-

E D
CIVIL AVIATION GUIDANCE MATERIAL – 1902
LL
SAFETY
O
TR

MANAGEMENT
N
O

SYSTEM
C
N
-U

(SMS)

CIVIL AVIATION AUTHORITY OF MALAYSIA

ISSUE 01
REVI SI ON 00 – 17 T H DECEM BER 2021
 -
E D
LL
INTENTIONALLY LEFT BLANK
O
TR
N
O
C
N
-U
 Introduction

Introduction
This Civil Aviation Guidance Material 1902 (CAGM – 1902) is issued by the Civil Aviation
Authority of Malaysia (CAAM) to provide guidance for Safety Management System (SMS),
pursuant to Civil Aviation Directives 19 – Safety Management (CAD 19 – Safety Management).

Service providers may use these guidelines to demonstrate compliance with the provisions of
the relevant CAD’s issued. Notwithstanding Regulation 167 of the Malaysian Civil Aviation
Regulations 2016 (MCAR) 2016 and Regulation 15 of Civil Aviation (Aerodrome Operations)
Regulations 2016, when the CAGMs issued by the CAAM are used, the related requirements
of the CAD’s are considered as met, and further demonstration may not be required.

-
E D
LL
O
TR

(Captain Chester Voo Chee Soon)

N

Chief Executive Officer

Civil Aviation Authority of Malaysia
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 3

 Introduction

Civil Aviation Guidance Material Components and Editorial practices

This Civil Aviation Guidance Material is made up of the following components and are defined as
follows:

Standards: Usually preceded by words such as “shall” or “must”, are any specification for
physical characteristics, configuration, performance, personnel or procedure, where uniform
application is necessary for the safety or regularity of air navigation and to which Operators must
conform. In the event of impossibility of compliance, notification to the CAAM is compulsory.

Recommended Practices: Usually preceded by the words such as “should” or “may”, are any
specification for physical characteristics, configuration, performance, personnel or procedure,
where the uniform application is desirable in the interest of safety, regularity or efficiency of air
navigation, and to which Operators will endeavour to conform.

Appendices: Material grouped separately for convenience but forms part of the Standards and
Recommended Practices stipulated by the CAAM.

-
D
Definitions: Terms used in the Standards and Recommended Practices which are not self-
explanatory in that they do not have accepted dictionary meanings. A definition does not have

E
an independent status but is an essential part of each Standard and Recommended Practice in
which the term is used, since a change in the meaning of the term would affect the specification.
LL
Tables and Figures: These add to or illustrate a Standard or Recommended Practice and which
are referred to therein, form part of the associated Standard or Recommended Practice and have
O
the same status.
TR

Notes: Included in the text, where appropriate, Notes give factual information or references
bearing on the Standards or Recommended Practices in question but not constituting part of the
Standards or Recommended Practices;
N

Attachments: Material supplementary to the Standards and Recommended Practices or

O

included as a guide to their application.

C

It is to be noted that some Standards in this Civil Aviation Guidance Material incorporates, by
reference, other specifications having the status of Recommended Practices. In such cases, the
N

text of the Recommended Practice becomes part of the Standard.

-U

The units of measurement used in this document are in accordance with the International System
of Units (SI) as specified in CAD 5. Where CAD 5 permits the use of non-SI alternative units,
these are shown in parentheses following the basic units. Where two sets of units are quoted it
must not be assumed that the pairs of values are equal and interchangeable. It may, however,
be inferred that an equivalent level of safety is achieved when either set of units is used
exclusively.

Any reference to a portion of this document, which is identified by a number and/or title, includes
all subdivisions of that portion.

Throughout this Civil Aviation Guidance Material, the use of the male gender should be
understood to include male and female persons.

Issue 01/Rev 00 CAGM 1902 – SMS 4

 Record of Revisions

Record of Revisions
Revisions to this CAGM shall be made by authorised personnel only. After inserting the
revision, enter the required data in the revision sheet below. The ‘Initials’ has to be signed off
by the personnel responsible for the change.

ISS/REV Revision Date Revision Details Initials

No.

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 5

 Record of Revisions

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 6

 Summary of Changes

Summary of Changes
ISS/REV no. Item no. Revision Details

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 7

 Summary of Changes

-
E D
LL
O
INTENTIONALLY LEFT BLANK
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 8

 Table of Contents

Table of Contents
1 APPLICATION ..................................................................................................................... 1-1
2 SMS FRAMEWORK ............................................................................................................. 2-1
3 COMPONENT 1: SAFETY POLICY AND OBJECTIVES ............................................................... 3-1
4 COMPONENT 2: SAFETY RISK MANAGEMENT ..................................................................... 4-1
5 COMPONENT 3: SAFETY ASSURANCE .................................................................................. 5-1
6 COMPONENT 4: SAFETY PROMOTION ................................................................................ 6-1
7 IMPLEMENTATION PLANNING ........................................................................................... 7-1
8 SAFETY RISK MANAGEMENT .............................................................................................. 8-1
9 HAZARD TAXONOMIES ...................................................................................................... 9-1

-
10 SAFETY PERFORMANCE INDICATORS AND SAFETY PERFORMANCE TARGETS ................. 10-1

D
11 APPENDICES ................................................................................................................ 11-1
11.1 APPENDIX 1 – APPLICATION FORM FOR ACCEPTANCE OF SAFETY MANAGEMENT SYSTEM AND NOMINATION

E
OF SAFETY MANAGER (CAAM/SMS/1902-00) ..................................................................................... 11-1

LL
11.2 APPENDIX 2 – GUIDANCE ON THE DEVELOPMENT OF AN SMS MANUAL .......................................... 11-3
11.3 APPENDIX 3 – JOB DESCRIPTION FOR A SAFETY MANAGER .......................................................... 11-17
11.4 APPENDIX 4 – SMS GAP ANALYSIS CHECKLIST AND IMPLEMENTATION PLAN .................................. 11-21
O
11.5 APPENDIX 5 – SMS INITIAL ACCEPTANCE CHECKLIST (CAAM/SMS/1902-02) ............................. 11-25
11.6 APPENDIX 6 – SMS MATURITY CHECKLIST (CAAM/SMS/1902-03) ........................................... 11-27
TR

11.7 APPENDIX 7 – EXAMPLES OF HAZARD TAXONOMIES ................................................................... 11-29

11.8 APPENDIX 8 – MALAYSIA SAFETY PERFORMANCE INDICATORS ..................................................... 11-43
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 9

 Table of Contents

-
E D
LL
O
INTENTIONALLY LEFT BLANK
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10

 Chapter 1 – Application

1 Application

1.1 The purpose of an SMS is to provide service providers with a systematic approach to
managing safety. It is designed to continuously improve safety performance through:
the identification of hazards, the collection and analysis of safety data and safety
information, and the continuous assessment of safety risks. The SMS seeks to
proactively mitigate safety risks before they result in aviation accidents and incidents.
It allows service providers to effectively manage their activities, safety performance
and resources, while gaining a greater understanding of their contribution to aviation
safety. An effective SMS demonstrates to the CAAM the service provider’s ability to
manage safety risks and provides for effective management of safety at the State
level.

1.2 Pursuant to Regulation 167(2) of Civil Aviation Regulations (MCAR) 2016, a safety

-
management system shall be made acceptable to—

D
a) in the case of an air traffic service provider, the Secretary General of the Minister

E
of Transport; and

b)
LL
in the case of as service provider other than air traffic service provider, the
CAAM.
O
1.3 Pursuant to Regulation 15 of Civil Aviation (Aerodrome Operations) Regulations
2016, an aerodrome operator who maintains or operates a Category 1 or 3
TR

aerodrome shall establish a safety management system and shall ensure that the
safety management system is maintained, implemented and complied with.
N

1.4 Applicant for the initial acceptance of SMS and nomination of safety manager shall
submit to CAAM—
O

a) Application form CAAM/SMS/1902-00 (refer to Appendix 1);

C

b) SMS manual (refer to Appendix 2 for guidance on the development of an SMS

N

manual);
-U

c) SMS Gap Analysis Checklist CAAM/SMS/1902-01 and Implementation Plan

(refer to Appendix 4);

d) Initial SMS Acceptance Checklist CAAM/SMS/1902-02 (refer to Appendix 5); and

e) Proposed Safety Performance Indicators (SPIs) and Safety Performance

Targets (SPTs).

1.5 For the purpose of the continuation of SMS acceptance, the service provider shall be
subjected to periodic surveillance and inspection by CAAM. The service provider shall
conduct a self-assessment using SMS Maturity Checklist CAAM/SMS/1902-03 (refer
to Appendix 6).

Issue 01/Rev 00 CAGM 1902 – SMS 1-1

 Chapter 1 – Application

-
E D
LL
O
INTENTIONALLY LEFT BLANK
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 1-2

 Chapter 2 – SMS Framework

2 SMS Framework

2.1 CAD - 19 specifies the framework for the implementation and maintenance of an
SMS. Regardless of the service provider’s size and complexity, all elements of the
SMS framework apply. The implementation should be tailored to the organisation and
its activities.

2.2 The SMS framework is made up of the following four components and twelve
elements as shown in Table 2-1 below:

COMPONENT ELEMENT
1. Safety policy and 1.1 Management commitment
objectives
1.2 Safety accountability and responsibilities

-
D
1.3 Appointment of key safety personnel
1.4 Coordination of emergency response planning

2. Safety risk management
3. Safety assurance
TR
E
1.5 SMS documentation
LL
2.1 Hazard identification
O
2.2 Safety risk assessment and mitigation
3.1 Safety performance monitoring and

measurement
3.2 The management of change
N

3.3 Continuous improvement of the SMS

O

4. Safety promotion 4.1 Training and education

4.2 Safety communication
C
N

Table 2-1: Components and elements of the SMS framework

-U

Issue 01/Rev 00 CAGM 1902 – SMS 2-1

 Chapter 2 – SMS Framework

-
E D
LL
O
INTENTIONALLY LEFT BLANK
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 2-2

 Chapter 3 – Component 1: Safety Policy and Objectives

3 Component 1: Safety Policy and Objectives

3.1 The first component of the SMS framework focuses on creating an environment
where safety management can be effective. It is founded on a safety policy and
objectives that set out senior management’s commitment to safety, its goals and
the supporting organisational structure.

