CAR PART X SAFETY MANAGEMENT SYSTEM (SMS) - ISSUE 05-Corrected

CAR PART X
SAFETY MANAGEMENT SYSTEM (SMS)
UNCONTROLLED COPY WHEN DOWNLOADED

Check with GCAA Website to verify current version before using
Issue: 05 Page 1 of 63 Issue date: 8th November 2020

TABLE OF CONTENTS
FOREWORD…………. ....................................................................................................................................... 3
1. SCOPE…………… ...................................................................................................................................... 5
2. FRAMEWORK FOR SMS ......................................................................................................................... 5
2.1 SAFETY POLICY AND OBJECTIVES ...................................................................................................... 6
2.1.1 Management Commitment and responsibilities .................................................................. 6
2.1.2 Safety accountabilities .......................................................................................................... 7
2.1.3 Appointment of key safety personnel .................................................................................. 8
2.1.4 Coordination of emergency response planning .................................................................. 11
2.1.5 SMS Documentation ........................................................................................................... 12
2.2 SAFETY RISK MANAGEMENT ........................................................................................................... 14
2.2.1 Hazard Identification........................................................................................................... 14
2.2.2 Safety Risk Assessment and Mitigations ............................................................................. 16
2.3 SAFETY ASSURANCE ........................................................................................................................ 18
2.3.1 Safety Performance Monitoring and Measurement........................................................... 19
2.3.2 Management of Change...................................................................................................... 22
2.3.3 Continuous Improvement of the SMS ................................................................................ 24
2.4 SAFETY PROMOTION ....................................................................................................................... 24
2.4.1 Training and education ....................................................................................................... 24
2.4.2 Safety Communication ........................................................................................................ 26
APPENDIX 1: DEFINITIONS .................................................................................................................... 27
APPENDIX 2: SAFETY CULTURE AND JUST CULTURE ............................................................................ 30
APPENDIX 3: HAZARD IDENTIFICATION AND RISK MANAGEMENT ...................................................... 31
APPENDIX 4: SAFETY RISK ASSESSMENT MATRIX................................................................................. 32
APPENDIX 5: EMERGENCY RESPONSE PLAN CONTENT ........................................................................ 33
APPENDIX 6: SMS IMPLEMENTATION PLAN......................................................................................... 37
APPENDIX 7: SAFETY PERFORMANCE INDICATOR (SPI) FOR ORGANISATION ..................................... 47
APPENDIX 8: EXAMPLE OF SMS MANUAL CONTENT ........................................................................... 51
APPENDIX 9: SAFETY RISK REGISTER FORM ......................................................................................... 59
APPENDIX 10: ROOT CAUSE ANALYSIS (RCA) ......................................................................................... 60
APPENDIX 11: EXAMPLE OF BOWTIE MODEL......................................................................................... 63

FOREWORD
1. This is issue 05 of CAR PART X. No NPA has been deemed necessary since the change will have
very minor impact on the concerned organisations.

AMENDMENTS HISTORY
Amendment Source(s) Subject(s) Issue Date

Under Section 1:
- GM1 to 1 added to ensure AOC Holders address
other approval such CAR 145 and CAR M
approvals.
Under Section 2:
- GM to 2 renamed GM1 to 2 without further change
- GM2 to 2.0 created to explain how the GCAA will
verify the effectiveness of an SMS
Under Section 2.3.1
- 1st Paragraph reworded without change to the
initial intent.
- 2nd Paragraph: “alert levels and relevant action
plans defined to achieve the target” added.
- 3rd Paragraph: “The actual performance shall be
regularly provided to the GCAA in a form and
manner established by the GCAA for monitoring
Alignment purposes along with statistical data required for
Issue 04
with ICAO the GCAA to establish and monitor the State June 2016
Revision 01
Annex 19 Acceptable Level of Safety Performance (ALoSP).”
added to replace IB 12-2015.
- 5th Paragraph: “If an alert level or a target has
been breached, the organisation shall immediately
report it the GCAA and submit a corrective plan
accordingly.” to ensure that organisations report
when a breach to SPT is achieved.
- AMC1 to 2.3.1 with change to item (a), deletion of
Note 1 (moved as AMC4 to 2.3.1), and renaming of
Note 2 to Note 1.
- AMC2 to 2.3.1 amended with additional changes
as compare to Issue 3 to ensure that the agreed
SPI/SPT should be appropriate the organisation.
- AMC4 to 2.3.1 added adaptation of deleted Note 1
to AMC1 to 2.3.1.
- AMC5 to 2.3.1 added for the quarterly reporting of
safety performance.
November
Issue 05 Reference to CAAPs is replaced by new reference to AMCs
2020

1. SCOPE
This regulation establishes the Safety Management System (SMS) requirements for organisations
approved / certified in accordance with:
- CAR Part IV Operations Regulation (Sections 1 and 3),
- CAR Part IV Special Purpose Operations (Section A) until such a time, organisations approved
under Section A, have implemented CAR –ORA,
- CAR Part V Chapter 3 CAR 145 for UAE based CAR 145 organisations holding Class A or B ratings,
- CAR Part V Chapter 5 CAR 21 (Subparts G, F or J) for UAE based organisations involved in the
design and production of complete aircraft,
- CAR Part VIII Air Navigation Regulations,
- CAR Part IX Aerodrome Regulations.
Where the organisation holds more than one organisation certificate, the Safety Management System
shall be combined and integrated. This includes AOC holders who are at the same time holding flight
training organisation approval in accordance with CAR-ORA.
The SMS shall correspond to the size of the organisation and the nature and complexity of its activities,
taking into account the hazards and associated risks inherent in these activities.
Where the term “periodic” or “periodically” is used, the organisation shall define the timeframe within its
manuals.
GM1 to 1
AOC Holders should include in their safety management system, the activities conducted under their other
approval(s) such as CAR M and CAR 145 Approvals.
2. FRAMEWORK FOR SMS
This section specifies the framework for the implementation and maintenance of a SMS which shall be
met by the applicable organisations and accepted by the GCAA. The framework comprises four
components and twelve elements as the minimum requirements for SMS implementation.

These components shall be verified by the GCAA for adequacy and, upon availability of sufficient data, for
effectiveness.
GM1 to 2
As the establishment of the Safety Management System requires time, new organisations and
organisations that are transitioning from traditional safety programme to an integrated SMS should follow
a phased approach. APPENDIX 6 provides an example of how a phased approach towards SMS
implementation may be established for organisations not having SMS. While sequencing the
establishment of the different elements is left to the organisation, the GCAA expects elements mentioned
under Phase 1 to be provided at the time of application.
Upon completion of the phases, the GCAA will check the SMS for effectiveness.
GM2 to 2
As part of its surveillance system, the GCAA will evaluate the effectiveness of the SMS by the conduct of
regular SMS evaluation using GTF-SMS-002ab. This form includes the approach, methodology to be
followed by the organisation as well as the GCAA for the purpose of completing the evaluation.
2.1 SAFETY POLICY AND OBJECTIVES
Safety policy outlines the principles, processes and methods of the organisation’s SMS to achieve the
desired safety outcomes. The policy establishes senior management’s commitment to incorporate and
continually improve safety in all aspects of its activities. Senior management develops measureable and
attainable organisation wide safety objectives to be achieved.
2.1.1 Management Commitment and responsibilities
The organisation shall define its safety policy which shall:
(a) reflect organisational commitment regarding safety;
(b) include a clear statement about the provision of the necessary resources for the
implementation of the safety policy and achievement of the safety objectives;
(c) establish a non-punitive approach which supports safety reporting and encourages an open
reporting culture for the purpose of safety improvement, not to apportion blame;

(d) clearly indicate that cases of gross negligence, wilful misconduct or a significant continuing
safety concern are unacceptable in relation to the organisation’s aviation activities and include
the circumstances under which disciplinary action would or would not be applicable within the
framework of the Safety Management System;
(e) be signed by the Accountable Manager;
(f) be communicated, with visible endorsement throughout the organisation;
(g) be periodically reviewed to ensure it remains relevant and appropriate to the organisation.
GM to 2.1.1(b)
Safety objectives identify what the organisation intends to achieve in terms of safety management. The
safety objectives are expressed as a top-level statement describing the organisation’s commitment to
achieving safety. The safety objectives are linked with the Safety Performance Indicators, targets and
mitigation plans (For more guidance see also APPENDIX 7 – Safety Performance Indicators).
GM to 2.1.1(c)
Just and Safety culture concept is explained in APPENDIX 2.
2.1.2 Safety accountabilities
The organisation shall:
(a) identify the Accountable Manager who has full control of the resources, final authority over
operations under the certificate approval of the organisation and ultimate responsibility and
accountability for the establishment, implementation and maintenance of the SMS; safety
policies and the resolution of all safety issues.
(b) clearly define lines of safety accountability throughout the organisation, including a direct
accountability for safety on the part of senior management;
(c) identify the accountabilities of all members of management, irrespective of other functions, as
well as of employees, with respect to the safety performance of the SMS;
(d) document and communicate safety responsibilities, accountabilities and authorities throughout
the organisation; and
(e) define the levels of management with authority to make decisions regarding safety risk
tolerability.

AMC1 to 2.1.2(a)
The Accountable Manager’s authorities and accountabilities should include, but are not limited to:
(a) communication and promotion of the safety policy;

(b) establishment of the organisation’s safety objectives and safety targets;
(c) establishment, implementation and maintenance of the organisation’s competence to learn
from the analysis of data collected through its safety reporting system and others Safety Data
Collection and Processes Systems (SDCPS) in place; and
(d) establishment of a just culture which encourages safety reporting. (See APPENDIX 2)
AMC2 to 2.1.2(a)
Depending on the size, structure and complexity of the organisation, the Accountable Manager should be:
(a) the chief executive officer (CEO) of the Organisation; or equivalent;
(b) the chairperson of the board of directors;
(c) A person holding an appropriate delegation by a legally authorised person to act as an
Accountable Manager
(d) a partner; or
(e) the proprietor.
2.1.3 Appointment of key safety personnel

2.1.3.1 Post Holder SMS
The organisation shall appoint a properly educated, trained and experienced person who fulfils the
role of Post Holder SMS for the development and maintenance of an effective Safety Management
System.
The appointed person shall have direct access to the Accountable Manager to ensure that the
Accountable Manager is kept properly informed on safety matters.
The Post Holder SMS shall be accepted by the GCAA.
The Post Holder SMS is a senior management position and shall not hold other positions that may
conflict or impair his role as Post Holder SMS unless specifically approved by the GCAA.
AMC to 2.1.3.1
The Post Holder SMS functions should include but are not limited to:

(a) managing the SMS implementation;
(b) performing/facilitating hazard identification and safety risk analysis;
(c) monitoring corrective actions and evaluating their results;
(d) providing periodic reports on the organisation’s safety performance;
(e) maintaining records and safety documentation;
(f) planning and facilitating staff safety training;
(g) providing independent advice on safety matters;
(h) monitoring safety concerns in the aviation industry and their perceived impact on the
organisation’s operations aimed at service delivery;
(i) managing that processes for SDCPS such as safety reporting, Flight Data Monitoring (FDM) and
other safety data collection methods are established, and ensuring that they are implemented;
and
(j) advising the Safety Review Board on safety issues, in case the organisation has established such
a board.
GM to AMC to 2.1.3.1 (j)
Depending on size, complexity and nature the organisation may need to establish a Safety Review Board
(SRB) which is a high level committee that considers matters of strategic safety importance in support of
the Accountable Manager’s safety accountability.
The SRB provides the platform to achieve the objectives of resource allocation and to assess the
effectiveness and efficiency of risk mitigation strategies. The SRB is chaired by the Accountable Manager
and composed of senior managers, including line managers responsible for functional areas as well as
those from relevant administrative departments. The Post Holder SMS participates in the SRB in an
advisory capacity. The SRB meets periodically.
The SRB:
(a) monitors the effectiveness of the SMS;
(b) monitors that any necessary corrective action is taken in a timely manner;
(c) monitors safety performance against the organisation‘s safety policy and objectives;
(d) monitors the effectiveness of the organisation‘s safety management processes which support
the declared corporate priority of safety management as another core business process;
(e) monitors the effectiveness of the safety supervision of subcontracted operations;
(f) ensures that appropriate resources are allocated to achieve safety performance beyond that
required by regulatory compliance.

