VOLUME 17 SAFETY MANAGEMENT SYSTEM
CHAPTER 1 GENERAL
Section 1 Safety Management SystemOverview
A. Purpose. This volume provides guidance for Federal Aviation Administration
(FAA) Flight Standards Service (FS) personnel on the acceptance and continued
oversight of Safety Management Systems (SMS) as required under Title 14 of the
Code of Federal Regulations (14 CFR) part
the Safety Management System Voluntary Program (SMSVP) Standard.
1) SMSs required for new 14 CFR part
in accordance with 14 CFR part
§ 119.8(b) are
addressed in Volume 2, Chapter 3. The SMSVP Standard is based on the requirements in part
was done to ensure consistency with oversight and harmonization in guidance materials. As such, tools developed
for the SMSVP could be used to provide oversight for certificate holders that have a regulatory SMS under part
2) Advisory Circular (AC)
Management Systems for Aviation Service Providers, has been developed to provide additional guidance on how
certificate holders may comply with the requirements of part
the SMSVP Standard. Information is provided to aid in scaling the SMS to meet the certificate
holder’s requirements. The information in the AC is considered to be an acceptable
means of compliance with part
the SMSVP Standard. While it is not mandatory, certificate holders are encouraged
to work with their Certificate Management Team (CMT) when developing and implementing their SMS.
B. Scope. This section explains the background for part
the SMSVP Standard and how existing programs such as an Aviation Safety Action Program
(ASAP) and Continuing Analysis and Surveillance System (CASS) can be integrated
into a certificate holder’s SMS, and provides an overview of SMS implementation strategies.
1) The International Civil Aviation Organization (ICAO), in its March
2006 Amendment No. 30 to Annex 6, Part I, International Commercial Air TransportAeroplanes, established an
international standard requiring Member States to mandate SMS implementation
for commercial operators. SMS requirements were later transferred to a new Annex 19, Safety Management, in July 2013.
2) Congress, through the Airline Safety and Federal Aviation Administration
Extension Act of 2010 (Public Law (PL) 111-216, August 1, 2010), directed the
FAA to conduct rulemaking to “require all part
carriers to implement a safety management system.” Part
holders as of March 9, 2015 were given 3 years to have a fully implemented and accepted SMS under the
regulatory requirements of part
5. All new
part 121 applicants
must have an accepted SMS as a part of their certification requirements prior to issuance of an Air Operator
Certificate (AOC) in accordance with §
NOTE: Air Agency or Air Carrier Certificate holders desiring an SMS
for international operations where an SMS is required, or for other reasons
which require State (FAA) acceptance of the SMS, must comply with the requirements
of the SMSVP Standard. These requirements are located in Volume 17, Chapter 3.
The SMSVP Standard and part
identical requirements to ensure there is harmonization between standardized
FAA assessments of management systems. They also share the same job aids and guidance material.
the SMSVP Standard harmonize U.S. requirements for certificate
holders implementing an SMS requiring State acceptance with ICAO SMS standards.1
D. Integration. An SMS is not meant to be a separate
system built alongside or on top of other business systems. An SMS must be integrated as an
existing business structure that supports the daily operations of the service provider. A properly integrated
SMS improves a service provider’s ability to leverage data to make informed
decisions and reduces failures associated with implementing new or revised operational processes.
Part 5 defines
the requirements that service providers must implement
to obtain an “FAA-accepted” SMS under a mandatory or voluntary implementation
scheme. It must be understood that SMS processes cannot be leveraged by a service
provider, in any way, as a substitute for compliance with other applicable regulatory
requirements. This prohibition on leveraging an SMS would include: substituting
service provider risk acceptance decisions for compliance, thwarting the FAA’s
exemption and deviation processes, and/or delaying regulatory compliance actions
by the service provider. Therefore, it is not the intent or purpose of an SMS
to circumvent regulatory compliance; it is rather a management support mechanism
to enhance a service provider’s ability to maintain compliance with applicable
regulations and manage its inherent operational risks.