3.2 Management commitment and safety leadership is key to the implementation of

an effective SMS and is asserted through the safety policy and the establishment
of safety objectives. Management commitment to safety is demonstrated through
management decision-making and allocation of resources; these decisions and
actions should always be consistent with the safety policy and objectives to
cultivate a positive safety culture.

3.3 The safety policy should be developed and endorsed by senior management, and

-
D
is to be signed by the accountable executive. Key safety personnel, and where
appropriate, staff representative bodies (employee forums, trade unions) should

E
be consulted in the development of the safety policy and safety objectives to
promote a sense of shared responsibility.

3.4 Management commitment

LL
O
Safety policy
TR

3.4.1 The safety policy should be visibly endorsed by senior management and the
accountable executive. “Visible endorsement” refers to making management’s
active support of the safety policy visible to the rest of the organisation. This
N

can be done via any means of communication and through the alignment of
activities to the safety policy.
O

3.4.2 It is the responsibility of management to communicate the safety policy

C

throughout the organisation to ensure all personnel understand and work in

accordance with the safety policy.
N

3.4.3 To reflect the organisation’s commitment to safety, the safety policy should
-U

include a commitment to:

a) continuously improve the level of safety performance;

b) promote and maintain a positive safety culture within the organisation;

c) comply with all applicable regulatory requirements;

d) provide the necessary resources to deliver a safe product or service;

e) ensure safety is a primary responsibility of all managers; and

f) ensure it is understood, implemented and maintained at all levels.

3.4.4 The safety policy should also make reference to the safety reporting system
to encourage the reporting of safety issues and inform personnel of the

Issue 01/Rev 00 CAGM 1902 – SMS 3-1

 Chapter 3 – Component 1: Safety Policy and Objectives
disciplinary policy applied in the case of safety events or safety issues that are
reported.

3.4.5 The disciplinary policy is used to determine whether an error or rule breaking
has occurred so that the service providers can establish whether any
disciplinary action should be taken. To ensure the fair treatment of persons
involved, it is essential that those responsible for making that determination
have the necessary technical expertise so that the context of the event may
be fully considered.

3.4.6 A policy on the protection of safety data and safety information, as well as
reporters, can have a positive effect on the reporting culture. The service
provider should establish policy and procedures for de-identification and
aggregation of reports to allow meaningful safety analyses to be conducted
without having to implicate personnel or specific service providers.

-
D
Safety objectives

E
3.4.7 Taking into consideration its safety policy, the service provider should also

LL
establish safety objectives to define what it aims to achieve in respect of safety
outcomes. Safety objectives should be short, high-level statements of the
service provider’s safety priorities and should address its most significant
O
safety risks. Safety objectives may be included in the safety policy (or
TR

documented separately), and defines what the service provider intends to

achieve in terms of safety. Safety performance indicators (SPIs) and safety
performance targets (SPTs) are needed to monitor the achievement of these
N

safety objectives and are further elaborated on later in Chapter 5 of this

CAGM.
O

3.4.8 The safety policy and safety objectives should be periodically reviewed to
C

ensure they remain current (a change in the accountable executive would

require its review for instance).
N
-U

3.5 Safety accountability and responsibilities

Accountable executive

3.5.1 The accountable executive, typically the chief executive officer, is the person
who has ultimate authority over the safe operation of the organisation. The
accountable executive establishes and promotes the safety policy and safety
objectives that instil safety as a core organisational value. The accountable
executive should: have the authority to make decisions on behalf of the
organisation, have control of resources, both financial and human, be
responsible for ensuring appropriate actions are taken to address safety
issues and safety risks, and they should be responsible for responding to
accidents and incidents.

Issue 01/Rev 00 CAGM 1902 – SMS 3-2

 Chapter 3 – Component 1: Safety Policy and Objectives
3.5.2 There might be challenges for the service provider to identify the most
appropriate person to be the accountable executive, especially in large
complex organisations with multiple entities and multiple certificates,
authorisations or approvals. It is important the person selected is
organisationally situated at the highest level of the organisation, thus ensuring
the right strategic safety decisions are made.

3.5.3 The service provider is required to identify the accountable executive, placing
the responsibility for the overall safety performance at a level in the
organisation with the authority to take action to ensure the SMS is effective.
Specific safety accountabilities of all members of management should be
defined and their role in relation to the SMS should reflect how they can
contribute towards a positive safety culture. The safety responsibilities,
accountabilities and authorities should be documented and communicated
throughout the organisation. The safety accountabilities of managers should

-
D
include the allocation of the human, technical, financial or other resources
necessary for the effective and efficient performance of the SMS.

E
Note. — The term “accountability” refers to obligations which cannot be delegated.
LL
The term “responsibilities” refers to functions and activities which may be
delegated.
O
3.5.4 In the case where an SMS applies to several different certificates,
authorisations or approvals that are all part of the same legal entity, there
TR

should be a single accountable executive. Where this is not possible, individual

accountable executives should be identified for each organisational certificate,
authorisation or approval and clear lines of accountability defined; it is also
N

important to identify how their safety accountabilities will be coordinated.

O

3.5.5 One of the most effective ways the accountable executive can be visibly
C

involved, is by leading regular executive safety meetings. As they are

ultimately responsible for the safety of the organisation, being actively involved
N

in these meetings allows the accountable executive to:

-U

a) review safety objectives;

b) monitor safety performance and the achievement of safety targets;

c) make timely safety decisions;

d) allocate appropriate resources;

e) hold managers accountable for safety responsibilities, performance and

implementation timelines; and

f) be seen by all personnel as an executive who is interested in, and in charge

of, safety.

3.5.6 The accountable executive is not usually involved in the day-to-day activities
of the organisation or the problems faced in the workplace and should ensure

Issue 01/Rev 00 CAGM 1902 – SMS 3-3

 Chapter 3 – Component 1: Safety Policy and Objectives
there is an appropriate organisational structure to manage and operate the
SMS. Safety management responsibility is often delegated to the senior
management team and other key safety personnel. Although responsibility for
the day-to-day operation of the SMS can be delegated, the accountable
executive cannot delegate accountability for the system nor can decisions
regarding safety risks be delegated. For example, the following safety
accountabilities cannot be delegated:

a) ensuring safety policies are appropriate and communicated;

b) ensuring necessary allocation of resources (financing, personnel, training,

acquisition); and

c) setting of the acceptable safety risk limits and resourcing of necessary

controls.

-
3.5.7 It is appropriate for the accountable executive to have the following safety

D
accountabilities:

E
a) provide enough financial and human resources for the proper implementation

b)
of an effective SMS;

promote a positive safety culture;

LL
O
c) establish and promote the safety policy;
TR

d) establish the organisation’s safety objectives;

e) ensure the SMS is properly implemented and performing to requirements; and

N

f) see to the continuous improvement of the SMS.

O

3.5.8 The accountable executive’s authorities include, but are not limited to, having
final authority:
C

a) for the resolution of all safety issues; and

N

b) over operations under the certificate, authorisation or approval of the

-U

organisation, including the authority to stop the operation or activity.

3.5.9 The authority to make decisions regarding safety risk tolerability should be defined.
This includes who can make decisions on the acceptability of risks as well as the
authority to agree that a change can be implemented. The authority may be
assigned to an individual, a management position or a committee.

3.5.10 Authority to make safety risk tolerability decisions should be commensurate with
the manager's general decision-making and resource allocation authority. A lower-
level manager (or management group) may be authorised to make tolerability
decisions up to a certain level. Risk levels that exceed the manager's authority
must be escalated for consideration to a higher management level with greater
authority.

Issue 01/Rev 00 CAGM 1902 – SMS 3-4

 Chapter 3 – Component 1: Safety Policy and Objectives
Accountability and responsibilities

3.5.11 Accountabilities and responsibilities of all personnel, management and staff,

involved in safety-related duties supporting the delivery of safe products and
operations should be clearly defined. The safety responsibilities should focus on
the staff member's contribution to the safety performance of the organisation (the
organisational safety outcomes). The management of safety is a core function; as
such every senior manager has a degree of involvement in the operation of the
SMS.

3.5.12 All defined accountabilities, responsibilities and authorities should be stated in the
service provider’s SMS documentation and should be communicated throughout
the organisation. The safety accountabilities and responsibilities of each senior
manager are integral components of their job descriptions. This should also
capture the different safety management functions between line managers and the

-
D
safety manager (see 3.6 for further details).

E
3.5.13 Lines of safety accountability throughout the organisation and how they are
defined will depend on the type and complexity of the organisation, and their
LL
preferred communication methods. Typically, the safety accountabilities and
responsibilities will be reflected in organisational charts, documents defining
O
departmental responsibilities, and personnel job or role descriptions.
TR

3.5.14 The service provider should aim to avoid conflicts of interest between staff
members’ safety responsibilities and their other organisational responsibilities.
The service providers should allocate their SMS accountabilities and
N

responsibilities, in a way that minimises any overlaps and/or gaps.

O

Accountability and responsibilities and in respect to external organisations

C

3.5.15 A service provider is responsible for the safety performance of external

N

organisations where there is an SMS interface. The service provider may be held
accountable for the safety performance of products or services provided by
-U

external organisations supporting its activities even if the external organisations

are not required to have an SMS. It is essential for the service provider’s SMS to
interface with the safety systems of any external organisations that contribute to
the safe delivery of their product or services.

