TP 13881sms

SAFETY MANAGEMENT SYSTEMS
FOR FLIGHT OPERATIONS AND AIRCRAFT MAINTENANCE ORGANIZATIONS
A guide to
implementation
Prepared by the
Commercial and
Business Aviation Branch and
the Aircraft Maintenance and
Manufacturing Branch
TP 13881 E
*TP13881E*
03/2002
©Minister of Public Works and Government Services, Canada, 2002
Permission is granted by the Department of Transport, Canada, to copy and/or

reproduce the contents of this guide or in whole or in part provided that full
acknowledgment is given to the Department of Transport, Canada, and that the
material be accurately reproduced. While use of this material has been authorized,
the Department of Transport, Canada, shall not be responsible for the manner in
which the information is presented, nor for any interpretations thereof.
The information in this copy of this guide may not be updated to reflect amend-
ments made to original content. For up-to-date information contact the Department
of Transport, Canada.
The information in this guide or is to be considered solely as a guide and should not
be quoted as or considered to be a legal authority. It may become obsolete in whole
or in part at any time without notice. Please contact the Civil Aviation
Communications Centre at 1-800-305-2059 (EST) for assistance.
Regulatory
References
This guide applies to proposed

regulatory changes applicable to:
CAR 573.09(11)
CAR 700.xx
CAR 720.xx
CAR 705.07(2)(c)
CAR 725.07(2)(a)(ii)
CAR 725.07(3)
CAR 725.124(5)(o)
CAR 725.135(oo)
CAR 706.07
CAR 726.07
1
Acknowledgement
This guidance material was written by the staff

of the Commercial and Business Aviation Branch and
Maintenance and Manufacturing Branch
of Transport Canada Civil Aviation.
Transport Canada wishes to thank the following individuals,

companies and regulatory authorities for
their assistance in developing this material:
* Professor James Reason, University of Manchester

* Operating Standards Division, the United Kingdom Civil Aviation Authority
* Clifford Edwards, The Royal Dutch/Shell Group of Companies
* Air Canada
* Boeing Commercial Airplane Group
* Safety Services Branch, Transport Canada Civil Aviation
This document is a living document and will be revised at intervals

to take into account changes in regulations, feedback from industry and
recognized best practice. Updates will be noted via the Transport Canada
Civil Aviation website.
2
Contents
REGULATORY REFERENCES ................................................................................................................................1
ACKNOWLEDGEMENTS ........................................................................................................................................2
INTRODUCTION ..........................................................................................................................................................5
Foreword ..................................................................................................................................................................5
What is a Safety Management System? ....................................................................................................6
Key Generic Features Of The SMS Approach ......................................................................................7
Key Features Specific To The Regulatory Requirements: ................................................................8
Why Bother? ..........................................................................................................................................................9
SAFETY MANAGEMENT SYSTEM COMPONENTS ............................................................................10
1. SAFETY MANAGEMENT PLAN ..........................................................................................................11

Safety Policy ..............................................................................................................................................11
Safety Objectives ................................................................................................................................12
Safety Performance Measurement..............................................................................................12
Non-Punitive Disciplinary Policies ..........................................................................................13
Roles And Responsibilities ..............................................................................................................14
Documentation Of Roles And Responsibilities ................................................................15
Individual Roles and Responsibilities ......................................................................................16
Delegation Of Tasks To Effectively Operate the Safety Management System ..18
Safety Office ........................................................................................................................................18
Safety Committee ..............................................................................................................................18
Employee Involvement In The Development And Implementation Of
The System ............................................................................................................................................19
Description of System Components ..........................................................................................19
2. DOCUMENTATION ....................................................................................................................................21
Identification of Applicable Aviation Safety Regulations, Standards
and Exemptions ......................................................................................................................................21
Documentation Describing System Components ............................................................22
Implementing Changes To Company Documentation ..................................................22
Maintenance Of Current, Applicable And Effective Documentation ................22
3. SAFETY OVERSIGHT ................................................................................................................................25

Reactive Processes..................................................................................................................................26
Occurrence and Hazard Reporting ..........................................................................................26
Systems for Reporting Hazards, Events and Safety Concerns ....................................27
Why report? ..........................................................................................................................................28
What should be reported? ............................................................................................................28
3
Contents
Report Investigation and analysis ..............................................................................................28
Event Investigation ............................................................................................................................29
The MEDA Process ..........................................................................................................................30
The PEAT Process ............................................................................................................................31
Pro-Active: Safety Assessment ......................................................................................................32
Hazard Identification ......................................................................................................................32
Assessment frequency ......................................................................................................................33
Common Elements ................................................................................................................................34
Reporting Procedures ......................................................................................................................35
Data Collection ..................................................................................................................................35
Data Collection Systems ................................................................................................................35
Risk Management ..............................................................................................................................36
Corrective Action Plan ....................................................................................................................38
On-Going Monitoring ....................................................................................................................39
Information Dissemination ..........................................................................................................39
4. TRAINING ........................................................................................................................................................41
5. QUALITY ASSURANCE ............................................................................................................................43
6. EMERGENCY RESPONSE PLAN ..........................................................................................................47
CONCLUSION ............................................................................................................................................................48
4
Introduction
[ Foreword ]
In Canada we enjoy an enviable aviation
safety record and our Civil Aviation safety
program has been cited by the International
Civil Aviation Organization as one of the
best in the world. However, with the pre-
dicted increase in air transportation and the operations.i This guidance material provides
probability that this will bring with it an clarification regarding the intent and appli-
attendant increase in the accident rate, we cation of the proposed regulatory require-
clearly cannot afford to maintain the status ments. It is designed as a practical guide for
quo. To remain successful we must constan- the development and implementation of a
ly challenge ourselves to improve the safety safety management system within flight and
standard and work towards achieving a posi- maintenance operations.
tive shift in the accident rate.
The following information is not intended
In response to this challenge, the Commer- as a prescriptive formula for the develop-
cial and Business Aviation Branch and the ment of a company’s safety management
Aircraft Maintenance and Manufacturing system. The material contained herein is for
Branch have promulgated amendments to explanatory purposes only. Where existing
the Canadian Aviation Regulations (CAR) systems or components have been referen-
requiring the establishment of safety mana- ced, the example is used for the purpose of
gement systems (SMS) in certain types of clarity and to demonstrate that there are
existing systems available. It is not the in-
tention of the authors to advocate that any
one particular system be used. In keeping
with performance based regulations, this
guide is intended to provide details of the
various SMS regulatory requirements and
to offer examples of possible ways these ele-
ments can be enabled.
5
Introduction
[ What is a safety
Management System? ]
A safety management system is a systematic,
explicit and comprehensive process for the
management of safety risks, that integrates
operations and technical systems with finan-
cial and human resource management, for
all activities related to an air operator or an how it intends the management of air safety
approved maintenance organization’s certificate. to be conducted as an integral part of the
company’s business management activities.
A safety management system is a business- A Safety Management System is woven
like approach to safety. In common with into the fabric of an organization. It be-
all management systems a safety manage- comes part of the culture; the way people
ment system provides for goal setting, plan- do their jobs.
ning, and measuring performance. It con-
cerns itself with organizational safety rather The organizational structures and activities
than the conventional health and safety at that make up a safety management system
work concerns. A company’s SMS defines are found throughout an organization.
Every employee in every department con-
tributes to the safety health of the organiza-
tion. In some departments safety manage-
ment activity will be more visible than in
others, but the system must be integrated
into “the way things are done” throughout
the establishment. This will be achieved by
the implementation and continuing support
of a safety program based on a coherent
policy, that leads to well designed procedures.
6
Introduction
[ Key Generic Features

of the SMS Approach ]
There is no definitive meaning attached to
the term “safety management system”, every
organization, and industry, for that matter,
has its own interpretation of what it is.
From the Civil Aviation perspective there
are five features that characterise a safety • The use of active monitoring and
management system. These are: audit processes to validate that the
necessary controls identified through
• A comprehensive systematic approach the hazard management process are
to the management of aviation safety in place and to ensure continuing
within the aircraft operating company, active commitment to safety.
including the interfaces between the
company and its suppliers, sub-contrac- • The use of Quality Assurance princi-
tors and business partners. ples, including improvement and feed-
back mechanisms.
• A principal focus on the hazards of the
business and their effects upon those In searching for ways to enable the afore-
activities critical to safety. mentioned features, an organization may
choose to utilize a commercial “off-the-
• The full integration of safety considera- shelf ” system. Whilst this might be appro-
tions into the business, via the applica-
priate for some companies, the program
tion of management controls to all
aspects of the business processes critical should be tailored to meet the requirements
to safety. of the individual organization rather than
assuming that one size fits all. Attention
should also be given to the linkages between
the individual components; they should be
linked in a systematic way, rather than
appearing to be stand alone units.ii
7
Introduction
[ K e y F e a t u r e s To T h e
Regulatory Requirements ]
• A safety management plan;
• Clear authorities, responsibilities and

