SAFETY MANAGEMENT SYSTEM (SMS)

FRAMEWORK
For:

AVIATION SERVICE PROVIDERS

(For use by aviation service providers participating in the Safety Management System Pilot Project (SMSPP) and for voluntary implementation of Safety Management Systems)

Federal Aviation Administration Flight Standards Service - SMS Program Office

Revision 1 February 6, 2009

This page intentionally left blank.

FAA: SMS Framework Table of Contents

1. 2. 3. Introduction: Background ................................................................................................... 1 Purpose of This Framework ................................................................................................ 2 Scope and Applicability........................................................................................................ 2 3.1 Scope............................................................................................................................... 2 3.2 Applicability ................................................................................................................... 2 References.............................................................................................................................. 2 Definitions.............................................................................................................................. 4 5.1 Terms and Acronyms...................................................................................................... 4 5.2 Process Outputs............................................................................................................. 10 5.3 Safety Risk Management Process Flow........................................................................ 12 5.4 Safety Assurance Process Flow .................................................................................... 13 Functional Expectations ..................................................................................................... 15 6.1 SMS Framework Structure ........................................................................................... 15 6.2 SMS System Expectations ............................................................................................ 15

4. 5.

6.

Component 1.0 Safety Policy and Objectives ........................................................................... 17 Element 1.1 Safety Policy......................................................................................................... 18 Element 1.2 Management Commitment and Safety Accountabilities ...................................... 19 Element 1.3 Key Safety Personnel............................................................................................ 19 Element 1.4 Emergency Preparedness and Response............................................................... 20 Element 1.5 SMS Documentation and Records........................................................................ 20 Component 2.0 Safety Risk Management (SRM) .................................................................... 22 Element 2.1 Hazard Identification and Analysis ...................................................................... 23 Process 2.1.1 System and Task Analysis............................................................................... 23 Process 2.1.2 Identify Hazards ............................................................................................. 23 Element 2.2 Risk Assessment and Control ............................................................................... 23 Process 2.2.1 Analyze Safety Risk......................................................................................... 23 Process 2.2.3 Control/Mitigate Safety Risk .......................................................................... 24 Component 3.0 Safety Assurance .............................................................................................. 26 Element 3.1 Safety Performance Monitoring and Measurement.............................................. 26 Process 3.1.1 Continuous Monitoring .................................................................................. 26 Process 3.1.2 Internal Audits by Operational Departments................................................. 27 Process 3.1.3 Internal Evaluation ........................................................................................ 28 Process 3.1.4 External Auditing of the SMS ......................................................................... 29 Process 3.1.5 Investigation ................................................................................................... 29 Process 3.1.6 Employee Reporting and Feedback System. .................................................. 29 i

FAA: SMS Framework

Process 3.1.7 Analysis of Data. ............................................................................................ 30 Process 3.1.8 System Assessment.......................................................................................... 30 Process 3.1.9 Preventive/Corrective Action. ........................................................................ 31 Process 3.1.10 Management Review. ................................................................................... 31 Element 3.2 Management of Change........................................................................................ 32 Element 3.3 Continual Improvement........................................................................................ 32 Component 4.0 Safety Promotion.............................................................................................. 33 Element 4.1 Competencies and Training .................................................................................. 33 Process 4.1.1 Personnel Expectations (Competence)........................................................... 33 Process 4.1.2 Training.......................................................................................................... 33 Element 4.2 Communication and Awareness ........................................................................... 34

ii

FAA: SMS Framework AVIATION SERVICE PROVIDER SAFETY MANAGEMENT SYSTEM (SMS) FRAMEWORK 1. Introduction: Background
One of the key objectives of the Office of the Associate Administrator for Aviation Safety (AVS) and of the Flight Standards Service (AFS) is to produce a system of expectations, guidance, and tools that allow aviation service providers to develop and implement corporatelevel safety management systems (SMSs) across multiple types of business and FAA certificates. AVS and AFS seek to minimize the need for multiple management systems in companies that must, due to the nature of their businesses, interact with multiple regulatory authorities. A functional framework consisting of a set of requirements for SMS processes was originally developed and published as Appendix 1 to AC 120-92. The elements of that process were considered to be essential to development and implementation of an effective, comprehensive SMS for an aviation service providers organization. This revised SMS framework, based on the original expression of expectations, as been reorganized to address the issues outlined below. AVS and AFS have conducted and continue to conduct, extensive dialogue with our domestic industry constituents as well as with foreign authorities and businesses who have FAA-issued certificates and other authorizations. The structure of the framework for aviation service providers reflects four key issues: 1. To provide aviation service providers in industry with a standardized set of concepts, documents, and tools for voluntary development and implementation of safety management systems; 2. To bring SMS standards for implementation of safety management systems into conformance with AVS policy in FAA Order VS 8000.367, appendix B; 3. To align the structure and format of Flight Standards documents and tools with the ICAO SMS frameworks, and; 4. To produce a set of documentation and tools that are internally mapped in a manner that is easier to use than the first generation of tools. Except for changes in titles and a small number of changes to text, which were necessitated to align with the requirements in FAA Order VS 8000.367, the expectations in this document are unchanged from original guidance. However, they have been restructured to align with the structure of the ICAO Frameworks. Consequently, some text has been moved from the original placement. To provide clearer understanding, components, elements and processes are defined in terms of functional expectations, i.e., those characteristics that would be expected to be incorporated in a robust SMS. Functional expectations are further defined in terms of performance objectives and design expectations to better align with current system safety and ATOS models. 1

FAA: SMS Framework 2. Purpose of This Framework

To provide a uniform framework for voluntary SMS development and implementation by aviation service providers.

