< Previous9-24 Safety Management Manual (SMM) commitment to an effective SMS. The training programme should include initial and recurrent training requirements to maintain competencies. Initial safety training should consider, as a minimum, the following: a) organizational safety policies and safety objectives; b) organizational roles and responsibilities related to safety; c) basic SRM principles; d) safety reporting systems; e) the organization’s SMS processes and procedures; and f) human factors. 9.6.4.2 Recurrent safety training should focus on changes to the SMS policies, processes and procedures, and should highlight any specific safety issues relevant to the organization or lessons learnt. 9.6.4.3 The training programme should be tailored to the needs of the individual’s role within the SMS. For example, the level and depth of training for managers involved in the organization's safety committees will be higher than personnel directly involved with delivery of the organization’s product or services. While personnel not directly involved in the operations may require only a high level overview of the organization’s SMS. Training needs analysis 9.6.4.4 For most organizations, a formal training needs analysis (TNA) is necessary to ensure there is a clear understanding of the operation, the safety duties of the personnel and the available training. A typical TNA will normally start by conducting an audience analysis, which usually includes the following steps: a) Every one of the service provider’s staff will be affected by the implementation of the SMS, but not in the same ways or to the same degree. Identify each staff grouping and in what ways they will interact with the safety management processes, inputs and outputs - in particular safety duties. This information should be available from the position/role descriptions. Normally groupings of individuals will start to emerge that have similar learning needs. The service provider should consider whether it is valuable to extend the analysis to staff in external interfacing organizations; b) Identify the knowledge and competencies needed to perform each safety duty and required by each staff grouping. c) Conduct an analysis to identify the gap between the current safety skill and knowledge across the workforce and those needed to effectively perform the allocated safety duties. d) Identify the most appropriate skills and knowledge development approach for each group with the aim of developing a training programme appropriate to each individual or group’s involvement in safety management. The training programme should also consider the staff’s ongoing safety knowledge and competency needs, this need will typically be met through a recurrent training programme. 9.6.4.5 It is also important to identify the appropriate method for training delivery. The main objective is that, on completion of the training, personnel are competent to perform their SMS duties. Competent trainers are usually the single most important consideration, their commitment, teaching skills and safety management expertise will have a significant impact on the effectiveness of the training delivered. The safety training programme should also specify responsibilities for development of training content and scheduling as well as training and competency records management. Chapter 9. Safety Management Systems (SMS) 9-25 9.6.4.6 The organization should determine who should be trained and to what depth and this will depend on their involvement in the SMS. Most people working in the organization have some direct or indirect relationship with aviation safety, and therefore have some SMS duties. This applies to any personnel directly involved in the delivery of the products and services and personnel involved in the organization's safety committees. In addition, some administrative and support personnel still have some limited SMS duties as their work may still have an indirect impact on aviation safety and would still need some SMS training. 9.6.4.7 The service provider should identify the SMS duties of personnel and this should be used to scope the safety training programme and ensure each individual receive training aligned with their involvement with the SMS. The safety training programme should specify the content of safety training for support staff, operational personnel, managers and supervisors, senior managers and the accountable executive. 9.6.4.8 There should be specific safety training for the accountable executive and senior managers that include the following topics: a) specific awareness training for new accountable managers and post holders on their SMS accountabilities and responsibilities; b) importance of compliance with national and organizational safety requirements; c) management commitment; d) allocation of resources; e) promotion of the safety policy and the SMS; f) promotion of a positive safety culture; g) effective inter-departmental safety communication; h) safety objective, SPTs and alert levels; and i) disciplinary policy. 9.6.4.9 The main purpose of the safety training programme is to ensure that personnel, at all levels of the organization, maintain their competence to fulfil their safety roles; therefore competencies of personnel should be reviewed on a regular basis. 