The SRB is strategic and deals with high-level issues related to policies, resource allocation and
organisational performance monitoring. Once a strategic direction has been developed by the SRB,
implementation of safety strategies should be coordinated throughout the organisation. This can be
accomplished by creating a Safety Action Group (SAG). SAGs are composed of line managers and front-
line personnel and are normally chaired by a designated line manager.
GM1 to 2.1.3.1
Below are examples of which may be considered to meet the proper education, training and experience
requirement:
(a) safety/quality management experience;

(b) operational experience;
(c) technical background to understand the systems that support operations;
(d) people skills;
(e) analytical and problem-solving skills;
(f) project management skills; and
(g) oral and written communications skills.
GM2 to 2.1.3.1
Organisations may establish a Safety Action Group to achieve the established performance, which reports
to and takes strategic direction from the SRB.
(a) A Safety Action Group may be established as a standing group or as an ad hoc group to assist
the Post Holder SMS or Safety Review Board.
(b) More than one Safety Action Group may be established depending on the scope of the task and
specific expertise required.
(c) The Safety Action Group should report to, and take strategic direction from the Safety Review
Board.
(d) The Safety Action Group may, assist the Post Holder SMS in:
1) oversee operational safety performance within the functional areas of the organisation
and ensures that appropriate safety risk management activities are carried out with staff
involvement as necessary to build up safety awareness;

2) coordinate the resolution of mitigation strategies for the identified consequences of
hazards and ensures that satisfactory arrangements exist for safety data capture and
employee feedback;
3) assess the safety impact related to the introduction of operational changes or new
technologies;
4) coordinate the implementation of corrective action plans and ensures that corrective
action is taken in a timely manner;
5) oversee safety promotion activities as necessary to increase awareness of safety issues
among relevant employees, to ensure that employees are provided appropriate
opportunities to participate in safety management activities.
(e) The Safety Action Group may also be tasked with the review the effectiveness of previous safety
actions and safety promotion.
(f) The Post Holder SMS may also be included in the SAG.
2.1.4 Coordination of emergency response planning
The organisation shall ensure that the Emergency Response Plan (ERP) is properly coordinated with the
Emergency Response Plans of those organisations it must interface with during the provision of its
services.
AMC to 2.1.4
The ERP should be documented in the format of a manual or directly integrated into the SMS Manual and
reflect the size, nature and complexity of the activities performed by the organisation. If the Emergency
Response Plan is documented in a separate document, it should be cross-linked to SMS manual.
The ERP should also:
(a) ensure an orderly, safe and efficient transition from normal to emergency operations, and back
to normal;
(b) ensure delegation of emergency authority;
(c) ensure authorisation by key personnel for actions contained in the plan;
(d) ensure coordination of efforts to cope with the emergency;
(e) ensure that the responsibilities, roles and actions of various agencies and personnel involved in
dealing with emergencies are defined and personnel trained;
(f) periodically be tested for the adequacy of the plan and the results reviewed to improve its
effectiveness.

(g) take into account considerations such as:
1) governing policies;
2) organisation;
3) notifications;
4) initial response;
5) additional assistance;
6) Crisis Management Centre (CMC);
7) records;
8) accident site;
9) news media;
10) formal investigations;
11) family assistance;
12) post-critical incident stress counselling; and
13) post-occurrence review.
GM to 2.1.4
The Emergency Response Plan addresses possible or likely emergency/crisis scenarios relating to the
organization’s aviation product or service deliveries.
GM to AMC 2.1.4
APPENDIX 5 provides guidelines for typical contents of an ERP manual.
2.1.5 SMS Documentation
(a) The organisation shall develop an SMS Manual endorsed by the Accountable Manager and
acceptable to the GCAA to demonstrate how the organisation will comply with this PART.
(b) The organisation shall establish a system of record keeping that allows adequate storage and
reliable traceability of all records related to Safety Management System processes.
AMC to 2.1.5(a)
An SMS manual defines the organisation’s approach to the management of safety in a manner that meets
the organisation’s safety policy and the requirements of this PART. The organisation should develop and
maintain SMS documentation that describes how the organisation is going to comply with this regulation;
and describes its:

(a) safety policy and objectives;
(b) SMS requirements;
(c) SMS processes and procedures;
(d) accountabilities, responsibilities and authorities for SMS processes and procedures.; and.
GM to AMC 2.1.5(a)
APPENDIX 8 provides an example of typical contents of an SMS manual.
AMC to 2.1.5(b)
(a) The format of the records should be specified in the organisation’s procedures.
(b) Records should be stored in a manner that ensures protection from damage, alteration, and
theft.
(c) The record keeping system should ensure that all records are accessible whenever needed and
records should be organised in a way that ensures traceability throughout the required
retention period.
(d) Paper systems should use robust material which can withstand normal handling and filing.
Computer systems should have at least one backup system which should be updated within 24
hours of any new entry. Computer systems should include safeguards against the ability of
unauthorised personnel to alter the data.
(e) All computer hardware used to ensure data backup should be stored in a different location from
that containing the working data, and in an environment that ensures they remain in good
condition. When hardware or software changes take place, special care should be taken that all
necessary data continues to be accessible at least through the full period specified in the
relevant provision. In the absence of such indication, all records should be kept for a minimum
period of 5 years.
(f) The records should remain legible throughout the required retention period. The retention
period starts when the record has been created or last amended.
(g) Records related to Safety Management System processes should include but are not limited to:
1) The results of the assessment of the potential adverse consequences or outcome of each
hazard (APPENDIX 10);
2) Safety Performance Indicators, targets and related charts;
3) record of completed or in-progress safety assessments;
4) SMS internal review or audit records;
5) safety promotion records;
6) personnel SMS/safety training records;
7) SMS/safety committee meeting minutes; and

8) SMS implementation plan (during implementation process).
2.2 SAFETY RISK MANAGEMENT
Safety risk management shall include hazard identification, safety risk assessment and mitigation
processes.
GM to 2.2
An example of the safety risk management process is illustrated in APPENDIX 3, in addition, other risk
management methods e.g. BowTie can be useful particularly in the implementation of the mitigations and
controls. APPENDIX 11 shows an Example of BowTie model.
2.2.1 Hazard Identification
The organisation shall develop, implement and maintain a process that ensures that hazards associated
with its aviation products or services are identified.
In order to ensure continuity of data flow through internal safety reporting systems, the organisation shall
ensure that it effectively implements 2.1.1 (c).
In addition to the proactive and reactive methods of safety data collection the organisation should employ
where practical predictive methodologies which could arrest risks from potential hazards.
AMC1 to 2.2.1
Hazards should be identified through proactive methodologies or as a result of accident or incident

investigations (reactive), and where practical through predictive methodologies.
Data sources of hazard identification should be both internal and external to the organisation:
Organisations should establish internal confidential reporting channels to maximise data capturing.
AMC2 to 2.2.1
The internal safety reporting system should contain the following elements:
(a) the collection and evaluation of those errors, near-misses, and hazards reported internally;
(b) corrective and preventive actions are taken internally to address any safety issues and hazards;

(c) feedback to the organisation’s safety training, whilst maintaining appropriate confidentiality;
(d) provision of feedback to the reporter to ensure his support to the occurrence reporting system
and disseminate the results to other relevant parties.
(e) A non-punitive approach which encourages safety reporting within a system that clearly
indicates which types of behaviours are unacceptable.
(f) an investigation process to:
1) identify and address the factors contributing to occurrences in order to reduce the
likelihood of reoccurrence;
2) identify adverse trends;
3) identify those reports which require further investigation; and
4) establish all root causes, including any technical, organisational, managerial, or human
factors issues, and any other contributing factors relating to the event (APPENDIX 10).
GM to AMC1 to 2.2.1
(a) In addition to the internal reporting systems, flight data analysis and internal audits, Internal
hazard identification data sources may include:
1) normal operation monitoring schemes ;

2) safety surveys;
3) feedback from training; and
4) investigation and follow-up reports on accidents/incidents.
(b) External data sources for hazard identification may include:
1) industry accident reports;

2) GCAA mandatory incident reporting systems (ROSI);
3) GCAA audits; and
4) information exchange systems.
GM to 2.2.1
The following may be considered while engaged in the hazard identification process:
(a) design factors, including equipment and task design;

(b) human performance limitations (e.g. physiological, psychological and cognitive);

(c) procedures and operating practices, including their documentation and checklists and their
validation under actual operating conditions;
(d) communication factors, including media, terminology and language;
(e) organisational factors, such as those related to the recruitment, training and retention of
personnel, the compatibility of production and safety goals, the allocation of resources,
operating pressures and the corporate safety culture;
(f) factors related to the operational environment of the aviation system (e.g. ambient noise and
vibration, temperature, lighting and the availability of protective equipment and clothing);
(g) regulatory oversight factors, including the applicability and enforceability of regulations and the
certification of equipment, personnel and procedures;
(h) performance monitoring systems that can detect practical drift or operational deviations; and
human-machine interface factors.
(i) Stem from the existence of complex, (sub-) contract and other operational arrangements.
2.2.2 Safety Risk Assessment and Mitigations
The organisation shall develop, implement and maintain a process that ensures analysis, assessment, and
acceptable control of the safety risks associated with identified hazards.
AMC to 2.2.2
Written procedures for developing and implementing Corrective Actions should be established. These
should:
(a) Result in a specific corrective action plan that addresses the following:
1) Development and proposal of the corrective action.
2) Analysis and final approval level of the corrective action, including who is responsible for
approval of the corrective action.
3) Who will implement the corrective action.
4) How the responsible person will implement the corrective action.
5) When the corrective action completion due date is.

6) Who will evaluate the outcome and how, including identification of data requiring collection,
awareness of the possibility of unintended consequences, and events that should trigger a
response.
7) Who will monitor the status of the corrective action and how.
8) Reporting the status of the corrective action (to whom, with what frequency).
GM to 2.2.2
The process starts with the identification of hazards and their potential consequences. The safety risks are
then assessed in terms of probability and severity, to define the level of safety risk (safety risk index). An
example of a safety risk matrix is illustrated in APPENDIX 4.The completed hazard identification and safety
risk assessment and mitigation process is then documented and approved as appropriate.
Risk acceptance criteria is established based on the organisation’s safety policy and objectives.
Once risks have been assessed, the organisation should engage in a decision-making process to determine
the need to implement risk mitigation measures. Each safety risk mitigation measure should be examined
from the following perspectives:
(a) Effectiveness: The extent to which the measure reduces or eliminates the safety risk.
Effectiveness can be determined in terms of the technical, training and procedural defences
that can reduce or eliminate safety risks.
(b) Cost/benefit: The extent to which the perceived benefits of the mitigation outweigh the costs.
(c) Practicality: The extent to which the mitigation is implementable and appropriate in terms of
available technology, financial and administrative resources etc…
(d) Acceptability: The extent to which the stakeholders willingly adopt and embrace them.
(e) Enforceability: The extent to which compliance with new operating procedures can be
monitored.
(f) Durability: The extent to which the measure will be sustainable and effective.
(g) Residual safety risks: The degree of safety risk that remains subsequent to the implementation
of the initial mitigation, and which may necessitate additional risk control measures.
(h) Unintended consequences: The introduction of new hazards and related safety risks associated
with the implementation of any mitigation alternative.