accountabilities for safety at all levels
within the organization.
• Occurrence and Hazard reporting,
• Data collection procedures • Incident analysis
• Hazard identification and risk

management
• Documentation
• Safety management training

requirements
• Emergency response plan
8
Introduction
[ Why Bother? ]
It’s often said that safety makes economic
sense. Unless a company experiences a loss,
or critically assesses both the direct and
indirect costs of an occurrence, it is often
difficult to relate to this statement. The
direct costs are usually easy to quantify,
they include damage to the aircraft, com-
pensation for injuries and damage to pro- • Time lost by injured person(s) and
perty and are usually settled through an cost of replacement workers;
insurance claim.
• Increased insurance premiums;
The indirect costs are a little more difficult
• Aircraft recovery and clean-up;
to assess, these are often not covered or fully
reimbursed by the company’s insurance and • Fines.
the impact is often delayed. This includes
items such as: The economic argument is even more salient
when one considers the following figures
• Loss of business and reputation; produced by the Boeing Aircraft Corpora-
tion. In 1996, Boeing estimated the average
• Legal fees and damage claims;
cost in U.S. dollars of the following:
• Medical cost not covered by work
man’s compensation; • In-flight shutdown $500, 000
• Flight cancellation $ 50, 000
• Cost of lost use of equipment (loss • Flight delay per hour$ 10, 000
of income);
The cost of implementing and maintain-
ing a safety management system becomes
less significant and well worth the invest-
ment when contrasted with the cost of
doing nothing.
9
SAFETY
MANAGEMENT
SYSTEM
COMPONENTS
1 safety
management plan
In order to implement an effective safety management

system it is necessary to define what the organization’s
safety objectives are, what form the system will take and
who will assume responsibility for the system.
Essentially, this involves defining the organization’s
philosophical approach to integrating safety as a
primary business function.
Safety Management
System Components
[ Safety
Management
Plan ]
An operator's safety managment plan should
contain three principle things:
1. A definition of the fundamental

approach a company will adopt for
managing safety within their organi-
zation. This includes a safety policy
that clearly defines what the company’s Safety Policy
philosophical approach to safety and
the performance goals it has established An operator’s safety policy should clearly
for itself. state the company’s intentions, management
principles and aspirations for continuous im-
2. Clearly defined roles and responsi- provements in the safety level. This can be
bilities for all personnel involved achieved through documented policies des-
in safety. cribing what organizational processes and
structures it will use to achieve the safety
3. A description of the safety manage- management system. This should also con-
ment system components. tain a statement outlining the company’s
objectives and the outcomes it hopes to
achieve through its safety management system.
It is recommended that the safety policy

include a description of each element of the
system as required by the Canadian Avia-
tion Regulations. This would resemble the
description of other systems as detailed in a
maintenance control manual (MCM),
maintenance policy manual (MPM) or a
company operations manual (COM).
11
Safety Management
System Components
Safety Objectives ways of setting and expressing goals. In some
Mission Statement > The safety objectives organizations the goals are not stated very
of the organization should provide a starting explicitly. Other organizations set goals for-
point for the company’s safety policy. It mally and document the process. Regardless
should be accompanied by top level statement of how management goals are set, few
regarding the company’s commitment to organizations are good at developing safety
achieving improvements in safety and should goals. The most common weakness in setting
be widely publicized and distributed. For safety goals is focusing on outcomes. This
example, Transport Canada’s mission is to usually means counting accidents, but we
develop and administer policies, regulations know that safe companies can have accidents
and services for the best possible transportation while less safe operations can be lucky and
system for Canada and Canadians - one that avoid accidents. Although the ultimate goal
is safe, efficient, affordable, integrated and is ‘no accidents’, there are more precise and
environmentally friendly. useful ways of measuring safety, especially in
a safe system, than counting accidents.
A similar type of pronouncement should be
made by the organization. A typical state- It is a never-ending struggle to identify
ment outlining the objectives of a safety and eliminate or control hazards. We will
management program could read: never run out of things to do to make the
system safer. Sound man-
The safety management program aims to continually improve agement requires that we
identify them, decide
the safety of ABC airline’s flight operations by identifying, how to achieve them,
eliminating or mitigating any deficiencies in conditions, and hold ourselves
policies and procedures, and by ensuring that staff consider at accountable for achie-
ving them. Risk manage-
all times the safety implications of their own actions, and
ment procedures can
those of their colleagues. help managers decide
It is important to ensure that the stated where the greatest risks
objectives are achievable and clearly define are and help set priorities. Sound safety goal
the limits within which the company will setting concentrates on identifying systemic
operate. They should be unambiguous, well weaknesses and accident precursors, and
documented, readily accessible and should either eliminating or mitigating them.
be reviewed on a regular basis. Safety Performance Measurement
Safety Goals The safety performance of the operation

needs to be monitored, proactively and
Goal setting is vital to an organization’s per- reactively, to ensure that the key safety goals
formance. All organizations have their own continue to be achieved. Monitoring by
12
Safety Management
System Components
audit forms a key element of this activity objectives. This requires two things: the
and should include both a quantitative and development and implementation of a
qualitative assessment. The results of all coherent set of safety performance measures;
safety performance monitoring should be and, a clear linkage between the safety per-
documented and used as feedback to formance measures and the organization’s
improve the system. business performance measures. This shows
a clear relationship between the company’s
It is widely acknowledged that accident rates safety objectives and the achievement of its
are not an effective measurement of safety.iii organizational and business goals.iv A sim-
They are purely reactive and are only effec- ple example is given in the table below.
Objective Safety Performance measuresv
Business Objective: Reduce Costs Reduction in insurance rates
Safety Objective: Decrease number and • Total number of event

