12/9/20

 

8900.1 CHG 615

VOLUME 17  SAFETY MANAGEMENT SYSTEM

CHAPTER 1  GENERAL

Section 1  Safety Management System—Overview

17-1-1-1    GENERAL.

A.    Purpose. This volume provides guidance for Federal Aviation Administration (FAA) Flight Standards Service (FS) personnel on the acceptance and continued oversight of Safety Management Systems (SMS) as required under Title 14 of the Code of Federal Regulations (14 CFR) part 5 and the Safety Management System Voluntary Program (SMSVP) Standard.

1)    SMSs required for new 14 CFR part 121 applicants in accordance with 14 CFR part 119, § 119.8(b) are addressed in Volume 2, Chapter 3. The SMSVP Standard is based on the requirements in part 5. This was done to ensure consistency with oversight and harmonization in guidance materials. As such, tools developed for the SMSVP could be used to provide oversight for certificate holders that have a regulatory SMS under part 5.
2)    Advisory Circular (AC) 120-92, Safety Management Systems for Aviation Service Providers, has been developed to provide additional guidance on how certificate holders may comply with the requirements of part 5 and the SMSVP Standard. Information is provided to aid in scaling the SMS to meet the certificate holder’s requirements. The information in the AC is considered to be an acceptable means of compliance with part 5 and the SMSVP Standard. While it is not mandatory, certificate holders are encouraged to work with their Certificate Management Team (CMT) when developing and implementing their SMS.

B.    Scope. This section explains the background for part 5 and the SMSVP Standard and how existing programs such as an Aviation Safety Action Program (ASAP) and Continuing Analysis and Surveillance System (CASS) can be integrated into a certificate holder’s SMS, and provides an overview of SMS implementation strategies.

C.    Background.

1)    The International Civil Aviation Organization (ICAO), in its March 2006 Amendment No. 30 to Annex 6, Part I, International Commercial Air Transport—Aeroplanes, established an international standard requiring Member States to mandate SMS implementation for commercial operators. SMS requirements were later transferred to a new Annex 19, Safety Management, in July 2013.
2)    Congress, through the Airline Safety and Federal Aviation Administration Extension Act of 2010 (Public Law (PL) 111-216, August 1, 2010), directed the FAA to conduct rulemaking to “require all part 121 air carriers to implement a safety management system.” Part 121 certificate holders as of March 9, 2015 were given 3 years to have a fully implemented and accepted SMS under the regulatory requirements of part 5. All new part 121 applicants must have an accepted SMS as a part of their certification requirements prior to issuance of an Air Operator Certificate (AOC) in accordance with § 119.8.

NOTE:  Air Agency or Air Carrier Certificate holders desiring an SMS for international operations where an SMS is required, or for other reasons which require State (FAA) acceptance of the SMS, must comply with the requirements of the SMSVP Standard. These requirements are located in Volume 17, Chapter 3. The SMSVP Standard and part 5 have identical requirements to ensure there is harmonization between standardized FAA assessments of management systems. They also share the same job aids and guidance material.

3)    Part 5 and the SMSVP Standard harmonize U.S. requirements for certificate holders implementing an SMS requiring State acceptance with ICAO SMS standards.[1]

D.    Integration. An SMS is not meant to be a separate system built alongside or on top of other business systems. An SMS must be integrated as an existing business structure that supports the daily operations of the service provider. A properly integrated SMS improves a service provider’s ability to leverage data to make informed decisions and reduces failures associated with implementing new or revised operational processes. Part 5 defines the requirements that service providers must implement to obtain an “FAA-accepted” SMS under a mandatory or voluntary implementation scheme. It must be understood that SMS processes cannot be leveraged by a service provider, in any way, as a substitute for compliance with other applicable regulatory requirements. This prohibition on leveraging an SMS would include: substituting service provider risk acceptance decisions for compliance, thwarting the FAA’s exemption and deviation processes, and/or delaying regulatory compliance actions by the service provider. Therefore, it is not the intent or purpose of an SMS to circumvent regulatory compliance; it is rather a management support mechanism to enhance a service provider’s ability to maintain compliance with applicable regulations and manage its inherent operational risks.