3.6 Appointment of key safety personnel

3.6.1 Appointment of a competent person or persons by the service provider to fulfil the
role of safety manager is essential to an effectively implemented and functioning
SMS. The safety manager may be identified by different titles. For the purposes of
this CAGM, the generic term “safety manager” is used and refers to the function,
not necessarily to the individual. The person carrying out the safety manager
function is responsible to the accountable executive for the performance of the
SMS and for the delivery of safety services to the other departments in the

Issue 01/Rev 00 CAGM 1902 – SMS 3-5

 Chapter 3 – Component 1: Safety Policy and Objectives
organisation. The nomination of a safety manager shall be subject to the
acceptance by CAAM.

3.6.2 The safety manager advises the accountable executive and line managers on
safety management matters, and is responsible for coordinating and
communicating safety issues within the organisation as well as with external
members of the aviation community. Functions of the safety manager include, but
are not limited to:

a) manage the SMS implementation plan on behalf of the accountable executive

(upon initial implementation);

b) perform/facilitate hazard identification and safety risk analysis;

c) monitor corrective actions and evaluate their results;

-
d) provide periodic reports on the organisation’s safety performance;

D
e) maintain SMS documentation and records;

E
f) plan and facilitate staff safety training;

g)

h)
LL
provide independent advice on safety matters;

monitor safety concerns in the aviation industry and their perceived impact on
O
the organisation’s operations aimed at product and service delivery; and
TR

i) coordinate and communicate (on behalf of the accountable executive) with

the CAAM on issues relating to safety.
N

3.6.3 The safety manager advises the accountable executive and line managers on
safety management matters, and is responsible for coordinating and
O

communicating safety issues within the organisation as well as with external

members of the aviation community. Functions of the safety manager include, but
C

are not limited to:

N

a) competition for funding (e.g. financial manager being the safety manager);
-U

b) conflicting priorities for resources; and

c) where the safety manager has an operational role and the ability to assess
the SMS effectiveness of the operational activities the safety manager is
involved in.

3.6.4 In cases where the function is allocated to a group of persons, (e.g. when service
providers extend their SMS across multiple activities) one of the persons should
be designated as “lead” safety manager, to maintain a direct and unequivocal
reporting line to the accountable executive.

3.6.5 The competencies for a safety manager should include, but not be limited to, the
following:
a) safety/ quality management experience;

Issue 01/Rev 00 CAGM 1902 – SMS 3-6

 Chapter 3 – Component 1: Safety Policy and Objectives
b) operational experience related to the product or service provided by the
service providers;

c) technical background to understand the systems that support operations or

the product/service provided;

d) interpersonal skills;

e) analytical and problem-solving skills;

f) project management skills;

g) oral and written communications skills; and

h) an understanding of human factors.

Note. — Detailed job description for a safety manager is specified in Appendix 3
of this CAGM.

-
D
3.6.6 Depending on the size, nature and complexity of the organisation, additional staff
may support the safety manager. The safety manager and supporting staff are

E
responsible for ensuring the prompt collection and analysis of safety data and
LL
appropriate distribution within the organisation of related safety information such
that safety risk decisions and controls, as necessary, can be made.
O
3.6.7 Service providers should establish appropriate safety committees that support the
TR

SMS functions across the organisation. This should include determining who
should be involved in the safety committee and frequency of the meetings.

3.6.8 The highest-level safety committee, sometimes referred to as a safety review

N

board (SRB), includes the accountable executive and senior managers with the
O

safety manager participating in an advisory capacity. The SRB is strategic and

deals with high-level issues related to safety policies, resource allocation and
C

organisational performance. The SRB monitors the:

N

a) effectiveness of the SMS;

-U

b) timely response in implementing necessary safety risk control actions;

c) safety performance against the organisation’s safety policy and objectives;

d) overall effectiveness of safety risk mitigation strategies;

e) effectiveness of the organisation’s safety management processes which

support:

1) the declared organisational priority of safety management; and

2) promotion of safety across the organisation.

3.6.9 Once a strategic direction has been developed by the highest-level safety
committee, implementation of safety strategies should be coordinated throughout
the organisation. This may be accomplished by creating safety action groups
(SAGs) that are more operationally focused. SAGs are normally composed of

Issue 01/Rev 00 CAGM 1902 – SMS 3-7

 Chapter 3 – Component 1: Safety Policy and Objectives
managers and front-line personnel and are chaired by a designated manager.
SAGs are tactical entities that deal with specific implementation issues in
accordance with the strategies developed by the SRB. The SAGs:

a) monitor operational safety performance within their functional areas of the

organisation and ensure that appropriate SRM activities are carried out;

b) review available safety data and identify the implementation of appropriate

safety risk control strategies and ensure employee feedback is provided;

c) assess the safety impact related to the introduction of operational changes or

new technologies;

d) coordinate the implementation of any actions related to safety risk controls

and ensure that actions are taken promptly; and

e) review the effectiveness of specific safety risk controls.

-
D
3.7 Coordination of emergency response planning

E
3.7.1 By definition, an emergency is a sudden, unplanned situation or event requiring
LL
immediate action. Coordination of emergency response planning refers to
planning for activities that take place within a limited period of time during an
O
unplanned aviation operational emergency situation. An emergency response plan
(ERP) is an integral component of a service provider’s SRM process to address
TR

aviation-related emergencies, crises or events. Where there is a possibility of a

service provider’s aviation operations or activities being compromised by
emergencies such as a public health emergency/pandemic, these scenarios
N

should also be addressed in its ERP as appropriate. The ERP should address
foreseeable emergencies as identified through the SMS and include mitigating
O

actions, processes and controls to effectively manage aviation-related

emergencies.
C
N

3.7.2 The overall objective of the ERP is the safe continuation of operations and the
return to normal operations as soon as possible. This should ensure an orderly
-U

and efficient transition from normal to emergency operations, including

assignment of emergency responsibilities and delegation of authority. It includes
the period of time required to re-establish “normal” operations following the
emergency. The ERP identifies actions to be taken by responsible personnel
during an emergency. Most emergencies will require coordinated action between
different organisations, possibly with other service providers and with other
external organisations such as non-aviation-related emergency services. The ERP
should be easily accessible to the appropriate key personnel as well as to the
coordinating external organisations.

3.7.3 Coordination of emergency response planning applies only to those service

providers required to establish and maintain an ERP. This coordination should be
exercised as part of the periodic testing of the ERP.

Issue 01/Rev 00 CAGM 1902 – SMS 3-8

 Chapter 3 – Component 1: Safety Policy and Objectives
3.8 SMS Documentation

3.8.1 The SMS documentation should include a top-level “SMS manual”, which
describes the service provider’s SMS policies, processes and procedures to
facilitate the organisation’s internal administration, communication and
maintenance of the SMS. It should help personnel to understand how the
organisation’s SMS functions, and how the safety policy and objectives will be met.
The documentation should include a system description that provides the
boundaries of the SMS. It should also help clarify the relationship between the
various policies, processes, procedures and practices, and define how these link
to the service provider’s safety policy and objectives. The documentation should
be adapted and written to address the day-to-day safety management activities
that can be easily understood by personnel throughout the organisation.

3.8.2 The SMS manual also serves as a primary safety communication tool between the

-
D
service provider and key safety stakeholders (e.g. CAAM for the purpose of
regulatory acceptance, assessment and subsequent monitoring of the SMS). The

E
SMS manual may be a stand-alone document, or it may be integrated with other
organisational documents (or documentation) maintained by the service provider.
LL
Where details of the organisation’s SMS processes are already addressed in
existing documents, appropriate cross-referencing to such documents is enough.
O
This SMS document must be kept up to date. CAAM acceptance is required before
significant amendments are made to the SMS manual, as it is a controlled manual.
TR

The manual may be subject to endorsement or approval by CAAM as evidence of

its acceptance.
N

3.8.3 The SMS manual should include a detailed description of the service provider’s
policies, processes and procedures including:
O

a) safety policy and safety objectives;

C

b) reference to any applicable regulatory SMS requirements;

N

c) system description;
-U

d) safety accountabilities and key safety personnel;

e) voluntary and mandatory safety reporting system processes and procedures;

f) hazard identification and safety risk assessment processes and procedures;

g) safety investigation procedures;

h) procedures for establishing and monitoring safety performance indicators;

i) SMS training processes and procedures and communication;

j) safety communication processes and procedures;

k) internal audit procedures;

l) management of change procedures;

Issue 01/Rev 00 CAGM 1902 – SMS 3-9

 Chapter 3 – Component 1: Safety Policy and Objectives
m) SMS documentation management procedures; and

n) where applicable, coordination of emergency response planning.

Note. — Detailed guidance on the development of SMS manual is specified in
Appendix 2 of this CAGM.

3.8.4 SMS documentation also includes the compilation and maintenance of operational
records substantiating the existence and ongoing operation of the SMS.
Operational records are the outputs of the SMS processes and procedures such
as the SRM and safety assurance activities. SMS operational records should be
stored and kept in accordance with existing retention periods. Typical SMS
operational records should include:

a) hazards register and hazard/safety reports;

b) SPIs and related charts;

-
D
c) record of completed safety risk assessments;

E
d) SMS internal review or audit records;

e)

f)
internal audit records;
LL
records of SMS/safety training records;
O
g) SMS/safety committee meeting minutes;
TR

h) SMS implementation plan (during the initial implementation); and

i) gap analysis to support implementation plan.

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 3-10

 Chapter 4 – Component 2: Safety Risk Management

4 Component 2: Safety Risk Management

4.1 Service providers should ensure they are managing their safety risks. This process
is known as safety risk management (SRM), which includes hazard identification,
safety risk assessment and safety risk mitigation.

4.2 The SRM process systematically identifies hazards that exist within the context of the
delivery of its products or services. Hazards may be the result of systems that are
deficient in their design, technical function, human interface or interactions with other
processes and systems. They may also result from a failure of existing processes or
systems to adapt to changes in the service provider’s operating environment. Careful
analysis of these factors can often identify potential hazards at any point in the
operation or activity life cycle.