9.6.5 Safety communication 9.6.5.1 The service provider should communicate the organization’s SMS objectives and procedures to all appropriate personnel. There should be a communication strategy that enables safety communication to be delivered by the most appropriate method based on the individual’s role and need to receive safety related information. This may be done through safety newsletters, notices, bulletins, briefings or training courses. The safety manager should also ensure that lessons learned from investigations and case histories or experiences, both internally and from other organizations, are distributed widely. Safety communication therefore aims to: a) ensure that staff are fully aware of the SMS; this is a good way of promoting the organization’s safety policy and safety objectives. b) convey safety-critical information; Safety critical information is specific information related to safety issues and safety risks that could expose the organization to safety risk. This could be from safety information gathered from internal or external sources such as lessons learnt or 9-26 Safety Management Manual (SMM) related to safety risk controls. The service provider determines what information is considered safety critical and the timeliness of its communication. c) raise awareness of new safety risk controls and corrective actions; The safety risks faced by the service provider will change over time and whether this is a new safety risk that has been identified or changes to safety risk controls these changes will need to be communicated to the appropriate personnel. d) provide information on new or amended safety procedures; when safety procedures are updated it is important that the appropriate people are made aware of these changes. e) promote a positive safety culture and encourage personnel to identify and report hazards; safety communication is two-way. It is important that all personnel communicate safety issues to the organization through the safety reporting system. f) provide feedback to personnel submitting safety reports on what actions have been taken to address any concerns identified. 9.6.5.2 Service providers should consider whether any of the safety information listed above needs to be communicated to external organizations. 9.6.5.3 Service providers should assess the effectiveness of their safety communication by checking personnel have received and understood any safety critical information that has been distributed. This can be done as part of the internal audit activities or when assessing the SMS effectiveness. 9.6.5.4 Safety promotion activities should be carried out throughout the life cycle of the SMS, not only at the beginning. 9.7 IMPLEMENTATION PLANNING 9.7.1 System description 9.7.1.1 A system description helps to identify the organizational processes including any interfaces to define the scope of the SMS. This provides an opportunity to identify any gaps related to the service provider’s SMS components and elements and may serve as a starting point to identify organizational and operational hazards. A system description serves to identify the features of the product, the service or the activities so that SRM and safety assurance can be effective. 9.7.1.2 Most organizations are made up of a complex network of interfaces and interactions involving different internal departments as well as different external organizations that all contribute to the safe operation of the organization. The use of a system description enables the organization to have a clearer picture of its many interactions and interfaces. This will enable better management of safety risk and safety risk controls if they are described and help in understanding the impact of changes to the SMS processes and procedures. 9.7.1.3 When considering a system description, it is important to understand that a “system” is a set of things working together as parts of an interconnecting network. In an SMS, it is any of an organization’s products, people, processes, procedures, facilities, services, and other aspects (including external factors), which are related to, and can affect, the organization’s aviation safety activities. Often, a “system” is a system of systems, which may also be viewed as a system with subsystems. These systems and their interactions with one another make up the sources of hazards and contribute to the control of safety risks. The important systems include both those which could directly impact aviation safety and those which affect the ability or capacity of an organization to perform effective safety management. Chapter 9. Safety Management Systems (SMS) 9-27 9.7.1.4 An overview of the system description and the SMS interfaces should be included in the SMS documentation. A system description may include a bulleted list with references to policies and procedures. A graphic depiction, such as a process flow chart or annotated organization chart, may be enough for some organizations. An organization should use a method and format that works for that organization. 9.7.1.5 Because each organization is unique, there is no “one size fits all” method for SMS implementation. It is expected that each organization will implement an SMS that works for its unique situation. Each organization should define for itself how it intends to go about fulfilling the fundamental requirements. To accomplish this, it is important that each organization prepare a system description that identifies its organizational structures, processes, and business arrangements that it considers important to the safety management functions. Based on the system description, the organization should identify or develop policy, processes, and procedures that establish its own safety management requirements. 