severity of hangar • Number of damage-only events
incidents • Number of near-miss accidents
• Lessons learned from event analyses
• Number of corrective action plans
developed and implemented
tive when the accident rates are high Non-Punitive Disciplinary Policies
enough. Furthermore, relying on accident The company should strive to develop a
rates as a safety performance measure can non-punitive, disciplinary policy as part of
create a false impression; an assumption its safety management system. Employees
that nil accidents indicate the organization are more likely to report events and cooper-
is safe. In reality, there will always be latent ate in an investigation when some level of
conditions within the system that might, immunity from disciplinary action is
if left unattended, lead to an accident. offered. When considering the application
A more effective way to measure safety of a non-punitive disciplinary policy, the
might be to address the individual areas of company might want to consider whether
concern. For example, an assessment of the the event involved willful intent on the part
improvements made to work procedures of the individual involved and the attendant
might be far more effective than measuring circumstances. For example, has the indivi-
accident rates. dual been involved in an event like this
before and did the individual participate
Performance measurement should be inte- fully in the investigation.
grally linked to the companies stated overall
13
Safety Management
System Components
A typical disciplinary policy might include employee is involved in similar, recurrent
the following statements: events. This might involve the following
steps:
• Safe flight operations are ABC airlines
most important commitment. To ensure • First offense-Verbal warning
that commitment, it is imperative that we
have uninhibited reporting of all incidents • Second offense-Formal written warning
and occurrences that compromise the
safety of our operations. • Third offense-final written warning
(may include suspension)
• We ask that each employee accept the
responsibility to communicate any infor- • Fourth offense-Termination.
mation that may affect the integrity of
flight safety. Employees must be assured Written warnings can remain active for one
that this communication will never result year, after which a letter of recognition for
in reprisal, thus allowing a timely, unin- positive change will be written and attached
hibited flow of information to occur. to the formal written warning in the person-
nel file by the individual’s direct supervisor.
• All employees are advised that ABC Air-
lines will not initiate disciplinary actions
against an employee who discloses an inci Roles And Responsibilities
dent or occurrence involving flight safety.
This policy cannot apply to criminal, An organization should document and
international or regulatory infractions. define the roles and responsibilities of all
personnel in the safety management system.
• ABC Airlines has developed Safety Reports Furthermore, a statement should be made
to be used by all employees for reporting attesting that everyone has a responsibility
information concerning flight safety. They
for safety. This includes a commitment on
are designed to protect the identity of the
employee who provides information. These the part of top management to be accoun-
forms are readily available in your table for safety within the company. The
work area. dedication and involvement of top manage-
ment towards safety and safety practices
• We urge all employees to use this program should be clearly visible. It is important that
to help ABC Airlines continue its leader senior management is seen to provide a
ship in providing our customers and strong and active leadership role in the safe-
employees with the highest level of ty management system. This includes a
flight safety.vi commitment to provide the resources neces-
sary to attain the strategic safety objectives
A non-punitive approach to discipline does
established by the organization. The follow-
not preclude the use of a general progressive
ing is a list of activities that demonstrate
approach to discipline in cases where an
top management’s active commitment to
14
Safety Management
System Components
SMS, these include: Documentation Of Roles And Responsibilities
The following guidelines highlight some of
• Putting safety matters on the agenda the key areas that should be documented:
of meetings, from the Board level
downwards • The safety responsibilities for each
position and task
• Being actively involved in safety activi-
ties and reviews at both local and • The competencies required for each
remote sites position
• Allocating the necessary resources, such • The line of responsibility for ensuring
as time and money, to safety matters all staff are competent and trained for
their duties and for ensuring that train
• Setting personal examples in day-to-day ing takes place, and
work
• The responsibilities of the manager
• Receiving and acting on safety reports responsible for externally supplied
submitted by employees services. All unapproved contracting
companies should meet the company’s
• Promoting safety topics in company own SMS standards or an equivalent
publications.vii to them.
The ideal safety culture embodies a spirit of
openess and should also demonstrate sup-
port for staff and the systems of work.
Senior management should be accessible
and dedicated to making the changes neces-
sary to enhance safety. They should be avail-
able to discuss emerging trends and safety
issues identified through the System. A posi-
tive safety culture reinforces the entire safety
achievement of the company and is critical
to its success.
15
Safety Management
System Components
Figure I demonstrates one possible organizational scenario that would meet the organiza-
tional requirements and reporting relationships, as detailed in the approved notice of pro-
posed amendments to the Canadian Aviation Regulations. The solid lines represent reporting
relationships, whilst the broken line represents lines of communication.
Figure I: Sample SMS Organogram
This diagram shows where existing organi- should safety management considerations.
zational bodies, such as the safety office, fit In SMS, safety is considered to be every-
into the safety management system. To put one’s responsibility and is not unique to the
this in today’s context, in many organiza- safety office.
tions the safety office is considered to be a
stand-alone entity equal to any other opera- Individual Roles and Responsibilities
tional body. The functions specific to the The effective management of safety requires
safety management system are concentrated a clear delineation of all lines of authority
within this silo and are not distributed within the organization. There should be a
throughout the organization. Safety man- clear understanding of the accountability,
agement is a business function comparable responsibility and authority of all individu-
to any other function in the operation. In als involved in the system. An effort should
the same way that financial considerations be made to document and distribute the
are integrated into the organization, so organogram throughout the company,
16
Safety Management
System Components
thereby promoting a common understan- reasonably precludes the application of
ding of everyone’s role in the safety manage- dedicated resources to this activity;
ment system. Figure I offers an example of
how the lines of responsibility might be • The person responsible for the affected
established. In this diagram the safety man- functional area, the Director of Opera-
tions or Maintenance for example, is
agement system functions are performed by
accountable for determining and imple
the quality assurance manager and the flight menting appropriate comprehensive
safety officer. In other organsiations, these corrective actions. The reason for this
functions might be dispersed throughout is threefold:
the technical or operational area, thereby
providing a safety management system that > The functional director, that is the
is fully integrated into all line activities. person with direct line responsibility for
the affected area, is directly involved in
Management’s role, responsibilities and the decision making process. In most
accountabilities for the SMS and organiza- cases, he/she has the knowledge and
tional deficiencies identified through the expertise to recommend effective cor-
system should be well defined and the lines rective and preventative actions and has
of authority clearly understood. As stated in the authority to assign the appropriate
the proposed regulatory requirements, these resources where required.
requirements include:
> The functional director must assume
• The accountable executive is responsible responsibility for safety within his/her
for establishing and maintaining the own area of responsibility. In this way
safety management system; he/she is involved in the “safety” process
and is accountable for issues that arise
• The functional area, that is the area of in his/her functional area.
direct responsibility, maintenance or
flight operations for example, is respon- > A quality assurance function is pro-
sible for the safety program; vided because event investigations and
• Everyone is responsible for safety in the corrective actions, are separate activities.
organization. This includes operations This eliminates the potential for con-
and maintenance personnel as well as flict of interest because the person who
individuals in other non-technical areas identifies the problem is not the person
such as marketing and customer service; who determines what the corrective
action is. This does not preclude discus-
• SMS specific functions must be exerci- sion of safety findings within a safety
sed by an individual employed within committee environment; however, the
the operational area in which he/she final say on any remedial action resides
works. The exception to this rule is in
cases where the size of the operation, with the responsible functional director.
17
Safety Management
System Components
The development of a positive safety culture Safety Office
is predicated on the involvement of all facets There is no regulatory requirement to have
of the organization in the safety process. a safety office. It is recognized, however,
The objective of this requirement, therefore, that larger organizations may choose to
is to involve all parties in the safety manage- employ a safety office as a consultative or
ment system, thereby fostering a company administrative body. In these cases, the safe-
wide commitment to safety management. ty office may act as a repository for safety
related reports and information, occupa-
Delegation Of Tasks To Effectively Operate tional health and safety issues, as well as
the Safety Management System provide risk assessment and data analysis
To ensure that the SMS operates effectively expertise to the functional managers. The
it is essential that the following tasks be dele- safety office may provide data directly to the
gated to company personnel as appropriate. accountable executive regarding major safety
The roles, responsibilities and accountabili- issues identified by the system. It should be
ties of each individual/position should be noted that the responsibility for informing
well defined and the lines of responsibility the accountable executive of major safety
clearly understood. As stated in the pro- deficiencies identified within their responsi-
posed regulatory requirements, he/she is ble area remains with the appropriate func-
responsible for: tional director. Furthermore, whilst the safe-
ty office may be involved in discussions
• Establishing and maintaining a report regarding possible corrective action, it is the
ing system to collect safety related data responsibility of the functional director to
determine what the corrective action will be
• Conducting hazard identification and
and to ensure the outcome is monitored
risk management analysis
and evaluated. The safety office does not
• Conducting periodic reviews to deter have the authority to overturn operational
mine the effectiveness of the program decisions related to safety issues identified
by the system or the safety management
• Developing and evaluating the results of system itself.
safety initiatives
Safety Committee
• Monitoring industry safety concerns
that could affect the organization The use of a safety committee in larger,
more complex organizations can provide
• Determining the adequacy of training benefits to the organization. Safety commit-
programs, and tees provide a forum for discussing safety
related issues from a cross-functional per-
• Advising reporters of the results of event spective and may lead to the inclusion of
analyses. issues that look at safety from a broader
viewpoint. Conventional health and safety
18
Safety Management
System Components
at work concerns are a good example of making process not only fosters ownership
this. Frequently, safety issues are not limited of the system, it also promotes a positive
to one specific area and require inputs and safety culture.
expertise from a variety of different fields.
Safety committees provide a forum for this In effect, the organization is striving to cre-
dialogue and can be utilized to assess the effec- ate a shared vision. As such, it is not suffi-
tiveness of the system from a “big picture” cient for the accountable executive to make
perspective. They also provide a means by a safety policy statement outlining what the
which safety achievements can be reviewed organization is committing to, without first
and safety information broadcast. acquiring feedback from all employees. The
problem with top down vision statements is
The safety office may coordinate and pro- that they reflect management’s vision and
vide administrative assistance to the safety do not always build on the individual’s per-
committee. It can also be a stand-alone sonal vision. The result can be an authori-
entity; meaning, one can exist without the tarian statement that does not inspire the
other. The accountable executive could be achievement of a common goal - in this
the chair of this committee and all parts of case safety. When people truly share a com-
the organization must be represented. This mon vision they are united in a common
does not preclude the existence of sub-com- aspiration, they have a common identity
mittees with specific areas of responsibility. and they have ownership in the system.viii
Employee Involvement In The Development Description of System Components

