Safety Regulation Group

SAFETY MANAGEMENT SYSTEMS – GUIDANCE TO ORGANISATIONS

April 2008 1
Contents
1 Introduction 3

2 Management Systems

2.1 Management Systems Introduction 3

2.2 Quality Management System 3
2.3 Safety Management System 3
2.4 Safety Management System Implementation Plan 4
2.5 Small Organisations 4

3 Components of a Safety Management System 5

4 Safety Policy and Objectives

4.1 Management Commitment and Responsibility 5

4.2 Safety Accountabilities of Managers 6
4.3 Appointment of Key Safety Personnel 6
4.4 The Emergency Response Plan 8
4.5 Documentation 8
4.6 Small Organisations 9

5 Safety Risk Management

5.1 Hazard Identification Processes 10

5.2 Risk Assessment and Mitigation Processes 10
5.3 Internal Safety Investigations 13
5.4 Small Organisations 14

6 Safety Assurance

6.1 Safety Performance Monitoring and Measurement 14

6.2 The Management of Change 15
6.3 Continuous Improvement of the Safety System 15
6.4 Small Organisations 15

7 Safety Promotion

7.1 Training and Education 15

7.2 Safety Communication 16
7.3 Small Organisations 16

Appendix Management System Structure 17

April 2008 2
1 Introduction

The purpose of this document is to provide guidance on the implementation of Safety

Management Systems (SMS) for Air Operator’s Certificate (AOC) holders and
Maintenance Organisations. The guidance is designed to give the reader basic
information on SMS concepts and the development of management polices and
processes. The guidance assumes the reader has a sound understanding of SMS
principles. There is a significant amount of information giving guidance on the structure
and implementation of SMS in various publications, both dealing with aviation and other
industries. While operators are encouraged to review this material, future legislation
governing the mandating of SMS will be based upon ICAO Document 9859 – Safety
Management Manual. Operators are therefore encouraged to use ICAO Document 9859
as their principal source of guidance on SMS.

This guidance takes into account the developing European Aviation Safety Agency
(EASA) Implementing Rules (IR) on Management Systems and will be updated as the IRs
develop.

It is important to recognise that SMS are top down driven systems, which means that the
Accountable Manager of the organisation is responsible for the implementation and
continuing compliance of the SMS. Without the wholehearted support of the Accountable
Manager an SMS will not be effective.

There is no ‘one size fits all’ model of an SMS that will cater for all types of operators.
Complex SMS are likely to be inappropriate for small operators, and such operators
should tailor their SMS to suit the size, nature and complexity of the operation and allocate
resources accordingly. Guidance for small operators is specifically covered in this
document.

2 Management Systems

2.1 Introduction

The management system of an organisation should ideally comprise two separate but
complementary systems, the Quality Management System (QMS) and the SMS. The QMS
and SMS should correspond to the size, nature and complexity of the organisation and
take account of all of the hazards and risks associated with its activities.

A Management System should describe the structure of the organisation, available

resources, staff accountabilities and responsibilities and how decisions are taken and
managed throughout the organisation.

2.2 Quality Management System

The role of the QMS is to monitor compliance with and the adequacy of procedures
required to ensure safe operational practices and airworthy aeroplanes. The QMS and
SMS have complementary but independent functions with the QMS monitoring the SMS.

2.3 Safety Management System

An SMS is an organised approach to managing safety, including the necessary

organisational structures, accountabilities, policies and procedures.

The complexity of the SMS should match the organisation’s requirements for managing
safety.

April 2008 3
 At the core of the SMS is a formal Risk Management process that identifies hazard and
analyses and mitigates risk.

2.4 Safety Management System Implementation Plan

The first step, when introducing SMS into an organisation, is to develop an implementation
plan. This will be a realistic strategy for the implementation of SMS that meets the needs
of the organisation and defines the approach taken for managing safety. The contents of
the plan should include:

(a) safety policy;

(b) safety planning objectives and goals;
(c) system description;
(d) gap analysis;
(e) SMS components;
(f) safety roles and responsibilities;
(g) safety reporting policy;
(h) means of employee involvement;
(i) safety communication;
(j) safety performance measurement;
(k) management review of safety performance; and
(l) safety training.

