12/9/20

 

8900.1 CHG 615

VOLUME 17  SAFETY MANAGEMENT SYSTEM

CHAPTER 1  GENERAL

Section 2  Miscellaneous Safety Management System Information

17-1-2-1    SAFETY MANAGEMENT SYSTEMS (SMS) AND SYSTEM SAFETY. Systems can be described in terms of integrated networks of people and other resources performing activities that accomplish some mission or goal in a prescribed environment. Management of the system’s activities involves planning, organizing, directing, and controlling these assets toward the organization’s goals. Several important characteristics of systems and their underlying process are known as process attributes or safety attributes when they are applied to safety-related operational and support processes. These process attributes must have safety concepts built into their design if they are to result in improved safety outcomes. The Federal Aviation Administration’s (FAA) and the Aviation Safety (AVS) safety management, oversight philosophy, and policies are being used to develop the practice of system safety so that it more completely incorporates SMS and Risk‑Based Decision Making (RBDM) in oversight. These principles include the safety attributes. These safety attributes form the basis for all oversight activity and surveillance. As a result, they are integrated into all the Safety Assurance System (SAS) Data Collection Tools (DCT) and questions. These safety attributes apply to all certificate holders, whether they have a formal SMS or not. The concepts behind each attribute should be leveraged into the organization’s processes and procedures. The safety attributes include:

A.    Responsibility. Per Volume 10, Chapter 1, Section 4, the responsibility attribute is “A clearly identified individual who is accountable for ensuring financial and human resources to ensure the safety and quality performance of the certificate holder.” This attribute requires traceability to “where the buck stops” in an organization. In every organization, there must be an individual that is responsible for oversight of the operations and ensuring appropriate resources are available to meet the operational requirements. In an organization with an SMS, this individual is the accountable executive. It is important to note that responsibility cannot be delegated in an organization.

B.    Authority. Per Volume 10, Chapter 1, Section 4, the authority attribute is “A clearly identifiable, qualified, and knowledgeable individual who effectively plans, directs, and controls resources; changes procedures; and makes key determinations including safety risk acceptance decisions.” It is important to note that this attribute is not necessarily pointing at regulatory positions required under Title 14 of the Code of Federal Regulations (14 CFR) part 119 or 145. This attribute is focused on the process owners in the organization. They may or may not appear on an organizational chart. The process owners are assigned the authority to oversee, effectively manage and control resources, identify hazards, perform risk assessments, and make changes to processes and procedures within their process areas.

C.    Procedures. Per Volume 10, Chapter 1, Section 4, the procedures attribute is “Methods or practices that are written or unwritten, regulatory or nonregulatory, designed into a process that a certificate holder/applicant uses to accomplish a desired result.” Unwritten methods refer to certificate holders/applicants that are not required by regulation to have documented procedures. The lack of written documentation does not indicate a lack of procedures. This attribute looks at the structure of the process to ensure the desired result is achieved. There are no 14 CFR part 5 or Safety Management System Voluntary Program (SMSVP) Standard references for this attribute as it applies to all processes and procedures in an organization, regulatory or not. However, part 5 and the SMSVP Standard do require that Safety Risk Management (SRM) be performed any time one of the triggers in part 5, § 5.51 is met. They also require a certificate holder to document their SMS safety objectives as well as processes and procedures (§ 5.95). It is also important to note that a procedure explains how to accomplish a task and policy defines what should be accomplished.

D.    Controls. Per Volume 10, Chapter 1, Section 4, the controls attribute is “The checks and restraints that exist within a process that ensure the potential effects of risks are reduced to an acceptable level.” Controls will not necessarily remove risk from an identified hazard, but they will reduce the risk to an acceptable level. Controls can be procedural or physical defenses against the risks. Controls are a result of RBDM. They can be proactive, built into a procedure during SRM, or reactive, after identifying a new hazard or condition through the Safety Assurance (SA) processes.