3. Scope and Applicability

3.1 Scope
This Framework introduces the concept of a safety management system (SMS) to aviation service providers (for example, airlines, air taxi operators, corporate flight departments, and pilot schools). 1. This Framework provides guidance for SMS development by aviation service providers. 2. This Framework is not mandatory and does not constitute a regulation. Development and implementation of an SMS is voluntary. While the Federal Aviation Administration (FAA) encourages each aviation service provider to develop and implement an SMS, these systems in no way substitute for regulatory compliance of other certificate requirements, where applicable. 3.2 Applicability This Framework is applicable to both certificated and non-certificated air operators that desire to develop and implement an SMS. An SMS is not currently required for U.S. certificate holders. However, the FAA views the objectives and expectations in this Framework to be a minimum level of development for an efficient and functional SMS implemented by an aviation service provider. 1. This Framework describes the objectives and expectations for a product/service providers Safety Management System (SMS) in the air transportation system. 2. This framework is intended to address aviation safety related operational and support processes and activities rather than occupational safety, environmental protection, or customer service quality. 3. Operators and service providers are responsible for the safety of services or products contracted to or purchased from other organizations. 4. This document establishes the minimum objectives and expectations; service provides may establish additional or more stringent requirements for their organization.

4. References
This Framework is in accordance with the following documents, as revised: Annex 6 to the Convention on International Civil Aviation, Operation of Aircraft International Civil Aviation Organization (ICAO) Document 9859, ICAO Safety Management Manual (SMM) 2

FAA: SMS Framework

ICAO Document 9734, Safety Oversight Manual FAA Order VS 8000.369, Safety Management System Guidance FAA Order VS 8000.367, Aviation Safety (AVS) Safety Management System Requirements

FAA: SMS Framework 5. Definitions

5.1 Terms and Acronyms
Accident an unplanned event or series of events that results in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. Analysis the process of identifying a question or issue to be addressed, modeling the issue, investigating model results, interpreting the results, and possibly making a recommendation. Analysis typically involves using scientific or mathematical methods for evaluation. Assessment process of measuring or judging the value or level of something. Attributes - System Attributes are present in any well defined organization and apply to an effective SMS. While the six system attributes were first applied with Air Transportation Oversight System fielding, there are conceptual differences when applied to SMS, as discussed below: Responsibility and Authority: Management and individual employee accountability and, therefore, responsibility and authority are fundamental to management of safety. These concepts are integrated into the SMS Framework. Specifically, element 1.2 establishes expectations for top management, other management officials, and all employees of the organization. Element 1.3 establishes a special requirement for a person of responsibility to oversee SMS development, implementation, and operation. It should be noted that this person does not bear the principal responsibility for safety management. The managers of the line operational functions, from middle management to frontline managers and supervisors, manage the operations in which risk is incurred. These managers and supervisors are, therefore, the owners of the SMS. For each process, the provisions of element 1.2, which defines responsibilities for aviation safety activities, applies to all components, elements, and processes. It is, therefore, expected that responsibility and authority be defined and documented for each of these areas. Procedures - The design expectations that are noted as procedures derive directly from the detailed SMS framework. Procedures are simply documented activities to accomplish processes e.g. a way to perform a process. The organization should specify their own procedures for accomplishing their processes in the context of their unique operational environment, organizational structure, and management objectives. Controls - Organizational process controls are typically defined in terms of special procedures, supervisory and management practices and processes. Many controls are inherent features of the SMS framework. Such practices as continuous monitoring, internal audits, internal evaluations, and management reviews (all parts of the safety assurance component) are identified as controls within the design expectations. 4

FAA: SMS Framework

Additionally, other practices such as documentation, process reviews, and data tracking are identified as controls within specific elements and processes. Process Measures - A fundamental principle of safety assurance is that fundamental processes be measured so that management can be data-driven. The general expectations for Component 1, Policy, specify that SMS outputs be measured and analyzed. These measurements and analyses are accomplished in Component 3, Safety Assurance. Outputs of each process should, therefore, be identified during Component 3 activities. For example, these outputs should be the subjects of continuous monitoring, internal audits and internal evaluation. Interfaces in Safety Risk Management and Safety Assurance - Safety Risk Management (SRM) and Safety Assurance (SA) are the key processes of the SMS. They are also highly interactive. The interface attribute concerns the input-output relationships between the activities in the processes. This is especially important where interfaces between processes involve interactions between different departments, contractors, etc. Assessments of these relationships should pay special attention to flow of authority, responsibility and communication, as well as procedures and documentation.

Audit scheduled, formal reviews and verifications to evaluate compliance with policy, standards, and/or contractual requirements. The starting point for an audit is the management and operations of the organization, and it moves outward to the organization's activities and products/services. Internal audit an audit conducted by, or on behalf of, the organization being audited. External audit an audit conducted by an entity outside of the organization being audited.

Aviation system the functional operation/production system used by the service provider to produce the product/service (see Figure 1). Complete nothing has been omitted and the attributes stated are essential and appropriate to the level of detail. Conformity Fulfillment of a requirement (ref. ISO 9000-2000). This includes but is not limited to compliance with Federal regulations. It also includes company requirements, requirements of operator developed risk controls or operator specified policies and procedures. Continuous monitoring uninterrupted watchfulness over the system. Corrective action action to eliminate or mitigate the cause or reduce the effects of a detected nonconformity or other undesirable situation. Correct accurately reflects the item with an absence of ambiguity or error in its attributes. Documentation information or meaningful data and its supporting medium (e.g., paper, electronic, etc.). In this context it is distinct from records because it is the written description of policies, processes, procedures, objectives, requirements, authorities, responsibilities, or work instructions.