17-1-1-3 DEFINITIONS. This section contains definitions that are used throughout
the SMS guidance in this volume. Additional definitions may be located throughout
this volume to provide clarification when needed.
A. Causal Factors. The set of elements that affect an event’s outcome. A causal
factor is not necessarily a root cause, because whereas
removing a causal factor can benefit an outcome, it does not with certainty
prevent recurrence of an undesirable event (see “Root Cause” and “Root Cause Analysis (RCA)” below).
B. Certificate Holder. For the purposes of the SMSVP, an organization
with an Air Operator or Air Agency Certificate issued by the Administrator.
C. Corporate Safety Management System (SMS). An SMS developed with standardized
processes and procedures to be utilized at the corporate and satellite organizational levels. The
SMS manuals can contain standardized SMS processes and procedures to ensure uniformity
and consistency within the organization. Minor operational differences applicable to the satellite
organizational level are acceptable.
D. Corrective Action. Addresses a nonconformity that has occurred.
E. Conformance. Agreement in nature or form of a presented document, process, or system.
F. Continued Operational Safety (COS). Routine recurring Performance
Assessments (PA) (i.e., routine surveillance through safety inspections). Also
includes certificate management, the management of major changes in operation
(i.e., system configuration changes).
G. Design Demonstration. An activity that demonstrates, for purposes
of validation, that a certificate holder’s design of safety management processes
function in an operational environment.
H. Design Review. Determines if a certificate holder’s safety management processes conform to the
I. Design Validation. CMT activities involving observations, audits,
and certificate management functions that provide sufficient information for
the CMT to assess whether a certificate holder’s system design achieves stated
objectives and meets published SMS standards.
J. Gap Analysis. Reviews and compares existing processes, procedures, programs,
and activities to the SMSVP Standard to identify processes and procedures that meet the
requirements and those requirements that need processes and procedures developed.
K. Hazard. Means a condition that can foreseeably cause or contribute
to an aircraft accident as defined in Title 49 of the Code of Federal Regulations
(49 CFR) part 830, § 830.2.
L. Implementation Plan. A roadmap with defined dates and personnel at
a certificate holder with defined actions to meet the requirements of the SMSVP Standard.
M. Organizational Safety Risk Management (SRM). A process
to identify hazards and associated risks, analyze risks, and
develop new risk controls affecting multiple process owner areas/departments
within the organization. Final risk acceptance for organizational SRM may be
accomplished at a management level above the process owner/department level,
or by a committee.
N. Process Owner. A person who is accountable for oversight of a process
within the organization and has final authority to accept risk which may exist within the process.
O. Preventive Action. Addresses the potential for a nonconformity to occur.
P. Risk. Means the composite of predicted severity and likelihood of
the potential effect of a hazard.
Q. Risk Control. Means a means to reduce or eliminate the effects of hazards.
R. Root Cause. The contributory events, or initiating events, which
started the adverse event flow are considered root causes. Should these causes
be eliminated, the hazardous event would not have occurred. It should be noted that accidents
are the result of many contributors, both unsafe acts and/or unsafe conditions.
S. Root Cause Analysis (RCA). A method for identifying the underlying
causal factor of a nonconformity or undesirable event. A causal factor is considered the root cause if its removal
from the event sequence prevents the undesirable event from recurring.
T. Root Cause Analysis (RCA) Corrective Action Plan (CAP). A formalized
plan to eliminate the causal factor that resulted in a nonconformity or undesirable event by addressing the factor
determined to be the root cause.
U. Safety Management Concepts. The integration of SMS requirements into oversight
methodology (either the Safety Assurance System (SAS) or the National Flight Standards Work
Program Guidelines (NPG)) of service providers/certificate holders to not only
ensure regulatory compliance, but also ensure hazard identification and measurable
risk controls to eliminate unacceptable risk.
V. Safety Assurance (SA). Means processes within the SMS that function
systematically to ensure the performance and effectiveness of safety risk controls
and that the organization meets or exceeds its safety objectives through the
collection, analysis, and assessment of information.