4.3 Understanding the system and its operating environment is essential for the

-
D
achievement of high safety performance. Having a detailed system description that
defines the system and its interfaces will help. Hazards may be identified throughout

E
the operational life cycle from internal and external sources. Safety risk assessments
and safety risk mitigations will need to be continuously reviewed to ensure they
LL
remain effective. Figure 4-1 provides an overview of the hazard identification and
safety risk management process for a service provider.
O
Note. — Detailed guidance on hazard identification and safety risk assessment
TR

procedures is addressed in Chapter 8 of this CAGM.

N
O
C
N
-U

Figure 4-1: Hazard identification and risk management process

4.4 Hazard identification

Hazard identification is the first step in the SRM process. The service provider should
develop and maintain a formal process to identify hazards that could impact aviation
safety in all areas of operation and activities. This includes equipment, facilities and
systems. Any aviation safety-related hazard identified and controlled is beneficial for
the safety of the operation. It is important to also consider hazards that may exist as
a result of the SMS interfaces with external organisations.

Issue 01/Rev 00 CAGM 1902 – SMS 4-1

 Chapter 4 – Component 2: Safety Risk Management
Sources for hazard identification

4.4.1 There are a variety of sources for hazard identification, internal or external to the
organisation. Some internal sources include:

a) Normal operations monitoring; this uses observational techniques to monitor

the day-to-day operations and activities such as line operations safety audit
(LOSA).

b) Automated monitoring systems; this uses automated recording systems to

monitor parameters that can be analysed such as flight data monitoring
(FDM).

c) Voluntary and mandatory safety reporting systems; this provides everyone,

including staff from external organisations, with opportunities to report
hazards and other safety issues to the organisation.

-
D
d) Audits; these can be used to identify hazards in the task or process being
audited. These should also be coordinated with organisational changes to

E
identify hazards related to the implementation of the change.

e) LL
Feedback from training; training that is interactive (two way) can facilitate
identification of new hazards from participants.
O
f) Service provider safety investigations; hazards identified in internal safety
TR

investigation and follow-up reports on accidents/incidents.

4.4.2 Examples of external sources for hazard identification include:

N

a) Aviation accident reports; reviewing accident reports; this may be related to

accidents in the same State or to a similar aircraft type, region or operational
O

environment.
C

b) State mandatory and voluntary safety reporting systems.

N

c) State oversight audits and third-party audits; external audits can sometimes
identify hazards. These may be documented as an unidentified hazard or
-U

captured less obviously within an audit finding.

d) Trade associations and information exchange systems.

Safety reporting system

4.4.3 One of the main sources for identifying hazards is the safety reporting system,
especially the voluntary safety reporting system. Whereas the mandatory system
is normally used for incidents that have occurred, the voluntary system provides
an additional reporting channel for potential safety issues such as hazards, near
misses or errors. They can provide valuable information to the CAAM and service
provider on lower consequence events.

Issue 01/Rev 00 CAGM 1902 – SMS 4-2

 Chapter 4 – Component 2: Safety Risk Management
4.4.4 It is important that service providers provide appropriate protections to encourage
people to report what they see or experience. For example, enforcement action
may be waived for reports of errors, or in some circumstances, rule-breaking. It
should be clearly stated that reported information will be used solely to support the
enhancement of safety. The intent is to promote an effective reporting culture and
proactive identification of potential safety deficiencies.

4.4.5 Voluntary safety reporting systems should be confidential, requiring that any
identifying information about the reporter is known only to the custodian to allow
for follow-up action. The role of custodian should be kept to a few individuals,
typically restricted to the safety manager and personnel involved in the safety
investigation. Maintaining confidentiality will help facilitate the disclosure of
hazards leading to human error, without fear of retribution or embarrassment.
Voluntary safety reports may be de-identified and archived once necessary follow-
up actions are taken. De-identified reports can support future trending analyses to

-
D
track the effectiveness of risk mitigation and to identify emerging hazards.

E
4.4.6 Personnel at all levels and across all disciplines are encouraged to identify and
report hazards and other safety issues through their safety reporting systems. To
LL
be effective, safety reporting systems should be readily accessible to all personnel.
Depending on the situation, a paper-based, web-based or desktop form can be
O
used. Having multiple entry methods available maximizes the likelihood of staff
engagement. Everyone should be made aware of the benefits of safety reporting
TR

and what should be reported.

4.4.7 Anybody who submits a safety report should receive feedback on what decisions
N

or actions have been taken. The alignment of reporting system requirements,

analysis tools and methods can facilitate exchange of safety information as well
O

as comparisons of certain safety performance indicators. Feedback to reporters in

C

voluntary reporting schemes also serves to demonstrate that such reports are
considered seriously. This helps to promote a positive safety culture and
N

encourage future reporting.

-U

4.4.8 There may be a need to filter reports on entry when there are a large number of
safety reports. This may involve an initial safety risk assessment to determine
whether further investigation is necessary and what level of investigation is
required.

4.4.9 Safety reports are often filtered through the use of a taxonomy, or a classification
system. Filtering information using a taxonomy can make it easier to identify
common issues and trends. The service provider should develop taxonomies that
cover their type(s) of operation. The disadvantage of using a taxonomy is that
sometimes the identified hazard does not fit cleanly into any of the defined
categories. The challenge then is to use taxonomies with the appropriate degree
of detail; specific enough that hazards are easy to allocate, yet generic enough
that the hazards are valuable for analysis. Chapter 9 of this CAGM provides
additional information on hazard taxonomies.

Issue 01/Rev 00 CAGM 1902 – SMS 4-3

 Chapter 4 – Component 2: Safety Risk Management
4.4.10 Other methods of hazard identification include workshops or meetings in which
subject matter experts conduct detailed analysis scenarios. These sessions
benefit from the contributions of a range of experienced operational and technical
personnel. Existing safety committee meetings (SRB, SAG, etc.) could be used
for such activities; the same group may also be used to assess associated safety
risks.

4.4.11 Identified hazards and their potential consequences should be documented. This
will be used for safety risk assessment processes.

4.4.12 The hazard identification process considers all possible hazards that may exist
within the scope of the service provider’s aviation activities including interfaces
with other systems, both within and external to the organisation. Once hazards are
identified, their consequences (i.e. any specific events or outcomes) should be
determined.

-
E D
Investigation of hazards

4.4.13
LL
Hazard identification should be continuous and part of the service provider’s
ongoing activities. Some conditions may merit more detailed investigation. These
may include:
O
a) instances where the organisation experiences an unexplained increase in
TR

aviation safety-related events or regulatory non-compliance; or

b) significant changes to the organisation or its activities.

N

4.5 Service provider safety investigation

O

4.5.1 Effective safety management depends on quality investigations to analyse safety

C

occurrences and safety hazards, and report findings and recommendations to

improve safety in the operating environment:
N
-U

4.5.2 There is a clear distinction between accident and incident investigations under
Annex 13 and service provider safety investigations. Investigation of accidents and
serious incidents under Annex 13 are the responsibility of the Air Accident
Investigation Bureau (AAIB). This type of information is essential to disseminate
lessons learned from accidents and incidents. Service provider safety
investigations are conducted by service providers as part of their SMS to support
hazard identification and risk assessment processes. There are many safety
occurrences that fall outside of Annex 13 that could provide a valuable source of
hazard identification or identify weaknesses in risk controls. These problems might
be revealed and remedied by a safety investigation led by the service provider.

4.5.3 The primary objective of the service provider safety investigation is to understand
what happened, and how to prevent similar situations from occurring in the future
by eliminating or mitigating safety deficiencies. This is achieved through careful

Issue 01/Rev 00 CAGM 1902 – SMS 4-4

 Chapter 4 – Component 2: Safety Risk Management
and methodical examination of the event and by applying the lessons learned to
reduce the probability and/or consequence of future recurrences. Service provider
safety investigations are an integral part of the service provider's SMS.

4.5.4 Service provider investigations of safety occurrences and hazards are an essential
activity of the overall risk management process in aviation. The benefits of
conducting a safety investigation include:

a) gaining a better understanding of the events leading up to the occurrence;

b) identifying contributing human, technical and organisational factors;

c) identifying hazards and conducting risk assessments;

d) making recommendations to reduce or eliminate unacceptable risks; and

e) identifying lessons learned that should be shared with the appropriate

-
members of the aviation community.

E D
Investigation triggers

4.5.5 LL
A service provider safety investigation is usually triggered by a notification (report)
submitted through the safety reporting system. Figure 4-2 outlines the safety
O
investigation decision process and the distinction between when a service provider
TR

safety investigation should take place and when an investigation under Annex 13
provisions should be initiated:
N
O
C
N
-U

Figure 4-2: Safety investigation decision process

4.5.6 Not all occurrences or hazards can or should be investigated; the decision to
conduct an investigation and its depth should depend on the actual or potential
consequences of the occurrence or hazard. Occurrences and hazards considered

Issue 01/Rev 00 CAGM 1902 – SMS 4-5

 Chapter 4 – Component 2: Safety Risk Management
to have a high-risk potential are more likely to be investigated and should be
investigated in greater depth than those with lower risk potential. Service providers
should use a structured decision-making approach with defined trigger points.
These will guide the safety investigation decisions: what to investigate and the
scope of the investigation. This could include:

a) the severity or potential severity of the outcome

b) regulatory or organisational requirements to carry out an investigation;

c) safety value to be gained;

d) opportunity for safety action to be taken;

e) risks associated with not investigating;

f) contribution to targeted safety programmes;

-
D
g) identified trends;

E
h) training benefit; and

i) resources availability.

Assigning an investigator
LL
O
4.5.7 If an investigation is to commence, the first action will be to appoint an investigator
TR

or where the resources are available, an investigation team with the required skills
and expertise. The size of the team and the expertise profile of its members
depend on the nature and severity of the occurrence being investigated. The
N

investigating team may require the assistance of other specialists. Often, a single
person is assigned to carry out an internal investigation, with support from
O

operations and safety office experts.