2.5 Small Organisations

For a small organisation a simplified SMS implementation plan should be developed that
includes:

(a) the organisation’s approach to managing safety in a manner that meets its safety
needs;
(b) coordination with the SMS of other organisations with which it interfaces during the
provision of services; and
(c) endorsement by senior management and communication throughout the
organisation.

Note: For additional information on implementing an SMS refer to the ICAO Safety
Management Systems Implementation Evaluation Guide.

3 The Components of a Safety Management System

An SMS should comprise the following four components:

(1) Safety Policy and Objectives

(2) Safety Risk Management
(3) Safety Assurance
(4) Safety Promotion

April 2008 4
4 Safety Policy and Objectives

The Safety Policy outlines the methods and processes that the organisation will use to
achieve desired safety outcomes. The creation of a positive safety culture begins with a
clear, unequivocal direction from the Accountable Manager.

In preparing a safety policy, Senior Management should consult with key staff members in
charge of safety critical areas. Consultation will ensure that the safety policy and stated
objectives are relevant to all staff and that there is a sense of shared responsibility for the
safety culture in the organisation.

The Safety Policy and Objectives can be divided into the following five areas:

(1) Management Commitment and Responsibility

(2) Safety Accountabilities of Managers
(3) Appointment of Key Safety Personnel
(4) The Emergency Response Plan
(5) Documentation

4.1 Management Commitment and Responsibility

The Accountable Manager should have full responsibility for the SMS and should have:

(a) corporate authority for ensuring all activities can be financed and carried out to the
required standard;
(b) full authority for ensuring adequate staffing levels;
(c) direct responsibility for the conduct of the organisation’s affairs;
(d) final authority over operational matters; and
(e) final responsibility for all safety issues.

Senior Management should:

(a) develop the safety policy, endorsed by the Accountable Manager;

(b) continuously promote the safety policy to all staff and demonstrate their
commitment to it;
(c) provide necessary human and financial resources; and
(d) establish safety objectives and performance standards for the SMS. The safety
objectives and performance standards should be linked to the safety performance
indicators, safety performance targets and safety requirements of the SMS.

4.2 Safety Accountabilities of Managers

The organisation should define the accountabilities of the Accountable Manager and the
safety responsibilities of key personnel.

It is essential that safety management is seen as an integral strategic aspect of the

organisation’s business by assigning the highest priority to safety. With this in mind, there
has to be a demonstrable Board level commitment to an effective SMS.

The Accountable Manager with the Senior Management team set the standard for the
organisation’s safety culture. Without this commitment, an SMS will be ineffective.

April 2008 5
4.3 Appointment of Key Safety Personnel

Whilst the organisational structure of the SMS should reflect the size, nature and
complexity of the organisation, it should take into account the:

(a) appointment of a Safety Manager; and

(b) creation of safety committees.

4.3.1 The Safety Manager

The Safety Manager should be a Senior Management appointment in the organisation in

order to provide the necessary degree of authority when dealing with safety matters and
should report directly to the Accountable Manager of the organisation.

The Safety Manager should possess:

(a) operational management experience and have a technical background sufficient to

understand the systems that support the organisation;
(b) people skills;
(c) analytical and problem solving skills;
(d) project management skills; and
(e) oral and written communication skills.

It is important to note that accountability for the SMS lies with the Accountable Manager
not the Safety Manager.

The Safety Manager is responsible for and is the focal point for the development,
administration and maintenance of an effective SMS.

The Safety Manager should carry out at least the following functions:

(a) manage the SMS implementation plan on behalf of the Accountable Manager;
(b) facilitate the risk management process that should include hazard identification,
risk assessment and risk mitigation;
(c) monitor any corrective action required in order to ensure accomplishment;
(d) provide periodic reports on safety performance;
(e) maintain safety documentation;
(f) plan and organise staff safety training;
(g) provide independent advice on safety matters;
(h) advise Senior Managers on safety matters;
(i) assist Line Managers;
(j) oversee hazard identification systems; and
(k) be involved in occurrence/accident investigations.

April 2008 6
4.3.2 Safety Committees

Safety Review Board

The Safety Review Board (SRB) is a high level committee which considers strategic safety
functions. The board should be chaired by the Accountable Manager and should normally
include the Senior Management of the organisation. If required, directors of the
organisation should be included in the SRB.