17-1-1-3    DEFINITIONS. This section contains definitions that are used throughout the SMS guidance in this volume. Additional definitions may be located throughout this volume to provide clarification when needed.

A.    Causal Factors. The set of elements that affect an event’s outcome. A causal factor is not necessarily a root cause, because whereas removing a causal factor can benefit an outcome, it does not with certainty prevent recurrence of an undesirable event (see “Root Cause” and “Root Cause Analysis (RCA)” below).

B.    Certificate Holder. For the purposes of the SMSVP, an organization with an Air Operator or Air Agency Certificate issued by the Administrator.

C.    Corporate Safety Management System (SMS). An SMS developed with standardized processes and procedures to be utilized at the corporate and satellite organizational levels. The SMS manuals can contain standardized SMS processes and procedures to ensure uniformity and consistency within the organization. Minor operational differences applicable to the satellite organizational level are acceptable.

D.    Corrective Action. Addresses a nonconformity that has occurred.

E.    Conformance. Agreement in nature or form of a presented document, process, or system.

F.    Continued Operational Safety (COS). Routine recurring Performance Assessments (PA) (i.e., routine surveillance through safety inspections). Also includes certificate management, the management of major changes in operation (i.e., system configuration changes).

G.    Design Demonstration. An activity that demonstrates, for purposes of validation, that a certificate holder’s design of safety management processes functions in an operational environment.

H.    Design Review. Determines if a certificate holder’s safety management processes conform to the SMSVP Standard.

I.    Design Validation. CMT activities involving observations, audits, and certificate management functions that provide sufficient information for the CMT to assess whether a certificate holder’s system design achieves stated objectives and meets published SMS standards.

J.    Gap Analysis. Reviews and compares existing processes, procedures, programs, and activities to the SMSVP Standard to identify processes and procedures that meet the requirements and those requirements that need processes and procedures developed.

K.    Hazard. Means a condition that can foreseeably cause or contribute to an aircraft accident as defined in Title 49 of the Code of Federal Regulations (49 CFR) part 830, § 830.2.

L.    Implementation Plan. A roadmap with defined dates and personnel at a certificate holder with defined actions to meet the requirements of the SMSVP Standard.

M.    Organizational Safety Risk Management (SRM). A process to identify hazards and associated risks, analyze risks, and develop new risk controls affecting multiple process owner areas/departments within the organization. Final risk acceptance for organizational SRM may be accomplished at a management level above the process owner/department level, or by a committee.

N.    Process Owner. A person who is accountable for oversight of a process within the organization and has final authority to accept risk which may exist within the process.

O.    Preventive Action. Addresses the potential for a nonconformity to occur.

P.    Risk. Means the composite of predicted severity and likelihood of the potential effect of a hazard.

Q.    Risk Control. Means a means to reduce or eliminate the effects of hazards.

R.    Root Cause. The contributory events, or initiating events, which started the adverse event flow are considered root causes. Should these causes be eliminated, the hazardous event would not have occurred. It should be noted that accidents are the result of many contributors, both unsafe acts and/or unsafe conditions.

S.    Root Cause Analysis (RCA). A method for identifying the underlying causal factor of a nonconformity or undesirable event. A causal factor is considered the root cause if its removal from the event sequence prevents the undesirable event from recurring.

T.    Root Cause Analysis (RCA) Corrective Action Plan (CAP). A formalized plan to eliminate the causal factor that resulted in a nonconformity or undesirable event by addressing the factor determined to be the root cause.

U.    Safety Management Concepts. The integration of SMS requirements into oversight methodology (either the Safety Assurance System (SAS) or the National Flight Standards Work Program Guidelines (NPG)) of service providers/certificate holders to not only ensure regulatory compliance, but also ensure hazard identification and measurable risk controls to eliminate unacceptable risk.

V.    Safety Assurance (SA). Means processes within the SMS that function systematically to ensure the performance and effectiveness of safety risk controls and that the organization meets or exceeds its safety objectives through the collection, analysis, and assessment of information.