W. Safety Management System (SMS). Means the formal, top-down, organization-wide
approach to managing safety risk and assuring the effectiveness of safety risk controls. It includes
systematic procedures, practices, and policies for the management of safety risk.
X. Safety Objective. Means a measurable goal or desirable outcome related to safety.
Y. Safety Performance. Means realized or actual safety accomplishment
relative to the organization’s safety objectives.
Z. Safety Policy. Means the certificate holder’s documented commitment
to safety, which defines its safety objectives and the accountabilities and responsibilities of its employees
in regards to safety.
AA. Safety Promotion. Means a combination of training and communication
of safety information to support the implementation and operation of an SMS in an organization.
BB. Safety Risk Management (SRM). Means a process within the SMS composed
of describing the system, identifying the hazards, and analyzing, assessing, and controlling safety risk.
CC. System. A group of interacting, interrelated, or interdependent elements
forming a complete whole.
DD. Validation Project Plan (VPP). A forecast of CMT resources needed
to perform applicable assessments to confirm a certificate holder’s safety management activities and processes.
17-1-1-5 SMS FUNDAMENTALS.
A. What is an SMS? An SMS does not have to be an extensive, expensive,
or sophisticated array of techniques to meet the requirements of part
the SMSVP Standard. Rather, an SMS is developed by including the processes and procedures
that the organization is already accomplishing into the four components: safety
policy, SRM, SA, and safety promotion. Management system processes are utilized
in the certificate holder’s decision-making activities. A brief description
of these components is provided below.
1) Safety Policy. Safety policy consists of defining measurable safety
objectives, assigning employee responsibilities, and setting organizational
standards. It is also where management conveys to its employees its commitment
to the safety performance of the organization. As SRM and SA processes are developed,
executive management shall review the safety policy to ensure that the commitments
and objectives are being met and that the standards are being maintained.
2) SRM. The SRM component provides a proactive decision-making process
for identifying hazards and mitigating risk based on a thorough understanding
of the organization’s processes and procedures and their operating environment
prior to commencing operations with the newly developed processes
or procedures. SRM includes decision making regarding the process owner’s acceptance
of risk to operations. The SRM component is the organization’s way of addressing
unacceptable risk in the design of a process to reduce it to an acceptable level.
3) SA. SA provides the organization with the necessary processes to
analyze data to give confidence that the system performance meets the organization’s
safety objectives and that risk controls developed under SRM are effective. This includes
monitoring to ensure safety objectives are being met, thus improving the level of
safety performance. The data collected during SA will yield information used to
correct process performance and give input to design change requirements under SRM.
4) Safety Promotion. The last component, safety promotion, is designed
to ensure that an organization’s employees have a solid foundation regarding
their safety responsibilities, the organization’s safety policies and expectations,
reporting procedures, and a familiarity with risk controls that affect them.
Thus, training and communication are the two key areas of safety promotion.
B. Summary. SMS requirements need to be scalable to the organization’s
size and operational requirements. They should encourage involvement from employees
at all levels of the organization to identify hazards in the operational environment,
which will lead to improvements in processes and procedures to further improve
safety. A more detailed discussion of the SMS components and their processes is in Chapter 3 of
AC 120-92, Safety
Management System (SMS) Components Explained.
17-1-1-7 CONCEPTUAL OVERVIEW OF SRM AND SA.
A. Graphical Overview of SRM and SA Processes. Figure 17-1-1A,
Safety Management Decision‑Making Processes, provides an expanded
view of the two key components of the SMS: SRM and SA. The SRM and SA processes
follow a set of “Decision Steps,” which define specific activities that must
be accomplished. These decision steps are specified in part
in the SMSVP Standard. References are provided in the right-hand column of Figure 17-1-1A.
1) Step 1Description and Context. Requires the user of the process
to gain an overall understanding of the operation that is being developed or
to be performed. This is one of the most critical steps in the process as this is
where the system is defined and all operational aspects are identified.