And Implementation Of The System
A successful safety management system The safety management system plan must
requires a focused sense of ownership include a description of each component
throughout the system. Whilst it is essential of the system and should clearly describe
that top management commit to doing the interrelationships between each of
whatever it takes to improve safety, it is these components. This is essential if com-
equally important that all employees feel pany personnel, and the regulator, are to
they have a system that values their input understand how the whole system is inte-
and is responsive to their contributions and grated. The documentary requirements for
ideas. In order to achieve this, all employees this element are discussed under the docu-
should have the opportunity to contribute mentation section.
to the development and implementation of
the safety management system. Employees
are ideally placed to understand the most
efficient and appropriate safety manage-
ment mechanisms for their work environ-
ment. Their involvement in the decision-
19
2 documentation
Safety Management
System Components
[d o c u m e n t a t i o n]
Up to date documentation is essential if the
company is to operate in a safe and efficient
manner in accordance with current aviation
safety regulations, standards and exemp-
tions. For this reason an operator’s Safety
Management System must address the four
following documentary requirements.
Identification of Applicable
• The identification of applicable aviation Aviation Safety Regulations,
safety regulations
Standards and Exemptions
• Consolidated documentation describing The company must have a process for docu-
the systems for each component of the menting the regulations, standards and
safety management system. exemptions by which it is regulated for the
various activities it conducts. This docu-
• The implementation of changes to com-
pany documentation required by changes mentation may reside in the company oper-
to aviation safety regulations, standards ations, maintenance policy manual, main-
and exemptions. tenance control manual or the company
safety management program documentation
• The maintenance of current, applicable as appropriate, but must be available to
and effective documentation. employees. The statement could be as
simple as:
The following paragraphs provide detail as
to how this might be accomplished. This company is governed by the following
aviation safety regulations, standards and
exemptions…(list as appropriate).
The company must provide employees with

access to all pertinent technical and regulato-
ry information. This can be accomplished by
having appropriate documentation on site, or
by having access to the information through
other appropriate means that provides the
same accessibility as on site documentation.
21
Safety Management
System Components
Documentation Describing knowledge as responsible for receiving any
System Components incoming correspondence of a regulatory
nature i.e. CBAACs, AIP amendments,
The requirement for a description of each Airworthiness Notices, etc. These would be
component of the safety management sys- reviewed to identify any changes pertinent
tem was discussed as an element of the safe- to the company operation. If changes were
ty management plan. Consolidated docu- necessary the process would allow for a trig-
mentation describing each component of ger to commence the amendment process to
the system is essential if company person- company documentation as necessary.
nel, and the regulator, are to understand
how the whole system is integrated. Maintenance Of Current,
Applicable And Effective
For air operators, this documentation must
Documentation
reside in the company operations manual.
Current regulation requires that air opera- It is the company’s responsibility to main-
tors have a description of their operational tain current regulatory and company docu-
control systems. The requirement for safety mentation. This includes regulations, stan-
management system components could be dards and exemptions as well as the COM,
addressed in the same fashion. the MPM and the MCM. Any changes in
SMS documentation, if this is contained
Implementing Changes To in a stand-alone manual, should also
Company Documentation be included.
When changes to company documentation Activities that cause company documenta-
are required the company must have a pro- tion to become outdated are mainly due to
cess in place to ensure these changes changes within the company itself or
are implemented. changes to regulatory information. To
address these occurrences the company
It is recommended that the process used must have processes in place to:
identify the individual responsible for the
activity and the procedure to be followed. • Identify any changes within the organi-
The process should provide for early identi- zation that could affect company docu-
fication of amendments. This will allow the mentation.
company to be proactive in addressing any
• Periodically review regulatory informa-
required changes to company documents tion to ensure the most current infor-
and procedures. mation is available.
This process could be as simple as designa- • Periodically review documentation such

ting an individual with the appropriate as the Maintenance Policy Manual,
Company Operations Manual or Safety
22
Safety Management
System Components
Management Program documentation
to ensure compliance with current
regulations.
A process to address changes within the

organization could consist of a trigger to
review company documentation at any time
a change to the company operations or
structure occurs or is planned to occur.
Specific events or dates could trigger

processes for periodic reviews of regulatory
information and company documentation.
These dates could be selected to augment
other company activities.
23
3 safety
oversight
Safety Management
System Components
[ Safety
Oversight ]
Safety oversight is fundamental to the safety
management process. A principal tenet of
safety management policies, principles and
procedures requires an organization to criti-
cally review its existing operations, proposed
operational changes and additions or replace-
ments, for their safety significance. This is
achieved through two principal means:
• Reactive - Occurrence/hazard reporting, and
• Proactive - Safety assessments.
For the most part these are two distinct ele- have already occurred, whilst the proactive
ments in the safety management system: method actively seeks to identify potential
one is reactive, the other proactive. The hazards through an analysis of the everyday
basic difference is the method of discovery: activities of the company. The exception to
the reactive process responds to events that this rule occurs when a potential hazard has
been reported through the company’s safety
reporting program.
Once an occurrence has been reported, or a

hazard identified, the procedures for dealing
with these issues follow the same process, as
shown in figure 2. This section will review
the specifics involved with the reactive and
pro-active processes and will discuss the
commonalities involved.
25
Safety Management
System Components
Figure 2 shows the process flow involved with the collection of data within a safety manage-
ment system.
Figure 2: Safety Management System Process Flow
Reactive Processes organizational and human factors within the

organization, that played a role in the event.
Occurrence and Hazard Reporting
Every event is an opportunity to learn valu- To achieve this, the company should main-
able safety lessons. The lessons will only be tain procedures for the internal reporting
understood, however, if the occurrence is and recording of occurrences, hazards and
analyzed so that all employees, including other safety related issues. The collection of
management, understand not only what timely, appropriate and accurate data will
happened, but also why it happened. This allow the company to react to information
involves looking beyond the event and received, and apply the necessary corrective
investigating the contributing factors, the action to prevent a recurrence of the event.
26
Safety Management
System Components
The key to accomplishing this is to have a The reporting system should be simple,
reporting system that meets the needs of the confidential and convenient to use and
people who will be using it - the employees. should be complemented with a non-puni-
As such, employee input into the develop- tive disciplinary policy. These attributes,
ment of the system is vital. A safety report- accompanied by efficient follow-up mecha-
ing system is worthless if no one uses it; the nisms acknowledging to the reporter that a
importance of the employee in the whole report has been received, investigated and
process, therefore, should not be minimized. acted upon, will encourage the development
An attendant non-punitive discipline policy, of a reporting culture. The results should be
and a real and demonstrated commitment by distributed to the individual involved and
management to achieve the company’s safe- the population at large.
ty goals, will help to foster the development
of a reporting culture within the company. There are many reporting programs in place
for all types of operations. It is important to
An operator’s safety reporting system should establish a system that suits the size and