W.    Safety Management System (SMS). Means the formal, top-down, organization-wide approach to managing safety risk and assuring the effectiveness of safety risk controls. It includes systematic procedures, practices, and policies for the management of safety risk.

X.    Safety Objective. Means a measurable goal or desirable outcome related to safety.

Y.    Safety Performance. Means realized or actual safety accomplishment relative to the organization’s safety objectives.

Z.    Safety Policy. Means the certificate holder’s documented commitment to safety, which defines its safety objectives and the accountabilities and responsibilities of its employees in regards to safety.

AA.    Safety Promotion. Means a combination of training and communication of safety information to support the implementation and operation of an SMS in an organization.

BB.    Safety Risk Management (SRM). Means a process within the SMS composed of describing the system, identifying the hazards, and analyzing, assessing, and controlling safety risk.

CC.    System. A group of interacting, interrelated, or interdependent elements forming a complete whole.

DD.    Validation Project Plan (VPP). A forecast of CMT resources needed to perform applicable assessments to confirm a certificate holder’s safety management activities and processes.

17-1-1-5    SMS FUNDAMENTALS.

A.    What is an SMS? An SMS does not have to be an extensive, expensive, or sophisticated array of techniques to meet the requirements of part 5 or the SMSVP Standard. Rather, an SMS is developed by including the processes and procedures that the organization is already accomplishing into the four components: safety policy, SRM, SA, and safety promotion. Management system processes are utilized in the certificate holder’s decision-making activities. A brief description of these components is provided below.

1)    Safety Policy. Safety policy consists of defining measurable safety objectives, assigning employee responsibilities, and setting organizational standards. It is also where management conveys to its employees its commitment to the safety performance of the organization. As SRM and SA processes are developed, executive management shall review the safety policy to ensure that the commitments and objectives are being met and that the standards are being maintained.
2)    SRM. The SRM component provides a proactive decision-making process for identifying hazards and mitigating risk based on a thorough understanding of the organization’s processes and procedures and their operating environment prior to commencing operations with the newly developed processes or procedures. SRM includes decision making regarding the process owner’s acceptance of risk to operations. The SRM component is the organization’s way of addressing unacceptable risk in the design of a process to reduce it to an acceptable level.
3)    SA. SA provides the organization with the necessary processes to analyze data to give confidence that the system performance meets the organization’s safety objectives and that risk controls developed under SRM are effective. This includes monitoring to ensure safety objectives are being met, thus improving the level of safety performance. The data collected during SA will yield information used to correct process performance and give input to design change requirements under SRM.
4)    Safety Promotion. The last component, safety promotion, is designed to ensure that an organization’s employees have a solid foundation regarding their safety responsibilities, the organization’s safety policies and expectations, reporting procedures, and a familiarity with risk controls that affect them. Thus, training and communication are the two key areas of safety promotion.

B.    Summary. SMS requirements need to be scalable to the organization’s size and operational requirements. They should encourage involvement from employees at all levels of the organization to identify hazards in the operational environment, which will lead to improvements in processes and procedures to further improve safety. A more detailed discussion of the SMS components and their processes is in Chapter 3 of AC 120-92, Safety Management System (SMS) Components Explained.

17-1-1-7    CONCEPTUAL OVERVIEW OF SRM AND SA.

A.    Graphical Overview of SRM and SA Processes. Figure 17-1-1A, Safety Management Decision‑Making Processes, provides an expanded view of the two key components of the SMS: SRM and SA. The SRM and SA processes follow a set of “Decision Steps,” which define specific activities that must be accomplished. These decision steps are specified in part 5 and in the SMSVP Standard. References are provided in the right-hand column of Figure 17-1-1A.

1)    Step 1—Description and Context. Requires the user of the process to gain an overall understanding of the operation that is being developed or to be performed. This is one of the most critical steps in the process as this is where the system is defined and all operational aspects are identified.
2)    Step 2—Specific Information. Requires the process user to obtain information about aspects of the systems and environments involved that may present risk.
3)    Step 3—Analysis. Requires the user to analyze or make sense of that information.
4)    Step 4—Assessment. Requires the user to make decisions regarding the acceptability or risk of system performance.
5)    Step 5—Action: Problem Resolution. Requires the user to take the necessary action to include a determination of action effectiveness.