The three generic safety risk mitigation approaches include:
(a) Avoidance. The activity is suspended, either because the associated safety risks are intolerable
or deemed unacceptable vis-à-vis the associated benefits.
(b) Reduction. Some safety risk exposure is accepted, although the severity or probability
associated with the risks are lessened, possibly by measures that mitigate the related
consequences.
(c) Segregation of exposure. Action is taken to isolate the potential consequences related to the
hazard or to establish multiple layers of defences to protect against them.
A risk mitigation strategy may involve one of the approaches described above, or may include multiple
approaches. It is important to consider the full range of possible control measures to find an optimal
solution. The effectiveness of each alternative strategy should be evaluated before a decision can be
taken.
Once the mitigation has been approved and implemented, any associated impact on safety performance
provides feedback to the Organisation‘s safety assurance process. This is necessary to ensure integrity,
efficiency and effectiveness of the defences under the new operational conditions.
The effective implementation of all above mentioned processes, including evidences of its day by day
proper implementation, should be available and used on the internal organisation quality assurance
process, with the aim to accomplish its utmost objectives.
Quality assurance process should be developed in a documented continuous monitoring audit approach.
It should ensure, that investigations are effectively performed to find occurrences’ root causes and issue
targeted and feasible recommendations to implement corrective actions by the accountable managerial
staff on due time.
2.3 SAFETY ASSURANCE
The organisation shall develop, document and maintain safety assurance processes to ensure that the
safety risks controls established as a consequence of the hazard identification and risk management
activities achieve their intended objectives.
GM to 2.3
Safety assurance consists of processes and activities undertaken by the organisation to determine
whether the SMS is operating according to expectations and requirements. The organisation should

continually monitor its internal processes as well as its operating environment to detect changes or
deviations that may introduce emerging safety risks or the degradation of existing risk controls. Such
changes or deviations may then be addressed together with the safety risk management process.
The safety assurance process complements the quality assurance process, with each having requirements
for analysis, documentation, and management reviews to ensure that certain performance criteria are
met. While quality assurance typically focuses on the organisation‘s compliance with regulatory
requirements, safety assurance specifically monitors the effectiveness of safety risk controls.
2.3.1 Safety Performance Monitoring and Measurement
The organisation shall establish safety performance monitoring and measurement processes by the
establishment of Safety Performance Indicators (SPI) and Safety Performance Targets (SPT) to verify its
safety performance and validate the effectiveness of the safety risk controls.
The indicators, targets, alert levels and relevant action plans defined to achieve the targets shall be agreed
with the GCAA.
The actual performance shall be regularly provided to the GCAA in a form and manner established by the
GCAA for monitoring purposes along with statistical data required for the GCAA to establish and monitor
the State Acceptable Level of Safety Performance (ALoSP).
For organisations that do not have sufficient data for the establishment of SPI’s and SPT’s, the organisation
shall establish safety initiatives aiming at continuous improvement in relation to safety standards. These
initiatives shall be in line with the safety objectives of the organisation.
If an alert level or a target has been breached, the organisation shall immediately report it the GCAA and
submit a corrective plan accordingly.
AMC1 to 2.3.1
Safety Performance Monitoring processes and systems should include processes and systems for the
following:
(a) Continuous monitoring of operational processes including establishment and monitoring of SPIs and
SPTs, SPTs, alert levels and the required reporting of safety performance or other statistics data to the
GCAA;
(b) Periodic monitoring of the operational environment to detect changes;

(c) Auditing of operational processes and systems;
(d) Evaluations of the SMS;
(e) Evaluations of safety data; and
(f) Evaluation of contextual data related the organisation environment, conditions, resources and
management.
Note 1: Upon completion of the assessments, evaluations and reviews, if ineffective controls, new hazards,
or potential hazards are identified, the Organisation should use the safety risk management process.
AMC2 to 2.3.1
The continuous acceptance of an SMS requires that the GCAA is satisfied that the proposed SPIs are
appropriate and pertinent to the organisation’s aviation activities prior to be agreement. The agreement
should be between the GCAA Principal Inspector and the organisation. The GCAA Principal Inspector will
review the proposed SPIs, SPTs, and alert levels to ensure that:
- they are appropriate, and relevant to the scope and complexity of the specific operational context; and
- their development has used the appropriate measuring matrix and is dependent on the size and
complexity of the organisation.
The SPIs, SPTs and alert levels should be:

a) a combination of high and lower-consequence SPIs as appropriate;
b) pertinent to the organisation’s aviation activities;
c) consistent with other organisations of the same sector/category;
d) congruent with the State’s SSP aggregate safety indicators for the organisation sector/category.
AMC3 to 2.3.1
The baseline objectives for organisations with insufficient data should target matters of concern for the
organisation such as enhancing the safety culture, just culture, reporting and/or improving the level of
safety. These initiatives have broad spectrum and may range from Intern low consequence events having
a direct bearing on the way activities and processes are implemented; to major possible safety risks,
adoption of best industry practices and maintaining zero occurrence levels for particular events even if
the organisation did not encounter such events. In this sense, these initiatives act as proactive defences
without the presence of actual SPIs. Such defences should be checked for effectiveness as part of the
safety assurance processes.

AMC4 to 2.3.1
For the GCAA to periodically monitor the SPTs and also the State ALoSP, organisations should submit flight
hours, engine hours, cycles, number of movements and other required information to the GCAA.
Form GCAA GTF-SMS-005 should be used and provided by mid-month of following the month for
organisations operating aircraft (i.e. regulated by CAR-OPS 1 and 3 and CAR-ORA).
AMC5 to 2.3.1
The agreed safety performance of an organisation’s SMS should be periodically reviewed to ensure it
remains relevant and appropriate to the organisation. To facilitate this monitoring, the organisation
should provide the GCAA with the actual safety performance for every quarter of year (n) as per the
following schedule:
Due date for “face-to-face”

Safety Performance Monitoring Due date for SPM submission to
review with the Principal
(SPM) Reports of YEAR (n) the Principal Inspector
Inspector
Quarterly SPM Report for Q1 of No later than 31st April of YEAR No later than mid-May of YEAR
YEAR (n) (n) (n)
Quarterly SPM Report for Q2 of No later than 30th July of YEAR No later than mid-August of
YEAR (n) (n) YEAR (n)
Quarterly SPM Report for Q3 of No later than 31st October of No later than Mid-November of
YEAR (n) YEAR (n) YEAR (n)
Quarterly SPM Report for Q4 of No later than 31st January of No later than Mid-February of
YEAR (n) YEAR (n+1) YEAR (n+1)
The Quarterly SPM Reports for every quarter of year (n) should be made using form GTF-SMS-006.
Immediately after submission of a Quarterly SPM Report as per above schedule, the organisation should
coordinate with its GCAA Principal Inspector for a review and agree on the need for adjustments to ensure
SPIs, SPTs and alert levels remain relevant and appropriate to the organisation. Adjustments should be
substantiated by appropriate safety data and duly documented.
GM1 to 2.3.1
APPENDIX 7 provides examples of SPIs and SPTs.

2.3.2 Management of Change
The organisation shall develop, document, implement and maintain a process to identify changes which
may affect the level of safety risk associated with its aviation products or services and to identify and
manage the safety risks or hazards that may arise from those changes.
AMC to 2.3.2
The organisation should demonstrate that:
(a) it has established a process, and conducts formal hazard analyses/risk assessment for major
operational changes, major organisational changes, and changes in key personnel
(b) safety assessment/risk assessments are aviation safety focused;
(c) key stakeholders are involved in the change management process, as appropriate;
GM1 to 2.3.2
Considerations for management of change are:
(a) Unless properly managed, changes in organisational structure, facilities, scope of

work/approval, personnel, documentation, policies and procedures, etc., may result in the
inadvertent introduction of new hazards, exposing the Organisation to new or increased risk.
(b) The management of change should be a process aiming at identifying external and internal
changes that may have an adverse effect on safety before implementation. It should make use
of the organisation’s existing hazard identification, risk assessment, and mitigation processes.
(c) Regardless of the magnitude of change, large or small, there should always be a proactive
consideration for safety implications. This is primarily the responsibility of the team proposing
and/or implementing the change. However, change can only be successful if all personnel
affected by the change are engaged, involved, and participate in the process. The magnitude of
change, its safety criticality, and its potential impact on human performance should be assessed
in any change management process. See GM2 to 2.3.2.
(d) Management of change provides principles and a structured framework for managing all
aspects of the change. Disciplined application of change management can maximise the
effectiveness of the change, engage staff, and minimise the risks inherent in change.
(e) Some examples of change include, but are not limited to:
1) organisational restructuring;
2) acquisition of equipment;

3) new aircraft type included in the approval;
4) additional aircraft or equipment of the same or similar type;
5) significant changes in personnel (affecting key personnel and/or large numbers of
personnel, high turnover);
6) new or amended regulations, procedures;
7) competition;
8) customer base;
9) security;
10) financial status;
11) new schedule(s), location(s), type(s) of maintenance, and/or operational procedures;
12) the generation or alteration of maintenance data; and
13) change of a safety significant subcontractor.
14) changes to risk control, policy, etc.
(f) The change also has the potential to introduce new, or exacerbate pre-existing, human factors
issues. For example, changes in machinery, equipment, technology, procedures, work
organisation, or work processes are likely to affect performance.
(g) The purpose of integrating human factors into the management of change is to minimise
potential risks by specifically considering the impact of the change on the people within a
system.
(h) Special consideration, including any human factors issues, should be given to the ‘transitional
period’. In addition, the activities utilised to manage these issues should be integrated into the
change management plan.
GM2 to 2.3.2
The organisation’s management of change process should take into account the following three
considerations:
(a) Criticality: Criticality assessments determine the systems, equipment or activities that are
essential to the safe operation of aircraft. While criticality is normally assessed during the
system design process, it is also relevant during a situation of change. Systems, equipment and
activities that have higher safety criticality should be reviewed following change to make sure
that corrective actions can be taken to control potentially emerging safety risks.
(b) Stability of systems and operational environments: Changes may be planned and under the
direct control of the organisation. Such changes include organisational growth or contraction,
the expansion of products or services delivered, or the introduction of new technologies.