FAA: SMS Framework

Evaluation [ref. AC 120-59A] a functionally independent review of company policies, procedures, and systems. If accomplished by the company itself, the evaluation should be done by an element of the company other than the one performing the function being evaluated. The evaluation process builds on the concepts of auditing and inspection. An evaluation is an anticipatory process, and is designed to identify and correct potential findings before they occur. An evaluation is synonymous with the term systems audit. Hazard any existing or potential condition that can lead to injury, illness, or death to people; damage to or loss of a system, equipment, or property; or damage to the environment. A hazard is a condition that is a prerequisite to an accident or incident. Incident a near miss episode with minor consequences that could have resulted in greater loss. An unplanned event that could have resulted in an accident, or did result in minor damage, and indicates the existence of, though may not define, a hazard or hazardous condition. Lessons learned knowledge or understanding gained by experience, which may be positive, such as a successful test or mission, or negative, such as a mishap or failure. Lessons learned should be developed from information obtained from within, as well as outside of, the organization and/or industry. Likelihood the estimated probability or frequency, in quantitative or qualitative terms, of an occurrence related to the hazard. Line management management structure that operates the aviation system. Nonconformity non-fulfillment of a requirement (ref. ISO 9000-2000). This includes but is not limited to noncompliance with Federal regulations. It also includes company requirements, requirements of operator developed risk controls or operator specified policies and procedures. Objective - The desired state or performance target of a process. Usually is the final state of a process and contains the results and outputs used to obtain the objective. Operational life cycle period of time spanning from implementation of a product/service until it is no longer in use. Outputs The product of an SMS process, which is capable of being recorded, monitored, measured, and analyzed. Outputs are the minimum expectation for the content of each process area and the input for the next process in succession. Each of the outputs of a process should have a method of measurement specified by the service provider. Measures need not be quantitative where this is not practical, however some method of providing objective evidence of the attainment of the expectation is expected. The individual outputs of a process are the content of the measures. The table of SMS Outputs is at Figure 1, at the end of this definitions section. Oversight a function that ensures the effective promulgation and implementation of the safetyrelated standards, requirements, regulations, and associated procedures. Safety oversight also ensures that the acceptable level of safety risk is not exceeded in the air transportation system. Safety oversight in the context of the safety management system will be conducted via oversights safety management system (SMS-O).

FAA: SMS Framework

Preventive action action to eliminate or mitigate the cause or reduce the effects of a potential nonconformity or other undesirable situation. Procedure specified way to carry out an activity or a process. Process set of interrelated or interacting activities, which transforms inputs into outputs. Process Measures - Refer to Attributes (Process Measures). Product/service anything that might satisfy a want or need, which is offered in, or can be purchased in, the air transportation system. In this context, administrative or licensing fees paid to the government do not constitute a purchase. Product/service provider any entity that offers or sells a product/service to satisfy a want or need in the air transportation system. In this context, administrative or licensing fees paid to the government do not constitute a purchase. Examples of product/service providers include: aircraft and aircraft parts manufacturers; aircraft operators; maintainers of aircraft, avionics, and air traffic control equipment; educators in the air transportation system; etc. (Note: any entity that is a direct consumer of air navigation services and or operates in the U.S. airspace is included in this classification; examples include: general aviation, military aviation, and public use aircraft operators.) Records evidence of results achieved or activities performed. In this context it is distinct from documentation because records are the documentation of SMS outputs. Residual safety risk the remaining safety risk that exists after all control techniques have been implemented or exhausted, and all controls have been verified. Only verified controls can be used for the assessment of residual safety risk. Risk The composite of predicted severity and likelihood of the potential effect of a hazard in the worst credible system state. Risk Control refers to steps taken to eliminate hazards of to mitigate their effects by reducing severity and/or likelihood of risk associated with those hazards. Safety Assurance SMS process management functions that systematically provide confidence that organizational products/services meet or exceed safety requirements. The Safety Assurance flow diagram (below) is annotated with the Framework element/process numbers and some other notes. They will aid the user to visualize the Framework in terms of a process flow with attending interfaces and perhaps more clearly understand the Component/Element/Process expectations. The flow diagram of Safety Assurance is at Figure 2, at the end of this definitions section. Safety culture the product of individual and group values, attitudes, competencies, and patterns of behavior that determine the commitment to, and the style and proficiency of, the organization's management of safety. Organizations with a positive safety culture are characterized by communications founded on mutual trust, by shared perceptions of the importance of safety, and by confidence in the efficacy of preventive measures. Safety Management System (SMS) the formal, top-down business-like approach to managing safety risk. It includes systematic procedures, practices, and policies for the management of 7

FAA: SMS Framework

safety (as described in this document it includes safety risk management, safety policy, safety assurance, and safety promotion). Product/Service Provider Safety Management System (SMS-P) the SMS owned and operated by a product/service provider. Oversight Safety Management System (SMS-O) the SMS owned and operated by an oversight entity.
17

Safety objectives. something sought or aimed for, related to safety. NOTE 1: Safety objectives are generally based on the organizations safety policy. NOTE 2: Safety objectives are generally specified for relevant functions and levels in the organization.
18

Safety planning part of safety management focused on setting safety objectives and specifying necessary operational processes and related resources to fulfill the quality objectives. Safety risk the composite of predicted severity and likelihood of the potential effect of a hazard. Safety risk control anything that reduces or mitigates the safety risk of a hazard. Safety risk controls must be written in requirements language, measurable, and monitored to ensure effectiveness. Safety Risk Management (SRM) a formal process within the SMS composed of describing the system, identifying the hazards, assessing the risk, analyzing the risk, and controlling the risk. The SRM process is embedded in the processes used to provide the product/service; it is not a separate/distinct process. The flow diagram of Safety Risk Management is at Figure 3, at the end of this definitions section. Safety promotion a combination of safety culture, training, and data sharing activities that support the implementation and operation of an SMS in an organization Separate Aviation Maintenance Service providers - This pertains to independent maintenance organizations, such as, but not limited to, certificated repair stations, non-certificated repair facilities, etc. This does not pertain to an air operators maintenance organization (it is not intended to duplicate 1.0 B) 1) a) 3) of an Air Operators organization). Severity the consequence or impact of a hazard in terms of degree of loss or harm. Substitute risk risk unintentionally created as a consequence of safety risk control(s). System an integrated set of constituent elements that are combined in an operational or support environment to accomplish a defined objective. These elements include people, hardware, software, firmware, information, procedures, facilities, services, and other support facets. System Attributes - See Attributes. Top Management (ref. ISO 9000-2000 definition 3.2.7) the person or group of people who directs and controls an organization.