Figure 17-1-1A.  Safety Management Decision-Making Processes

B.    SRM.

1)    In SRM, the first step, System Description (Analysis), is used to define and understand the aspects of the operation that are being designed or redesigned. This is the most structured and time-consuming part of the process, but as a result it yields the greatest returns. Areas to consider include, but are not limited to:

    Ambient environment (e.g., physical conditions, weather);

    Equipment (hardware and software);

    External services (e.g., contract support, electric, telephone lines);

    Human–machine interface;

    Human operators;

    Maintenance procedures;

    Operating environment (e.g., airspace, air route design);

    Operational procedures;

    Organizational culture;

    Organizational issues; and

    Policies/rules/regulations.

2)    The system description and analysis should identify and consider activities and resources necessary for the system to function. Since hazard identification flows from this system analysis, it is important to be very thorough when performing this step. Hazard identification requires the responsible person (process owner) within an organization to ask:

    What hazards exist in the operational environment?

    What are the human factors issues of the operation (e.g., workload, distraction, fatigue, system complexity)?

    What are the limitations of the hardware, software, procedures, etc.?

a)    When developing a system description defining how a system currently functions (system description (analysis)), hazards will often become evident and identifiable (steps 1 and 2).
b)    The hazard identification process then progresses to the next step, risk analysis, where the severity and likelihood of the identified risks define the potential consequences of operations. This culminates in an assessment of the acceptability of operating with these hazards and their associated risk (risk assessment) or whether or not the risk of such operations can be mitigated to an acceptable level (risk control). Operational managers, also referred to as process owners, must be the persons who are accountable for these decisions.

NOTE:  If controls are added to the system for risk mitigation, this constitutes a change in design, meeting one of the four triggers for SRM. Part 5, § 5.55(d) requires running SRM again with a monitoring period assigned before releasing the process to SA. This is to gain assurance that the risk has been mitigated to acceptable levels.

C.    SA and Interactions With SRM. After a system has been designed or revised using the SRM process, special attention should be given to the new or revised system using the SA process. These short-term assessments aid in determining if the mitigation had the desired result. It should not be surprising to find at this time that there are still things that were not considered or that there are changes in the operational environment introducing new hazards to the process or procedure, requiring a return to SRM. Thus, the SRM and SA processes operate in a continuous exchange.

1)    In SA, the process continues with measuring and monitoring the performance of the system (system monitoring) with the designed risk controls in place. This involves a variety of data sources. As in SRM, the data needs to be analyzed for it to be useful in decision making (risk analysis). In the case of SA, the decision making (system assessment) can result in several decision paths. If the data and analysis show that the system and its risk controls are functioning as intended, system monitoring continues and management can have confidence in system safety performance.
2)    If this is not the case, the analysis needs to continue to determine if the shortfall is due to controls not being used as intended (e.g., required training not accomplished, procedures not followed, improper tools or equipment provided, etc.). If this is identified as a problem, this is a performance issue and a corrective action should be taken to ensure the risk controls are utilized as intended. If a new hazard is identified, or the system is not operating as expected, the system design needs to be reevaluated using the path back to SRM.
3)    The path back to SRM is an important part of the SA process. The SA process monitors daily system operations. This might be the first time operational systems have a hazard identified, which requires a review utilizing the SRM processes for identified hazards and associated risks.
4)    Managers who are responsible for operational processes and procedures are the process owners. They are also responsible for assuring that the processes and procedures are performing as intended from a safety, as well as an operational, perspective. Correct design, expected performance, and effective risk controls are key concerns of executive management, specifically, the accountable executive.

17-1-1-9    SMS SUPPORT. The following offices and points of contact (POC) are available to provide assistance with questions or issues that arise during SMS development, implementation, and acceptance processes.