Unplanned changes may include those related to economic cycles, labour unrest, as well as
changes to the political, regulatory or operating environments.
(c) Past performance: Past performance of critical systems and trend analyses in the safety
assurance process should be employed to anticipate and monitor safety performance under
situations of change. The monitoring of past performance will also assure the effectiveness of
corrective actions taken to address safety deficiencies identified as a result of audits,
evaluations, investigations or reports.
2.3.3 Continuous Improvement of the SMS
The organisation shall monitor and assess the effectiveness of its SMS processes to enable continuous
improvement of the SMS.
AMC to 2.3.3
Monitoring and assessment activities conducted for the purpose of this requirement should be conducted
by persons that are functionally independent of the technical processes being evaluated.
GM to 2.3.3
Importance of continuous improvements:
(a) Continuous improvement is measured through the monitoring of an organisation’s Safety

Performance Indicators, evaluations and independent SMS audits and is related to the maturity
and effectiveness of an SMS. Safety assurance processes support improvements to the SMS
through continual verification and follow-up actions.
(b) Internal evaluations/ audits involve assessment of the organisation’s aviation activities that can
provide information useful to the organisation’s decision-making processes.
(c) The internal evaluation function includes evaluation of safety management functions,
policymaking, safety risk management, safety assurance and safety promotion throughout the
organisation.
2.4 SAFETY PROMOTION

2.4.1 Training and education
(a) The organisation shall develop and maintain a safety training programme that ensures that
personnel are trained and competent to perform their duties relevant to the organisation’s
SMS.

(b) The scope of the safety training shall be appropriate to the individual’s involvement in the SMS.
AMC to 2.4.1
The following are elements that should be established and maintained as part of the Safety training
programme:
(a) Safety training and education curricula should consist of the following:
1) organisational safety policies, goals and objectives;
2) organisational safety roles and responsibilities related to safety;
3) basic safety risk management principles;
4) safety reporting systems;
5) safety management support (including evaluation and audit programmes);
6) lines of communication for dissemination of safety information; and
7) initial indoctrination and, if required, recurrent training requirements.
(b) Training requirements should be consistent with the needs and complexity of the organisation.
(c) Training procedures should specify initial and, if required, recurrent safety training standards
for operational personnel, managers and supervisors, senior managers and the Accountable
Manager. The SMS training documentation should also specify responsibilities for development
of training content and scheduling.
(d) Safety training for senior managers should include content related to compliance with national
and organisational safety requirements, allocation of resources and active promotion of the
SMS including effective interdepartmental safety communication. In addition, safety training
for senior managers should include material on establishing Safety Performance Targets and
alert levels.
(e) The Accountable Manager training should be at a high level providing an understanding of the
SMS and its relationship to the organisation’s overall business strategy.

2.4.2 Safety Communication
The organisation shall develop, document, implement and maintain formal means for safety
communication that:
(a) ensures personnel are aware of the SMS to a degree commensurate with their positions in a
timely manner;
(b) conveys safety-critical information in a timely manner;
(c) explains why particular safety actions are taken; and
(d) explains why safety procedures are introduced or changed.
GM1 to 2.4.2
Safety communication is an essential foundation for the development and maintenance of an adequate
safety culture. The modes of communication may include:
(a) newsletters;
(b) presentations;
(c) safety notices;
(d) safety awareness posters;
(e) lectures;
(f) workshops; and
(g) workplace safety oriented meetings between staff and the Accountable Manager or Senior
Managers.

APPENDIX 1: DEFINITIONS
1) Acceptable Level of Safety Performance (ALoSP): The minimum level of safety performance of
civil aviation in a State, as defined in its State safety programme, or of a organisation, as defined
in its Safety Management System, expressed in terms of Safety Performance Targets and Safety
Performance Indicators.
2) Alert Level: An established level or criteria value outside of the normal operating range or out-
of-control region that triggers a warning that an adjustment or evaluation is needed.
3) Consequence: Actual or potential impact of a hazard that can be expressed qualitatively and/or
quantitatively. More than one consequence may evolve from an event.
4) Corrective Action: Action to eliminate the cause of or reduce the effects of a detected hazard
or potentially hazardous situation in order to prevent its recurrence.
5) Defences: Specific mitigating actions, preventive controls or recovery measures put in place to
prevent the realization of a hazard or its escalation into an undesirable consequence.
6) Error: An action or inaction by an operational person that leads to deviations from
organisational or the operational person‘s intentions or expectations.
7) Hazard: A condition that could cause or contribute to an aircraft incident or accident.
8) Hazard Analysis: Analysis performed to identify hazards, hazard effects, and hazard causal
factors used to determine system risk.
9) Hazard Identification: A process to establish a list of hazards relevant to the activity and the
causes/threats that could release them.
10) High-consequence Indicators: Safety Performance Indicators pertaining to the monitoring and
measurement of high-consequence occurrences, such as accidents or serious incidents. High-
consequence indicators are sometimes referred to as reactive indicators.
11) Human Factors: Principles which apply to aeronautical design, certification, training, operations
and maintenance and which seek safe interface between the human and other system
components by proper consideration to human performance.
12) Investigation: A process conducted for the purpose of accident prevention which includes the
gathering and analysis of information, the drawing of conclusions, including the determination
of causes and, when appropriate, the making of safety recommendations.
13) Lower-consequence Indicator: Safety Performance Indicators pertaining to the monitoring and
measurement of lower-consequence occurrences, events or activities such as incidents, non-
conformance findings or deviations. Lower-consequence indicators are sometimes referred to
as proactive/predictive indicators.
14) Open Reporting Culture: An organisational perspective that actively encourages effective safety
reporting by defining acceptable behaviour (often unintended errors) and unacceptable
behaviour (such as recklessness, violations or sabotage), and provides fair protection to
reporters.

15) Operational Personnel: Personnel involved in aviation activities who are in a position to report
safety information.
Note.- Such personnel include, but are not limited to: flight crews; air traffic controllers; aeronautical
station operators; maintenance technicians; personnel of aircraft design and manufacturing
organisations; cabin crews; flight dispatchers, apron personnel and ground handling personnel.
16) Predictive: Any method that continuously analyses current and historical information to
forecast potential future occurrences.
17) Prescriptive Standards: Standards that specify methods for complying with safety
requirements.
18) Preventive Action: Pre-emptive action to eliminate or mitigate the potential cause or reduce
the future consequence of a hazard.
19) Proactive: Any method that actively searches for potential safety risks through the analysis of
an organisation's activities prior to occurrence.
20) Reactive: Any method that responds to past occurrences.
21) Risk: The assessed predicted likelihood and severity of the consequence(s) or outcome(s) of a
hazard.
22) Risk Analysis: Process whereby possible consequences of hazards are objectively characterized
for their severity and probability. The process can be qualitative and/or quantitative.
23) Risk Assessment: The identification, evaluation, and estimation of the level of risk.
24) Risk Control: Activities that ensure that safety policies, procedures, and processes minimize the
risk of an aviation accident or incident.
25) Risk Management: An organisational function that assesses the organisation’s system design
and verifies that the system adequately controls risk. A formal risk management process
describes a system, assesses hazards, analyses those hazards to evaluate the risk, and
establishes controls to manage those risks.
26) Risk Mitigation: The process of incorporating defences or preventive controls to lower the
severity and/or likelihood of a hazard’s projected consequence.
27) Safety: The state in which risks associated with aviation activities, related to, or in direct support
of the operation of aircraft, are reduced and controlled to an acceptable level.
28) Safety Assessment: Documentation that contains hazard descriptions, the related
consequences, the assessed likelihood and severity of the safety risks, and required safety risk
controls.
29) Safety Assurance: Processes used to ensure risk controls developed under the risk management
process achieve their intended objectives throughout the life cycle of a system. This process
may also reveal hazards not previously identified and identify or assess the need for new risk
control, as well as the need to eliminate or modify existing controls. This is one of the four
components of SMS.

30) Safety Culture: An enduring set of values, norms, attitudes, and practices within an organisation
concerned with minimizing exposure of the workforce and the general public to dangerous or
hazardous conditions. In a positive safety culture, a shared concern for, commitment to, and
accountability for safety is promoted.
31) Safety Management System (SMS): A systematic approach to managing safety, including the
necessary organisational structures, accountabilities, policies and procedures.
32) Safety Performance Indicator: A data-based parameter used for monitoring and assessing
safety performance.
33) Safety Performance Target: The planned or intended objective for Safety Performance
Indicator(s) over a given period.
34) Safety Promotion: A combination of safety culture, training, and information sharing activities
that support the implementation and operation of an SMS in an organisation. This is one of the
four components of SMS.
35) Safety Risk: The predicted probability and severity of the consequences or outcomes of a
hazard.
36) Safety Risk Management: A process used to assess system design and verify that the system
adequately controls risk. A formal risk management process describes a system, assesses
hazards, analyses those hazards to evaluate the risk, and establishes controls to manage those
risks. This is one of the four components of SMS.
37) Severity: The extent of loss or harm associated with consequences of a hazard.
38) Severity – Catastrophic: Results in multiple fatalities and/or loss of the aircraft.
39) Severity – Hazardous: A large reduction in safety margins, physical distress, or workload such
that organisations cannot be relied upon to perform their tasks accurately or completely.
Serious injury or death to a small number of aircraft occupants, ground personnel, and/or
general public. Major equipment damage.
40) Severity – Major: A significant reduction in safety margins and a reduction in the ability of
organisations to cope with adverse operating conditions as a result of an increase in workload,
significant discomfort, or conditions impairing their efficiency. Serious incident with physical
distress to occupants of aircraft, injuries, and equipment damage.
41) Severity – Minor: Does not significantly reduce system safety and operator actions are well
within their capabilities. May include slight reduction in safety margins, operating limitations,
slight increase in workload, some physical discomfort, and/or minor equipment damage.
42) Severity – Negligible: Little consequence. Has no effect on safety.
43) State Safety Programme (SSP): An integrated set of regulations and activities aimed at
improving safety.

APPENDIX 2: SAFETY CULTURE AND JUST CULTURE
“Safety Culture is the set of enduring values and attitudes regarding safety issues, shared by every
member of every level of an organization. Safety Culture refers to the extent to which every individual
and every group of the organization is aware of the risks and unknown hazards induced by its
activities; is continuously behaving so as to preserve and enhance safety; is willing and able to adapt
itself when facing safety issues; is willing to communicate safety issues; and consistently evaluates
safety related behaviour.”
To support the assessment and management of Safety Culture, the six main components (called
Characteristics) of Safety Culture are described:
1. Commitment
2. Behaviour
3. Awareness
4. Adaptability
5. Information
6. Justness
Just Culture is clearly an element of [a Safety Culture framework] (in the Justness characteristic or
component).
Just culture is defined as: “‘a culture in which front line operators or others are not punished for actions,
omissions or decisions taken by them that are commensurate with their experience and training, but
where gross negligence, wilful violations and destructive acts are not tolerated.”
An important part of a good just culture depends on how an organization oversees safety reports which
may contain information about potentially unsafe/risky actions, either directly or indirectly taken by its
employees. These may be the result of slips, common mistakes, technical failures or can even be related
to systematic training issues. When reviewing such occurrences, consideration should be given as to
whether the person’s actions were reasonable. It could be that the actions taken were the same as what
another competent person may have reasonably taken in a similar situation. Part of this is ensuring that
the right level of expertise is available to help understand the context and situation surrounding what
occurred. Employees at all levels should be encouraged to report any occurrences or issues that may affect
safety and be open to learning from these.
A safety culture and a just culture should be fostered. However in the rare cases, in which gross
negligence, wilful violations or destructive acts are apparent, such acts/behaviour should not be tolerated.
Through following of clear and proper procedures, anyone involved in cases of possible gross negligence
should receive fair treatment and proportionate remedial action to prevent a reoccurrence.