FAA: SMS Framework

________________________
17 18

Adapted from definition 3.2.5 in ISO 9000-2000 for quality objectives. Adapted from definition 3.2.9 in ISO 9000-2000 for quality planning.

FAA: SMS Framework

5.2 Process Outputs

The table below lists SMS outputs for each process, as identified in the SMS Framework. Table 1. SMS Process Outputs
Process Reference Output Expectation Component 2.0 - Safety Risk Management 2.1.1 System/Task Analysis 2.1.1(B)(1) 2.0(B)(2)(a) 2.0(B)(2)(b) 2.0(B)(2)(d) 2.1.2 Hazard Identification 2.1.2(B)(1)b) 2.1.2(B)(2)(a) 2.2.1 Risk Analysis 2.2.2 Risk Assessment 2.2.3 Risk Control 2.2.1(B)(1)(c) 2.2.2(B)(1) 2.2.3(B)(1) System Descriptions for following situations:

Initial designs of systems, organizational procedures, and products Development of operational procedures Planned Changes

Hazards documented Hazards tracked Assignment of severity and likelihood for each hazard (as documented in 2.1.2) Assessment of acceptability of each risk (as documented in 2.1.2) Risk control/mitigation plans for each hazard with unacceptable risk (as assessed in 2.2.2)

Component 3.0 - Safety Assurance 3.1.1 Continuous Monitoring 3.1.2 Internal Audit 3.1.1 3.1.2(B)(5)(b)(1) 3.1.2(B)(5)(b)(3) & (4) 3.1.3 Internal Evaluation 3.1.3(B)(3)(d)(2)(a) .1.3(B)(3)(d)(2) (c) & (d) 3.1.4 External Evaluation 3.1.5 Investigations 3.1.4 3.1.5(B)(1) 3.1.5(B)(1)(a) 3.1.5(B)(1)(b) 3.1.5(B)(1)(c) Objective evidence of monitoring activities IAW company policy Plans Reports/Records Plans Reports/Records Objective evidence of audit findings of external audits (e.g. IOSA, IS-BAO, ACSF, CASE, FAA) Data collected (e.g. records, reports) for investigations of: Incidents Accidents Regulatory violations (e.g. VDRP records)

10

FAA: SMS Framework

Process 3.1.6 Employee Reporting System (ERS) Reference 3.1.6(B)(1) Output Expectation Evidence of system (e.g. report file, log, database)

3.1.6(B)3) 3.1.6(B)(4) 3.1.7 Analysis of Data 3.1.7(B) 3.1.7(B)(1) 3.1.8 System Assessment 3.1.9 Preventive/Corrective Action 3.1.8(B)(4) 3.1.9(B)(1)

Evidence of monitoring of ERS data for hazards Evidence of analysis of ERS data Objective evidence of analysis processes for each data type Records of system assessments Corrective action plans

3.1.9(B)(5) 3.1.10 Management Review 3.1.10(B)(1)

Records of disposition and status of corrective actions Objective evidence of management reviews (e.g. minutes, log)

Component 4.0 - Safety Promotion 4.1.1 Competency Requirements 4.1.2 Training 4.1.1(B)(1) 4.1.2(B)(1) 4.1.2(B)(3) 4.1.2(B)(4) Documented competency requirements IAW 1.2 (B)(3) & 1.3(B)(1) Plans/requirements Records Reviews

11

FAA: SMS Framework

5.3 Safety Risk Management Process Flow
The Safety Risk Management flow diagram (below) is annotated with the Framework element/process numbers and other notes. They will aid the operator and service provider to visualize the Framework in terms of a process flow with attending interfaces and perhaps more clearly understand the Component/Element/Process expectations.

Start

2 .1 H az a rd ID & A n aly s is
Inputs : 2.0 Safe ty Ris k M anage m en t, (B) (2) (a), (b) & (d) Ne w Sy ste m Sy ste m C hang e Ne w Opera tiona l Proc edure (2.1.1) Inputs : 2.0 Safe ty Ris k Man age m en t, (B) (2) (c) Also fro m SA: 3.1.8 (B) (3) (2.1.2)

System Ana lysis

(D esign)

H azard Identif ication

2 .2 R is k A s s e s s m e n t & Co n tro l
Risk Ana lysis
(2.2.1) Evaluate C ontrols 2.2.3 C ontro l/ Mi tiga te Safe ty Risk, (B) (2) & (3)

Risk Ass ess m ent

(2.2.2)

O utpu ts: To 3.0 S afe ty Assuranc e, (B) (1) (b)

Risk C ontrol
(2.2.3)

Figure 1. Safety Risk Management Process Flow Diagram

12

FAA: SMS Framework

5.4 Safety Assurance Process Flow
Inputs: From SRM 2.2.2 (B) & 2.2.3 (B) (2) (b), into SA: 3.0 (B) (1) (b)

System Operation

3.1 Performance Monitor & Measure

Data Acquisition Process

3.1.1 Continuous Monitoring 3.1.2 Internal Audits 3.1.3 Internal Evaluation 3.1.4 External Evaluation 3.1.5 Investigations 3.1.6 Employee Reporting

Analysis

3.1.7 Analysis of Data

System Assessment

Outputs: 3.1.8 System Assessment, (B) (3), into Safety Risk Management 2.0 (B) (2) (c) 3.1.8 System Assessment 3.1.10 Management Review

Corrective Action

3.1.9 Preventative/Corrective Action

Note: Each data source should be traceable through Analysis (3.1.7 (B) (1)), Assessment (3.1.8 (B) (1), and Corrective Action (3.1.9 (B) (1), where necessary.