E.    Process Measurement. Per Volume 10, Chapter 1, Section 4, the process measurement attribute is “A method to monitor and measure the outputs and performance of a process, and to identify problems, or potential problems, in order to take corrective action.” For certificate holders that have a formal SMS, this attribute focuses on the SA functions of data collection and assessment to ensure safety controls and procedures are working as intended. It also monitors the organization’s safety objectives to ensure progress is being made to achieve them.

F.    Interfaces. Per Volume 10, Chapter 1, Section 4, the interfaces attribute is “Interactions between processes that must be managed in order to ensure desired outcomes.” This is one of the most important attributes, as the certificate holder must ensure that process owners or departments within the organization communicate when processes or procedures are introduced or revised. The communication is critical to ensure no hazards are introduced to other areas or processes within the organization. Early communication can prevent introduction of hazards into the system.

G.    Safety Ownership. Per Volume 10, Chapter 1, Section 4, the safety ownership attribute is “An individual’s understanding of how his or her role contributes to the overall safety of the organization.” This seventh attribute has been added as the FAA moves into a new era in oversight that includes the effects of culture on a system. The FAA is emphasizing RBDM and critical thinking to increase awareness that the culture of an organization plays a role in its management of safety. Both the safety culture and the climate of the workforce make up the overall safety of the organization. This attribute refers to how well the organization promotes the ownership of overall safety of the process to each employee who has some level of responsibility within that process. The goal is to measure the degree to which individuals at all levels in the organization demonstrate understanding or awareness of how their individual actions affect the overall management of safety within the organization as a whole.

17-1-2-3    APPROVING/ACCEPTING MANUALS. Part 5 and the SMSVP Standard both require the certificate holder to document their safety policy and SMS processes and procedures. It is not specified where this documentation must be located. Therefore, inclusion of SMS employee guidance in an aviation certificate holder’s manual system has no impact on Certificate Management Team (CMT) approval or acceptance of required manuals under existing inspector guidance.

A.    Use of a Disclaimer. A disclaimer provides the responsible Flight Standards office a means of identifying inclusion of a certificate holder’s safety management policy, processes, and procedures within its manual system, without impact to the Flight Standards (FS) office’s approval/acceptance process. The disclaimer further clarifies that the office’s approval/acceptance of a manual does not constitute FAA recognition of the certificate holder’s SMS processes under the SMSVP Standard or part 5.

B.    Example Disclaimer. The following disclaimer may be used: “[Approval/Acceptance] of this [manual/document/procedure] does not constitute approval or acceptance of guidance pertaining to the certificate holder’s SMS.”

17-1-2-5    LOADING SMS CUSTOM DATA COLLECTION TOOLS (C DCT) TO AN EXISTING CERTIFICATE IN SAS. The certificate holder’s SMS must be validated by the CMT to determine conformance with the SMSVP Standard. Each CMT establishes its own validation strategy based on the size and complexity of the certificate holder’s organization. SMS validation is recorded in SAS automation when the CMT completes the required design assessments using design validation C DCTs and design demonstration assessments using design demonstration validation C DCTs. The prebuilt C DCTs to be used for SMS validation are available to principal inspectors (PI) in their respective drop-down menus. The C DCTs mirror the job aids in Volume 17, Chapter 3, Section 3.

NOTE:  The job aids are used by CMTs that manage a certificate holder using SAS Activity Recording (AR).

A.    Validation Project Plan (VPP). The CMT will develop a VPP to define the number of assessments to be accomplished to validate the certificate holder’s SMS implementation. Once the VPP document is complete, the PIs must add the appropriate number of SMS C DCTs to the Configuration Module 1 in the SAS automation by adding a certificate holder-initiated change request. To meet this requirement, the PI can select the National/Divisional SMS C DCTs. The intent is to have a 1:1 ratio of C DCTs to VPP required assessments. This strategy will allow progress monitoring throughout the CMT validation period.