APPENDIX 3: HAZARD IDENTIFICATION AND RISK MANAGEMENT
Hazard Identification and Risk Management

Equipment, procedures, Hazard identification
organisation, etc.
Analyse the likelihood of the Risk assessment probability

consequence occurring
Evaluate the severity of the Risk assessment severity

consequence if it does occur
Is the assessed risk(s)

acceptable & within Risk assessment and tolerability
the organisation’s safety performance criteria?
safety performance
criteria?
Risk control/ mitigation

Yes, accept No, reduce the risk(s)
the risk(s) to an acceptable level

APPENDIX 4: SAFETY RISK ASSESSMENT MATRIX
The following is an example of safety risk assessment matrix
Risk Severity
Catastrophic Hazardous Major Minor Negligible
Risk Probability A B C D E
Frequent 5 5A 5B 5C 5D 5E
Occasional 4 4A 4B 4C 4D 4E
Remote 3 3A 3B 3C 3D 3E
Improbable 2 2A 2B 2C 2D 2E
Extremely improbable 1 1A 1B 1C 1D 1E
Safety risk probability table
Risk Probability Meaning Value
Frequent Likely to occur many times (has occurred frequently) 5

Occasional Likely to occur sometimes (has occurred infrequently) 4
Remote Unlikely to occur, but possible (has occurred rarely) 3
Improbable Very unlikely to occur (not known to have occurred) 2
Extremely improbable Almost inconceivable that the event will occur 1
Using this matrix, risks can be categorised according to an assessment of their potential severity and
probability. Based on this matrix example, risks reflected as being unacceptable (red and yellow
categories) must be mitigated so as to reduce their severity and/or probability. The organisation should
consider suspension of any activities that continue to expose the organisation to intolerable safety risks
in the absence of mitigating actions that reduce the risks to an acceptable level (green).

APPENDIX 5: EMERGENCY RESPONSE PLAN CONTENT
An ERP would normally be documented in the format of a manual that should set out the responsibilities,
roles and actions of the various agencies and personnel involved in dealing with specific emergencies. An
ERP should take account of such considerations as:
(a) Governing policies. The ERP should provide direction for responding to emergencies, such as
governing laws and regulations for investigations, agreements with local authorities, company
policies and priorities.
(b) Organisation. The ERP should outline management’s intentions with respect to the responding
organisations by:
1) designating who will lead and who will be assigned to the response teams;
2) defining the roles and responsibilities of personnel assigned to the response teams;
3) clarifying the reporting lines of authority;
4) setting up an Emergency Management Centre (EMC);
5) establishing procedures for receiving a large number of requests for information, especially
during the first few days after a major accident;
6) designating the corporate spokesperson for dealing with the media;
7) defining what resources will be available, including financial authorities for immediate
activities;
8) designating the company representative to any formal investigations undertaken by State
officials;
9) defining a call-out plan for key personnel.
An organisational chart could be used to show organisational functions and communication

relationships.
(c) Notifications. The plan should specify who in the organisation should be notified of an emergency,
who will make external notifications and by what means. The notification needs of the following
should be considered:
1) management;
2) State authorities (search and rescue, the regulatory authority, the accident investigation
board, etc.);
3) local emergency response services (aerodrome authorities, fire fighters, police, ambulance,
medical agencies, etc.);
4) relatives of victims (a sensitive issue that, in many States, is handled by the police);

5) company personnel;
6) media; and
7) legal, accounting, insurers, etc.
(d) Initial response. Depending on the circumstances, an initial response team may be dispatched to
the accident or crisis site to augment local resources and oversee the organisation’s interests.
Factors to be considered for such a team include:
1) Who should lead the initial response team?

2) Who should be included on the initial response team?
3) Who should speak for the organisation at the accident site?
4) What would be required by way of special equipment, clothing, documentation,
transportation, accommodation, etc.?
(e) Additional assistance. Employees with appropriate training and experience can provide useful
support during the preparation, exercising and updating of an organisation’s ERP. Their expertise
may be useful in planning and executing such tasks as:
1) acting as passengers or customers in exercises;

2) handling survivors or external parties;
3) dealing with next of kin, authorities, etc.
(f) Emergency Management Centre (EMC). An EMC (normally on standby mode) may be established at
the organisation’s headquarters once the activation criteria have been met. In addition, a command
post (CP) may be established at or near the crisis site. The ERP should address how the following
requirements are to be met:
1) staffing (perhaps for 24 hours a day, 7 days per week, during the initial response period);
2) communications equipment (telephones, facsimile, Internet, etc.);
3) documentation requirements, maintenance of emergency activity logs;
4) impounding related company records;
5) office furnishings and supplies; and
6) reference documents (such as emergency response checklists and procedures, company
manuals, aerodrome emergency plans and telephone lists).
The services of a crisis centre may be contracted from an airline or other specialist organisation to
look after the Organisation’s interests in a crisis away from home base. Company personnel would
normally supplement such a contracted centre as soon as possible.

(g) Records. In addition to the organisation’s need to maintain logs of events and activities, the
organisation will also be required to provide information to any State investigation team. The ERP
should address the following types of information required by investigators:
1) all relevant records about the product or service concerned;

2) lists of points of contact and any personnel associated with the occurrence;
3) notes of any interviews (and statements) with anyone associated with the event;
4) any photographic or other evidence.
(h) Accident site. For a major accident, representatives from many jurisdictions have legitimate reasons
for accessing the site: for example, police; fire fighters; medics; aerodrome authorities; coroners
(medical examining officers) to deal with fatalities; State accident investigators; relief agencies such
as the Red Crescent and even the media. Although coordination of the activities of these
stakeholders is the responsibility of the State’s police and/or investigating authority, the
Organisation should clarify the following aspects of activities at the accident site:
1) nominating a senior company representative at the accident site if:
i. at home base;
ii. away from home base;
iii. offshore or in a foreign State;
2) management of surviving victims;

3) the needs of the relatives of victims;
4) security of the wreckage;
5) handling of human remains and personal property of the deceased;
6) preservation of evidence;
7) provision of assistance (as required) to the investigation authorities;
8) removal and disposal of the wreckage; etc.
(i) News media. How the company responds to the media may affect how well the company
recovers from the event. Clear direction is required regarding, for example:
1) what information is protected by statute (FDR data, CVR and ATC recordings, witness
statements, etc.);
2) who may speak on behalf of the parent organisation at head office and at the accident site
(public relations manager, chief executive officer or other senior executive, manager,
owner);

3) prepared statements for immediate response to media queries;
4) what information may be released (what should be avoided);
5) the timing and content of the company’s initial statement;
6) provisions for regular updates to the media.
(j) Formal investigations. Guidance for company personnel dealing with State accident
investigators and police should be provided.
(k) Family assistance. The ERP should also include guidance on the organisation’s approach
to assisting crisis victims or customer organisations. This guidance may include such
things as:
1) State requirements for the provision of assistance services;

2) travel and accommodation arrangements to visit the crisis site;
3) programme coordinator and point(s) of contact for victims/customers;
4) provision of up-to-date information;
5) temporary assistance to victims or customers.
(l) Post-occurrence review. Direction should be provided to ensure that, following the
emergency, key personnel carry out a full debrief and record all significant lessons
learned which may result in amendments to the ERP and associated procedures.

APPENDIX 6: SMS IMPLEMENTATION PLAN
This APPENDIX includes typical guidance of a SMS implementation plan for Organisations that are
transitioning from traditional safety programme in to an integrated SMS or for new Organisations.
A system review and description of the SMS framework and interface with existing systems and processes
is the first step in defining the scope and applicability of the SMS. This can be achieved by conducting a
gap analysis, which provides an opportunity to identify any gaps related to the organisation’s SMS
components and elements, including the interfaces within the organisation. The gap analysis facilitates
development of an SMS implementation plan by identifying the gaps that must be addressed to fully
implement an SMS. Once the gap analysis has been completed and fully documented, the resources and
processes that have been identified as missing or inadequate will form the basis of the SMS
implementation plan.
The SMS Implementation Plan consists of four implementation phases with each phase associated with
various elements (or sub-elements) as per the ICAO framework.
Phase 1
(a) The objective of Phase 1 of SMS implementation is to provide a blueprint of how the SMS
requirements can be met and integrated into the organisation’s control systems, as well as an
accountability framework for the implementation of the SMS.
(b) During Phase 1, basic planning and assignment of responsibilities are established. Central to Phase
1 is the gap analysis. From the gap analysis, an organisation can determine the status of its existing
safety management processes and can begin planning for the development of further safety
management processes. The significant output of Phase 1 is the SMS implementation plan.
(APPENDIX 6 to Chapter 3 of ICAO Doc 9859 - -SMS Acceptance/ Assessment (Example) provides
further guidance).
(c) At the completion of Phase 1, the following activities should be finalized in such a manner that
meets the expectations of the GCAA, as set forth in relevant requirements and guidance material:
Management commitment and responsibility
(a) Identify the Accountable Manager and the safety accountabilities of managers. This activity is based
on Elements 2.1.1 and 2.1.2 of the SMS framework.
(b) Establish an SMS implementation team. The team should be comprised of representatives from the
relevant departments. The team’s role is to drive the SMS implementation from the planning stage

to its final implementation. Other functions of the implementation team will include but not be
limited to:
1) developing the SMS implementation plan;
2) ensuring the adequate SMS training and technical expertise of the team in order to
effectively implement the SMS elements and related processes; and
3) monitoring of and reporting on the progress of the SMS implementation, providing regular
updates and coordinating with the Accountable Manager.
(c) Define the scope of the organisation’s activities (departments/divisions) to which the SMS will be
applicable. The scope of the organisation’s SMS applicability will subsequently need to be described
in the SMS document as appropriate. This activity is based on Element 2.1.5 of the SMS framework.
Guidance on the system description is provided in 2.1.5 of this chapter.
(d) Conduct a gap analysis of the organisation’s current systems and processes in relation to the ICAO
SMS framework requirements (or the relevant SMS regulatory requirements).
Phase 2 (up to 12 Phase 3 (up to 18 Phase 4 (up to 18

Phase 1 (for application)
months) months) months)
1. SMS Element 2.1.1: 1. SMS Element 2.1.1: 1. SMS Element 2.2.1: 1. SMS Element 2.1.1:
a) identify the a) establish the safety a) establish a voluntary a) enhance the existing
Accountable Manager; policy and objectives, hazard reporting disciplinary procedure/
b) establish an SMS 2. SMS Element 2.1.2: procedure. policy with due
implementation team; a) define safety 2. SMS Element 2.2.2: consideration of
c) define the scope of the management a) establish safety risk unintentional errors or
SMS; responsibilities and management procedures. mistakes from deliberate
d) perform an SMS gap accountabilities across 3. SMS Element 2.3.1: or gross violations.
analysis. relevant departments of a) establish occurrence 2. SMS Element 2.2.1:
2. SMS Element 2.1.5: the organisation; reporting and investigation a) integrate hazards
a) develop an SMS b) establish an SMS/safety procedures; identified from occurrence
implementation plan. coordination mechanism/ b) establish a safety data investigation reports with
3. SMS Element 2.1.3: committee; collection and processing the voluntary hazard
a) establish a key c) establish departmental/ system for high- reporting system;
person/office responsible divisional SAGs where consequence outcomes; b) integrate hazard
for the administration and applicable. c) develop high- identification and risk
maintenance of the SMS. 3. SMS Element 2.1.4: consequence SPIs and management procedures
4. SMS Element 2.4.1: a) establish an emergency associated targets and alert with the subcontractor’s
a) establish an SMS response plan. settings. or customer’s SMS where
training programme for 4. SMS Element 2.1.5: 4. SMS Element 2.3.2: applicable.