Figure 2. Safety Assurance Flow Diagram 13

FAA: SMS Framework

This page intentionally left blank.

14

FAA: SMS Framework 6. Functional Expectations

6.1 SMS Framework Structure
The SMS Framework is broken down into components, elements and processes. The component and elements are based on the ICAO SMS Framework. Elements in the Safety Risk Management and Safety Assurance Components are further broken down into Processes.

6.2 SMS System Expectations

This section lays out characteristics that are expected of a robust SMS. They are called functional expectations because they describe the what, not the how of each process. Service Providers are expected to develop processes to meet these expectations, but fit their unique business and management models. Expectations are further defined in terms of performance objectives and design expectations. Performance Objectives: These statements represent the objective outcomes of the particular element or process under evaluation. Design Expectations: Based on the SMS Framework, these expectations represent characteristics of the system that, if properly implemented should provide the system outcomes identified in the performance objectives.

15

FAA: SMS Framework

This page intentionally left blank.

16

FAA: SMS Framework

Component 1.0 Safety Policy and Objectives

A) Performance Objectives: The service provider will 1) Develop and implement an integrated, comprehensive, SMS for its entire organization. 2) Incorporate a procedure to identify and maintain compliance with current safety related, regulatory, and other requirements. B) General Design Expectations: 1) Safety management will be included in the complete scope and life cycle of the product/service providers systems including: a) For Air Operators: (1) Flight operations; (2) Operational Control (Dispatch/flight following); (3) Maintenance and inspection; (4) Cabin safety; (5) Ground handling and servicing; (6) Cargo handling; and (7) Training. b) For separate Aviation Maintenance Service providers: (1) Parts/Materials; (2) Resource Management (Tools & Equipment, Personnel, and Facilities); (3) Technical Data; (4) Maintenance and Inspection; (5) Quality Control; (6) Records Management; (7) Contract Maintenance; and (8) Training. 2) SMS processes will be: a) Documented; b) Monitored; c) Measured; and 17

FAA: SMS Framework

d) Analyzed. 3) SMS outputs will be: a) Recorded; b) Monitored; c) Measured; and d) Analyzed. 4) It is expected that: a) The service provider will promote the growth of a positive safety culture (described under Component 4, B); b) If the service provider has a quality policy, Top Management will ensure that the quality policy is consistent with the SMS; c) The SMS will incorporate a means of compliance with legal and regulatory requirements; d) The service provider will establish and maintain a procedure to identify current legal and regulatory requirements applicable to the SMS; e) The service provider will develop and maintain procedures with measurable criteria to accomplish the objectives of the safety policy 1 ; and f) The service provider will establish and maintain supervisory and operational controls to ensure procedures are followed for safety-related operations and activities. g) The service provider will establish and maintain a safety management plan to describe methods for achieving the safety objectives laid down in its safety policy.

Element 1.1 Safety Policy

A) Performance Objective: Top Management will define the service providers safety policy and convey the expectations and objectives to its employees. B) Design Expectations: 1) Top management will define the service providers safety policy. 2) The safety policy will: a) Include a commitment to implement an SMS; b) Include a commitment to continually improvement in the level of safety; c) Include a commitment to the management of safety risk;
1

Measures are not expected for each procedural step. However, measures and criteria should be of sufficient depth and level of detail to ascertain and track accomplishment of objectives. Criteria and measures can be expressed in either quantitative or qualitative terms.

18

FAA: SMS Framework

d) Include a commitment to comply with applicable regulatory requirements; and e) Include a commitment to encourage employees to report safety issues without reprisal (as per Process 3.1.6); f) Establish clear standards for acceptable behavior; g) Provide management guidance for setting safety objectives; h) Provide management guidance for reviewing safety objectives; i) Be documented; j) Be communicated with visible management endorsement to all employees and responsible parties; k) Be reviewed periodically to ensure it remains relevant and appropriate to the organization; and l) Identify responsibility of management and employees with respect to safety performance.

Element 1.2 Management Commitment and Safety Accountabilities

A) Performance Objective: The service provider will define, document, and communicate the roles, responsibilities, and authorities regarding safety throughout its organization. B) Design Expectations: 1) Top management will have the ultimate responsibility for the SMS. 2) Top management will provide resources essential to implement and maintain the SMS. 3) Aviation safety-related positions, responsibilities, and authorities will be: a) Defined; b) Documented; and c) Communicated throughout the organization. 4) The organization will define levels of management that can make safety risk acceptance decisions.

Element 1.3 Key Safety Personnel

A) Performance Objective: Each service provider will appoint a management representative to manage, monitor and coordinate the SMS processes. B) Design Expectations: 1) Top management will appoint a member of management who, irrespective of other responsibilities, will have responsibilities and authority that includes: 19

FAA: SMS Framework

a) Ensuring that processes needed for the SMS are established, implemented and maintained; b) Reporting to top management on the performance of the SMS and the need for improvement; and c) Ensuring the promotion of awareness of safety expectations throughout the organization.

Element 1.4 Emergency Preparedness and Response

A) Performance Objective: The service provider will develop and implement procedures that it will follow in the event of an accident or incident to mitigate the effects of these events. B) Design Expectations: The service provider will establish procedures to: 1) Identify the potential for accidents and incidents; 2) Coordinate and plan the organizations response to accidents and incidents; and 3) Execute periodic exercises of the organizations response.