encompass the following fundamental technology level of the operational environ-
elements: ment. In smaller operations, reporting
might be achieved through a simple written
1. Systems for reporting hazards, events or form deposited in a conveniently situated,
safety concerns;
secure box. Larger organizations may employ
2. Systems for analyzing data, safety a more sophisticated, on-line safety report-
reports and any other safety related ing system. Under certain conditions it may
information; be more expedient to submit a verbal
3. Methods for the collection, storage and report; without exception, however, this
distribution of data; should be augmented with a written report.
4. Corrective action and risk reduction At a minimum, report forms should allow
strategies; for a full description of the event and pro-
5. On-going monitoring, and vide space for the reporter to offer sugges-
tions as to possible solutions to the problem
6. Confirmation of the effectiveness of being reported. Reports should employ a
corrective action. common and clearly understood taxonomy
for error classification. Simply put, this is
Systems for Reporting Hazards, Events and the division of error types into ordered
Safety Concerns groups or categories. It is important that
Employees must have a means of reporting reporters and investigators share a familiar
all events and emerging hazards to an language to explain and understand the
appropriate manager, as identified in the types of errors that are contributing to
company manual. The manager will then events. This will facilitate more accurate
forward it to the data bank for processing. data inputs and trend analysis.
27
Safety Management
System Components
No matter what reporting system is utilized, • Inadequate tool or equipment control
its effectiveness will depend on four things: • Unruly passengers
• Employees clearly understand what they • Emergency exit paths blocked
should report; • Incorrect or inadequate procedures,
• All reports are confidential; and a failure to adhere to standard
procedures
• Individuals are provided feedback on
their reports in a timely fashion; • Poor communication between opera-
tional areas
• The company as a non-punitive disci-
plinary policy in place. • Lack of up to date technical manuals
• Poor shift changeovers
Why report? • Runway incursions
All events require appropriate investigation
• Lack of adequate training and recurrent
in order to: training.
• Establish their root cause, that is the Report Investigation and analysis
underlying initial contributing factor(s)
that caused the event, and identify Every event should be investigated. The
actions to minimize the chance of extent of the investigation will depend on
recurrence; the actual and potential consequences of the
occurrence or hazard. This can be determined
• Satisfy any regulatory requirements for through a risk assessment (see figure 2).
reporting and investigation as per the Reports that demonstrate a high potential
Canadian Aviation Regulations; should be investigated in greater depth than
• Provide a factual record of the circum- those with low potential.
stances of the event or hazard to allow
others to learn from the situation; and The investigative process should be compre-
hensive and should attempt to address the
• Categorize the underlying causes and factors that contributed to the event, rather
establish the appropriate remedial and
continuous improvement action.ix than simply focusing on the event itself -
the active failure. Active failures are the
What should be reported? actions that took place immediately prior to
the event and have a direct impact on the
Knowing what to report plays a key role in safety of the system because of the immedi-
an active reporting program. As a general acy of their adverse effects. They are not,
rule, any event or hazard with the potential however, the root cause of the event; as
to cause damage or injury should be report- such, applying corrective actions to these
ed. Examples of these issues are: issues may not address the real cause of the
• Excessive duty times problem. A more detailed analysis is required
to establish the organizational factors that
• Crews rushing through checks contributed to the error.
28
Safety Management
System Components
The investigator, or team of investigators tion that is conducted, or a company may
must be technically competent and either employ a predetermined event investigation
possess or have access to background infor- format regardless of the event. It is up to
mation, so the facts and events are inter- the individual company to determine which
preted accurately. The investigator should is the most appropriate method for their
have the confidence of the staff and the organization.
investigation process should be a search to
understand how the mishap happened, not The Maintenance Error Decision Aid
a hunt for someone to blame. (MEDA) and the Procedural Event Analysis
Tool (PEAT) developed by Boeing are
Event Investigation examples of tools designed to investigate
There are many tools that can be utilized to maintenance and operational events. Both
investigate events. An initial risk assessment MEDA and PEAT apply the following
may help determine the type of investiga- process flow:
Figure 3: MEDA/PEAT Process Flow
29
Safety Management
System Components
Boeing developed MEDA and PEAT to The MEDA Process
address the human performance factors that Both MEDA and PEAT employ a basic
must be considered during an event investi- five-step process for operators to follow
gation. There are slight differences with the (see figure 3 for the process flow). As pre-
investigative process employed in MEDA viously stated, there are slight differences
and PEAT. For example, PEAT focuses on in the investigative focus between PEAT
the key event elements and identifies key and MEDA, the process flow, however, is
underlying cognitive factors that contribu- the same. In the MEDA process there are
ted to the procedural deviation. The objec- five steps:
tive of the process is to help the investigator
to arrive at valid, effective recommendations • Event - An event occurs, such as a gate
aimed at preventing the occurrence of simi- return or air turn back. It is the respon-
lar types of procedural deviation. In con- sibility of the of the maintenance organ
trast, MEDA looks at the organizational isation to select the error-caused events
factors that can contribute to human error that will be investigated.
such as poor communication, inadequate • Decision - After fixing the problem
information and poor lighting. and returning the airplane to service,
the operator makes a decision: Was
Both MEDA and PEAT are based on the the event maintenance-related? If yes,
philosophy that traditional efforts to investi- the operator performs a MEDA
gate errors are often aimed at identifying investigation.
the employee who made the error. The usual
• Investigation - Using the MEDA
result is that the employee is defensive and
results form, the operator carries out an
is subjected to a combination of disciplinary investigation. The trained investigator
action and recurrent training. Because uses the form to record general informa-
retraining often adds little or no value to tion about the airplane, when the main-
what the employee already knows, it may be tenance and the event occurred, the
ineffective in preventing future errors. event that began the investigation, the
error that caused the event, the factors
In addition, by the time the employee is that contributed to the error, and a list
identified, information about the factors of possible prevention strategies.
that contributed to the event has been lost.
• Prevention Strategies - The operator
Because the factors that contributed to the
reviews, prioritizes, implements, and
error remain unchanged, the error is likely then tracks prevention strategies
to recur, setting what is called the “blame (process improvements) in order to
and train” cycle in motion again. To break avoid or reduce the likelihood of similar
this cycle, both MEDA and PEAT employ errors in the future.
investigative techniques that look for the
factors that contributed to the error, rather • Feedback - The operator provides feed-
than looking for someone to blame. back to the maintenance workforce so
30
Safety Management
System Components
technicians know that changes have addressing issues revealed by PEAT
been made to the maintenance system analyses and to identify emerging
as a result of the MEDA process. The trends.
operator is responsible for affirming the
effectiveness of employees’ participation • Analysis - using the PEAT tool in a
and validating their contribution to the typical analysis of a procedurally related
MEDA process by sharing investigation event, a trained investigator will consi-
results with them.x der the following areas and assess their
significance in contributing to flight
The PEAT Process crew decision errors:
The primary focus of PEAT is to find out > Flight Phase where error occurred
why a serious event occurred and if a proce- > Equipment factors
dural deviation is involved. As such, PEAT " The role of automation
relies heavily on the investigative philosophy " Airplane deck indications
that professional flight crews very rarely fail " Airplane configuration
to comply with a procedure intentionally, > Other stimuli (beyond indications)