2) Step 2Specific Information. Requires the process user to obtain information
about aspects of the systems and environments involved that may present risk.
3) Step 3Analysis. Requires the user to analyze or make sense of that information.
4) Step 4Assessment. Requires the user to make decisions regarding
the acceptability or risk of system performance.
5) Step 5Action: Problem Resolution. Requires the user to take the
necessary action to include a determination of action effectiveness.
Figure 17-1-1A. Safety Management Decision-Making Processes
1) In SRM, the first step, System Description (Analysis), is used to
define and understand the aspects of the operation that are being designed or
redesigned. This is the most structured and time-consuming part of the process,
but as a result it yields the greatest returns. Areas to consider include, but are not limited to:
• Ambient environment (e.g., physical conditions, weather);
• Equipment (hardware and software);
• External services (e.g., contract support, electric, telephone lines);
• Humanmachine interface;
• Human operators;
• Maintenance procedures;
• Operating environment (e.g., airspace, air route design);
• Operational procedures;
• Organizational culture;
• Organizational issues; and
2) The system description and analysis should identify and consider
activities and resources necessary for the system to function. Since hazard
identification flows from this system analysis, it is important to be very thorough
when performing this step. Hazard identification requires the responsible person
(process owner) within an organization to ask:
• What hazards exist in the operational environment?
• What are the human factors issues of the
operation (e.g., workload, distraction, fatigue, system complexity)?
• What are the limitations of the hardware, software, procedures, etc.?
a) When developing a system description defining how a system currently
functions (system description (analysis)), hazards will often become evident and identifiable (steps 1 and 2).
b) The hazard identification process then progresses to the next step, risk
analysis, where the severity and likelihood of the identified risks define the potential consequences
of operations. This culminates in an assessment of the acceptability of operating with these hazards and
their associated risk (risk assessment) or whether or not the risk of such operations can be mitigated
to an acceptable level (risk control). Operational managers, also referred to
as process owners, must be the persons who are accountable for these decisions.
NOTE: If controls are added to the system for risk mitigation, this
constitutes a change in design, meeting one of the four triggers for SRM. Part
running SRM again with a monitoring period assigned before
releasing the process to SA. This is to gain assurance that the risk has been
mitigated to acceptable levels.
C. SA and Interactions With SRM. After a system has been designed or
revised using the SRM process, special attention should be given to the new
or revised system using the SA process. These short-term assessments aid in
determining if the mitigation had the desired result. It should not be surprising to find at this time that there are
still things that were not considered or that there are changes in the operational
environment introducing new hazards to the process or procedure, requiring a
return to SRM. Thus, the SRM and SA processes operate in a continuous exchange.
1) In SA, the process continues with measuring and monitoring the performance
of the system (system monitoring) with the designed risk controls in place.
This involves a variety of data sources. As in SRM, the data needs to be analyzed
for it to be useful in decision making (risk analysis). In the case of SA, the
decision making (system assessment) can result in several decision paths. If
the data and analysis show that the system and its risk controls are functioning
as intended, system monitoring continues and management can have confidence
in system safety performance.
2) If this is not the case, the analysis needs to continue to determine
if the shortfall is due to controls not being used as intended (e.g., required
training not accomplished, procedures not followed, improper tools or equipment
provided, etc.). If this is identified as a problem, this is a performance issue
and a corrective action should be taken to ensure the risk controls are utilized
as intended. If a new hazard is identified, or the system is not operating as expected,
the system design needs to be reevaluated using the path back to SRM.
3) The path back to SRM is an important part of the SA process. The
SA process monitors daily system operations. This might be the first time operational
systems have a hazard identified, which requires a review utilizing the SRM processes for identified hazards and
4) Managers who are responsible for operational processes and procedures
are the process owners. They are also responsible for assuring that the processes
and procedures are performing as intended from a safety, as well as an operational,
perspective. Correct design, expected performance, and effective risk controls
are key concerns of executive management, specifically, the accountable executive.