C

4.5.8 Service provider safety investigators are ideally organisationally independent from
N

the area associated with the occurrence or identified hazard. Better results will be
obtained if the investigator(s) are knowledgeable (trained) and skilled
-U

(experienced) in service provider safety investigations. The investigators would

ideally be chosen for the role because of their knowledge, skills and character
traits, which should include: integrity, objectivity, logical thinking, pragmatism, and
lateral thinking.

The investigation processes

4.5.9 The investigation should identify what happened and why it happened and this
may require root cause analysis to be applied as part of the investigation. Ideally,
the people involved in the event should be interviewed as soon as possible after
the event. The investigation should include:

a) establishing timelines of key events, including the actions of the people

involved;

Issue 01/Rev 00 CAGM 1902 – SMS 4-6

 Chapter 4 – Component 2: Safety Risk Management
b) review of any policies and procedures related to the activities;

c) review of any decisions made related to the event;

d) identifying any risk controls that were in place that should have prevented the
event occurring; and

e) reviewing safety data for any previous or similar events.

4.5.10 The safety investigation should focus on the identified hazards and safety risks
and opportunities for improvement, not on blame or punishment. The way the
investigation is conducted, and most importantly, how the report is written, will
influence the likely safety impact, the future safety culture of the organisation, and
the effectiveness of future safety initiatives.

4.5.11 The investigation should conclude with clearly defined findings and

-
recommendations that eliminate or mitigate safety deficiencies.

D
4.6 Safety risk assessment and mitigation

E
4.6.1
LL
The service provider must develop a safety risk assessment model and
procedures which will allow a consistent and systematic approach for the
assessment of safety risks. This should include a method that will help determine
O
what safety risks are acceptable or unacceptable and to prioritize actions.
TR

4.6.2 The SRM tools used may need to be reviewed and customized periodically to
ensure they are suitable for the service provider’s operating environment. The
service provider may find more sophisticated approaches that better reflect the
N

needs of their operation as their SMS matures. The service provider and CAAM
O

should agree on a methodology.

C

4.6.3 More sophisticated approaches to safety risk classification are available. These
may be more suitable if the service provider is experienced with safety
N

management or operating in a high-risk environment.

-U

4.6.4 The safety risk assessment process should use whatever safety data and safety
information is available. Once safety risks have been assessed, the service
provider will engage in a data-driven decision-making process to determine what
safety risk controls are needed.

4.6.5 Safety risk assessments sometimes have to use qualitative information (expert
judgement) rather than quantitative data due to unavailability of data. Using the
safety risk matrix allows the user to express the safety risk(s) associated with the
identified hazard in a quantitative format. This enables direct magnitude
comparison between identified safety risks. A qualitative safety risk assessment
criterion such as “likely to occur” or “improbable” may be assigned to each
identified safety risk where quantitative data is not available.

Issue 01/Rev 00 CAGM 1902 – SMS 4-7

 Chapter 4 – Component 2: Safety Risk Management
4.6.6 For service providers that have operations in multiple locations with specific
operating environments, it may be more effective to establish local safety
committees to conduct safety risk assessments and safety risk control
identification. Advice is often sought from a specialist in the operational area
(internal or external to the service provider). Final decisions or control acceptance
may be required from higher authorities so that the appropriate resources are
provided.

4.6.7 How service providers go about prioritizing their safety risk assessments and
adopting safety risk controls is their decision. As a guide, the service provider
should find the prioritization process:

a) assesses and controls highest safety risk;

b) allocates resources to highest safety risks;

-
c) effectively maintains or improves safety;

D
d) achieves the stated and agreed safety objectives and SPTs; and

E
e) satisfies the CAAM’s requirements with regard to control of safety risks.

4.6.8
LL
After safety risks have been assessed, appropriate safety risk controls can be
O
implemented. It is important to involve the “end users” and subject matter experts
in determining appropriate safety risk controls. Ensuring the right people are
TR

involved will maximize the practicality of safety risk chosen mitigations. A

determination of any unintended consequences, particularly the introduction of
new hazards, should be made prior to the implementation of any safety risk
N

controls.
O

4.6.9 Once the safety risk control has been agreed and implemented, the safety
performance should be monitored to assure the effectiveness of the safety risk
C

control. This is necessary to verify the integrity, efficiency and effectiveness of the
N

new safety risk controls under operational conditions.

-U

4.6.10 The SRM outputs should be documented. This should include the hazard and any
consequences, the safety risk assessment and any safety risk control actions
taken. These are often captured in a register so they can be tracked and
monitored. This SRM documentation becomes a historical source of
organisational safety knowledge which can be used as reference when making
safety decisions and for safety information exchange. This safety knowledge
provides material for safety trend analyses and safety training and communication.
It is also useful for internal audits to assess whether safety risk controls and
actions have been implemented and are effective.

Issue 01/Rev 00 CAGM 1902 – SMS 4-8

 Chapter 5 – Component 3: Safety Assurance

5 Component 3: Safety Assurance

5.1 Civil Aviation Directive (CAD) 19 requires that service providers develop and maintain
the means to verify the safety performance of the organisation and to validate the
effectiveness of safety risk controls. The safety assurance component of the service
provider’s SMS provides these capabilities.

5.2 Safety assurance consists of processes and activities undertaken to determine

whether the SMS is operating according to expectations and requirements. This
involves continuously monitoring its processes as well as its operating environment
to detect changes or deviations that may introduce emerging safety risks or the
degradation of existing safety risk controls. Such changes or deviations may then be
addressed through the SRM process.

5.3 Safety assurance activities should include the development and implementation of

-
D
actions taken in response to any identified issues having a potential safety impact.
These actions continuously improve the performance of the service provider’s SMS.

E
5.4 Safety performance monitoring and measurement
LL
To verify the safety performance and validate the effectiveness of safety risk controls
O
requires the use of a combination of internal audits and the establishment and
monitoring of SPIs. Assessing the effectiveness of the safety risk controls is important
TR

as their application does not always achieve the results intended. This will help
identify whether the right safety risk control was selected and may result in the
application of a different safety risk control strategy.
N

Internal audit
O

5.4.1 Internal audits are performed to assess the effectiveness of the SMS and identify
C

areas for potential improvement. Ensuring compliance with the regulations through
the internal audit is a principle aspect of safety assurance.
N
-U

5.4.2 It is also necessary to ensure that any safety risk controls are effectively
implemented and monitored. The causes and contributing factors should be
investigated and analysed where non-conformances and other issues are
identified. The main focus of the internal audit is on the policies, processes and
procedures that provide the safety risk controls.

5.4.3 Internal audits are most effective when conducted by persons or departments
independent of the functions being audited. Such audits should provide the
accountable executive and senior management with feedback on the status of:

a) compliance with regulations;

b) compliance with policies, processes and procedures;

c) the effectiveness of safety risk controls;

Issue 01/Rev 00 CAGM 1902 – SMS 5-1

 Chapter 5 – Component 3: Safety Assurance
d) the effectiveness of corrective actions; and

e) the effectiveness of the SMS

5.4.4 Some organisations cannot ensure appropriate independence of an internal audit,

in such cases, the service provider should consider engaging external auditors
(e.g. independent auditors or auditors from another organisation).

5.4.5 Planning of internal audits should take into account the safety criticality of the
processes, the results of previous audits and assessments (from all sources), and
the implemented safety risk controls. Internal audits should identify non-
compliance with regulations and policies, processes and procedures. They should
also identify system deficiencies, lack of effectiveness of safety risk controls and
opportunities for improvement.

-
5.4.6 Assessing for compliance and effectiveness are both essential to achieving safety

D
performance. The internal audit process can be used to determine both
compliance and effectiveness. The following questions can be asked to assess

E
compliance and effectiveness of each process or procedure:

a) Determining compliance

1)
LL
Does the required process or procedure exist?
O
2) Is the process or procedure documented (inputs, activities, interfaces and
TR

outputs defined)?
3) Does the process or procedure meet requirements (criteria)?
4) Is the process or procedure being used?
N

5) Are all affected personnel following the process or procedure

consistently?
O

6) Are the defined outputs being produced?

7) Has a process or procedure change been documented and
C

implemented?
N

b) Assessing effectiveness
-U

1) Do users understand the process or procedure?

2) Is the purpose of the process or procedure being achieved consistently?
3) Are the results of the process or procedure what the “customer” asked
for?
4) Is the process or procedure regularly reviewed?
5) Is a safety risk assessment conducted when there are changes to the
process or procedure?
6) Have process or procedure improvements resulted in the expected
benefits?

5.4.7 In addition, internal audits should monitor progress in closing previously identified
non-compliances. These should have been addressed through root cause
analysis and the development and implementation of corrective and preventive

Issue 01/Rev 00 CAGM 1902 – SMS 5-2

 Chapter 5 – Component 3: Safety Assurance
action plans. The results from analysis of cause(s) and contributing factors for any
non-compliance should feed into the service provider’s SRM processes.

5.4.8 The results of the internal audit process become one of the various inputs to the
SRM and safety assurance functions. Internal audits inform the service provider’s
management of the level of compliance within the organisation, the degree to
which safety risk controls are effective and where corrective or preventive action
is required.

Safety performance monitoring

5.4.9 Safety performance monitoring is conducted through the collection of safety data
and safety information from a variety of sources typically available to an
organisation. Data availability to support informed decision-making is one of the
most important aspects of the SMS. Using this data for safety performance

-
monitoring and measurement are essential activities that generate the information

D
necessary for safety risk decision-making.

E
5.4.10 Safety performance monitoring and measurement should be conducted observing
LL
some basic principles. The safety performance achieved is an indication of
organisational behaviour and is also a measure of the effectiveness of the SMS.
This requires the organisation to define:
O
a) safety objectives, which should be established first to reflect the strategic
TR

achievements or desired outcomes related to safety concerns specific to the

organisation’s operational context;
N

b) SPIs, which are tactical parameters related to the safety objectives and
therefore are the reference for data collection; and
O

c) SPTs, which are also tactical parameters used to monitor progress towards
C

the achievement of the safety objectives.