9.7.1.6 When an organization elects to make a significant or substantive change to the processes identified in the system description, the changes should be viewed as potentially affecting its baseline safety risk assessment. Thus, the system description should be reviewed as part of the management of change processes. 9.7.2 Interface management Safety risks faced by service providers are affected by interfaces. Interfaces can be either internal (e.g. between departments) or external (e.g. other service providers or contracted services,). By identifying and managing these interfaces the service provider will have more control over any safety risks related to the interfaces. These interfaces should be defined within the system description. 9.7.3 Identification of SMS interfaces 9.7.3.1 Initially service providers should concentrate on the interfaces in relation to its business activities. The identification of these interfaces should be detailed in the system description that sets out the scope of the SMS and should include internal and external interfaces. 9.7.3.2 Figure 26 is an example of how a service provider could map out the different organizations it interacts with to identify any SMS interfaces. The objective of this review is to produce a comprehensive list of all the interfaces. The rationale for this exercise being that there may be SMS interfaces which an organization is not necessarily fully aware of. There may be interfaces where there is not a formal agreement. In this case, the power supply or building maintenances are good examples. 9-28 Safety Management Manual (SMM) Figure 26. Example of air traffic service provider SMS interfaces 9.7.3.3 Some of the internal interfaces may be with business areas not directly associated with safety, such as marketing, finance, legal and human resources. These areas can impact safety through their decisions which impact on internal resources and investment as well as agreement and contracts with external organizations, and may not necessarily have regard for safety. 9.7.3.4 Once the SMS interfaces have been identified, the service provider should consider their relative criticality. This enables the service provider to prioritize the management of the more critical interfaces, and their potential safety risks. Things to consider are: a) what is being provided; b) why it is needed; c) whether the organizations involved has an SMS or another management system in place; and d) whether the interface involves the sharing of safety data / information. Assessing safety impact of interfaces 9.7.3.5 The service provider should then identify any hazards related to the interfaces and carry out a safety risk assessment using its existing hazard identification and safety risk assessment processes. 9.7.3.6 Based on the safety risks identified, the service provider may consider working with the other organization to determine and define an appropriate safety risk control strategy. By involving the other organization, they may be able to contribute to identifying hazards, assessing the safety risk as well as determining the appropriate safety risk control. This collaborative effort is needed because the perception of safety risks may not be the same for each organization. The risk control could be carried out by either the service provider or the external organization. 9.7.3.7 It is also important to recognize that each organization involved has the responsibility to identify and manage hazards that affect their own organization. This may mean the critical nature of the interface is different Chapter 9. Safety Management Systems (SMS) 9-29 for each organization as they may apply different safety risk classifications and have different safety risk priorities (in term of safety performance, resources, time etc.). Managing and monitoring interfaces 9.7.3.8 The service provider is responsible for managing and monitoring the interfaces to ensure the safe provision of their services and products. This will ensure the interfaces are managed effectively and remain current and relevant. Formal agreements are an effective way to accomplish this as the interfaces and associated responsibilities can be clearly defined. Any changes in the interfaces and associated impacts should be communicated to the relevant organizations. 9.7.3.9 Challenges associated with the service provider’s ability to manage interface safety risks include: a) one organizations safety risk controls are not compatible with the other organization; b) willingness of both organizations to accept changes to their own processes and procedures; c) insufficient resources or technical expertise available to manage and monitor the interface; and d) number and location of interfaces. 9.7.3.10 It is important to recognize the need for coordination between the organizations involved in the interface. Effective coordination should include: a) clarification of each organization’s roles and responsibilities; b) agreement of decisions on the actions to be taken (e.g. safety risk control actions and timescales); c) identification of what safety information needs to be shared and communicated; d) how and when coordination should take place (task-force, regular meetings, ad-hoc or dedicated meetings); and e) agreeing on solutions that benefit both organizations but that do not impair the effectiveness of the SMS. 9.7.3.11 All safety issues or safety risks related to the interfaces should be documented and made accessible to each organization for sharing and review. This will allow the sharing of lessons learned and the pooling of safety data that will be valuable for both organizations. Operational safety benefits may be achieved through an enhancement of safety reached by each organization as the result of shared ownership of safety risks and responsibility. 