17-1-1-9 SMS SUPPORT. The following offices and points of contact (POC) are available
to provide assistance with question or issues that arise during SMS development,
implementation, and acceptance processes.
A. CMT. The CMT, which could also be known as a certificate management
unit (CMU) or responsible Flight Standards office, is comprised of FAA aviation
safety inspectors (ASI) and other professionals from various specialties assigned
to the certificate holder’s certificate for oversight. These offices are the
primary interfaces for questions and concerns which might arise during SMS implementation
and validation activities. As the FAA personnel with the closest relationship
with the certificate holder, they are in the best position to answer questions
and provide guidance in a timely manner consistent with CMT office policy. During
SMS implementation, the CMT will periodically review the certificate holder’s
progress and provide feedback. They will also conduct most of the validation
activities that are required to accept a certificate holder’s SMS. This communication between the certificate
holder and the CMT ensures that requirements in the SMSVP Standard are addressed
in a timely manner to allow timely corrections during the implementation process. Part
will follow the procedures in Volume 2.
B. Office of Safety Standards POC, Air Carrier and General Aviation Safety
Assurance Within the Foundational Business Organizations. The Safety Standards
POCs within the Office of Foundational Business’ staff, with the assistance
of the Safety Management System Program Office (SMSPO), stay abreast of the
latest SMS developments and information. They are appointed subject matter experts
(SME) and resources for the CMTs.
C. SMSPO. This office provides policy and guidance on FS internal and
external SMS requirements and interfaces. The SMSPO complies with Aviation Safety’s (AVS) related SMS
orders and policy. The office provides direction, guidance, and coordination
with POCs in the Office of Safety Standards and Safety Assurance offices as
it develops SMS policies, procedures, and work instructions. The SMSPO also
develops and maintains SMS policy and guidance for FAA-certificate holder advisory
material, interfaces with oversight systems, and provides management of the SMSVP. The SMSPO develops and uses standardized
outreach, familiarization, and orientation materials for SMS.
D. Implementation Support Team (IST). As part of the SMSPO, the IST
is the primary interface between the SMSPO and principal inspectors (PI), CMT
personnel, Safety Standards and Safety Assurance offices, and divisional SMS
specialists. The IST provides briefings, orientation sessions, meetings, and/or
workshops to support a certificate holder’s CMTs with SMS implementation activities. SMS
IST members will provide guidance, facilitation, and suggestions on SMS issues to both the CMT and certificate
holder. The IST is available as a resource throughout SMS implementation. SMSPO
IST assistance can be obtained by emailing the SMSPO National Coordinator at
17-1-1-11 GENERAL CONSIDERATIONS DURING SMS IMPLEMENTATION.
A. Scalability. Section
that “The SMS must be appropriate to the size, scope, and complexity of the certificate holder’s operation.” This
means that resource commitment to SMS by different-sized organizations may vary,
as those organizations develop different ways to satisfy the requirements of part
the SMSVP Standard. An effective SMS must include all parts of the
organization that have a direct impact on aviation safety, including operational
lines of business (LOB) (e.g., flight operations, maintenance, cabin, and cargo)
as well as the organizational leadership (e.g., corporate, divisional, and departmental).
As the certificate holder develops and implements an SMS into its organization, it is necessary that part
the SMSVP Standard requirements exist across all LOBs and leadership that have a direct effect on aviation safety. AC
chapter 3, provides additional discussion and examples of scalability for the SMS requirements. Corporate SMSs,
where multiple FAA certificate holders operate under one corporate umbrella,
are being developed for future inclusion in Volume 17, Chapter 4.
B. Oversight Considerations.
ApplicantsCertification Project Team (CPT) Oversight. The CPT
is responsible for the certification process of the applicant. Therefore, the CPT manager is responsible
for accepting the applicant’s SMS as required by part
part of the initial certification. Certification of new part
is addressed in Volume 2, Chapter 3.