especially if doing so is a safety risk. The > Environmental factors
PEAT methodology comprises three > The procedure from which the error
elements: resulted
" The status of the procedure
• A process - PEAT provides an in-depth, " Onboard source of the

structured analytic process consisting of procedure
a sequence of steps that guides the " Procedural factors
investigator through the identification (e.g. negative transfer, imprac-
of key contributing factors and the
tical, complexity, etc)
development of effective recommenda-
" Crew interpretation of the rele-
tions aimed at the elimination of similar
errors in the future. This includes col- vant procedure
lecting information about the event, " Current policies, guidelines/
analyzing the event for errors, classify policies aimed at prevention

ing the error and identifying prelimi- of event)
nary recommendations. > Crew Factors
" Crew intention
• Data storage - to facilitate data analysis " Crew understanding of situa-
PEAT provides a database for the stor- tion at the time of procedure
age of procedurally related event data.
execution
Although designed as a structured tool,
" Situation awareness factors
PEAT also provides the flexibility to
allow for the capture and analysis of (e.g. Vigilance, attention, etc.)
narrative information as needed. This " Factors affecting individual
allows airlines to track their progress in performance (e.g. fatigue,

workload, etc.)
31
Safety Management
System Components
Personal and corporate
" equipment or structures, loss of material, or
stressors, management or peer reduction of the ability to perform a pre-
pressure, etc.) scribed function. In particular, this includes
" Crew coordination/ any conditions that could contribute to the
communication release of an un-airworthy aircraft, or to the
" Technical knowledge/skills/ operation of aircraft in an unsafe manner.
experience This can be achieved through internal
> Other factors… reporting mechanisms, such as flight data
monitoring programs, or through an assess-
PEAT provides consistency in application ment of the processes used to perform a
and results. The PEAT form is designed to specific operation. This involves an on-
facilitate the investigation of specific types going assessment of the functions and sys-
of events, i.e. those involving non-adher- tems, and any changes to them, and the
ence to procedures. As such, it addresses all development of a safety case to proactively
the pertinent elements.xi manage safety. Safety assessments are a core
process in the safety management construct
Pro-Active: Safety Assessment and provide a vital function in evaluating
and maintaining the system’s safety health.
For a safety management system to transi-
tion from a reactive to a proactive, it must Understanding the hazards and inherent
actively seek out potential safety hazards risks associated with everyday activities
and evaluate the associated risks. This can allows the organization to minimize unsafe
be achieved through a safety assessment. A acts and respond proactively, by improving
safety assessment allows for the identifica- the processes, conditions and other systemic
tion of potential hazards and then applies issues that lead to unsafe acts. These include
risk management techniques to effectively - training, budgeting, procedures, planning,
manage the hazard. marketing and other organizational factors
that are known to play a role in many sys-
A certificate holder’s safety assessment sys-
tem should encompass the following basic tems-based accidents.xii In this way, safety
elements: management becomes a core-business func-
tion and is not just an adjunct management
1. Systems for identifying potential hazards task. It is a vital step in the transition from
2. Risk management techniques a reactive culture - one in which the organi-
3. On-going monitoring/quality assurance. zation reacts to an event, to a proactive cul-
ture, in which the organization actively
Hazard Identification seeks to address systemic safety issues before
Hazard identification is the act of identify- they result in an active failure.
ing any condition with the potential of
causing injury to personnel, damage to
32
Safety Management
System Components
Assessment frequency • Workplace opinions - Actively seek
A safety assessment should be undertaken, the input of the workforce. This can be
at a minimum: achieved through focus groups, consul-
ting employee representatives and con-
ducting structured vulnerability analyses
• During implementation of the safety
with subordinate managers and
management system and then at regular
supervisors.
intervals;
• Audit Reports - The company’s internal
• When major operational changes are
audit system should contain a struc-
planned;
tured record of areas of concern in a
prioritized format. A review of audit
• If the organization is undergoing rapid
reports and remedial action plans
change, such as growth and expansion,
(including an assessment of follow-up
offering new services, cutting back on
action completions) should conducted.
existing service, or introducing new
Corporate memories are often much
equipment or procedures; and
shorter than the current incumbents
realize and research beyond 5 to 10 years
• When key personnel change.xiii
could reveal important information.
Information Sources for Determining • Corporate hazard analysis - Records of
Potential Risks > Assessing potential previously conducted formal hazard
risk is often perceived as resource intensive analyses may reveal risk exposures,
and unduly onerous. It doesn’t have to be. which did not appear very significant at
There are numerous sources of readily the time, but do now, in light of the
accessible information that can be utilized changed circumstances.
to better understand potential risk within
an organization. The following list details • Industry generic hazard register -
some of the possible resources: Hazards/risks identified by other orga-
nizations might trigger concerns that
• Company Experience - Existing safety should be addressed by the company.
reports detailing events and near misses.
Minutes of safety meetings and comit- • Safety data recording systems -
tee meetings can also reveal potential Mandatory occurrence reporting pro-
areas of concern. grams such as CADORs and industry
safety data exchange programs like
• Line management Judgement - All line BASIS can be consulted.xiv
managers will have perceptions of where
the greatest risks are in their areas of
accountability.
33
Safety Management
System Components
Active Monitoring Techniques > Checklist Usage > In most quality
There are several active monitoring methods assurance systems, audit checklists are used
that can be employed in safety assessment, to collect data related to the system. The
these include: same type of checklist should be utilized to
provide a safety assessment of the company.
• Inspections - Determines adherence to This will allow the company to develop a
requirements, plans and procedures by safety case, an analysis of safety issues with-
inspection of premises, plant and equip- in the organization that adequately portrays
ment or activities. Usually achieved the safety level of the company.
through detailed inspection of actual
specific target area activities against
planned methods of procedures. Tends Safety Risk Profiling > Once potential
to be focused at the task level. risks have been identified it is useful to fully
understand the impact that they might have
• Management safety inspections - if they remain unchecked. In order to deter-
Determines the effectiveness of systems mine this, a full risk assessment should be
and demonstration of line commitment. conducted. This process is described in
Usually achieved through examination Common Elements below and should be
of managers or teams that focus on peo- applied to both the reactive investigations
ple’s activities and the system they use. and pro-active safety assessments an organi-
zation conducts.
• Audits - Verifies conformance with esta-
blished guidelines and standards.
Usually achieved through systematic Safety risk profiling should look at the
independent review of an organization’s entire organization and identify levels of
systems personnel, facilities, etcetera risk within the company. Examples of areas
using a predetermined targeted scope of that should be considered are:
coverage. Tends to be focused at the
process level. • Operational factors, such as weather
information and approach aids
• Process and practice monitoring -
Identifies whether the procedure in use • Technical factors, such as parts inter-
is relevant and actively used and the changeability and aircraft type
practices employed are in line with the
requirements of the procedures. • Human factors, such as availability of
equipment, working environment and
• Review - Provides an overview of the human resources.
processes involved in a work area or
system for their effectiveness and appro- Common Elements
priateness. Resource allocation is often a
Occurrence and hazard reporting and safety
target of a review.xv
assessment are two individual functions
within the safety management system.
34
Safety Management
System Components
Once a report has been submitted, however, Data Collection
the process flow is the same. The following When producing an occurrence or hazard
represent common element in both ele- report every effort should be made to ensure
ments that should be considered when that the form is easy to understand and user
developing a safety management system. friendly. The company should strive to
make all reporting forms compatible for
Reporting Procedures each area of the operation. This will facili-
The process for reporting an event or a haz- tate data sharing, trend analysis and will
ard should be as simple as possible. Report also make the occurrence or hazard investi-
submission procedures should be well docu- gation process easier.
mented and should include details of where
and to whom reports should be submitted. Depending on the size of the organization,
This will reduce confusion over where safety the most expedient data collection method
reports go and will ensure that all events are might be to utilize existing paperwork, such
brought to the attention of the appropriate as flight and maintenance reports. The use
person. of hand written reports or the information
derived from verbal reports is equally
When designing a safety report form it is acceptable. As previously stated, however,
important to consider that the form may be verbal accounts should always be followed-
used to submit information regarding events up with a written report.
and hazards. The form should be structured
in such a manner that it can accommodate Reporting can also be achieved through the
both the reactive and proactive type of use of a dedicated occurrence and hazard
reporting. Sufficient space should be report. A general off-the-shelf software
allowed for reporters to identify suggested package can be used or a predefined report,
corrective actions related to the issue they generated from integrated systems such as
are reporting. the British Airways Safety Information
System (BASIS), the Aviation Quality
There are many possible ways in which a Database (AQD) report or the Aviation
report can be submitted. The size and com- Events Reports Organiser (AERO). These
plexity of the organization will determine types of system are all inclusive; they gener-
how sophisticated the system is. In some ate reports, collect and store data and can
cases this might involve having a locked be used to provide trend analysis and safety
postbox on the hangar floor, in other cases reports.
it might be more effective to submit reports
directly to the safety office. It is up to the Data Collection Systems
individual organization to determine the BASIS, AQD and AERO are examples of
most suitable method. electronic data collection systems designed
35
Safety Management
System Components
for use in a variety of different sized organi- further by conducting a risk evaluation.
zations. The use of pre-existing electronic Here the probability and severity of the
data collection and storage is not a safety hazard are assessed to determine the level
management system requirement. A simple of risk. Figure 4 shows one example of a
Microsoft ACCESS database or a manual risk assessment matrix. In this diagram the
filing system can be utilized. matrix defines a method to determine the
level of risk.
Risk Management
Risk management is a proactive activity that Figure 4: Risk Analysis Matrix
looks at the risks associated with identified
hazards and assists in selecting actions to
maintain an appropriate level of safety when
faced with these hazards.
Once hazards have been identified, either

through occurrence/hazard reporting, or a
safety assessment the risk management pro-
cess begins. Risk management is an evalua-
tion of the potential for injury or loss due
to a hazard and the management of that
probability. This concept includes both the
likelihood of a loss and the magnitude. The
basic elements of a risk management
process are:
• Risk Analysis
• Risk Assessment To use the risk assessment matrix effectively
• Risk Control it is important that everyone has the same
• Monitoring understanding of the terminology used for
probability and severity. For this reason de-
Risk Analysis is the first element in the risk finitions for each level of these components
management process. It encompasses risk should be provided.
identification and risk estimation. Once a
hazard has been identified the risks associa- It is up to individual company to define
ted with the hazard must be identified and when intervention is required, in other
the amount of risk estimated. words, the company must decide where its
tolerable level of risk is. Figure 5 provides
Risk Assessment takes the work completed an example of what this risk classification
during the risk analysis and goes one step index might look like. The description
36
Safety Management
System Components
should indicate the action required and if ably in their scope and complexity. It is
necessary a timeframe for completion. important that the process selected meets
Figure 5: Risk Analysis Matrix
Values Risk Levels Action
1-6 Minimum Risk Proceed after considering all elements of risk.
6 - 14 Moderate Risk Continue after taking action to manage overall