The SRB ensures that appropriate resources are allocated to achieve the established
safety performance and gives strategic direction to the Safety Action Group (SAG).

The SRB monitors:

(a) safety performance against the safety policy and objectives;

(b) effectiveness of the SMS implementation plan;
(c) effectiveness of the safety oversight of sub-contracted organisations;
(d) that necessary corrective or mitigating actions are being taken in a timely manner;
and
(e) effectiveness of the auditing of the SMS.

Safety Action Group

The SAG reports to and takes strategic direction from the SRB. It comprises managers,
supervisors and staff from operational areas. The Safety Manager may also be included in
the SAG.

The safety action group:

(a) oversees operational safety;

(b) resolves identified risks;
(c) assesses the impact on safety of operational changes;
(d) implements corrective action plans; and
(e) ensures that corrective action is achieved within agreed timescales.

The safety action group reviews:

(a) the effectiveness of previous safety recommendations; and

(b) safety promotion.

4.4 The Emergency Response Plan

An Emergency Response Plan (ERP) should be established that provides the actions to
be taken by the organisation or individuals in an emergency. The ERP should be
integrated into the SMS and reflect the size, nature and complexity of the activities
performed by the organisation.

The ERP should ensure:

(a) an orderly and efficient transition from normal to emergency operations;

(b) designation of emergency authority;
(c) assignment of emergency responsibilities;

April 2008 7
 (d) authorisation by key personnel for actions contained in the plan;
(e) coordination of efforts to resolve the emergency; and
(f) safe continuation of operations or return to normal operations as soon as
practicable.

The ERP should set out the responsibilities, roles and actions for the various agencies
and personnel involved in dealing with emergencies.

An ERP should take into account such considerations as:

(a) governing policies;

(b) organisation;
(c) notifications;
(d) initial response;
(e) additional assistance;
(f) Crisis Management Centre (CMC);
(g) records;
(h) accident site;
(i) news media;
(j) formal investigations;
(k) family assistance;
(l) post-critical incident stress counselling; and
(m) post-occurrence review.

4.5 Documentation

Documentation for an SMS should be representative of the nature, scale and complexity
of the organisation and normally consist of:

(a) applicable regulations;

(b) SMS records;
(c) records management; and
(d) SMS manual.

The safety policy should include a commitment to:

(a) achieve the highest safety standards;

(b) observe all applicable legal requirements, standards and best practice;
(c) provide appropriate resources;
(d) enforce safety as one primary responsibility of all Managers; and
(e) ensure that the policy is implemented and understood at all levels both internally
and externally.

April 2008 8
 The organisation’s SMS manual should be the key instrument for communicating the
approach to safety for the whole of the organisation and should document all aspects of
the SMS, including the safety policy, objectives, procedures and individual safety
accountabilities. Contents should include:

(a) scope of the SMS;

(b) safety policy and objectives;
(c) safety accountabilities;
(d) key safety personnel;
(e) documentation control procedures;
(f) hazard identification and risk management schemes;
(g) safety performance monitoring;
(h) emergency response planning;
(i) management of change;
(j) safety promotion; and
(k) contracted activities.

4.6 Small Organisations

The SMS of a small organisation may address the following items in a simplified manner:

4.6.1 Safety Accountabilities of Managers and Staff

(a) The organisation should identify the accountable manager who, irrespective of
other functions, should have ultimate responsibility and accountability, on behalf of
the organisation, for the implementation and maintenance of the SMS.
(b) The organisation should also identify the safety accountabilities of all management
and staff members, irrespective of other functions. Safety accountabilities and
authorities should be documented and communicated throughout the organisation.
(c) In a small organisation one person may exercise both the accountable manager
and senior management functions.

4.6.2 Appointment of Key Safety Personnel

(a) The organisation should identify a manager to be the responsible individual and
focal point for the implementation and maintenance of an effective SMS.
(b) In a small organisation the functions of the SRB and SAG may need to be
devolved to individuals rather than a committee.

4.6.3 Coordination of Emergency Response Planning

The organisation should develop, coordinate and maintain an ERP that ensures orderly
and efficient transition from normal to emergency operations, and return to normal
operations.