personnel, with priority a) initiate progressive a) establish a management 3. SMS Element 2.3.1:
for the SMS development of an SMS of change procedure that a) enhance the safety data
implementation team. document/manual and includes safety risk collection and processing
5. SMS Element 2.4.2: other supporting assessment. system to include lower-
a) initiate SMS/safety documentation. 5. SMS Element 2.3.3: consequence events;
communication channels. a) establish an internal b) develop lower-
quality audit programme; consequence SPIs and
b) establish an external associated targets/alert
quality audit programme. settings.
4. SMS Element 2.3.3:
a) establish SMS audit
programmes or integrate
them into existing internal
and external audit
programmes;
b) establish other
operational SMS
review/survey
programmes where
appropriate.
a) ensure that the SMS
training programme for all
relevant personnel has
been completed.
a) promote safety
information sharing and
exchange internally and
externally.
SMS Element 2.1.5: SMS documentation (Phases 1 to 4)
SMS Elements 2.4.1 and 2.4.2: SMS training, education and communication (Phases 1 and thereafter)
Note 1.- The implementation period indicated is an approximation. The actual implementation period is
dependent on the scope of actions
required for each element allocated and the size/complexity of the organisation.
Note 2.- The SMS element numbers indicated correspond to the ICAO SMS element numbers. Suffixes such as a),
b) and c) indicate that the element has been subdivided to facilitate the phased implementation approach.
SMS implementation plan — Element 2.1.5

(a) Develop an SMS implementation plan on how the organisation will implement the SMS on the
basis of the identified system and process gaps resulting from the gap analysis.
Appointment of key safety personnel — Element 2.1.3
(a) Identify the key SMS person (safety/quality function) within the organisation who will be
responsible for administering the SMS on behalf of the Accountable Manager.
(b) Establish the safety services office.
Training and education — Element 2.4.1
(a) Conduct a training needs analysis.
(b) Organize and set up schedules for appropriate training of all staff according to their individual
responsibilities and involvement in the SMS.
(c) Develop safety training considering:
1) initial (general safety) job-specific training; and
2) recurrent training.
(d) Identify the costs associated with training.
(e) Develop a validation process that measures the effectiveness of training.
(f) Establish a safety training records system.
Safety communication — Element 2.4.2
(a) Initiate a mechanism or medium for safety communication.
(b) Establish a means to convey safety information through any of:
1) safety newsletters, notices and bulletins;
2) websites;

3) email.
4) workshops, lectures, posters etc..
Phase 2
The objective of Phase 2 is to implement essential safety management processes, while at the same
time correcting potential deficiencies in existing safety management processes. Most organisations will
have some basic safety management activities in place at different levels of implementation. This phase
aims at consolidating existing activities and developing those which do not yet exist.
Management commitment and responsibility — Element 2.1.1
(a) Develop a safety policy.
(b) Have the Accountable Manager sign the safety policy.
(c) Communicate the safety policy throughout the organisation.
(d) Establish a review schedule for the safety policy to ensure it remains relevant and appropriate to
the organisation.
(e) Establish safety objectives for the SMS by developing safety performance standards in terms of:
1) Safety Performance Indicators;
2) Safety Performance Targets and alert levels; and
3) action plans.
f) Establish the SMS requirements for subcontractors:
1) establish a procedure to write SMS requirements into the contracting process; and
2) establish the SMS requirements in the bidding documentation.
Safety accountabilities — Element 2.1.2
(a) Define safety accountabilities and communicate them throughout the organisation.

(b) Establish the Safety Action Group (SAG).
(c) Establish the safety/SMS coordination committee.
(d) Define clear functions for the SAG and the safety/SMS coordination committee.
(e) Establish lines of communication between the safety services office, the Accountable Manager, the
SAG and the safety/SMS coordination committee.
(f) Appoint the Accountable Manager as the chairperson of the safety/SMS coordination committee.
(g) Develop a schedule of meetings for the safety services office to meet with the safety/SMS
coordination committee and SAG as needed.
Coordination of emergency response planning — Element 2.1.4
(a) Review the outline of the ERP related to the delegation of authority and assignment of emergency
responsibilities.
(b) Establish coordination procedures for action by key personnel during the emergency and the
return to normal operations.
(c) Identify external entities that will interact with the organisation during emergency situations.
(d) Assess the respective ERPs of the external entities.
(e) Establish coordination between the different ERPs.
(f) Incorporate information about the coordination between the different ERPs in the organisation’s
SMS documentation.
Note.- Refer to APPENDIX 5 for further guidance on ERP.
SMS documentation — Element 2.1.5
(a) Create an SMS documentation system to describe, store, retrieve and archive all SMS-related
information and records by:

1) developing an SMS document that is either a stand-alone manual or a distinct section within
an existing controlled organisation manual (refer to APPENDIX 8 for guidance on developing
an SMS manual);
2) establishing an SMS filing system to collect and maintain current records relating to the
organisation’s ongoing SMS processes;
3) maintaining records to provide a historical reference as well as the current status of all SMS
processes such as: a hazard register; an index of completed safety assessments; SMS/safety
training records; current SPIs and associated safety objectives; internal SMS audit reports;
SMS/safety committee meeting minutes and the SMS implementation plan;
4) maintaining records that will serve as evidence of the SMS operation and activities during
internal or external assessment or audit of the SMS.
Phase 3
The objective of Phase 3 is to establish safety risk management processes. Towards the end of Phase 3,
the organisation will be ready to collect safety data and perform safety analyses based on information
obtained through the various reporting systems.
Hazard identification — Element 2.2.1
(a) Establish a voluntary reporting procedure.
(b) Establish a programme/schedule for systematic review of all applicable aviation safety-related
processes/equipment that are eligible for the HIRM process.
(c) Establish a process for prioritization and assignment of identified hazards for risk mitigation.
Safety risk assessment and mitigation — Element 2.2.2
(a) Establish a safety risk management procedure, including its approval and periodic review process.
(b) Develop and adopt safety risk matrices relevant to the organisation’s operational or production
processes.

(c) Include adopted safety risk matrices and associated instructions in the organisation’s SMS or risk
management training material.
Safety performance monitoring and measurement — Element 2.3.1
(a) Establish an internal occurrence reporting and investigation procedure. This may include
mandatory or major defect reports (MDR) where applicable.
(b) Establish safety data collection, processing and analysis of high-consequence outcomes.
(c) Establish high consequence safety indicators (initial ALoSP) and their associated target and alert
settings. Examples of high-consequence safety indicators are accident rates, serious incident rates
and monitoring of high risk non-compliance outcomes. Refer to APPENDIX 7 for guidance on
Safety Performance Indicators.
d) Reach an agreement with the GCAA on Safety Performance Indicators and Safety Performance
Targets.
The management of change — Element 2.3.2
(a) Establish a formal process for the management of change that considers:
1) the vulnerability of systems and activities;
2) the stability of systems and operational environments;
3) past performance;
4) regulatory, industry and technological changes.
(b) Ensure that management of change procedures address the impact on existing safety
performance and risk mitigation records before implementing new changes.
(c) Establish procedures to ensure that safety assessment of new aviation safety-related operations,
processes and equipment are conducted (or accounted for) as applicable, before they are
commissioned.
Continuous improvement of the SMS — Element 2.3.3

(a) Develop forms for internal evaluations.
(b) Define an internal audit process.
(c) Define an external audit process.
(d) Define a schedule for evaluation of facilities, equipment, documentation and procedures to be
completed through audits and surveys.
(e) Develop documentation relevant to operational safety assurance.
Phase 4
Phase 4 is the final phase of SMS implementation. This phase involves the mature implementation of
safety risk management and safety assurance. In this phase operational safety assurance is assessed
through the implementation of periodic monitoring, feedback and continuous corrective action to
maintain the effectiveness of safety risk controls.
Management commitment and responsibility — Element 2.1.1
(a) Enhance the existing disciplinary procedure/policy with due consideration of unintentional errors/
mistakes from deliberate/gross violations.
Hazard identification — Element 2.2.1
(a) Integrate the hazards identified from occurrence investigation reports with the voluntary
reporting system.
(b) Integrate hazard identification and risk management procedures with the subcontractor or
customer SMS where applicable.
(c) If necessary, develop a process for prioritizing collected hazards for risk mitigation based on areas
of greater need or concern. Refer to APPENDIX 3 and 4 for guidance.
Safety performance monitoring and measurement — Element 2.3.1
(a) Enhance the safety data collection and processing system to include lower-consequence events.

(b) Establish lower-consequence safety/quality indicators with target/alert level monitoring as
appropriate (mature ALoSP).
(c) Reach an agreement with the GCAA on lower-consequence Safety Performance Indicators and
Safety Performance Target/alert levels.
Continuous improvement of the SMS — Element 2.3.3
(a) Establish SMS audits or integrate them into existing internal and external audit programmes.
(b) Establish other operational SMS review/survey programmes where appropriate.
Training and education — Element 2.4.1
(a) Complete an SMS training programme for all relevant personnel.
Safety communication — Element 2.4.2
(a) Establish mechanisms to promote safety information sharing and exchange internally and
externally.

APPENDIX 7: SAFETY PERFORMANCE INDICATOR (SPI) FOR ORGANISATION
a) Air operators
SMS Safety Performance Indicators (individual Organisation)
High-consequence indicators Lower-consequence indicators (event/activity-

(occurrence/outcome-based) based)
Safety Safety
Alert level Target level Alert level Target level
Performance Performance
criteria criteria criteria criteria
Indicator Indicator
Air operator
__% (e.g. 5%) Operator __% (e.g.
individual fleet Average + Average +
improvement combined fleet 5%)Improvem
monthly serious 1/2/3 SD 1/2/3 SD
between monthly incident ent between
incident rate (annual or 2 (annual or 2
each annual rate (e.g. per 1 each annual
(e.g. per 1000 yearly reset) yearly reset)
mean rate 000 FH) mean rate
FH)
Air operator Operator internal
__% (e.g. 5%)
combined fleet Average + QMS/SMS annual
improvement
monthly serious 1/2/3 SD audit LEI % or Consideratio
between Consideration
incident rate (annual or 2 findings rate n
each annual
(e.g. per 1 000 yearly reset) (findings per
mean rate
FH) audit)
Air operator
__% (e.g. 5%)
engine Average + Operator
improvement
IFSD incident 1/2/3 SD voluntary hazard Consideratio
between Consideration
rate (annual or 2 report rate (e.g. n
each annual
(e.g. per 1 000 yearly reset) per 1 000 FH)
mean rate
FH)
__% (e.g. 5%)
Operator DGR Average +
improvement
incident report 1/2/3 SD
between each
rate (e.g. per 1 (annual or 2
annual mean
000 FH) yearly reset)
rate