level of risk.
15 - 25 High Risk STOP: Do not proceed until sufficient con

trol measures have been implemented to
reduce risk to an acceptable level.
There are a number of examples of risk the capabilities and requirements of the
assessment and classification matrixes and company in question. Following are only a
their definitions available. Some of these few examples of processes that include the
utilize economic indicators such as dollar required components:
figures to define the level of acceptable risk.
Canadian Standards Association (CSA)
Risk Control addresses any risks identified Standard CAN/CSA-CEI/IEC 300-9-97,
during the evaluation process that require Dependability management - Part 3
an action to be taken to reduce the risks to Application Guide - Section 9: Risk Analysis
an acceptable level. It is here that a correc- of Technological Systems. This document pro-
tive action plan is developed. vides the guidelines for selecting and imple-
menting risk analysis techniques, primarily
Monitoring is essential to ensure that once for risk assessment of technological systems.
the corrective action plan is in place, it is It contains guidelines regarding:
effective in addressing the stated issues or
hazards. > Risk analysis concepts
> Risk analysis processes
Existing Risk Management Processes. > Risk analysis methods
There are a number of existing processes
CSA Standard CAN/CSA-Q850-97 Risk
that can assist a company in meeting the
Management: Guideline for Decision Makers.
regulatory requirements for a risk assess-
This guideline is intended to assist decision
ment component to their safety manage-
makers in effectively managing all types of
ment system. These processes vary consider-
37
Safety Management
System Components
risk issues, including injury or damage to • The third foot is concerned with what
health, property, the environment, or some- has been termed General Failure Types
thing else of value. It describes a process for (GFTs) and addresses system failures, in
acquiring, analyzing, evaluating, and com- part, through the identification of latent
municating information that is necessary for conditions that are associated with past
occurrences (the second foot).
decision-making. The guideline provides a
description of the major components of the In the past most remedial measures were
risk management decision process using a aimed at the first two feet, however, these
step-by-step process as follows: are programmatic fixes and do not necessa-
rily address system failures. By including the
> Initiation
third foot, and minimizing the impact of
> Preliminary Analysis
> Risk Estimation GFTs, exposure in the first area or foot of
> Risk Evaluation hazards and unsafe acts is reduced.xvi
> Risk Control
> Action/Monitoring Commercially available Software Programs. >
There are a number of software programs,
Tripod Delta. > This program is a proac- which advertise a risk analysis component,
tive error management tool that encompass- available to operators. Some are directly
es risk analysis within its overall scope. This focused on the safety management aspect
program was originally designed for the oil within aviation and others are more generic
and gas exploration and production opera- in nature, but may meet individual compa-
tions of Shell Internationale Petroleum ny requirements. Information on these pro-
Mattschappij, however, it has been grams is readily available on the internet.
employed in a wide variety of operations.
Tripod Delta looks at the whole system and Corrective Action Plan
identifies potential hazards. This program Once a safety event report has been investi-
takes its name from the three areas or ‘feet’ gated and analysed, or a hazard identified, a
on which it focuses. Each foot of the tripod safety report outlining the occurrence, and
has an effect on the other. The feet are rela- if available, the results of a hazard assess-
ted as follows: ment, should be given to the appropriate
director for determination of corrective or
• The first foot represents hazards and preventative action. The functional director
unsafe acts. should develop a corrective action plan
(CAP), a plan submitted in response to
• The second foot follows and focuses on findings, outlining how the company pro-
accidents, incidents and losses that poses to correct the deficiencies documen-
result when the performance of unsafe ted in the findings. Depending on the find-
acts penetrate the defenses and produce ings the CAP might include short-term and
bad outcomes. long-term corrective actions. As an example,
Transport Canada’s Inspection and Audit
38
Safety Management
System Components
Manual defines these in the following On-Going Monitoring
manner: In order to ensure the effectiveness of the
remedial measures, the corrective actions
" Short-Term Corrective Action - should be monitored and evaluated on a
This action corrects the specific issue regular basis. Follow-up activity should be
specified in the audit finding and is conducted through the internal audit
preliminary to the long-term action process. This should include comprehensive
that prevents recurrence of the prob- documentation of audit findings, corrective
lem. Short-term corrective action actions and follow-up procedures.
should be completed by the date/
time specified in the corrective Information Dissemination
action plan.
All safety related information should be dis-
seminated throughout the organization.
o Long-Term Corrective Action -
Keeping current on safety provides better
Long-term corrective action has two
background for understanding aspects of
components. The first element
the organization’s safety condition and
involves identifying the root cause of
developing novel solutions to difficult pro-
the problem and indicating the
blems. This can be accomplished by sub-
measures the auditee will take to pre-
scribing to safety related programs, making
vent a recurrence. These measures
relevant Transportation Safety Board (TSB)
should focus on a system change.
reports available, and encouraging staff to
The second component is a timetable
participate in safety related training, semi-
for implementation of the long-term
nars and workshops. Manufacturers can also
corrective action. Long-term correc-
provide important safety information and
tive action should include a proposed
reliability data related to the company’s
completion date.
specific needs.
Some long-term corrective actions Another aspect of information dissemina-
may require time periods in excess of tion is feedback on safety reports submis-
the company’s established acceptable sions. Employees should be notified when a
timeframe, for example where major safety report is received or when a potential
equipment purchases are involved. safety threat is discovered. Further informa-
Where applicable, the company should tion should be provided pursuant to investi-
gation, analysis and corrective action. Infor-
include milestones or progress review
mation dissemination can also be achieved
points not exceeding the established through the publication of a company mag-
timeframe leading up to the proposed azine or through the company website. The
completion date. Where the short- company should endeavor to inform all
term corrective action taken meets employees as to where safety related infor-
the requirements for long-term cor- mation can be found. In this way the entire
rective action, this should be stated company becomes aware of safety issues and
in the long-term corrective action understands that the company is actively
section on the corrective action form.xvii seeking to address these issues.
39
4 training
Safety Management
System Components
[ Tr a i n i n g ]
In order for employees to comply with all
safety requirements, they need the appropri-
ate information, skills and training. To effec-
tively accomplish this, the company should
document the training requirements for
each area of work within the company. It is recommended that a training file be
developed for each employee, including
The type of training to be offered is already management, to assist in identifying and
mandated via regulation for certain posi- tracking employee training requirements.
tions in the company. This includes initial,
recurrent and update training requirements
and, where required, training specific to the
operation of the safety management system.
These regulations will provide a good start-
ing point to identify what training is required.
41
5 quality
assurance
Safety Management
System Components
[ Quality
Assurance ]
A quality assurance system (QAS) defines
and establishes an organization’s quality po-
licy and objectives. It also allows an organi-
zation to document and implement the pro-
cedures needed to attain these goals. A pro-
perly implemented QAS ensures that proce- An effective quality assurance system should
dures are carried out consistently, that pro- encompass the following elements:
blems can be identified and resolved, and
that the organization can continuously 1. Well designed and documented proce-
review and improve its procedures, products dures for product and process control
and services. It is a mechanism for maintain-
ing and improving the quality of products 2. Inspection and testing methods
or services so that they consistently meet or
exceed the organization’s implied or stated 3. Monitoring of equipment including
calibration and measurement
needs and fulfill their quality objectives.xviii
4. Internal and external audits
In a safety management system, these ele-
ments are applied to an understanding of 5. Monitoring of corrective and preventive
the human and organizational issues that action(s), and
can impact safety. In the same way that a
QAS measures quality and monitors com- 6. The use of appropriate statistical
pliance, the same methods are used to mea- analysis, when required.xix
sure safety within the organization. In the
Quality assurance is based on the principle
SMS context, this means quality assurance
of the continuous improvement cycle. In
of the safety management system, which in
much the same way that SMS facilitates
effect includes the entire operation.
continuous improvements in safety, quality
assurance ensures process control and regu-
latory compliance through constant verifica-
tion and upgrading of the system. These
objectives are achieved through the applica-
tion of similar tools: internal and indepen-
dent audits, strict document controls and
on-going monitoring of corrective actions.
43
Safety Management
System Components
Audits > In the case of a quality audit on a compa-
The use of audit functions, to verify com- ny’s safety management system, the check-
pliance and standardization, is an integral list, should provide a detailed account of
part of the quality assurance system. An ini- the following areas:
tial audit, covering all technical activities,
should be conducted, followed by a recur- • Safety policy
ring cycle of further internal audits. Detailed • Safety standards
records of audit findings, including issues of • Safety culture
compliance and non-compliance, corrective • Contractor’s safety organization
• Structure of safety accountabilities
actions and follow-up inspections should be
• Hazard management arrangements
kept. The results of the audit should be • Safety assessment, and
communicated throughout the company. • Safety monitoringxx
Depending on the size of the organization, (Examples of detailed audit checklists are
these functions may be performed by indi- provided in Transport Canada’s Inspection
viduals within the company or assigned to and Audit Manual.)
external agents. Wherever practical, having
regard to the size of the organization, these On-going monitoring >
functions should be undertaken by persons The on-going monitoring of all systems and
who are not responsible for, and have not the application of corrective actions are
been involved in, the certification or per- functions of the quality assurance system.
formance of the tasks and functions being Continuous improvement can only occur
audited. In this way, the quality assurance when the organization displays constant
function remains neutral and is indepen- vigilance regarding the effectiveness of its
dent from the operational aspects of the technical operations and its corrective actions.
organization. Indeed, without on-going monitoring of
corrective actions, there is no way of telling
Checklists > whether the problem has been corrected
Audit checklists should be employed to and the safety objective met. Similarly, there
identify all of the technical functions con- is no way of measuring if a system is fulfil-
trolled by the MPM, the MCM or the ling its purpose with maximum efficiency.
COM. These should be sufficiently detailed
to ensure that all of the technical functions Existing Systems >
performed by the organization are covered. There are many existing quality assurance
Accordingly, the extent and complexity of standards. The most appropriate system
these checklists will vary from company depends on the size and complexity of the
to company. organization and will be tailored to meet
these requirements. ISO 9000, a series of
international standards developed by quality
44
Safety Management
System Components
experts from around the world, is one • Involvement of people - Safety is every
example. ISO 9000 is for use by companies one’s responsibility. It is incumbent on
that either want to implement their own in- all employees therefore to involve them
house quality systems or to ensure that sup- selves and utilize their abilities for the
pliers have appropriate quality systems in organization’s benefit.
place. The standards were developed under • Process Approach - A managed
the auspices of the International Organi- approach is applied to activities and
zation for Standardization (ISO). related resources.
• System Approach to Management -
The current series, ISO 9000:2000, was deve-
Identifying, understanding and mana-
loped to assist all types and size of organiza-
ging interconnected processes as a sys-
tion, to implement and operate effective qua-
tem contributes to the organization’s
lity management systems. ISO standards are
effectiveness and efficiency in achieving
intended to be generic and not specific to
its objectives.
any product or industry. They are intended
to document the elements required for an • Continual Improvement - Continual
effective quality system, however, they do improvement of the organization’s over-
not specify the technology requirements to all performance should be a fixed objec-
be utilized.xxi ISO 9000:2000 works on the tive of the organization.
principal that, to successfully operate an
organization, it is necessary to direct and • Factual Approach to Decision Making -
control it in a systematic and transparent Decisions are made utilizing available
manner. The objective is to continually information and current data.
improve performance whilst addressing the
• Mutually Beneficial Supplier Relations -
needs of all interested parties.xxii
Given that an organization and its sup-
The ISO 9000:2000 standards are com- pliers are interdependent, a mutually
posed of a set of eight quality management beneficial relationship enhances the
principles that contribute to improved ability of both to create value.xxiii
performance: There are several steps and organization
• Customer Focus - Understanding what must take to ensure a successful implemen-
the customer wants and needs. In avia- tation of ISO standards. The organization
tion some of these requirements are a must clearly understand what it hopes to
safe, reasonably priced flight, that departs achieve and what the expectations of the
on time. stakeholders are. Furthermore, it must
identify the gap between where it is now
• Leadership - Leaders set the goals and and where it hopes to be in the future. A
purpose of the organization. They should plan must be developed to close these gaps
establish and maintain the internal envi- and it must be monitored to ensure effec-
ronment in which the individual becomes tiveness. This consists of both internal and
fully involved in attaining the organiza- external audits.xxiv
tion’s objectives.
45
6 emergency
response plan
Safety Management
System Components
[ Emergency
Response Plan ]
An Air operator emergency response plan is
an integral part of the SMS. It must contain
the following items:
• Air Operator Policy
• Air Operator Mobilization And

