includes hazard identification, safety risk assessment and safety risk mitigation. 9.4.2 The SRM process systematically identifies hazards that exist within the context of the delivery of its products or services. Hazards may be the result of systems that are deficient in their design, technical function, human interface or interactions with other processes and systems. They may also result from a failure of existing processes or systems to adapt to changes in the service provider’s operating environment. Careful analysis of these factors can often identify potential hazards at any point in the operation or activity lifecycle. 9-10 Safety Management Manual (SMM) 9.4.3 Understanding the system and its operating environment is essential for the achievement of high safety performance. Having a detailed system description that defines the system and its interfaces will help. Hazards may be identified throughout the operational lifecycle from internal and external sources. Safety risk assessments and safety risk mitigations will need to be continuously reviewed to ensure they remain effective. Note.— Detailed guidance on hazard identification and safety risk assessment procedures is addressed in Chapter 2. Figure 24. Hazard identification and risk management process 9.4.4 Hazard identification Hazard identification is the first step in the SRM process. The service provider should develop and maintain a formal process to identify hazards that could impact aviation safety in all areas of operation and activities. This includes equipment, facilities and systems. Any aviation safety-related hazard identified and controlled is beneficial for the safety of the operation. It is important to also consider hazards that may exist as a result of the SMS interfaces with external organizations. Sources for Hazard Identification 9.4.4.1 There are a variety of sources for hazard identification, internal or external to the organization. Some internal sources include: • Normal operations monitoring; this uses observational techniques to monitor the day to day operations and activities such as line operations safety audit (LOSA). • Automated monitoring systems; this uses automated recording systems to monitor parameters that can be analysed such as flight data monitoring (FDM). • Voluntary and mandatory safety reporting systems; this provides everyone, including staff from external organizations, with opportunities to report hazards and other safety issues to the organization. Chapter 9. Safety Management Systems (SMS) 9-11 • Audits; these can be used to identify hazards in the task or process being audited. These should also be coordinated with organizational changes to identify hazards related to the implementation of the change. • Feedback from training; training that is interactive (two way) can facilitate identification of new hazards from participants. • Service provider safety investigations; hazards identified in internal safety investigation and follow-up reports on accidents/incidents. 9.4.4.2 Examples of external sources for hazard identification include: • Aviation accident reports; reviewing accident reports, this may be related to accidents in the same State or to a similar aircraft type, region or operational environment. • State mandatory and voluntary safety reporting systems; some States provide summaries of the safety reports received from service providers. • State oversight audits and third-party audits; external audits can sometimes identify hazards. These may be documented as an unidentified hazard or captured less obviously within an audit finding. • Trade associations and information exchange systems; many trade associations and industry groups are able to share safety data that may include identified hazards. Safety Reporting System 9.4.4.3 One of the main sources for identifying hazards is the safety reporting system, especially the voluntary safety reporting system. Whereas the mandatory system is normally used for incidents that have occurred the voluntary system provide an additional reporting channel for potential safety issues such as hazards, near misses or errors. They can provide valuable information to the State and service provider on lower consequence events. 9.4.4.4 It is important that service providers provide appropriate protections to encourage people to report what they see or experience. For example, enforcement action may be waived for reports of errors, or in some circumstances, rule-breaking. It should be clearly stated that reported information will be used solely to support the enhancement of safety. The intent is to promote an effective reporting culture and proactive identification of potential safety deficiencies. 9.4.4.5 Voluntary safety reporting systems should be confidential, requiring that any identifying information about the reporter is known only to the custodian to allow for follow-up action. The role of custodian should be kept to a few individuals, typically restricted to the safety manager and personnel involved in the safety investigation. Maintaining confidentiality will help facilitate the disclosure of hazards leading to human error, without fear of retribution or embarrassment. Voluntary safety reports may be de-identified and archived once necessary follow-up actions are taken. De-identified reports can support future trending analyses to track the effectiveness of risk mitigation and to identify emerging hazards. 9.4.4.6 Personnel at all levels and across all disciplines are encouraged to identify and report hazards and other safety issues through their safety reporting systems. To be effective, safety reporting systems should be readily accessible to all personnel. Depending on the situation, a paper-based, web-based or desktop form can be used. Having multiple entry methods available maximizes the likelihood of staff engagement. Everyone should be made aware of the benefits of safety reporting and what should be reported. 