b) Aerodrome operators
High-consequence indicators (occurrence/outcome-

Lower-consequence indicators (event/activity-based)
based)
Safety Performance Alert level Target level Safety Performance Alert level Target level
Indicator criteria criteria Indicator criteria criteria
Aerodrome
operator quarterly
Aerodrome
ground __% (e.g. 5%) __% (e.g. 5%)
operator internal Average +
accident/serious Average + 1/2/3 improvement improvement
QMS/SMS annual 1/2/3 SD
incident rate — SD (annual or 2 between each between each
audit LEI % or (annual or 2
involving any yearly reset) annual mean annual mean
findings rate yearly reset)
aircraft (e.g. per 10 rate rate
(findings per audit)
000 ground
movements)
Aerodrome Aerodrome
operator quarterly __% (e.g. 5%) operator quarterly __% (e.g. 5%)
Average +
runway excursion Average + 1/2/3 improvement runway foreign improvement
1/2/3 SD
incident rate — SD (annual or 2 between each object/debris between each
(annual or 2
involving any yearly reset) annual mean hazard report rate annual mean
yearly reset)
aircraft (e.g. per 10 rate (e.g. per 10 000 rate
000 departures) ground movements)
Aerodrome
operator quarterly __% (e.g. 5%) Operator voluntary __% (e.g. 5%)
Average +
runway incursion Average + 1/2/3 improvement hazard report improvement
1/2/3 SD
incident rate — SD (annual or 2 between each rate(per operational between each
(annual or 2
involving any yearly reset) annual mean personnel per annual mean
yearly reset)
aircraft (e.g. per 10 rate quarter) rate
000 departures)
Aerodrome
operator quarterly
aircraft ground
__% (e.g. 5%)
foreign object Average +
improvement
damage incident 1/2/3 SD
between each
report rate — (annual or 2
annual mean
involving damage to yearly reset)
rate
aircraft (e.g. per 10
000 ground
movements)

c) ATS operator

based)
Safety
Alert level Target level Safety Performance Alert level Target level
Performance
criteria criteria Indicator criteria criteria
Indicator
ATS operator
__% (e.g. ATS operator
quarterly FIR __% (e.g. 5%)
Average + 5%) quarterly FIR TCAS RA Average +
serious incident improvement
1/2/3 SD improvemen incident rate — 1/2/3 SD
rate — involving between each
(annual or 2 t between involving any aircraft (annual or 2
any aircraft (e.g. annual mean
yearly reset) each annual (e.g. per 100.000flight yearly reset)
per 100 000 flight rate
mean rate movements)
movements)
Assuming
Assuming the
ATS operator the
historical ATS operator
quarterly FIR historical __% (e.g. 5%)
annual quarterly FIR level Average +
TCAS RA incident annual improvement
average rate bust (LOS) incident 1/2/3 SD
rate — involving average rate between each
is3, the rate — involving any (annual or 2
any aircraft (e.g. is3, the annual mean
possible alert aircraft (e.g. per 100 yearly reset)
per 100.000 flight possible rate
rate could be 000 flight movements)
movements) target rate
5.
could be 2.
ATS operator internal
QMS/SMS annual
audit LEI % or findings Consideration Consideration
rate (findings per
audit)

d) DOA, POA or MRO organisation

based)
Safety
Alert level Target level Safety Performance Alert level Target level
Performance
criteria criteria Indicator criteria criteria
Indicator
MRO/POA __% (e.g. 5%) MRO/POA/DOA
Average +
quarterly rate of improvement internal QMS/SMS
1/2/3 SD
component between each annual audit LEI % Consideration Consideration
(annual or 2
technical annual mean or findings rate
yearly reset)
warranty claims rate (findings per audit)
POA/DOA
MRO/POA/DOA
quarterly rate of
quarterly final
operational
inspection/testing
products which Consideration Consideration Consideration Consideration
failure/rejection
are the subject of
rate (due to internal
ADs)/ASBs (per
quality issues)
product line)
MRO/POA
quarterly rate of MRO/POA/DOA
component voluntary hazard
mandatory/major report rate (per
Consideration Consideration Consideration Consideration
defect reports operational
raised (due to personnel per
internal quality quarter)
issues)

APPENDIX 8: EXAMPLE OF SMS MANUAL CONTENT
1. Document control
Describe how the manual(s) will be kept up to date and how the organisation will ensure that all
personnel involved in safety-related duties have the most current version.
(a) Hard copy or controlled electronic media and distribution list.

(b) The correlation between the SMS manual and other existing manuals such as the maintenance
control manual (MCM) or the operations manual.
(c) The process for periodic review of the manual and its related forms/documents to ensure their
continuing suitability, adequacy and effectiveness.
(d) The manual’s administration, approval and regulatory acceptance process.
Cross-reference documents
Quality manual, engineering manual, etc.
2. SMS regulatory requirements
Address current SMS regulations and guidance material for necessary reference and awareness by all
concerned.
(a) Spell out the current SMS regulations/standards. Include the compliance timeframe and advisory
material references as applicable.
(b) Where appropriate, elaborate on or explain the significance and implications of the regulations to
the organisation.
(c) Establish a correlation with other safety-related requirements or standards where appropriate.
SMS regulation/requirement references, SMS guidance document references, etc.
3. Scope and integration of the Safety Management System
Describe the scope and extent of the organisation’s aviation-related operations and facilities within
which the SMS will apply. The scope of the processes, equipment and operations deemed eligible for the
organisation’s hazard identification and risk management (HIRM) programme should also be addressed.

(a) Spell out the nature of the organisation’s aviation business and its position or role within the
industry as a whole.
(b) Identify the major areas, departments, workshops and facilities of the organisation within which
the SMS will apply.
(c) Identify the major processes, operations and equipment which are deemed eligible for the
organisation’s HIRM programme, especially those which are pertinent to aviation safety. If the
scope of the HIRM-eligible processes, operations and equipment is too detailed or extensive, it
may be controlled under a supplementary document as appropriate.
(d) Where the SMS is expected to be operated or administered across a group of interlinked
organisations or contractors, define and document such integration and associated
accountabilities as applicable.
(e) Where there are other related control/management systems within the organisation, such as
QMS, OSHE and SeMS, identify their relevant integration (where applicable) within the aviation
SMS.
Quality manual, engineering manual, etc
4. Safety policy
Describe the organisation’s intentions, management principles and commitment to improving aviation
safety in terms of the product or Organisation. A safety policy should be a short description similar to a
mission statement.
(a) The safety policy should be appropriate to the size and complexity of the organisation.
(b) The safety policy states the organisation’s intentions, management principles and commitment
to continuous improvement in aviation safety.
(c) The safety policy is approved and signed by the Accountable Manager.
(d) The safety policy is promoted by the Accountable Manager and all other managers.
(e) The safety policy is reviewed periodically.
(f) Personnel at all levels are involved in the establishment and maintenance of the Safety
Management System.
(g) The safety policy is communicated to all employees with the intent that they are made aware of
their individual safety obligations.

OSHE safety policy, etc.
5. Safety objectives
Describe the safety objectives of the organisation. The safety objectives should be a short statement
that describes in broad terms what the organisation hopes to achieve.
Criteria
(a) The safety objectives have been established.

(b) The safety objectives are expressed as a top-level statement describing the organisation’s
commitment to achieving safety.
(c) There is a formal process to develop a coherent set of safety objectives.
(d) The safety objectives are publicized and distributed.
(e) Resources have been allocated for achieving the objectives.
(f) The safety objectives are linked to safety indicators to facilitate monitoring and measurement
where appropriate.
Safety Performance Indicators document, etc.
6. Roles and responsibilities
Describe the safety authorities, responsibilities and accountabilities for personnel involved in the SMS.
(a) The Accountable Manager is responsible for ensuring that the Safety Management System is
properly implemented and is performing to requirements in all areas of the organisation.
(b) An appropriate safety manager (office), safety committee or Safety Action Groups have been
appointed as appropriate.
(c) Safety authorities, responsibilities and accountabilities of personnel at all levels of the
organisation are defined and documented.
(d) All personnel understand their authorities, responsibilities and accountabilities with regard to all
safety management processes, decisions and actions.
(e) An SMS organisational accountabilities diagram is available.

Company exposition manual, SOP manual, administration manual, etc.
7. Safety reporting
A reporting system should include both reactive (accident/incident reports, etc.) and proactive/
predictive (hazard reports). Describe the respective reporting systems. Factors to consider include:
report format, confidentiality, addressees, investigation/evaluation procedures, corrective/ preventive
actions and report dissemination.
Criteria
(a) The organisation has a procedure that provides for the capture of internal occurrences including
accidents, incidents and other occurrences relevant to SMS.
(b) A distinction is to be made between mandatory reports (accidents, serious incidents, major
defects, etc.), which are required to be notified to the GCAA, and other routine occurrence
reports, which remain within the organisation.
(c) There is also a voluntary and confidential hazard/occurrence reporting system, incorporating
appropriate identity/data protection as applicable.
(d) The respective reporting processes are simple, accessible and commensurate with the size of
the organisation.
(e) High-consequence reports and associated recommendations are addressed to and reviewed by
the appropriate level of management.
(f) Reports are collected in an appropriate database to facilitate the necessary analysis.
8. Hazard identification and risk assessment
Describe the hazard identification system and how such data are collated. Describe the process for the
categorization of hazards/risks and their subsequent prioritization for a documented safety assessment.
Describe how the safety assessment process is conducted and how preventive action plans are
implemented.
(a) Identified hazards are evaluated, prioritized and processed for risk assessment as appropriate.
(b) There is a structured process for risk assessment involving the evaluation of severity, likelihood,
tolerability and preventive controls.

(c) Hazard identification and risk assessment procedures focus on aviation safety as their
fundamental context.
(d) The risk assessment process utilizes worksheets, forms or software appropriate to the
complexity of the organisation and operations involved.
(e) Completed safety assessments are approved by the appropriate level of management.
(f) There is a process for evaluating the effectiveness of the corrective, preventive and recovery
measures that have been developed.
(g) There is a process for periodic review of completed safety assessments and documenting their
outcomes.
9. Safety performance monitoring and measurement

Describe the safety performance monitoring and measurement component of the SMS. This includes the
organisation’s SMS Safety Performance Indicators (SPIs).
(a) The formal process to develop and maintain a set of Safety Performance Indicators and their
associated performance targets.
(b) Correlation established between the SPIs and the organisation’s safety objectives where
applicable and the process of regulatory acceptance of the SPIs where required.
(c) The process of monitoring the performance of these SPIs including remedial action procedure
whenever unacceptable or abnormal trends are triggered.
(d) Any other supplementary SMS or safety performance monitoring and measurement criteria or
process.
10. Safety-related investigations and remedial actions
Describe how accidents/incidents/occurrences are investigated and processed within the organisation,
including their correlation with the organisation’s SMS hazard identification and risk management
system.
(a) Procedures to ensure that reported accidents and incidents are investigated internally.
(b) Dissemination of completed investigation reports internally as well as to the CAA as applicable.
(c) A process for ensuring that corrective actions taken or recommended are carried out and for
evaluating their outcomes/effectiveness.
(d) Procedure on disciplinary inquiry and actions associated with investigation report outcomes.

(e) Clearly defined conditions under which punitive disciplinary action would be considered (e.g.
illegal activity, recklessness, gross negligence or wilful misconduct).
(f) A process to ensure that investigations include identification of active failures as well as
contributing factors and hazards.
(g) Investigation procedure and format provides for findings on contributing factors or hazards to be
processed for follow-up action by the organisation’s hazard identification and risk management
system where appropriate.
11. Safety training and communication
Describe the type of SMS and other safety-related training that staff receive and the process for assuring
the effectiveness of the training. Describe how such training procedures are documented.
Describe the safety communication processes/channels within the organisation.
(a) The training syllabus, eligibility and requirements are documented.