A.    CMT. The CMT, which could also be known as a certificate management unit (CMU) or responsible Flight Standards office, is comprised of FAA aviation safety inspectors (ASI) and other professionals from various specialties assigned to the certificate holder’s certificate for oversight. These offices are the primary interfaces for questions and concerns which might arise during SMS implementation and validation activities. As the FAA personnel with the closest relationship with the certificate holder, they are in the best position to answer questions and provide guidance in a timely manner consistent with CMT office policy. During SMS implementation, the CMT will periodically review the certificate holder’s progress and provide feedback. They will also conduct most of the validation activities that are required to accept a certificate holder’s SMS. This communication between the certificate holder and the CMT ensures that requirements in the SMSVP Standard are addressed in a timely manner to allow timely corrections during the implementation process. Part 121 applicants will follow the procedures in Volume 2.

B.    Office of Safety Standards POC, Air Carrier and General Aviation Safety Assurance Within the Foundational Business Organizations. The Safety Standards POCs within the Office of Foundational Business’ staff, with the assistance of the Safety Management System Program Office (SMSPO), stay abreast of the latest SMS developments and information. They are appointed subject matter experts (SME) and resources for the CMTs.

C.    SMSPO. This office provides policy and guidance on FS internal and external SMS requirements and interfaces. The SMSPO complies with Aviation Safety’s (AVS) related SMS orders and policy. The office provides direction, guidance, and coordination with POCs in the Office of Safety Standards and Safety Assurance offices as it develops SMS policies, procedures, and work instructions. The SMSPO also develops and maintains SMS policy and guidance for FAA-certificate holder advisory material, interfaces with oversight systems, and provides management of the SMSVP. The SMSPO develops and uses standardized outreach, familiarization, and orientation materials for SMS.

D.    Implementation Support Team (IST). As part of the SMSPO, the IST is the primary interface between the SMSPO and principal inspectors (PI), CMT personnel, Safety Standards and Safety Assurance offices, and divisional SMS specialists. The IST provides briefings, orientation sessions, meetings, and/or workshops to support a certificate holder’s CMTs with SMS implementation activities. SMS IST members will provide guidance, facilitation, and suggestions on SMS issues to both the CMT and certificate holder. The IST is available as a resource throughout SMS implementation. SMSPO IST assistance can be obtained by emailing the SMSPO National Coordinator at 9-NATL-SMS-ProgramOffice@faa.gov.

17-1-1-11    GENERAL CONSIDERATIONS DURING SMS IMPLEMENTATION.

A.    Scalability. Section 5.3(a) requires that “The SMS must be appropriate to the size, scope, and complexity of the certificate holder’s operation.” This means that resource commitment to SMS by different-sized organizations may vary, as those organizations develop different ways to satisfy the requirements of part 5 or the SMSVP Standard. An effective SMS must include all parts of the organization that have a direct impact on aviation safety, including operational lines of business (LOB) (e.g., flight operations, maintenance, cabin, and cargo) as well as the organizational leadership (e.g., corporate, divisional, and departmental). As the certificate holder develops and implements an SMS into its organization, it is necessary that part 5 or the SMSVP Standard requirements exist across all LOBs and leadership that have a direct effect on aviation safety. AC 120-92, chapter 3, provides additional discussion and examples of scalability for the SMS requirements. Corporate SMSs, where multiple FAA certificate holders operate under one corporate umbrella, are being developed for future inclusion in Volume 17, Chapter 4.