Element 1.5 SMS Documentation and Records

A) Performance Objectives: The service provider will have documented safety policies; objectives, procedures, a document/record management process and a safety management plan that meet organizational safety expectations and objectives. B) Design Expectations: 1) The service provider will establish and maintain information, in paper or electronic form, to describe: a) Safety policies; b) Safety objectives; c) SMS expectations; d) Safety procedures and processes; e) Responsibilities and authorities for safety-related procedures and processes; f) Interaction/interfaces between the safety-related procedures and processes; and g) SMS outputs. 2) The service provider will maintain their safety management plan in accordance with the objectives and expectations contained within this element (1.5). 3) Documentation Management a) Documentation will be:

20

FAA: SMS Framework

(1) Legible; (2) Dated (with dates of revisions); (3) Readily identifiable; (4) Maintained in an orderly manner; and (5) Retained for a specified period of time as determined by the service provider. b) The service provider will establish and maintain procedures for controlling all documents required by this Framework to ensure that: (1) They can be located; (2) They are periodically: (a) Reviewed, (b) Revised as necessary, and (c) Approved for adequacy by authorized personnel. c) The current versions of relevant documents are available at all locations where operations essential to the effective functioning of the SMS are performed; and d) Obsolete documents are promptly removed from all points of use or otherwise assured against unintended use. 4) Records Management a) For SMS records, the service provider will establish and maintain procedures for their: (1) Identification; (2) Maintenance; and (3) Disposition. b) SMS records will be: (1) Legible; (2) Identifiable; and (3) Traceable to the activity involved. c) SMS records will be maintained in such a way that they are: (1) Readily retrievable; and (2) Protected against: (a) Damage, (b) Deterioration, or (c) Loss. d) Record retention times will be documented.

21

FAA: SMS Framework Component 2.0 Safety Risk Management (SRM)

A) Performance Objective: The service provider will develop processes to understand the critical characteristics of its systems and operational environment and apply this knowledge to the identification of hazards, risk decision-making, and the design of risk controls. B) General Design Expectations: 1) Safety Risk Management (SRM) will, at a minimum, include the following processes: a) System and task analysis; b) Hazard Identification; c) Safety Risk Analysis; d) Safety Risk Assessment; and e) Safety Risk Control and Mitigation. 2) The SRM process will be applied to: a) Initial designs of systems, organizations, and/or products; b) The development of operational procedures; c) Hazards that are identified in the safety assurance functions (described in Component 3.0, B); and d) Planned changes to the operational processes. 3) The service provider will establish feedback loops between assurance functions described in Process 3.1.1, B to evaluate the effectiveness of safety risk controls. 4) The Service provider will define a process for risk acceptance that: a) Defines acceptable and unacceptable levels of safety risk. b) Establishes descriptions for: (1) Severity levels, and (2) Likelihood levels. c) The service provider will define specific levels of management that can make safety risk acceptance decisions. d) The service provider will define acceptable risk for hazards that will exist in the short-term while safety risk control/mitigation plans are developed and executed.

22

FAA: SMS Framework

Element 2.1 Hazard Identification and Analysis Process 2.1.1 System and Task Analysis
A) Performance Objective: The service provider will analyze its systems, operations, and operational environment to gain an understanding of critical design and performance factors, processes, and activities to identify hazards. B) Design Expectations: 1) System and task descriptions will be developed to the level of detail necessary to: a) Identify hazards, b) Develop operational procedures, and, c) Develop and implement risk controls.

Process 2.1.2 Identify Hazards

A) Performance Objective: The service provider will identify and document the hazards in its operations that are likely to cause death, serious physical harm or damage to equipment or property in sufficient detail to determine associated risk and determine acceptability. B) Design Expectations: 1) Hazards will be: a) Identified for the entire scope of the system, as defined in the system description2 ; and b) Documented. 2) Hazard information will be: a) Tracked, and b) Managed through the entire SRM process.

Element 2.2 Risk Assessment and Control Process 2.2.1 Analyze Safety Risk
A) Performance Objective: The service provider will determine and analyze the severity and likelihood of potential events associated with identified hazards and identied factors associated with unacceptable levels of severity or likelihood.
2

While it is recognized that identification of every conceivable hazard is impractical, operators are expected to exercise due diligence in identifying and controlling significant and reasonably foreseeable hazards related to their operations.

23

FAA: SMS Framework

B) Design Expectations: 1) The safety risk analysis process will include: a) Existing safety risk controls; b) Triggering mechanisms; and; c) Safety risk of reasonably likely outcomes from the existence of a hazard, to include estimation of the: (1) Likelihood; and (2) Severity. (3) Risk likelihood and severity may be expressed in quantitative or qualitative terms.

Process 2.2.2 Assess Safety Risk

A) Performance Objective: The service provider will assess each identified hazard and define risk acceptance procedures and levels of management that can make safety risk acceptance decisions. B) Design Expectations: Each hazard will be assessed for its safety risk acceptability using the safety risk acceptance process described in Component 2.0 B) 4).

Process 2.2.3 Control/Mitigate Safety Risk

A) Performance Objective: The service provider will design and implement a risk control for each identified hazard for which there is an unacceptable risk to reduce the potential for death, serious physical harm, or damage to equipment or property to acceptable levels. For each Risk Control the residual or substitute risk will be analyzed before implementation.

24

FAA: SMS Framework

B) Design Expectations: 1) Safety control/mitigation plans will be defined for each hazard with unacceptable risk. 2) Safety risk controls will be: a) Clearly described; b) Evaluated to ensure that the expectations have been met; c) Ready to be used in the operational environment for which they are intended; and d) Documented. 3) Substitute risk will be evaluated in the creation of safety risk controls/mitigations.