9.7.4 SMS Scalability 9.7.4.1 The organization’s SMS including the policies, processes and procedures should reflect the size and complexity of the organization and its activities. It should consider: a) the organizational structure and availability of resources; b) size and complexity of the organization (including multiple sites and bases); and 9-30 Safety Management Manual (SMM) c) complexity of the activities and the interfaces with external organizations. 9.7.4.2 The service provider should carry out an analysis of its activities to determine the right level of resources to manage the SMS. This should include the determination of the organizational structure needed to manage the SMS. This would include considerations of who will be responsible for managing and maintaining the SMS, what safety committees are needed, if any, and the need for specific safety specialists. Safety risk considerations 9.7.4.3 Regardless of the size of the service provider, scalability should also be a function of the inherent safety risk of the service provider’s activities. Even small organizations may be involved in activities that may entail significant aviation safety risks. Therefore, safety management capability should be commensurate with the safety risk to be managed. Safety data and safety information and its analysis 9.7.4.4 For small organizations, the low volume of data may mean that it is more difficult to identify trends or changes in the safety performance. This may require meetings to raise and discuss safety issues with appropriate expertise. This may be more qualitative than quantitative but will help identify hazards and risks for the service provider. Collaborating with other service providers or industry associations can be helpful, since these may have data that the service provider does not have. For example, smaller service providers can exchange with similar organizations/operations to share safety risk information and identify safety performance trends. Service providers should adequately analyse and process their internal data even though it may be limited. 9.7.4.5 For service providers with many interactions and interfaces they will need to consider how they gather safety data and safety information from multiple organizations. This may result in large volumes of data being collected to be collated and analysed later. These service providers should utilize an appropriate method of managing such data. Consideration should also be given to the quality of the data collected and the use of taxonomies to help with the analysis of the data. 9.7.5 Integration of management systems 9.7.5.1 Safety management should be considered as part of a management system (and not in isolation). Therefore, a service provider may implement an integrated management system that includes the SMS. An integrated management system may be used to capture multiple approvals or to cover other business management systems such as quality, security, occupational health and environmental management systems. This is done to remove duplication and exploit synergies by managing safety risks across multiple activities. For example, where a service provider has multiple approvals it may choose to implement a single management system to cover all off its activities. The service provider should decide the best means to integrate or segregate its SMS to suit its business or organizational needs. 9.7.5.2 A typical integrated management system may include a: a) quality management system (QMS); b) safety management system (SMS); c) security management system (SeMS), further guidance may be found in the Aviation Security Manual (Doc 8973); d) environmental management system (EMS); e) occupational health and safety management system (OHSMS); Chapter 9. Safety Management Systems (SMS) 9-31 f) financial management system (FMS); g) documentation management system (DMS); and h) fatigue risk management system (FRMS). 9.7.5.3 A service provider may choose to integrate these management systems based on their unique needs. Risk management processes and internal audit processes are essential features of most of these management systems. It should be recognized that the risks and risk controls developed in any of these systems could have an impact on other systems. In addition, there may be other operational systems associated with the business activities that may also be integrated, such as supplier management, facilities management etc. 9.7.5.4 A service provider may also consider applying the SMS to other areas that do not have a current regulatory requirement for an SMS. Service providers should determine the most suitable means to integrate or segregate their management system to suit their business model, operating environment, regulatory, and statutory requirements as well as the expectations of the aviation community. Whichever option is taken, it should still ensure that it meets the SMS requirements. Benefits and challenges of management system integration 9.7.5.5 Integrating the different areas under a single management system will improve efficiency by: a) reducing duplication and overlapping of processes and resources; b) reducing potentially conflicting responsibilities and relationships; c) considering the wider impacts of risks and opportunities across all activities; and d) allowing effective monitoring and management of performance across all activities. 