9.4.4.7 Anybody that submits a safety report should receive feedback on what decisions or actions have been taken. The alignment of reporting system requirements, analysis tools and methods can facilitate exchange of 9-12 Safety Management Manual (SMM) safety information as well as comparisons of certain safety performance indicators. Feedback to reporters in voluntary reporting schemes also serves to demonstrate that such reports are considered seriously. This helps to promote a positive safety culture and encourage future reporting. 9.4.4.8 There may be a need to filter reports on entry when there are a large number of safety reports. This may involve an initial safety risk assessment to determine whether further investigation is necessary and what level of investigation is required. 9.4.4.9 Safety reports are often filtered through the use of a taxonomy, or a classification system. Filtering information using a taxonomy can make it easier to identify common issues and trends. The service provider should develop taxonomies that cover their type(s) of operation. The disadvantage of using a taxonomy is that sometimes the identified hazard does not fit cleanly into any of the defined categories. The challenge then is to use taxonomies with the appropriate degree of detail; specific enough that hazards are easy to allocate, yet generic enough that the hazards are valuable for analysis. Some States and international trade associations have developed taxonomies that could be used. Chapter 5 contains additional information on taxonomies. 9.4.4.10 Other methods of hazard identification include workshops or meetings in which subject matter experts conduct detailed analysis scenarios. These sessions benefit from the contributions of a range of experienced operational and technical personnel. Existing safety committee meetings (SRB, SAG, etc.) could be used for such activities; the same group may also be used to assess associated safety risks. 9.4.4.11 Identified hazards and their potential consequences should be documented. This will be used for safety risk assessment processes. 9.4.4.12 The hazard identification process considers all possible hazards that may exist within the scope of the service provider’s aviation activities including interfaces with other systems, both within and external to the organization. Once hazards are identified, their consequences (i.e. any specific events or outcomes) should be determined. Investigation of hazards 9.4.4.13 Hazard identification should be continuous and part of the service provider’s ongoing activities. Some conditions may merit more detailed investigation. These may include: a) instances where the organization experiences an unexplained increase in aviation safety-related events or regulatory non-compliance; or b) significant changes to the organization or its activities. 9.4.5 Service provider safety investigation 9.4.5.1 Effective safety management depends on quality investigations to analyse safety occurrences and safety hazards, and report findings and recommendations to improve safety in the operating environment. 9.4.5.2 There is a clear distinction between accident and incident investigations under Annex 13 and service provider safety investigations. Investigation of accidents and serious incidents under Annex 13 are the responsibility of the State, as defined in Annex 13. This type of information is essential to disseminate lessons learned from accidents and incidents. Service provider safety investigations are conducted by service providers as part of their SMS to support hazard identification and risk assessment processes. There are many safety occurrences that fall outside of Annex 13 that could provide a valuable source of hazard identification or identify weaknesses in risk controls. These problems might be revealed and remedied by a safety investigation led by the service provider. 9.4.5.3 The primary objective of the service provider safety investigation is to understand what happened, and how to prevent similar situations from occurring in the future by eliminating or mitigating safety deficiencies. This Chapter 9. Safety Management Systems (SMS) 9-13 is achieved through careful and methodical examination of the event and applying the lessons learned to reduce the probability and/or consequence of future recurrences. Service provider safety investigations are an integral part of the service provider's SMS. 9.4.5.4 Service provider investigations of safety occurrences and hazards are an essential activity of the overall risk management process in aviation. The benefits of conducting a safety investigation, include: a) gaining a better understanding of the events leading up to the occurrence; b) identifying contributing human, technical and organizational factors; c) identifying hazards and conducting risk assessments; d) making recommendations to reduce or eliminate unacceptable risks; and e) identifying lessons learnt that should be shared with the appropriate members of the aviation community. Investigation triggers 9.4.5.5 A service provider safety investigation is usually triggered by a notification (report) submitted through the safety reporting system. Figure 25 outlines the safety investigation decision process and the distinction between when a service provider safety investigation should take place and when an investigation under Annex 13 provisions should be initiated. 9.4.5.6 Not all occurrences or hazards can or should be investigated, the decision to conduct an investigation and its depth should depend on the actual or potential consequences of the occurrence or hazard. Occurrences and hazards considered to have a high-risk potential are more likely to be instigated and should be investigated in greater depth than those with lower risk potential. Service providers should use a structured decision-making approach with defined trigger points. These will guide the safety investigation decisions: what to investigate and the scope of the investigation. This could include: a) the severity or potential severity of the outcome b) regulatory or organizational requirements to carry out an investigation; c) safety value to be gained; d) opportunity for safety action to be taken; e) risks associated with not investigating; f) contribution to targeted safety programmes; g) identified trends; h) training benefit; and i) resources availability. Next >