April 2008 9
4.6.4 Documentation

(a) The organisation should develop and maintain SMS documentation to describe the
safety policy and objectives, the SMS requirements, the SMS procedures and
processes, the accountabilities, responsibilities and authorities for procedures and
processes, and the SMS outputs.
(b) As part of the SMS documentation, the organisation should develop and maintain
a safety management manual (SMM), to communicate its approach to safety
throughout the organisation.
(c) The SMM may be a chapter in the organisation manual.

5 Safety Risk Management

The Safety Risk component of an SMS can be divided into three areas:

(1) Hazard identification processes.

(2) Risk assessment and mitigation processes.
(3) Internal safety investigation.

Safety is a condition in which the risk of harm or damage is limited to an acceptable level.
Safety management is centred on a systematic approach to hazard identification and risk
management. The hazards creating risk can be identified through SMS processes. The
process of moving from hazard identification to risk assessment and risk mitigation is a
risk management process.

5.1 Hazard Identification Process

A hazard is any situation or condition that has the potential to cause adverse
consequences. A hazard identification process is the formal means of collecting,
recording, analysing, acting on and generating feedback about hazards that affects the
safety of the operational activities of the organisation. In a mature SMS hazard
identification is an ongoing process.

The scope of hazard identification is across the operational activities of the organisation
with data derived from reactive and proactive schemes. Reactive schemes include data
from accidents, incidents and flight data monitoring. Proactive schemes include voluntary
incident reporting, confidential reporting schemes, safety surveys, operational safety
audits and safety assessments. Managed group sessions can also be used to identify
hazards.

5.2 Risk Assessment and Mitigation Process

Following the identification of a hazard a form of analysis is required to assess its potential
for harm or damage. This involves three considerations;

(a) Probability: The probability of the hazard causing adverse consequences.

(b) Severity: The severity of the potential adverse consequences.
(c) Exposure: The rate of exposure to the hazard.

Risk Assessment and Mitigation Processes analyse and eliminate or mitigate to an

acceptable level risks that could threaten the capabilities of an organisation.

A diagram showing the hazard analysis and risk assessment process is shown below:

April 2008 10
 Hazard Identification Identify the hazards to equipment, property, personnel or the
organisation.

Risk Assessment Evaluate the seriousness of the consequences of the hazard

Severity of occurrence occurring.

Risk Assessment What is the possibility of it happening?

Probability of occurrence

Risk Assessment Is the consequent risk acceptable and within the organisation’s
Acceptability safety performance criteria?
YES NO

Take action to reduce the risk to an

Accept the risk.
acceptable level.

A system should be developed for assessing and analysing the data collected or derived
from the actions outlined above. Information provided by analysis should be distributed to
those with a responsibility for operational safety in the organisation.

Confidential reporting systems should be based on established human factors principles

including an effective feedback process.

5.2.1 Risk

Risk is the assessed potential for adverse consequences resulting from hazard if its
potential to cause harm is realised. A hazard has the potential to cause harm, while risk is
the likelihood of that harm being realised within a specific time-scale.

5.2.2 Risk Assessment

Risk Assessment involves taking into account the probability and severity of any adverse
consequences resulting from an identified hazard. Mathematical models may give credible
results but typically these analyses are supplemented qualitatively by subjective critical
and logical analysis of the inter-related facts. A Risk Matrix is useful for assessing hazard.
While the severity of the consequences can be defined, the probability of occurrence may
be more subjective, based on the maturity of the organisation’s operational activities. The
assessment process should be recorded at each stage to form a substantive record.

April 2008 11
Risk Assessment Matrix

Severity
Catastrophic 5 10 15 20 25
5
Review Unacceptable Unacceptable Unacceptable Unacceptable
Hazardous 4 8 12 16 20
4
Acceptable Review Unacceptable Unacceptable Unacceptable
Major 3 6 9 12 15
3
Acceptable Review Review Unacceptable Unacceptable
Minor 2 4 6 8 10
2
Acceptable Acceptable Review Review Unacceptable
Negligible 1 2 3 4 5
1
Acceptable Acceptable Acceptable Acceptable Review
Extremely
Improbable Remote Occasional Frequent
improbable
1 2 3 4 5
Probability