N

5.4.11 A more complete and realistic picture of the service provider’s safety performance
-U

will be achieved if SPIs encompass a wide spectrum of indicators. This should

include:

a) low probability/high severity events (e.g. accidents and serious incidents);

b) high probability/low severity events (e.g. uneventful operational events, non-

conformance reports, deviations etc.): and

c) process performance (e.g. training, system improvements and report

processing).

5.4.12 SPIs are used to measure operational safety performance of the service provider
and the performance of their SMS. SPIs rely on the monitoring of data and
information from various sources including the safety reporting system. They
should be specific to the individual service provider and be linked to the safety
objectives already established.

Issue 01/Rev 00 CAGM 1902 – SMS 5-3

 Chapter 5 – Component 3: Safety Assurance
5.4.13 When establishing SPIs service providers should consider:
a) Measuring the right things: Determine the best SPIs that will show the
organisation is on track to achieving its safety objectives. Also consider what
are the biggest safety issues and safety risks faced by the organisation, and
identify SPIs which will show effective control of these.

b) Availability of data: Is there data available which aligns with what the
organisation wants to measure? If there isn’t, there may be a need to establish
additional data collection sources. For small organisations with limited
amounts of data, the pooling of data sets may also help to identify trends. This
may be supported by industry associations who can collate safety data from
multiple organisations.

c) Reliability of the data: Data may be unreliable either because of its subjectivity
or because it is incomplete.

-
D
d) Common industry SPIs: It may be useful to agree on common SPIs with
similar organisations so that comparisons can be made between

E
organisations. The regulator or industry associations may enable these.

5.4.14 LL
Once SPIs have been established the service provider should consider whether it
appropriate to identify SPTs and alert levels. SPTs are useful in driving safety
O
improvements but, implemented poorly, they have been known to lead to
undesirable behaviours – that is, individuals and departments becoming too
TR

focused on achieving the target and perhaps losing sight of what the target was
intended to achieve – rather than an improvement in organisational safety
performance. In such cases it may be more appropriate to monitor the SPI for
N

trends.
O

5.4.15 The following activities can provide sources to monitor and measure safety
C

performance:
N

a) Safety studies are analyses to gain a deeper understanding of safety issues

or better understand a trend in safety performance.
-U

b) Safety data analysis uses the safety reporting data to uncover common issues
or trends that might warrant further investigation.

c) Safety surveys examine procedures or processes related to a specific

operation. Safety surveys may involve the use of checklists, questionnaires
and informal confidential interviews. Safety surveys generally provide
qualitative information. This may require validation via data collection to
determine if corrective action is required. Nonetheless, surveys may provide
an inexpensive and valuable source of safety information.

d) Safety audits focus on assessing the integrity of the service provider’s SMS
and supporting systems. Safety audits can also be used to evaluate the
effectiveness of installed safety risk controls or to monitor compliance with
safety regulations. Ensuring independence and objectivity is a challenge for

Issue 01/Rev 00 CAGM 1902 – SMS 5-4

 Chapter 5 – Component 3: Safety Assurance
safety audits. Independence and objectivity can be achieved by engaging
external entities or internal audits with protections in place - policies,
procedures, roles, communication protocols.

e) Findings and recommendations from safety investigations can provide useful

safety information that can be analysed against other collected safety data.

f) Operational data collection systems such as FDA, radar information can

provide useful data of events and operational performance.

5.4.16 The development of SPIs should be linked to the safety objectives and be based
on the analysis of data that is available or obtainable. The monitoring and
measurement process involve the use of selected safety performance indicators,
corresponding SPTs and safety triggers.

5.4.17 The organisation should monitor the performance of established SPIs and SPTs

-
D
to identify abnormal changes in safety performance. SPTs should be realistic,
context specific and achievable when considering the resources available to the

E
organisation and the associated aviation sector.

5.4.18 LL
Primarily, safety performance monitoring and measurement provides a means to
verify the effectiveness of safety risk controls. In addition, they provide a measure
O
of the integrity and effectiveness of SMS processes and activities.
TR

5.4.19 During development of SPIs and SPTs, the service provider should consult CAAM
for acceptance.
N

5.4.20 For more information about safety performance indicators and safety performance
targets, refer to Chapter 10 of this CAGM.
O

5.5 The management of change

C

5.5.1 Service providers experience change due to a number of factors including, but not
N

limited to:
-U

a) organisational expansion or contraction;

b) business improvements that impact safety; these may result in changes to

internal systems, processes or procedures that support the safe delivery of
the products and services;

c) changes to the organisation’s operating environment;

d) changes to the SMS interfaces with external organisations; and

e) external regulatory changes, economic changes and emerging risks.

5.5.2 Change may affect the effectiveness of existing safety risk controls. In addition,
new hazards and related safety risks may be inadvertently introduced into an
operation when change occurs. Hazards should be identified and related safety

Issue 01/Rev 00 CAGM 1902 – SMS 5-5

 Chapter 5 – Component 3: Safety Assurance
risks assessed and controlled as defined in the organisation’s existing hazard
identification or SRM procedures.

5.5.3 The organisation’s management of change process should take into account the
following considerations:

a) Criticality. How critical is the change? The service provider should consider
the impact on their organisation’s activities, and the impact on other
organisations and the aviation system.

b) Availability of subject matter experts. It is important that key members of the

aviation community are involved in the change management activities; this
may include individuals from external organisations.

c) Availability of safety performance data and information. What data and

information are available that can be used to give information on the situation

-
and enable analysis of the change?

D
5.5.4 Small incremental changes often go unnoticed, but the cumulative effect can be

E
considerable. Changes, large and small, might affect the organisation’s system
LL
description, and may lead to the need for its revision. Therefore, the system
description should be regularly reviewed to determine its continued validity, given
that most service providers experience regular, or even continuous, change.
O
TR

5.5.5 The service provider should define the trigger for the formal change process.
Changes that are likely to trigger formal change management include:

a) introduction of new technology or equipment;

N

b) changes in the operating environment;

O

c) changes in key personnel;

C

d) significant changes in staffing levels;

N

e) changes in safety regulatory requirements;

-U

f) significant restructuring of the organisation; and

g) physical changes (new facility or base, aerodrome layout changes etc.).

5.5.6 The service provider should also consider the impact of the change on personnel.
This could affect the way the change is accepted by those affected. Early
communication and engagement will normally improve the way the change is
perceived and implemented.

5.5.7 The change management process should include the following activities:
a) understand and define the change; this should include a description of the
change and why it is being implemented;

b) understand and define who and what it will affect; this may be individuals
within the organisation, other departments or external people or

Issue 01/Rev 00 CAGM 1902 – SMS 5-6

 Chapter 5 – Component 3: Safety Assurance
organisations. Equipment, systems and processes may also be impacted. A
review of the system description and organisations’ interfaces may be
needed. This is an opportunity to determine who should be involved in the
change. Changes might affect risk controls already in place to mitigate other
risks, and therefore change could increase risks in areas that are not
immediately obvious;

c) identify hazards related to the change and carry out a safety risk assessment;
this should identify any hazards directly related to the change. The impact on
existing hazards and safety risk controls that may be affected by the change
should also be reviewed. This step should use the existing organisation’s
SRM processes;

d) develop an action plan; this should define what is to be done, by whom and
by when. There should be a clear plan describing how the change will be

-
implemented and who will be responsible for which actions, and the

D
sequencing and scheduling of each task;

E
e) sign off on the change; this is to confirm that the change is safe to implement.
The individual with overall responsibility and authority for implementing the

f)
LL
change should sign the change plan; and

assurance plan; this is to determine what follow-up action is needed. Consider

O
how the change will be communicated and whether additional activities (such
TR

as audits) are needed during or after the change. Any assumptions made
need to be tested.
N

5.6 Continuous improvement of the SMS

O

5.6.1 CAD 19 requires that… “the service provider monitor and assess its SMS
processes to maintain or continuously improve the overall effectiveness of the
C

SMS.” Maintenance and continuous improvement of the service provider’s SMS

effectiveness is supported by safety assurance activities that include the
N

verification and follow up of actions and the internal audit processes. It should be
-U

recognized that maintaining and continuously improving the SMS is an ongoing

journey as the organisation itself and the operational environment will be
constantly changing.

5.6.2 Internal audits involve assessment of the service provider’s aviation activities that
can provide information useful to the organisation’s decision-making processes.
The internal audit function includes evaluation of all of the safety management
functions throughout the organisation.

5.6.3 SMS effectiveness should not be based solely on SPIs; service providers should
aim to implement a variety of methods to determine its effectiveness, measure
outputs as well as outcomes of the processes, and assess the information
gathered through these activities. Such methods may include:

Issue 01/Rev 00 CAGM 1902 – SMS 5-7

 Chapter 5 – Component 3: Safety Assurance
a) Audits; this includes internal audits and audits carried out by other
organisations.

b) Assessments; includes assessments of safety culture and SMS effectiveness.

c) Monitoring of occurrences; monitor the recurrence of safety events including

accidents and incidents as well as errors and rule-breaking situations.

d) Safety surveys; including cultural surveys providing useful feedback on staff

engagement with the SMS. It may also provide an indicator of the safety
culture of the organisation.

e) Management reviews; examine whether the safety objectives are being

achieved by the organisation and are an opportunity to look at all the available
safety performance information to identify overall trends. It is important that
senior management review the effectiveness of the SMS. This may be carried

-
out as one of the functions of the highest-level safety committee.

D
f) Evaluation of SPIs and SPTs; possibly as part of the management review. It

E
considers trends and, when appropriate data is available, can be compared
to other service providers or regional or global data.

g)
LL
Addressing lessons learnt; from safety reporting systems and service provider
safety investigations. These should lead to safety improvements being
O
implemented.
TR

5.6.4 In summary, the monitoring of the safety performance and internal audit processes
contributes to the service provider’s ability to continuously improve its safety
N

performance. Ongoing monitoring of the SMS, its related safety risk controls and
support systems assures the service provider and CAAM that the safety
O

management processes are achieving the desired safety performance objectives.