B.    Oversight Considerations.

1)    Part 121 New Applicants–Certification Project Team (CPT) Oversight. The CPT is responsible for the certification process of the applicant. Therefore, the CPT manager is responsible for accepting the applicant’s SMS as required by part 5 as part of the initial certification. Certification of new part 121 applicants is addressed in Volume 2, Chapter 3.
2)    SMSPO Oversight. The SMSPO is responsible for the SMSVP. The SMSPO will approve, with CMT recommendations, the certificate holder’s SMS implementation plan and ultimately accept the certificate holder’s SMS as required by the SMSVP in accordance with Volume 17. They also provide guidance to the CPTs working with new applicant certifications concerning SMS issues and concerns.
3)    During SMS Implementation. During the SMS implementation process, the existing certificate holders must continue to comply with all applicable regulations. The CMT will continue its normal oversight and certificate management duties while also performing SMS oversight and validation activities. Once the certificate holder’s SMS implementation plan is approved, the certificate holder will follow that plan and begin to design, develop, modify, and align SMS processes and procedures into their business model and operational environment. Any changes to the implementation plan will have to be submitted to the CMT for review and reapproval. This reapproval process is necessary to ensure FAA resources are properly forecast and scheduled. This process is further defined in Volume 17, Chapter 3.
4)    Evaluation of Compliance. CMTs will assess the certificate holder’s SMS implementation to include monitoring of adherence to the implementation plan’s schedule, evaluating needs for changes to the plan, and evaluation of compliance with the SMSVP Standard. Evaluation of the certificate holder’s SMS processes will utilize the FAA’s SAS SMS Custom Data Collection Tools (C DCT) or job aids located in Volume 17, Chapter 3.
5)    Non-SAS Certificate Holders. For certificate holders not managed under SAS, the CMT should record completion in SAS Activity Recording (AR) using the appropriate codes for the “National Use” field utilizing the data entry process in Volume 17, Chapter 3, Section 2, paragraph 17-3-2-9. Activity codes 1045, 3045, and 5045 will be used as appropriate.
6)    After the SMS is Implemented. COS will incorporate assessment of the certificate holder’s safety management design and performance utilizing guidance in Volume 10 for certificate holders managed under SAS. If a certificate holder is not managed under SAS, inspectors will use the job aids in Volume 17, Chapter 3.

17-1-1-13    INTEGRATION OF EXISTING PROGRAMS. Certificate holders are encouraged to integrate their existing programs into their SMS. By conducting a thorough gap analysis, certificate holders can see which existing programs can be adopted or slightly modified to meet the SMSVP Standard. Any programs that do not satisfy the requirements of part 5 or the SMSVP Standard should be identified and revised as necessary. Integration of existing programs is discussed in AC 120-92. Additional information may be found in the preamble text of part 5.

17-1-1-15    REFERENCES, FORMS, AND JOB AIDS.

A.    References. The current editions of the following documents may be helpful in developing and validating an SMS.

1)    FAA Documents:

    AC 120-92, Safety Management Systems for Aviation Service Providers.

    Information for Operators (InFO) 08022, FAA Safety Management System (SMS) developments—No. 1.

    FAA Order 8000.368, Flight Standards Service Oversight.

    FAA Order 8000.369, Safety Management System.

    FAA Order VS 8000.367, Aviation Safety (AVS) Safety Management System Requirements.

    FAA Order VS 8000.370, Aviation Safety (AVS) Safety Policy.

    FAA Order 8040.4, Safety Risk Management Policy.

2)    International Publications:

    Annex 19 to the Convention on International Civil Aviation, Safety Management.

    ICAO Document 9859, Safety Management Manual (SMM).

3)    Additional Guidance. The following references may be of value to users of this document:

    AC 00-46, Aviation Safety Reporting Program.

    AC 00-58, Voluntary Disclosure Reporting Program.

    AC 120-54, Advanced Qualification Program.

    AC 120-59, Internal Evaluation Programs.

    AC 120-66, Aviation Safety Action Program.

    AC 120-79, Developing and Implementing an Air Carrier Continuing Analysis and Surveillance System.

    AC 120-82, Flight Operational Quality Assurance.

    AC 120-90, Line Operations Safety Audits.

B.    Forms. None.

C.    Job Aids. This task may require access to the following job aids:

    SMSVP Design Validation and Design Demonstration Job Aids in Volume 17, Chapter 3, Section 3, Figures 17-3-3B through R.

    SMS COS Job Aids in Volume 17, Chapter 3, Section 3, Figures 17-3-3S through V.

    SAS SMS C DCTs.

    SMS Voluntary Program Gap Analysis Tool.

17-1-1-17 through 17-1-1-29 RESERVED.



[1] ICAO SMS standards require operators of airplanes weighing over 27,000 kg to include a Flight Data Analysis (FDA) program as part of their SMS. Part 5 and the SMSVP Standard do not require these programs. However, operators desiring to implement a flight operations quality assurance (FOQA) program (the FAA equivalent to an FDA) on a voluntary basis can obtain FAA approval for these programs.