2) SMSPO Oversight. The SMSPO is responsible for the SMSVP. The SMSPO
will approve, with CMT recommendations, the certificate holder’s SMS implementation
plan and ultimately accept the certificate holder’s SMS as required by the SMSVP
in accordance with Volume 17. They also provide guidance to the CPTs working
with new applicant certifications concerning SMS issues and concerns.
3) During SMS Implementation. During the SMS implementation process,
the existing certificate holders must continue to comply with all applicable
regulations. The CMT will continue its normal oversight and certificate management
duties while also performing SMS oversight and validation activities. Once the
certificate holder’s SMS implementation plan is approved, the certificate holder will follow that plan and begin
to design, develop, modify, and align SMS processes and procedures into their
business model and operational environment. Any changes to the implementation
plan will have to be submitted to the CMT for review and reapproval. This reapproval
process is necessary to ensure FAA resources are properly forecast and scheduled.
This process is further defined in Volume 17, Chapter 3.
4) Evaluation of Compliance. CMTs will assess the certificate holder’s
SMS implementation to include monitoring of adherence to the implementation
plan’s schedule, evaluating needs for changes to the plan, and evaluation of
compliance with the SMSVP Standard. Evaluation of the certificate holder’s SMS
processes will utilize the FAA’s SAS SMS Custom Data Collection Tools (C DCT)
or job aids located in Volume 17, Chapter 3.
5) Non-SAS Certificate Holders. For certificate holders not
managed under SAS, the CMT should record completion in SAS Activity Recording (AR) using
the appropriate codes for the “National Use” field utilizing the data entry process in
Volume 17, Chapter 3, Section 2,
paragraph 17-3-2-9. Activity codes 1045, 3045, and 5045 will be used as appropriate.
6) After the SMS is Implemented. COS will incorporate assessment of
the certificate holder’s safety management design and performance utilizing
guidance in Volume 10 for certificate holders managed under SAS. If a certificate holder is not managed under SAS,
inspectors will use the job aids in Volume 17, Chapter 3.
17-1-1-13 INTEGRATION OF EXISTING PROGRAMS. Certificate holders are encouraged to integrate their
existing programs into their SMS. By conducting a thorough gap analysis, certificate
holders can see which existing programs can be adopted or slightly modified
to meet the SMSVP Standard. Any programs that do not satisfy the requirements of part
the SMSVP Standard should be identified and revised as necessary.
Integration of existing programs is discussed in AC
information may be found in the preamble text of part
17-1-1-15 REFERENCES, FORMS, AND JOB AIDS.
A. References. The current editions of the following documents may be
helpful in developing and validating an SMS.
1) FAA Documents:
Management Systems for Aviation Service Providers.
• Information for Operators (InFO) 08022, FAA Safety
Management System (SMS) developmentsNo. 1.
• FAA Order
Standards Service Oversight.
• FAA Order
• FAA Order
VS 8000.367, Aviation
Safety (AVS) Safety Management System Requirements.
• FAA Order
VS 8000.370, Aviation
Safety (AVS) Safety Policy.
• FAA Order
Risk Management Policy.
2) International Publications:
• Annex 19 to the Convention on International Civil Aviation,
• ICAO Document 9859, Safety Management Manual (SMM).
3) Additional Guidance. The following references may be of value to users of this document:
Safety Reporting Program.
Disclosure Reporting Program.
Safety Action Program.
and Implementing an Air Carrier Continuing Analysis and Surveillance System.
Operational Quality Assurance.
Operations Safety Audits.
B. Forms. None.
C. Job Aids. This task may require access to the following job aids:
• SMSVP Design Validation and Design Demonstration Job Aids in
Volume 17, Chapter 3, Section 3,
Figures 17-3-3B through R.
• SMS COS Job Aids in
Volume 17, Chapter 3, Section 3,
Figures 17-3-3S through V.
• SAS SMS C DCTs.
• SMS Voluntary Program Gap Analysis Tool.
17-1-1-17 through 17-1-1-29 RESERVED.