C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 5-8

 Chapter 6 – Component 4: Safety Promotion

6 Component 4: Safety Promotion

6.1 Safety promotion encourages a positive safety culture and helps achieve the service
provider’s safety objectives through the combination of technical competence that is
continually enhanced through training and education, effective communication, and
information-sharing. Senior management provides the leadership to promote the
safety culture throughout an organisation.

6.2 Effective safety management cannot be achieved solely by mandate or strict

adherence to policies and procedures. Safety promotion affects both individual and
organisational behaviour, and supplements the organisation’s policies, procedures
and processes, providing a value system that supports safety efforts.

6.3 The service provider should establish and implement processes and procedures that
facilitate effective two-way communication throughout all levels of the organisation.

-
D
This should include clear strategic direction from the top of the organisation and the
enabling of “bottom-up” communication that encourages open and constructive

E
feedback from all personnel.

6.4 Training and education LL

O
6.4.1 CAD 19 requires that “the service provider shall develop and maintain a safety
training programme that ensures that personnel are trained and competent to
TR

perform their SMS duties.” It also requires that “the scope of the safety training
programme be appropriate to each individual’s involvement in the SMS.” The
safety manager is responsible for ensuring there is a suitable safety training
N

programme in place. This includes providing appropriate safety information

relevant to specific safety issues met by the organisation. Personnel who are
O

trained and competent to perform their SMS duties, regardless of their level in the
organisation, is an indication of management’s commitment to an effective SMS.
C

The training programme should include initial and recurrent training requirements
N

to maintain competencies. Initial safety training should consider, as a minimum,

the following.
-U

a) organisational safety policies and safety objectives;

b) organisational roles and responsibilities related to safety;

c) basic SRM principles;

d) safety reporting systems;

e) the organisation’s SMS processes and procedures; and

f) human factors.

6.4.2 Recurrent safety training should focus on changes to the SMS policies, processes
and procedures, and should highlight any specific safety issues relevant to the
organisation or lessons learned.

Issue 01/Rev 00 CAGM 1902 – SMS 6-1

 Chapter 6 – Component 4: Safety Promotion
6.4.3 The training programme should be tailored to the needs of the individual’s role
within the SMS. For example, the level and depth of training for managers involved
in the organisation's safety committees will be more extensive than for personnel
directly involved with delivery of the organisation’s product or services. Personnel
not directly involved in the operations may require only a high-level overview of
the organisation’s SMS.

Training need analysis

6.4.4 For most organisations, a formal training needs analysis (TNA) is necessary to
ensure there is a clear understanding of the operation, the safety duties of the
personnel and the available training. A typical TNA will normally start by
conducting an audience analysis, which usually includes the following steps:

a) Every one of the service provider’s staff will be affected by the implementation

-
of the SMS, but not in the same ways or to the same degree. Identify each

D
staff grouping and in what ways they will interact with the safety management
processes, inputs and outputs - in particular with safety duties. This

E
information should be available from the position/role descriptions. Normally

LL
groupings of individuals will start to emerge that have similar learning needs.
The service provider should consider whether it is valuable to extend the
analysis to staff in external interfacing organisations;
O
b) Identify the knowledge and competencies needed to perform each safety duty
TR

and required by each staff grouping.

c) Conduct an analysis to identify the gap between the current safety skill and
N

knowledge across the workforce and those needed to effectively perform the
allocated safety duties.
O

d) Identify the most appropriate skills and knowledge development approach for
C

each group with the aim of developing a training programme appropriate to

each individual or group’s involvement in safety management. The training
N

programme should also consider the staff’s ongoing safety knowledge and
-U

competency needs; these needs will typically be met through a recurrent

training programme.

6.4.5 It is also important to identify the appropriate method for training delivery. The
main objective is that, on completion of the training, personnel are competent to
perform their SMS duties. Competent trainers are usually the single most
important consideration; their commitment, teaching skills and safety management
expertise will have a significant impact on the effectiveness of the training
delivered. The safety training programme should also specify responsibilities for
development of training content and scheduling as well as training and
competency records management.

6.4.6 The organisation should determine who should be trained and to what depth, and
this will depend on their involvement in the SMS. Most people working in the

Issue 01/Rev 00 CAGM 1902 – SMS 6-2

 Chapter 6 – Component 4: Safety Promotion
organisation have some direct or indirect relationship with aviation safety, and
therefore have some SMS duties. This applies to any personnel directly involved
in the delivery of products and services, and personnel involved in the
organisation's safety committees. Some administrative and support personnel will
have limited SMS duties and will need some SMS training, as their work may still
have an indirect impact on aviation safety.

6.4.7 The service provider should identify the SMS duties of personnel and use the
information to examine the safety training programme and ensure each individual
receives training aligned with their involvement with SMS. The safety training
programme should specify the content of safety training for support staff,
operational personnel, managers and supervisors, senior managers and the
accountable executive.

6.4.8 There should be specific safety training for the accountable executive and senior

-
D
managers that includes the following topics:

a) specific awareness training for new accountable executives and post holders

E
on their SMS accountabilities and responsibilities;

b) importance of
requirements;
compliance LL
with national and organisational safety
O
c) management commitment;
TR

d) allocation of resources;

e) promotion of the safety policy and the SMS;

N

f) promotion of a positive safety culture;

O

g) effective interdepartmental safety communication;

C

h) safety objective, SPTs and alert levels; and

N

i) disciplinary policy.
-U

6.4.9 The main purpose of the safety training programme is to ensure that personnel, at
all levels of the organisation, maintain their competence to fulfil their safety roles;
therefore, competencies of personnel should be reviewed on a regular basis.

6.5 Safety Communication

6.5.1 The service provider should communicate the organisation’s SMS objectives and
procedures to all appropriate personnel. There should be a communication
strategy that enables safety communication to be delivered by the most
appropriate method based on the individual’s role and need to receive safety
related information. This may be done through safety newsletters, notices,
bulletins, briefings or training courses. The safety manager should also ensure
that lessons learned from investigations and case histories or experiences, both

Issue 01/Rev 00 CAGM 1902 – SMS 6-3

 Chapter 6 – Component 4: Safety Promotion
internally and from other organisations, are distributed widely. Safety
communication therefore aims to:

a) ensure that staff are fully aware of the SMS; this is a good way of promoting
the organisation’s safety policy and safety objectives.

b) convey safety-critical information; Safety critical information is specific

information related to safety issues and safety risks that could expose the
organisation to safety risk. This could be from safety information gathered
from internal or external sources such as lessons learned or related to safety
risk controls. The service provider determines what information is considered
safety critical and the timeliness of its communication.

c) raise awareness of new safety risk controls and corrective actions; The safety
risks faced by the service provider will change over time, and whether this is
a new safety risk that has been identified or changes to safety risk controls,

-
D
these changes will need to be communicated to the appropriate personnel.

d) provide information on new or amended safety procedures; when safety

E
procedures are updated it is important that the appropriate people are made

e)
aware of these changes.
LL
promote a positive safety culture and encourage personnel to identify and
O
report hazards; safety communication is two-way. It is important that all
personnel communicate safety issues to the organisation through the safety
TR

reporting system.

f) provide feedback; provide feedback to personnel submitting safety reports on

N

what actions have been taken to address any concerns identified.

O

6.5.2 Service providers should consider whether any of the safety information listed
above needs to be communicated to external organisations.
C

6.5.3 Service providers should assess the effectiveness of their safety communication
N

by checking personnel have received and understood any safety critical

-U

information that has been distributed. This can be done as part of the internal audit
activities or when assessing the SMS effectiveness.

6.5.4 Safety promotion activities should be carried out throughout the life cycle of the
SMS, not only at the beginning.

Issue 01/Rev 00 CAGM 1902 – SMS 6-4

 Chapter 7 – Implementation Planning

7 Implementation Planning

7.1 System description

7.1.1 A system description helps to identify the organisational processes, including any
interfaces, to define the scope of the SMS. This provides an opportunity to identify
any gaps related to the service provider’s SMS components and elements and
may serve as a starting point to identify organisational and operational hazards. A
system description serves to identify the features of the product, the service or the
activity so that SRM and safety assurance can be effective.

7.1.2 Most organisations are made up of a complex network of interfaces and

interactions involving different internal departments as well as different external
organisations that all contribute to the safe operation of the organisation. The use
of a system description enables the organisation to have a clearer picture of its

-
D
many interactions and interfaces. This will enable better management of safety
risk and safety risk controls if they are described, and help in understanding the

E
impact of changes to the SMS processes and procedures.

7.1.3 LL
When considering a system description, it is important to understand that a
“system” is a set of things working together as parts of an interconnecting network.
O
In an SMS, it is any of an organisation’s products, people, processes, procedures,
facilities, services, and other aspects (including external factors), which are related
TR

to, and can affect, the organisation’s aviation safety activities. Often, a “system” is
a collection of systems, which may also be viewed as a system with subsystems.
These systems and their interactions with one another make up the sources of
N

hazards and contribute to the control of safety risks. The important systems
include both those which could directly impact aviation safety and those which
O

affect the ability or capacity of an organisation to perform effective safety

C

management.
N

7.1.4 An overview of the system description and the SMS interfaces should be included
in the SMS documentation. A system description may include a bulleted list with
-U

references to policies and procedures. A graphic depiction, such as a process flow

chart or annotated organisation chart, may be enough for some organisations. An
organisation should use a method and format that works for that organisation.

7.1.5 Because each organisation is unique, there is no “one size fits all” method for SMS
implementation. It is expected that each organisation will implement an SMS that
works for its unique situation. Each organisation should define for itself how it
intends to go about fulfilling the fundamental requirements. To accomplish this, it
is important that each organisation prepare a system description that identifies its
organisational structures, processes, and business arrangements that it considers
important to safety management functions. Based on the system description, the
organisation should identify or develop policy, processes, and procedures that
establish its own safety management requirements.