Severity of Consequences

Aviation Definition Meaning Value

Catastrophic Equipment destroyed. Multiple deaths. 5
A large reduction in safety margins, physical distress or a
workload such that organisations cannot be relied upon to
Hazardous 4
perform their tasks accurately or completely. Serious injury
or death to a number of people. Major equipment damage.
A significant reduction in safety margins, a reduction in the
ability of organisations to cope with adverse operating
Major conditions as a result of an increase in workload, or as a 3
result of conditions impairing their efficiency. Serious
incident. Injury to persons.
Nuisance. Operating limitations. Use of emergency
Minor 2
procedures. Minor incident.
Negligible Little consequence. 1

Probability of Occurrence

Qualitative Definition Meaning Value

Frequent Likely to occur many times.
5
(1 to 10-3 per hour)
Occasional Likely to occur sometimes.
4
(10-3 to 10-5 per hour)
Remote Unlikely, but possible to occur.
3
(10-5 to 10-7 per hour)
Improbable Very unlikely to occur.
2
(10-7 to 10-9 per hour)
Extremely improbable Almost inconceivable that the event will occur.
1
(<10-9 per hour)

April 2008 12
Risk Classification

Acceptable The consequence is so unlikely or not severe enough to be of concern;

the risk is tolerable. However, consideration should be given to
reducing the risk further to as low as reasonably practicable in order to
further minimise the risk of an accident or incident.
Review The consequence and/or probability is of concern; measures to mitigate
the risk to as low as reasonably practicable should be sought. Where
the risk is still in the review category after this action then the risk may
be accepted, provided that the risk is understood and has the
endorsement of the individual ultimately accountable for safety in the
organisation.
Unacceptable The probability and/or severity of the consequence is intolerable. Major
mitigation will be necessary to reduce the probability and severity of the
consequences associated with the hazard.

5.2.3 Risk Mitigation

Risks should be managed to be as low as reasonably practicable. Risk must be balanced

against the time, cost and difficulty of taking measures to reduce or eliminate the risk. The
level of risk can be lowered by reducing the severity of the potential consequences,
reducing the probability of occurrence or by reducing exposure to that risk. Corrective
action will take into account any existing defences and their inability to achieve an
acceptable level of risk. Corrective action should be subject to further risk assessment as
outlined in paragraph 5.2.2 above, in order to determine that the risk is now acceptable
and that no further risk has been introduced into operational activities.

5.3 Internal Safety Investigations

The scope of internal safety investigations should include occurrences that are not
required to be investigated or reported to the CAA. Though often of a supposed minor
nature, they could be indicative of a potential hazard that would only be revealed through
a systematic investigation.

5.3.1 Scope of Safety Investigations

The scale and scope of any investigation should be suitable to determine and validate the
underlying hazards. A systems approach is useful to provide a broad appreciation of the
context of any occurrence. Effort expended should be proportional to the perceived benefit
to the organisation in terms of identifying hazard and risk.

5.3.2 Investigation Methodology

Investigations follow an iterative process that may require going back and repeating steps
as new data is acquired or new conclusions are reached. Information sources will include:

(a) documentation;
(b) operational data monitoring;
(c) interviews;
(d) simulations; and
(e) safety databases.

April 2008 13
5.3.3 Safety Recommendations

An organisation should have procedures to communicate the results of any safety

investigations and where appropriate to address hazards as outlined in paragraph 5.2
above.

5.4 Small Organisations

The Safety Risk Management System for small organisations should include a hazard
identification, risk analysis and mitigation process, but may do so in a simplified manner.

The Hazard Identification and Risk Analysis Process may involve a risk profiling process
that has been developed for activities of the type being conducted, and that leads to
commonly accepted mitigation strategies which in turn are tracked by the organisation to
ensure that they are appropriate to the circumstances and that they are effective.

The Safety Risk Management System may also use hazard checklists or similar risk
management processes, which are integrated into the activities of the organisation.

6 Safety Assurance

The three aspects of safety assurance are:

(a) safety performance monitoring, measurement and review;

(b) the management of change; and
(c) continuous improvement of the safety system.

6.1 Safety Performance Monitoring and Measurement

Safety performance monitoring and measurement should be the process by which the
safety performance of the organisation is verified in comparison to its safety policies and
objectives. This process should include;

(a) safety reporting;

(b) safety studies;
(c) safety reviews including trends reviews;
(d) safety audits; and
(e) surveys.

Safety audits are used to ensure that the structure of the SMS is sound in terms of:

(a) adequate staff levels;

(b) compliance with approved procedures and instructions; and
(c) level of competency and training to operate equipment and facilities and maintain
their levels of performance.