9.7.5.6 Possible challenges of management system integration include: a) existing systems may have different functional managers that resist the integration that could result in conflict; b) there may be resistance to change for personnel impacted by the integration as this will require greater cooperation and coordination; c) impact on the overall safety culture within the organization as there may be different cultures in respect of each system that create conflicts; d) regulations may prevent such an integration or the different regulators and standards bodies may have diverging expectations on how their requirements should be met; and e) integrating different management systems (such as QMS and SMS) may create additional work to be able to demonstrate that the separate requirements are being met. 9.7.5.7 To maximize the benefits of integration and address the related challenges, senior management commitment and leadership is essential to manage the change effectively. It is important to identify the person who has overall responsibility for the integrated management system. 9-32 Safety Management Manual (SMM) 9.7.6 SMS and QMS integration 9.7.6.1 Some service providers have both an SMS and QMS. These sometimes are integrated into a single management system. The QMS is generally defined as the organizational structure and associated accountabilities, resources, processes and procedures necessary to establish and promote a system of continuous quality assurance and improvement while delivering a product or service. 9.7.6.2 Both systems are complementary; the SMS focuses on managing safety risks and safety performance while the QMS focuses on compliance with prescriptive regulations and requirements to meet customer expectations and contractual obligations. The objectives of an SMS are to identify hazards, assess the associated safety risk and implement effective safety risk controls. In contrast, the QMS focuses on the consistent delivery of products and services that meet relevant specifications. Nonetheless, both the SMS and the QMS: a) should be planned and managed; b) involve all organizational functions related to the delivery of aviation products and services; c) identify ineffective processes and procedures; d) strive for continuous improvement; and e) have the same goal of providing safe and reliable products and services to customers. 9.7.6.3 The SMS focuses on: a) identification of safety-related hazards facing the organization; b) assessment of the associated safety risk; c) implementation of effective safety risk controls to mitigate safety risks; d) measuring safety performance; and e) maintaining an appropriate resource allocation to meet safety performance requirements. 9.7.6.4 The QMS focuses on: a) compliance with regulations and requirements; b) consistency in the delivery of products and services; c) meeting the specified performance standards; and d) delivery of products and services that are “fit for purpose” and free of defects or errors. 9.7.6.5 Monitoring compliance with regulations is necessary to ensure that safety risk controls, applied in the form of regulations, are effectively implemented and monitored by the service provider. The causes and contributing factors of any non-compliance should also be analysed and addressed. Chapter 9. Safety Management Systems (SMS) 9-33 9.7.6.6 Given the complementary aspects of SMS and QMS, it is possible to integrate both systems without compromising each function. This can be summarized as follows: a) an SMS is supported by QMS processes such as auditing, inspection, investigation, root cause analysis, process design, and preventive actions; b) a QMS may identify safety issues or weakness in safety risk controls; c) a QMS may foresee safety issues that exist despite the organization’s compliance with standards and specifications; d) quality principles, policies and practices should be aligned with the objectives of safety management; and e) QMS activities should consider identified hazards and safety risk controls for the planning and performance of internal audits. 9.7.6.7 In conclusion, in an integrated management system with unified goals and decision-making that considers the wider impacts across all activities, quality management and safety management processes will be highly complementary and will support the achievement of the overall safety goals. 9.7.7 SMS gap analysis and implementation 9.7.7.1 Before implementing an SMS, the service provider should carry out a gap analysis. This compares the service provider’s existing safety management processes and procedures with the SMS requirements as determined by the State. It is likely that the service provider already has some of the SMS functions in place. The development of an SMS should build upon existing organizational policies and processes. The gap analysis identifies the gaps that should be addressed through an SMS implementation plan that defines the actions needed to implement a fully functioning and effective SMS. 9.7.7.2 The SMS implementation plan should provide a clear picture of the resources, tasks and processes required to implement the SMS. The timing and sequencing of the implementation plan may depend on a variety of factors that will be specific to each organization, such as: a) regulatory, customer and statutory requirements; b) multiple certificates held (with possibly different regulatory implementation dates); c) the extent to which the SMS may build upon existing structures and processes; d) the availability of resources and budgets; e) interdependencies between different steps (a reporting system should be implemented before establishing a data analysis system); and f) the existing safety culture. Next >