25

FAA: SMS Framework Component 3.0 Safety Assurance

A) Performance Objective: The service provider will monitor, measure, and evaluate the performance and effectiveness of risk controls. B) General Design Expectations: 1) The service provider will monitor their systems and operations to: a) Identify new hazards; b) Measure the effectiveness of safety risk controls; and c) Ensure compliance with regulatory requirements. d) The safety assurance function will be based upon a comprehensive system description as described in Section 2.1.1. 2) The service provider will collect the data necessary to demonstrate the effectiveness of the organizations: a) Operational processes; and b) The SMS.

Element 3.1 Safety Performance Monitoring and Measurement Process 3.1.1 Continuous Monitoring
A) Performance Objective: The service provider will monitor operational data, including products and services received from contractors, to identify hazards, measure the effectiveness of safety risk controls, and assess system performance. B) Design Expectations: 1) The service provider will monitor operational data (e.g., duty logs, crew reports, work cards, process sheets, and reports from the employee safety feedback system specified in Process 3.1.6) to: a) Determine conformity with safety risk controls (described in Process 2.2.3); b) Measure the effectiveness of safety risk controls (described in Process 2.2.3); c) Assess system performance; and d) Identify hazards. 2) The service provider will monitor products and services received from subcontractors.

26

FAA: SMS Framework

Process 3.1.2 Internal Audits by Operational Departments

A) Performance Objective: The service provider will perform regularly scheduled internal audits of operational processes, including those performed by contractors, to determine the performance and effectiveness of risk controls. B) Design Expectations: 1) Line management of operational departments will ensure that regular internal audits of safety-related functions of the organizations operational processes (production system) are conducted. This obligation will extend to any subcontractors that they may use to accomplish those functions. (Note: The Internal Audit is a primary means of output measurement under Component 1.0, B, 3) c) and 4) e)). 2) Line management will ensure that regular audits are conducted to: a) Determine conformity with safety risk controls; and b) Assess performance of safety risk controls. 3) Planning of the audits program will take into account: a) Safety criticality of the processes to be audited; and b) The results of previous audits. 4) The organization will define: a) Audits, including: (1) Criteria, (2) Scope, (3) Frequency, and (4) Methods. b) The processes used to select the auditors; c) The requirement that auditors will not audit their own work; 5) Documented procedures, which include: a) The responsibilities; and b) Expectations for: (1) Planning audits; (2) Conducting audits; (3) Reporting results; (4) Maintaining records; and (5) Audits of contractors and vendors.

27

FAA: SMS Framework

Process 3.1.3 Internal Evaluation

A) Performance Objective: The service provider will conduct, at planned intervals, internal evaluations of the SMS and operational processes, to determine that the SMS conforms to its objectives and expectations. B) Design Expectations: 1) The service provider will conduct internal evaluations of the operational processes and the SMS at planned intervals to determine that the SMS conforms to objectives and expectations (Note: Sampling of SMS output measurement is a primary control under Component 1.0, B, 3) c) and 4) e)). 2) Planning of the evaluation program will take into account: a) Safety criticality of processes to be evaluated; and b) The results of previous evaluations. 3) The organization will define: a) Evaluations, including: (1) Criteria; (2) Scope; (3) Frequency; and (4) Methods; b) The processes used to select the evaluators; c) Documented procedures, which include: (1) The responsibilities, and (2) Requirements for: (a) Planning evaluations; (b) Conducting evaluations; (c) Reporting results; and (d) Maintaining records. (e) Evaluations of contractors and vendors. 4) The program will include an evaluation of the programs described in Component 1.0, B), 1). 5) The person or organization performing evaluations of operational departments must be functionally independent of the department being evaluated.

28

FAA: SMS Framework

Process 3.1.4 External Auditing of the SMS

A) Performance Objective: The service provider will include the results of assessments performed by oversight organizations in its analysis of data. B) Design Expectations: The service provider will include the results of oversight organization assessments in the analyses conducted as described in Process 3.1.7.

Process 3.1.5 Investigation

A) Performance Objective: The service provider will establish procedures to collect data and investigate incidents, accidents and instances of potential regulatory non-compliance that occur to identify potential new hazards or failures of risk controls. B) Design Expectations: 1) The service provider will collect data on: a) Incidents; b) Accidents; and c) Potential regulatory non-compliance. 2) The service provider will establish procedures to: a) Investigate accidents; b) Investigate incidents; and c) Investigate instances of potential regulatory non-compliance.

Process 3.1.6 Employee Reporting and Feedback System.

A) Performance Objective: The service provider will establish and maintain a confidential employee safety reporting and feedback system. Data obtained from this system will be monitored to identify emerging hazards and to assess performance of risk controls in the operational systems. B) Design Expectations: 1) The service provider will establish and maintain a confidential employee safety reporting and feedback system as in Component 4.0 B) 1) e). 2) Employees will be encouraged to use the safety reporting and feedback system without fear of reprisal and where possible, encourage submission of solutions /safety improvements. 3) Data from the safety reporting and feedback system will be monitored to identify emerging hazards.

29

FAA: SMS Framework

4) Data collected in the safety reporting and feedback system will be included in analyses described in Process 3.1.7.

Process 3.1.7 Analysis of Data.

A) Performance Objective: The service provider will analyze the data described in Processes 3.1.1 through 3.1.6, to assess the performance and effectiveness of risk controls in the organizations operational processes and the SMS and to identify root causes of deficiencies and potential new hazards. B) Design Expectations: 1) The service provider will analyze the data described in Processes 3.1.1 through 3.1.6 to demonstrate the effectiveness of: a) Risk controls in the organizations operational processes, and b) The SMS. 2) Through data analysis, the service provider will evaluate where improvements can be made to the organizations: a) Operational processes, and b) SMS.