Safety surveys examine particular elements or processes of a specific operation and may
involve the use of:

(a) checklists;
(b) questionnaires; and
(c) informal confidential interviews.

April 2008 14
 Survey information is subjective and should therefore be verified before any corrective
action is initiated but may provide an inexpensive source of safety information.

6.2 The Management of Change

The Management of Change should be a formal process that identifies external and
internal change that may affect established processes and services. It utilises the
organisation’s existing risk management process to ensure that there is no adverse effect
on safety. Change can introduce new hazards that could impact the appropriateness and
effectiveness of any existing risk mitigation.

6.3 Continuous Improvement of the Safety System

Continuous Improvement:

(a) should determine the immediate causes of below-standard performance and their
implications in the operation of the SMS; and
(b) should rectify situations involving below-standard performance identified through
safety assurance activities.

Continuous Improvement should be achieved through:

(a) evaluation of facilities, equipment, documentation and procedures through safety

audits and surveys;
(b) evaluation of an individual’s performance to verify the fulfilment of their safety
responsibilities;
(c) reactive evaluations in order to verify the effectiveness of the system for control
and mitigation of risk, e.g. incidents, accidents and investigations; and
(d) tracking changes to ensure that they are effective.

6.4 Small Organisations

The Safety Assurance Process in a small organisation may consist of periodic external
safety audits that assist the organisation in verifying safety performance and rectifying any
identified instances of sub-standard SMS performance.

7 Safety Promotion

7.1 Training and Education

All staff should receive safety training as appropriate for their safety responsibilities. In
particular all Operational Staff, Managers, Supervisors, Senior Managers and the
Accountable Manager should be trained and be competent to perform their SMS duties.

Operational Staff - Operational staff should have an understanding of the organisation’s

safety policy and an overview of the fundamentals of SMS.

Managers and Supervisors - Managers and supervisors should understand the safety
process, hazard identification, risk management and the management of change.

Senior Managers - Senior Managers should understand organisational safety standards,

safety assurance and the regulatory requirements for their organisation.

Accountable Manager - The Accountable Manager should have an awareness of SMS

roles and responsibilities, safety policy, SMS standards and safety assurance.

April 2008 15
7.2 Safety Communication

Safety communication is an essential foundation for the development and maintenance of

an adequate safety culture. The modes of communication may include:

(a) safety policies and procedures;

(b) newsletters;
(c) presentations;
(d) safety notices; and
(e) informal workplace meetings between staff and the Accountable Manager or
Senior Managers.

Safety communication should:

(a) ensure that all staff are fully aware of the SMS and the organisation’s safety
culture;
(b) convey safety critical information;
(c) explain why certain actions are taken;
(d) explain why safety procedures are introduced or changed;
(e) complement and enhance the organisation’s safety culture; and
(f) contain a process for assessing the suitability of safety communication and its
effect on the organisation.

7.3 Small Organisations

7.3.1 Training

(a) All staff should receive safety training as appropriate for their safety
responsibilities.
(b) The safety training programme may consist of e-learning or similar training
provided by training service providers.

7.3.2 Communication

(a) The organisation should establish communication about safety matters that:
(i) ensures that all staff are fully aware of the SMS;
(ii) conveys safety critical information, and especially that related to assessed
risks and analysed hazards;
(iii) explains why particular actions are taken; and
(iv) explains why safety procedures are introduced or changed.
(b) Regular staff meetings where information, actions and procedures are discussed
may be used for the purpose of communications on safety matters.

April 2008 16
Appendix The Management System

Accountable Manager sets SMS and Quality policy

Safety Management System Quality Management

System

Safety Manager
Quality Manager
Safety Review Board
Identified Quality Assurance
Hazards Cycle
ASRs, MORs,
Safety Action Group
Safety Audits,
Incidents, Quality System monitors
Accidents, AAIB
compliance

Risk Management
Process Planning

Assess Risk
Audit

Risk accepted
Findings
Record Fact Yes No
Safety issues
highlighted or
mitigation control
failed
Establish Risk Mitigation

Responsible Department/individual implement Rectification

risk control/measure

Performance review by Safety Review

Board

Performance finds risk mitigation controlled

hazard

No Yes Record Fact

April 2008 17