B.    Scheduling and Completion of C DCTs. The C DCTs may be scheduled during any quarter to balance the workload. The CMT may wish to schedule all the C DCTs during the last quarter of scheduled implementation activity. When a C DCT is ready to be completed, the CMT should complete the assessments on a hard copy document. After this is accomplished, the CMT would then move the appropriate C DCT into the current quarter, record the “yes” answers on the C DCT, and save the C DCT to the SAS database. If validation activity is managed correctly, the VPP and number of SAS C DCTs should match (1:1 ratio) at the end of the validation activities.

C.    Use of Job Aids. During validation activities, the requirement is to get “yes” answers for all questions on each C DCT. Since each C DCT question represents an SMSVP Standard/part 5 requirement, a “yes” answer is the only acceptable response that will allow completion of each validation activity. Therefore, it is recommended that the job aids in Volume 17, Chapter 3, Section 3 be utilized for validation activities. The advantages of utilizing these job aids are twofold. First, documentation can take place on the job aids and then be transferred to the corresponding C DCT when all “yes” answers are attained. Second, and equally important, the Design Demonstration Job Aids provide additional guidance written for the PI on things to consider when completing the design validation activity.

D.    Incomplete Assessments. C DCTs which have been closed out before each question has been validated constitute an incomplete validation assessment. The only way to resolve incomplete assessments is to query the SAS database to identify questions which have not been answered with a “yes” response. Query tools are available in SAS to accomplish this task. Once this has been accomplished, the PI must create a C DCT with the unanswered questions to finish the incomplete validation assessment(s) and update the CMT VPP to reflect the additional assessment (1:1 ratio). Table 17-1-2A lists the C DCTs available for SMS validation activities in SAS. These correspond to the job aids in Volume 17, Chapter 3, Section 3. The table also lists the entry required to be used in the “N/R/L” field when recording C DCT completion in SAS.

Table 17-1-2A.  SMS C DCT Design Validation Tools

| C DCT Name | N/R/L Entry | C DCT Type |
|---|---|---|
| SMS–Safety Policy Design Validation (AW) | SMSDESVAL | Design Validation |
| SMS–Safety Policy Design Validation (OP) | SMSDESVAL | Design Validation |
| SMS–Safety Risk Management Design Validation (AW) | SMSDESVAL | Design Validation |
| SMS–Safety Risk Management Design Validation (OP) | SMSDESVAL | Design Validation |
| SMS–Safety Assurance Design Validation (AW) | SMSDESVAL | Design Validation |
| SMS–Safety Assurance Design Validation (OP) | SMSDESVAL | Design Validation |
| SMS–Safety Promotion Design Validation (AW) | SMSDESVAL | Design Validation |
| SMS–Safety Promotion Design Validation (OP) | SMSDESVAL | Design Validation |
| SMS–Safety Policy Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Safety Policy Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Emergency Preparedness/Response Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Emergency Preparedness/Response Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–SRM (Process/Department Owner) Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–SRM (Process/Department Owner) Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Safety Communications Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Safety Communications Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Records Retention Process Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Records Retention Process Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–SRM (Organizational) Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–SRM (Organizational) Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Accountable Executive Review Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Accountable Executive Review Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Continuous Improvement Process Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Continuous Improvement Process Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Investigation Process Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Investigation Process Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Audit Process Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Audit Process Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |
| SMS–Evaluation Process Design Demonstration (AW) | SMSDEMVAL | Design Demonstration |
| SMS–Evaluation Process Design Demonstration (OP) | SMSDEMVAL | Design Demonstration |

17-1-2-7    VOLUNTARY SELF-DISCLOSURE AND MONITORING PROGRAMS.

A.    Aviation Safety Action Program (ASAP). An ASAP is an employee reporting system that certificate holders may use to gather information from employees on safety compliance and performance issues. ASAPs are intended for air carriers that operate under 14 CFR parts 121 and 135, and major domestic repair stations certificated under part 145. The goal of an ASAP is to enhance aviation safety by encouraging voluntary reporting of safety issues and events that come to the attention of employees. The program encourages an employee to voluntarily report safety issues even though they may involve a potential violation(s) of 14 CFR. This program may be used as part of a confidential employee reporting program to meet the requirements of § 5.71(a)(7).

NOTE:  While ASAP originally was limited to pilots and flight engineers, the program can be expanded to include flight attendants (F/A), dispatchers, and mechanics.