Process 3.1.8 System Assessment.

A) Performance Objective: The service provider will perform an assessment of the performance and effectiveness of risk controls, conformance to SMS expectations as stated herein and the objectives of the safety policy. B) Design Expectations: 1) The service provider will assess the performance of: a) Safety-related functions of operational processes against their objectives and expectations, and b) The SMS against its objective and expectations. 2) System assessments will document results that indicate a finding of: a) Conformity with existing safety risk control(s)/ SMS expectations(s) (including regulatory requirements); b) Nonconformity with existing safety risk control(s)/ SMS expectations(s) (including regulatory requirements); and c) New hazard(s) found. 3) The SRM process will be utilized if the assessment indicates: a) The identification of new hazards; or 30

FAA: SMS Framework

b) The need for system changes. 4) The service provider will maintain records of assessments in accordance with the expectations of Element 1.5.

Process 3.1.9 Preventive/Corrective Action.

A) Performance Objective: The service provider will take corrective and preventive action to eliminate the causes of nonconformance identified during analysis to prevent recurrence. B) Design Expectations: 1) The service provider will develop: a) Corrective actions for identified nonconformities with risk controls; and b) Preventive actions for identified potential nonconformities with risk controls. 2) Safety lessons learned will be considered in the development of: a) Corrective actions; and b) Preventive actions. 3) The service provider will take necessary corrective and preventive action based on the findings of investigations. 4) The service provider will prioritize and implement corrective and preventative action(s) in a timely manner. 5) Records will be kept and maintained of the disposition and status of corrective and preventive actions.

Process 3.1.10 Management Review.

A) Performance Objective: Top management will conduct regular reviews of the SMS including outputs of safety risk management, safety assurance, and lessons learned. Management reviews will include assessing the performance and effectiveness of an organizations operational processes and the need for improvements. B) Design Expectations: 1) Top management will conduct regular reviews of the SMS, including: a) The outputs of SRM (Component 2.0); b) The outputs of safety assurance (Component 3.0); and c) Lessons learned (Element 3.3, B, 2).

31

FAA: SMS Framework

2) Management reviews will include assessing the need for improvements to the organizations: a) Operational processes; and b) SMS.

Element 3.2 Management of Change

A) Performance Objective: The service providers management will identify and determine acceptable safety risk for changes within the organization which may affect established processes and services by new system design, changes to existing system designs, new operations/procedures or modified operations/procedures. B) Design Expectations: 1) The following will not be implemented until the safety risk of each identified hazard is determined to be acceptable in: a) New system designs; b) Changes to existing system designs; c) New operations/procedures; and d) Modified operations/procedures. 2) The SRM process will not preclude the service provider from taking interim immediate action to mitigate existing safety risk.

Element 3.3 Continual Improvement

A) Performance Objective: The service provider will promote continual improvement of its SMS through continuous application of Safety Risk Management (Component 2.0), Safety Assurance (Component 3.0) and by using safety lessons learned and communicating them to all personnel. B) Design Expectations: 1) The service provider will continuously improve the effectiveness of the SMS and of safety risk controls through the use of the safety and quality policies, objectives, audit and evaluation results, analysis of data, corrective and preventive actions, and management reviews. 2) The service provider will develop safety lessons learned. a) Lessons learned information will be used to promote continuous improvement of safety. b) The service provider will communicate information on safety lessons learned.

32

FAA: SMS Framework Component 4.0 Safety Promotion

A) Performance Objective: Top Management will promote the growth of a positive safety culture and communicate it through out the organization. B) General Design Expectations: 1) Top management will promote the growth of a positive safety culture through: a) Publication of senior managements stated commitment to safety to all employees; b) Visible demonstration of their commitment to the SMS; c) Communication of the safety responsibilities for the organizations personnel; d) Clear and regular communication of safety policy, goals, objectives, standards, and performance to all employees of the service provider; e) An effective employee reporting and feedback system that provides confidentiality as is necessary; f) Use of a safety information system that provides an accessible efficient means to retrieve information; and g) Allocation of resources essential to implement and maintain the SMS.

Element 4.1 Competencies and Training

Process 4.1.1 Personnel Expectations (Competence)
A) Performance Objective: The service provider will: 1) Document competency requirements for those positions identified in Element 1.2 B) 3) & 1.3 and ensure those requirements are met. B) Design Expectations: 1) The service provider will determine and document competency requirements for those positions identified in Element 1.2 B) 3) & 1.3. 2) The service provider will ensure that those individuals in the positions identified in Element 1.2 B) 3) & 1.3, meet the Process 4.1.1 B) 1) competency requirements.

Process 4.1.2 Training

A) Performance Objective: The service provider will be responsible for developing, delivering and documenting training necessary to meet to meet competency requirements of 4.1.1 B) 1).

33

FAA: SMS Framework

B) Design Expectations: 1) Training necessary to meet competency requirements of 4.1.1 B) 1) will be developed for those individuals in the positions identified in Element 1.2 B) 3) & 1.3. 2) Training development will consider scope, content, and frequency of training required to maintain competency for those individuals in the positions identified in Element 1.2 B) 3) & 1.3. 3) Employees will receive training commensurate with their: a) Position level within the organization; and b) Impact on the safety of the organizations products or services. 4) To ensure training currency, it will be periodically: a) Reviewed; and b) Updated.

Element 4.2 Communication and Awareness

A) Performance Objective: Top Management will communicate the output of its SMS to its employees, and provide access to SMS outputs to its oversight organization in accordance with established agreements and disclosure programs. B) Design Expectations: 1) The service provider will communicate outputs of the SMS to its employees. 2) The service provider will provide access to the outputs of the SMS to its oversight organization. 3) The service providers SMS will be able to interoperate with other organizations SMSs to manage cooperatively issues of mutual concern.

34