(b) There is a validation process that measures the effectiveness of training.
(c) The training includes initial, recurrent and update training, where applicable.
(d) The organisation’s SMS training is part of the organisation’s overall training programme.
(e) SMS awareness is incorporated into the employment or indoctrination programme.
(f) The safety communication processes/channels within the organisation.
12. Continuous improvement and SMS audit
Describe the process for the continuous review and improvement of the SMS.
(a) The process for regular internal audit/review of the organisation’s SMS to ensure its continuing
suitability, adequacy and effectiveness.
(b) Describe any other programmes contributing to continuous improvement of the organisation’s
SMS and safety performance, e.g. MEDA, safety surveys, ISO systems.
13. SMS records management

Describe the method of storing all SMS-related records and documents.
(a) The organisation has an SMS records or archiving system that ensures the retention of all records
generated in conjunction with the implementation and operation of the SMS.
(b) Records to be kept include hazard reports, risk assessment reports, Safety Action Group/safety
meeting notes, Safety Performance Indicator charts, SMS audit reports and SMS training records.
(c) Records should be traceable for all elements of the SMS and be accessible for routine
administration of the SMS as well as internal and external audits purposes.
14. Management of change
Describe the organisation’s process for managing changes that may have an impact on safety risks and
how such processes are integrated with the SMS.
(a) Procedures to ensure that substantial organisational or operational changes take into
consideration any impact which they may have on existing safety risks.
(b) Procedures to ensure that appropriate safety assessment is performed prior to introduction of
new equipment or processes which have safety risk implications.
(c) Procedures for review of existing safety assessments whenever there are changes to the
associated process or equipment.
Company SOP relating to management of change, etc.
15. Emergency/contingency response plan
Describe the organisation’s intentions regarding, and commitment to dealing with, emergency situations
and their corresponding recovery controls. Outline the roles and responsibilities of key personnel. The
Emergency Response Plan can be a separate document or it can be part of the SMS manual.
Criteria (as applicable to the organisation)
(a) The organisation has an emergency plan that outlines the roles and responsibilities in the event
of a major incident, crisis or accident.

(b) There is a notification process that includes an emergency call list and an internal mobilization
process.
(c) The organisation has arrangements with other agencies for aid and the provision of emergency
services as applicable.
(d) The organisation has procedures for emergency mode operations where applicable.
(e) There is a procedure for overseeing the welfare of all affected individuals and for notifying next
of kin.
(f) The organisation has established procedures for handling the media and insurance-related
issues.
(g) There are defined accident investigation responsibilities within the organisation.
(h) The requirement for preservation of evidence, securing the affected area, and mandatory/
governmental reporting is clearly stated.
(i) There is emergency preparedness and response training for affected personnel.
(j) A disabled aircraft or equipment evacuation plan has been developed by the organisation in
consultation with aircraft/equipment owners, aerodrome operators or other agencies as
applicable.
(k) A procedure exists for recording activities during an emergency response.
ERP manual, etc.

APPENDIX 9: SAFETY RISK REGISTER FORM

APPENDIX 10: ROOT CAUSE ANALYSIS (RCA)
1. Introduction
Principles of RCA are closely related to those of risk assessment, particularly in terms of the
thoroughness of the analysis. Both processes consider not simply the person involved in an
issue, but all aspects of the organisation and each individual in that organisation where that
person works. This approach has the premise that human error is a consequence rather than a
deliberate action and, as such, proactive measures and continuous reform of different aspects
of the processes and organization can address latent conditions in the system and increase the
system’s resistance to operational hazards. The term “latent conditions” refers to flawed
procedures or organizational characteristics capable of creating hazards if the right conditions or
actions occur.
Therefore, RCA treats errors as defects in the system rather than in an individual. RCA looks
beyond the symptom to find the organizational defect that permitted an error to occur. The
more thorough the analysis, the greater the likelihood you will uncover why the system
deficiency could occur, and how your organization can respond definitively.
An effective RCA can be as simple as asking and answering a question (five times) about why
something happened. A superficial analysis might have led to disciplinary action against one
individual, which is indicative of a blame culture, and would, most likely, lead to a recurrence of
the same error by a different individual.
2. Considerations for the RCA process
(a) RCA should consider two major areas:
1) Systems analysis plays an increasingly important role because of the increasing

aviation complexity and variety of organisation activities, equipment and
multicultural environment issues. Systems analysis emphasizes a harmonized
approach to an enterprise, including specific written procedures and planning for
all activities, clearly established authority and responsibilities, communications
processes, and methods of measuring results, detecting system errors, and
preventing recurrence. This harmonized approach recognizes the wide range of
interrelated issues that are potentially associated with a problem in the system.
2) Human factors analysis begins with the field organization itself where the
occurrence happens (flight operations, ground operations, training, maintenance,
ATS, etc. Each of those organisations
i. Defines the environment where staff conducts their tasks.
ii. Defines the policies and procedures that staff must follow and respect.

iii. Allocates the resources that staff needs to achieve the safety and production
goals.
(b) Within the field organisation, human factors analysis looks at how their staffs communicate
and perform in the work environment and then seeks to incorporate that knowledge into the
design of equipment, processes, and organisations. This enhances safety and maximizes the
human contribution, partly by designing systems to anticipate the inevitability of human
error. The human factors discipline addresses a wider range of issues affecting how people
interface with technology and the operational system; how people learn about new or
changed equipment, technology, and documentation; and how people adapt to the general
workplace environment.
(c) Any organisation should be aware that knowledge gained from human factors can help to
avoid operational staff errors, ensure that individuals’ initial skill sets match task
requirements, ensure that individuals maintain and improve their skills, and enhance the
work environment.
GCAA expects that any RCA consider a human factors is part of the investigation of individual events
by any personnel designated to respond to safety related occurrences. Otherwise, data reviewed in
a quality assurance process could be incomplete
(d) A proper implementation of RCA, need a suitable and sustainable “Just Culture” environment,
which should discourage the temptation to quick fixes by blaming operational and looking for
corrective actions on unrealistic and unachievable human performance.

(START)
Determine Cause Describe Solution
RCA ANALYSIS
Did tools exist to NO Describe proposed
prevent failure? additional tools.
YES
a. Is an additional
procedure or policy
Did procedure or policy NO necessary?
exist to prevent failure? b. If yes, Describe
proposed additional
procedure or policy
YES
Did employee claim to NO Had employee received NO Describe steps taken to

have knowledge of formal training / information? maintain trained and
procedure or policy? informed workforce
YES
Describe steps taken to

Had employee received NO
provide OJT and
sufficient OJT and feedback
feedback.
regarding job performance?
YES
Had employee received NO Describe steps taken to

communication regarding provide employee
YES procedure or policy changes? communication.
YES
Had employee performed NO Describe steps taken to

function correctly in last 90 establish and maintain
days? employee proficiency.
YES
NO
Was violation done evaluate process to
routinely? identify deficiency
leading to violation.
prevent employee’s disregard
YES
of procedure or policy Describe steps taken to
Was violation done provide necessary
with supervisor’s NO supervisory oversight.
knowledge?
YES Describe steps taken to

prevent employee and
supervisory disregard of
procedure or policy.
APPENDIX 11: EXAMPLE OF BOWTIE MODEL
Definitions related to the BowTie Model:
Threats A possible direct cause that will potentially release a hazard by producing a top event.
Consequences A potential event resulting from the release of a Hazard, which directly results in loss or
damage.
Top Event A point in time which describes the release or loss of control over a Hazard (the undesired
system state).
Hazard: The condition, object or activity with the potential of causing injuries to personnel, damage to
equipment or structures, loss of material or reduction of ability to perform a prescribed function.
Escalation Factors: A condition that leads to increased risk by defeating or reducing the effectiveness of
controls (a control decay mechanism).
Escalation Factor Control: A control that manages the conditions which reduce the effectiveness of
other controls
Threat Barrier: Measures that are considered to reduce the likelihood of the top event to occur.
Recovery Measure: Measures that are considered to reduce the likelihood of the top event developing
into a consequence as well as mitigating the severity of the consequence.

CAR PART X SAFETY MANAGEMENT SYSTEM (SMS) - ISSUE 05-Corrected

Uploaded by

Copyright:

Available Formats

CAR PART X SAFETY MANAGEMENT SYSTEM (SMS) - ISSUE 05-Corrected

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CAR PART X SAFETY MANAGEMENT SYSTEM (SMS) - ISSUE 05-Corrected

Uploaded by

Copyright:

Available Formats

CAR PART X

SAFETY MANAGEMENT SYSTEM (SMS)

UNCONTROLLED COPY WHEN DOWNLOADED

Issue: 05 Page 1 of 63 Issue date: 8th November 2020

Issue: 05 Page 2 of 63 Issue date: 8th November 2020

very minor impact on the concerned organisations.

Issue: 05 Page 3 of 63 Issue date: 8th November 2020

Amendment Source(s) Subject(s) Issue Date

Issue: 05 Page 4 of 63 Issue date: 8th November 2020

- CAR Part IV Operations Regulation (Sections 1 and 3),

- CAR Part VIII Air Navigation Regulations,

- CAR Part IX Aerodrome Regulations.

2. FRAMEWORK FOR SMS

Issue: 05 Page 5 of 63 Issue date: 8th November 2020

2.1 SAFETY POLICY AND OBJECTIVES

2.1.1 Management Commitment and responsibilities

The organisation shall define its safety policy which shall:

(a) reflect organisational commitment regarding safety;

Issue: 05 Page 6 of 63 Issue date: 8th November 2020

(e) be signed by the Accountable Manager;

(f) be communicated, with visible endorsement throughout the organisation;

Just and Safety culture concept is explained in APPENDIX 2.

2.1.2 Safety accountabilities

The organisation shall:

Issue: 05 Page 7 of 63 Issue date: 8th November 2020

(a) communication and promotion of the safety policy;

2.1.3 Appointment of key safety personnel

The Post Holder SMS shall be accepted by the GCAA.

Issue: 05 Page 8 of 63 Issue date: 8th November 2020

GM to AMC to 2.1.3.1 (j)

Issue: 05 Page 9 of 63 Issue date: 8th November 2020

(a) safety/quality management experience;

Issue: 05 Page 10 of 63 Issue date: 8th November 2020

2.1.4 Coordination of emergency response planning

The ERP should also:

Issue: 05 Page 11 of 63 Issue date: 8th November 2020

APPENDIX 5 provides guidelines for typical contents of an ERP manual.

2.1.5 SMS Documentation

Issue: 05 Page 12 of 63 Issue date: 8th November 2020

APPENDIX 8 provides an example of typical contents of an SMS manual.

Issue: 05 Page 13 of 63 Issue date: 8th November 2020

2.2 SAFETY RISK MANAGEMENT

2.2.1 Hazard Identification

Hazards should be identified through proactive methodologies or as a result of accident or incident

Issue: 05 Page 14 of 63 Issue date: 8th November 2020

1) normal operation monitoring schemes ;

(b) External data sources for hazard identification may include:

1) industry accident reports;

(a) design factors, including equipment and task design;

Issue: 05 Page 15 of 63 Issue date: 8th November 2020

2.2.2 Safety Risk Assessment and Mitigations

1) Development and proposal of the corrective action.

3) Who will implement the corrective action.

4) How the responsible person will implement the corrective action.

5) When the corrective action completion due date is.

Issue: 05 Page 16 of 63 Issue date: 8th November 2020

Issue: 05 Page 17 of 63 Issue date: 8th November 2020

2.3 SAFETY ASSURANCE