B.    Continuing Analysis and Surveillance System (CASS). A CASS is a currently required system for part 121 and part 135 (10 or more) certificate holders that is used to ensure the performance and effectiveness of maintenance and inspection programs, to identify deficiencies, and to determine and implement appropriate action under part 121, § 121.373 and part 135, § 135.431. A typical CASS includes internal auditing of the maintenance and inspection programs, analysis of the resulting data, and development of corrective actions to those programs. This system would be an appropriate process required under part 5 subpart D and would be accepted as one means of complying with the provisions of § 5.71(a)(1), (2), (3), (5), and (7).

C.    Voluntary Disclosure Reporting Program (VDRP). The VDRP is an FAA program designed for certificate holders to promptly report regulatory violations and show that corrective actions were taken to address the violations. As used in SA, the certificate holder could track the reports submitted through the VDRP, analyze the reports to identify compliance trends, and develop and report corrective actions. This program may be used to meet a portion of the requirements of § 5.71(a)(6).

D.    Flight Operations Quality Assurance (FOQA). FOQA, also known as flight data monitoring or Flight Data Analysis (FDA), is a method of capturing, analyzing, and/or visualizing the data generated by an aircraft moving through the air from one point to another. FOQA is a formal voluntary program which may be implemented by aircraft operators. If implemented, it could require installation of extensive flight data recording systems which facilitate rapid transfer of recorded data, de-identification of that data, and agreements between pilot organizations and the certificate holders, which define how this information may be used. Data received from an FOQA program would be used as part of the information inputs under § 5.71(a)(3) and (5).

NOTE:  The United States does not require FOQA as a part of an SMS at this time, but many foreign countries have mandated it as part of the International Civil Aviation Organization (ICAO) SMS requirements.

E.    Line Operations Safety Audits (LOSA). A LOSA is an observational program for collecting safety-related data during normal operations. Monitoring routine operations identifies at-risk behaviors so that they can be proactively managed. It is a means for a company to self-assess its safety margins by utilizing trained observers during normal operations. A LOSA is one way to meet the requirements of § 5.71(a)(1) and (2). Managing risks has become increasingly important in modern organizations. The aviation industry is maturing in its preference for proactive intervention over post-accident remediation. Systems such as the National Aeronautics and Space Administration’s (NASA) Aviation Safety Reporting System (ASRS) and the maintenance ASAP encourage air carrier and repair station employees to voluntarily report unsafe conditions. However, those systems are used reactively following adverse events. LOSAs address aviation safety proactively.

F.    Advanced Qualification Program (AQP). An AQP is a voluntary alternative to the traditional regulatory requirements under parts 121 and 135 for pilot training and checking. Under an AQP, the FAA is authorized to approve significant departures from traditional requirements, subject to justification of an equivalent or higher level of safety. The program entails a systematic front-end analysis of training requirements from which explicit proficiency objectives for all facets of pilot training are derived. It seeks to integrate the training and evaluation of cognitive skills at each stage of a curriculum. For pass/fail purposes, pilots must demonstrate proficiency in scenarios that test both technical and Crew Resource Management (CRM) skills together. Air carriers participating in the AQP must design and implement data collection strategies, which are diagnostic of cognitive and technical skills. In addition, they must implement procedures for refining curricula content based on quality control data. Data generated from an AQP can be utilized in an SMS program to improve safety as a part of the SA monitoring processes.

17-1-2-9    FLOW-DOWN OF REQUIREMENTS.