Agencies Notification
• Passenger and Crew Welfare
• Casualty and Next Of Kin Coordination • Air Operator Team’s Response To The
Accident Site
• Accident Investigation On Behalf Of
The Air Operator • Preservation Of Evidence
• Media Relations
• Claims And Insurance Procedures
• Aeroplane Wreckage Removal
• Emergency Response Training
47
Conclusion
The implementation of safety management systems represents a

fundamental shift in the way we all do business. Safety management
systems require organizations’ to adopt the elements detailed in this
document and to incorporate them into their everyday business
practices. In effect, safety becomes an integral part of the every-
day operations of the organization and is no longer considered an
adjunct function belonging to the safety office.
If SMS is to be a success, however, Transport Canada, like the

industry we regulate, must establish a disciplinary/enforcement
policy that promotes and rewards the behaviors we are striving to
achieve. SMS involves a transferal of some of the responsibility for
aviation safety issues, from the regulator to the individual organiza-
tion. A role shift, in which the regulator oversees the effectiveness
of the safety management system and withdraws from a day-to-day
involvement in the companies’ it regulates. The day-to-day issues
are discovered, analysed and corrected internally, with minimal
intervention from Transport Canada. From the company perspec-
tive the success of the system will hinge on the development of a
safety culture that promotes open reporting, through non-punitive
disciplinary policies and continual improvement through, proactive
safety assessments and quality assurance.
The safety management system philosophy requires that responsibi-

lity and accountability for safety be retained within the manage-
ment structure of the organization. The directors and senior man-
agement are ultimately responsible for safety, as they are for other
aspects of the enterprise. The responsibility for safety, however,
resides with every member of the organization; in safety manage-
ment everyone has a role to play.
48
References
i
In Approved Maintenance Organizations the requirement for safety
management programs is limited to AMOs holding ratings in respect
of aircraft types eligible for commuter or airline operations. In Air
Operator Certificate holders, safety management programs are
required in the following types of operations:
(a) Subpart 702 – date and applicability to be determined;
(b) Subpart 703 – date and applicability to be determined;
(c) Subpart 704 – date and applicability to be determined;
(d) Subpart 705 – by 28 March 2004.
ii
Alan Waring, Safety Management Systems,
(UK: Chapman & Hall, 1996)
iii
See James Reason, Managing the Risks of Organizational Accidents,
(UK: Ashgate, 1987) and
(UK: Chapman & Hall, 1996) for a more detailed
discussion of this subject.
iv
(UK: Chapman & Hall, 1996)
v
For additional examples of performance measurement see
(UK: Chapman & Hall, 1996).
vi
Reproduced by permission of Air Canada.
vii
Shell Aircraft Aviation Safety Management Guidelines, Part 2, p.8.
viii
Peter M. Senge, The Fifth Discipline,
(New York: Doubleday, 1990).
ix
Shell Aircraft Aviation Safety Management Guidelines, Part 2: Safety
Management System Guidelines,
January 2000.
x
Reproduced By permission of the Boeing Company,
AERO no.3, 1998.
xi
R. Curtis Graeber and Mike Moodi, Understanding Flight Crew
Adherence to Procedures: The Procedural Event Analysis Tool (PEAT).
Flight Safety Foundation, IFA/IASS, South Africa 1998.
49
References
xii
James Reason, Managing the Risks of Organizational Accident,
(UK: Ashgate, 1997)
xiii
Transport Canada, Introduction to Safety Management Systems.
TP 13739 E (04/2001)
xiv
Shell Aircraft Aviation Safety Management Guidelines, part 4, page 21.
xv
Shell Aircraft Aviation Safety Management Guidelines, part 2,
appendix 1, page 2.
xvi
James Reason, Managing the Risks of Organizational Accident,
(UK: Ashgate, 1997)
xvii
Inspection and Audit Manual, Transport Canada website:
www.tc.gc.ca/civilaviation/maintenance/aarpf/menu.htm
xviii
The Standards Council of Canada
xix
James R. Evans and William M. Lindsay, The Management and
Control of Quality,
(USA: South-Western College Publishing, 1999)
xx
Shell Aircraft Aviation Safety Management Guidelines, part 2,
appendix 1, page 3.
xxi
Quality Assurance Planning, Course Manual, P.213,
University of Manitoba.
xxii
National Standard of Canada CAN/CSA-ISO 9000-00, Quality
Management Systems-Fundamentals and Vocabulary.
xxiii
Ibid.
xxiv
International Organization for Standardization.
50

TP 13881sms

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

TP 13881sms

Uploaded by

Copyright:

Available Formats

SAFETY MANAGEMENT SYSTEMS

FOR FLIGHT OPERATIONS AND AIRCRAFT MAINTENANCE ORGANIZATIONS

Permission is granted by the Department of Transport, Canada, to copy and/or

This guide applies to proposed

This guidance material was written by the staff

Transport Canada wishes to thank the following individuals,

* Professor James Reason, University of Manchester

This document is a living document and will be revised at intervals

1. SAFETY MANAGEMENT PLAN ..........................................................................................................11

3. SAFETY OVERSIGHT ................................................................................................................................25

5. QUALITY ASSURANCE ............................................................................................................................43

6. EMERGENCY RESPONSE PLAN ..........................................................................................................47

[ Key Generic Features

• Clear authorities, responsibilities and

• Occurrence and Hazard reporting,

• Data collection procedures • Incident analysis

• Hazard identification and risk

• Safety management training

• Emergency response plan

In order to implement an effective safety management

1. A definition of the fundamental

It is recommended that the safety policy

Safety Goals The safety performance of the operation

Objective Safety Performance measuresv

Business Objective: Reduce Costs Reduction in insurance rates

Safety Objective: Decrease number and • Total number of event

Figure I: Sample SMS Organogram

Employee Involvement In The Development Description of System Components

The company must provide employees with

This process could be as simple as designa- • Periodically review documentation such

A process to address changes within the

Specific events or dates could trigger

• Reactive - Occurrence/hazard reporting, and

• Proactive - Safety assessments.

Once an occurrence has been reported, or a

Figure 2: Safety Management System Process Flow

Reactive Processes organizational and human factors within the

Figure 3: MEDA/PEAT Process Flow

relies heavily on the investigative philosophy " Airplane deck indications

to comply with a procedure intentionally, > Other stimuli (beyond indications)

• A process - PEAT provides an in-depth, " Onboard source of the

analyzing the event for errors, classify policies aimed at prevention

allows airlines to track their progress in performance (e.g. fatigue,

Once hazards have been identified, either

Figure 5: Risk Analysis Matrix

Values Risk Levels Action

1-6 Minimum Risk Proceed after considering all elements of risk.

6 - 14 Moderate Risk Continue after taking action to manage overall

15 - 25 High Risk STOP: Do not proceed until sufficient con

• Air Operator Policy

• Air Operator Mobilization And

• Passenger and Crew Welfare

• Claims And Insurance Procedures

• Aeroplane Wreckage Removal

• Emergency Response Training

The implementation of safety management systems represents a

If SMS is to be a success, however, Transport Canada, like the

The safety management system philosophy requires that responsibi-

You might also like