A.    Part 5/SMSVP Requirements. The SMS requirements of part 5 and the SMSVP Standard are intended to be applied to individual certificate holders. This rule/standard does not require the certificate holder to require SMSs on the part of contractors, code-share partners, or other business affiliates. This rule/standard permits the use of contractors as a data source, but will not mandate this requirement. Associated policy and advisory documents will not specify or imply these requirements as conditions of acceptance. A certificate holder may include an SMS in its negotiated business arrangements, consistent with the common practice in industry where air carriers require registration under such programs as SAE AS9100, International Air Transport Association (IATA) Operational Safety Audit (IOSA), and Coordinating Agency for Supplier Evaluation (C.A.S.E.) audits. Contractual requirements for arrangements do not relieve the certificate holder from its responsibilities under this rule/standard. The SMSVP Standard and part 5 require SMS SRM processes be applied anytime one of four triggers is met. The four triggers are defined as:

    Implementation of new systems,

    Revision of existing systems,

    Development of operational procedures, and

    Identification of hazards or ineffective risk controls through the SA processes.

B.    Common Misconceptions About Operator and Vendor Interactions.

1)    One of the questions routinely received is how certificate holders should address updated vendor guidance that is brought into their organization. One question asks, “Do individuals or groups that accept supplier guidance materials into their process area(s) understand that updates or changes to these materials requires SRM be conducted before it is used in the system?” This question is used to determine if the certificate holder is performing SRM on vendor guidance prior to incorporating it into their processes and procedures.
2)    If a certificate holder uses a manufacturer’s maintenance program and the manufacturer makes changes, their process has not changed. They are still using the manufacturer’s maintenance program, so the system has not changed. Therefore, they have not met one of the four triggers and do not have to do SRM.
3)    Under an SMS, while the certificate holder is using the manufacturer’s maintenance program, the task cards, manuals, etc., these are considered part of the certificate holder’s maintenance “system.” If they are revised, a competent individual must review the changes to determine if any new hazards have been introduced into the system. The certificate holder can use a high-level review of the revision pages to make this determination. In other words, the certificate holder would not be expected to read every task card word for word.
4)    There is an operational control issue in our above question that we expect certificate holders to manage. The certificate holder has an obligation to protect all operational processes and procedures that affect aircraft operations. Any contractor providing a service, whether physical or digital, to the certificate holder should be treated the same. The product provided, whether manuals, spare parts, or training, has to be accepted into the system by someone who is authorized to accept risk on behalf of the certificate holder. As a result, a certificate holder must accept the risk for the product a vendor is providing and must document a “no hazard – risk acceptance decision.”
5)    Since many vendors, especially those providing flight information, happen to be very reliable, the method of risk acceptance can be as easy as the certificate holder wishes to make it. This is a requirement for both part 5 and the SMSVP Standard. This demonstrates operational control over the supplier materials. Once a certificate holder agrees to use vendor-supplied materials, it becomes the certificate holder’s responsibility to ensure no new risks are introduced.
6)    The issue of electronic downloads might create a new problem for the certificate holder. For example, if the downloads are purchased and come directly from the vendor to the flightcrew Electronic Flight Bags (EFB), an employee of the certificate holder no longer needs to coordinate distribution. The issue to be evaluated is, “did a change of distribution methods change the certificate holder’s responsibilities for the product?” Just because the handling and distribution got easier, did the responsibility for operational control disappear with convenience? Before the download occurs, the certificate holder has to accept it into their system. Many certificate holders have “special airports” training and if a procedural change occurs at that airport, vendors are not expected to send an alert to the operator that their training department must revise training. Blindly accepting supplier products into the certificate holder’s safety system is not acceptable: someone has to sign for them, even if they consciously decide to not consider the change or impact it might have on the operation. This is an issue of decision making and accountability: when employees have to sign for something, they are normally more cautious. The same vendor argument could be made about an aircraft manufacturer’s maintenance work cards. Work cards tend to be developed to meet the manufacturer’s lawyer’s needs, and not the needs of the average Airframe and Powerplant (A&P) or repairman. This is an example where the certificate holder has to rewrite the work cards so they are useful to their workforce. The certificate holder should not trust anyone or anything entering their system without its passing through a risk acceptance process first. The certificate holder needs to understand their responsibility to fulfill their obligation to control their system. 
Acceptance of a new manual or revision of an existing manual meets the requirements of a trigger from § 5.51 and, therefore, requires that an SRM be conducted on the revision.

17-1-2-11 through 17-1-2-29 RESERVED.