Issue 01/Rev 00 CAGM 1902 – SMS 7-1

 Chapter 7 – Implementation Planning
7.1.6 When an organisation elects to make a significant or substantive change to the
processes identified in the system description, the changes should be viewed as
potentially affecting its baseline safety risk assessment. Thus, the system
description should be reviewed as part of the management of change processes.

7.2 Interface management

Safety risks faced by service providers are affected by interfaces. Interfaces can
be either internal (e.g. between departments) or external (e.g. other service
providers or contracted services,). By identifying and managing these interfaces
the service provider will have more control over any safety risks related to the
interfaces. These interfaces should be defined within the system description.

7.3 Identification of SMS interfaces

-
7.3.1 Initially service providers should concentrate on interfaces in relation to its

D
business activities. The identification of these interfaces should be detailed in the
system description that sets out the scope of the SMS and should include internal

E
and external interfaces.

7.3.2 LL
Figure 7-1 is an example of how a service provider could map out the different
organisations it interacts with to identify any SMS interfaces. The objective of this
O
review is to produce a comprehensive list of all interfaces. The rationale for this
exercise is that there may be SMS interfaces which an organisation is not
TR

necessarily fully aware of. There may be interfaces where there are no formal
agreements in place, such as with the power supply or building maintenance
companies.
N
O
C
N
-U

Figure 7-1: Example of air traffic service provider SMS interfaces

Issue 01/Rev 00 CAGM 1902 – SMS 7-2

 Chapter 7 – Implementation Planning

7.3.3 Some of the internal interfaces may be with business areas not directly associated
with safety, such as marketing, finance, legal and human resources. These areas
can impact safety through their decisions which impact on internal resources and
investment, as well as through agreements and contracts with external
organisations, and may not necessarily address safety.

7.3.4 Once the SMS interfaces have been identified, the service provider should
consider their relative criticality. This enables the service provider to prioritize the
management of the more critical interfaces, and their potential safety risks. Things
to consider are:

a) what is being provided;

b) why it is needed;

c) whether the organisations involved has an SMS or another management

-
system in place; and

D
d) whether the interface involves the sharing of safety data / information

E
7.3.5
Assessing safety impact of interfaces
LL
The service provider should then identify any hazards related to the interfaces and
O
carry out a safety risk assessment using its existing hazard identification and
safety risk assessment processes.
TR

7.3.6 Based on the safety risks identified, the service provider may consider working
with the other organisation to determine and define an appropriate safety risk
N

control strategy. By involving the other organisation, they may be able to contribute
to identifying hazards, assessing the safety risk as well as determining the
O

appropriate safety risk control. This collaborative effort is needed because the
C

perception of safety risks may not be the same for each organisation. The risk
control could be carried out by either the service provider or the external
N

organisation.
-U

7.3.7 It is also important to recognize that each organisation involved has the
responsibility to identify and manage hazards that affect their own organisation.
This may mean the critical nature of the interface is different for each organisation
as they may apply different safety risk classifications and have different safety risk
priorities (in term of safety performance, resources, time, etc.).

Managing and monitoring interfaces

7.3.8 The service provider is responsible for managing and monitoring the interfaces to
ensure the safe provision of their services and products. This will ensure the
interfaces are managed effectively and remain current and relevant. Formal
agreements are an effective way to accomplish this as the interfaces and
associated responsibilities can be clearly defined. Any changes in the interfaces
and associated impacts should be communicated to the relevant organisations.

Issue 01/Rev 00 CAGM 1902 – SMS 7-3

 Chapter 7 – Implementation Planning
7.3.9 Challenges associated with the service provider’s ability to manage interface
safety risks include:

a) one organisation’s safety risk controls are not compatible with the other
organisations’;

b) willingness of both organisations to accept changes to their own processes

and procedures;

c) insufficient resources or technical expertise available to manage and monitor

the interface; and

d) number and location of interfaces.

7.3.10 It is important to recognize the need for coordination between the organisations
involved in the interface. Effective coordination should include:

-
a) clarification of each organisation’s roles and responsibilities;

D
b) agreement of decisions on the actions to be taken (e.g. safety risk control

E
actions and timescales);

c) LL
identification of what safety information needs to be shared and
communicated;
O
d) how and when coordination should take place (task force, regular meetings,
TR

ad hoc or dedicated meetings); and

e) agreeing on solutions that benefit both organisations but that do not impair the
effectiveness of the SMS.
N

7.3.11 All safety issues or safety risks related to the interfaces should be documented
O

and made accessible to each organisation for sharing and review. This will allow
C

the sharing of lessons learned and the pooling of safety data that will be valuable
for both organisations. Operational safety benefits may be achieved through an
N

enhancement of safety reached by each organisation as the result of shared

ownership of safety risks and responsibility.
-U

7.4 SMS scalability

7.4.1 The organisation’s SMS, including the policies, processes and procedures, should
reflect the size and complexity of the organisation and its activities. It should
consider:

a) the organisational structure and availability of resources;

b) size and complexity of the organisation (including multiple sites and bases);
and

c) complexity of the activities and the interfaces with external organisations.

Issue 01/Rev 00 CAGM 1902 – SMS 7-4

 Chapter 7 – Implementation Planning
7.4.2 The service provider should carry out an analysis of its activities to determine the
right level of resources to manage the SMS. This should include the determination
of the organisational structure needed to manage the SMS. This would include
considerations of who will be responsible for managing and maintaining the SMS,
what safety committees are needed, if any, and the need for specific safety
specialists.

Safety risk considerations

7.4.3 Regardless of the size of the service provider, scalability should also be a function
of the inherent safety risk of the service provider’s activities. Even small
organisations may be involved in activities that may entail significant aviation
safety risks. Therefore, safety management capability should be commensurate
with the safety risk to be managed.

-
Safety data and safety information and its analysis

D
7.4.4 For small organisations, the low volume of data may mean that it is more difficult

E
to identify trends or changes in the safety performance. This may require meetings
LL
to raise and discuss safety issues with appropriate experts. This may be more
qualitative than quantitative but will help identify hazards and risks for the service
provider. Collaborating with other service providers or industry associations can
O
be helpful, since these may have data that the service provider does not have. For
TR

example, smaller service providers can exchange with similar

organisations/operations to share safety risk information and identify safety
performance trends. Service providers should adequately analyse and process
N

their internal data even though it may be limited.

O

7.4.5 Service providers with many interactions and interfaces will need to consider how
they gather safety data and safety information from multiple organisations. This
C

may result in large volumes of data being collected to be collated and analysed
N

later. These service providers should utilise an appropriate method of managing

such data. Consideration should also be given to the quality of the data collected
-U

and the use of taxonomies to help with the analysis of the data.

7.5 Integration of management systems

7.5.1 Safety management should be considered as part of a management system (and

not in isolation). Therefore, a service provider may implement an integrated
management system that includes the SMS. An integrated management system
may be used to capture multiple certificates, authorisations or approvals or to
cover other business management systems such as quality, security, occupational
health and environmental management systems. This is done to remove
duplication and exploit synergies by managing safety risks across multiple
activities. For example, where a service provider holds multiple certificates it may
choose to implement a single management system to cover all of its activities. The

Issue 01/Rev 00 CAGM 1902 – SMS 7-5

 Chapter 7 – Implementation Planning
service provider should decide the best means to integrate or segregate its SMS
to suit its business or organisational needs.

7.5.2 A typical integrated management system may include a:

a) quality management system (QMS);

b) safety management system (SMS);

c) security management system (SeMS), further guidance may be found in the

Aviation Security Manual (Doc 8973 — Restricted);

d) environmental management system (EMS);

e) occupational health and safety management system (OHSMS);

f) financial management system (FMS);

-
g) documentation management system (DMS); and

D
h) fatigue risk management system (FRMS).

E
7.5.3 A service provider may choose to integrate these management systems based on
LL
their unique needs. Risk management processes and internal audit processes are
essential features of most of these management systems. It should be recognized
O
that the risks and risk controls developed in any of these systems could have an
impact on other systems. In addition, there may be other operational systems
TR

associated with the business activities that may also be integrated, such as
supplier management, facilities management, etc.
N

7.5.4 A service provider may also consider applying the SMS to other areas that do not
have a current regulatory requirement for an SMS. Service providers should
O

determine the most suitable means to integrate or segregate their management

C

system to suit their business model, operating environment, regulatory, and

statutory requirements as well as the expectations of the aviation community.
N

Whichever option is taken, it should still ensure that it meets the SMS
requirements.
-U

Benefits and challenges of management system integration

7.5.5 Integrating the different areas under a single management system will improve
efficiency by:

a) reducing duplication and overlapping of processes and resources;

b) reducing potentially conflicting responsibilities and relationships;

c) considering the wider impacts of risks and opportunities across all activities;
and

d) allowing effective monitoring and management of performance across all

activities.

Issue 01/Rev 00 CAGM 1902 – SMS 7-6

 Chapter 7 – Implementation Planning
7.5.6 Possible challenges of management system integration include:
a) existing systems may have different functional managers who resist the
integration; this could result in conflict;

b) there may be resistance to change for personnel impacted by the integration

as this will require greater cooperation and coordination;

c) impact on the overall safety culture within the organisation as there may be
different cultures in respect of each system; this could create conflicts;

d) regulations may prevent such an integration or the different regulators and

standards bodies may have diverging expectations on how their requirements
should be met; and

e) integrating different management systems (such as QMS and SMS) may

create additional work to be able to demonstrate that the separate

-
requirements are being met.

E D
7.5.7 To maximize the benefits of integration and address the related challenges, senior
management commitment and leadership is essential to manage the change
LL
effectively. It is important to identify the person who has overall responsibility for
the integrated management system.
O
7.6 SMS and QMS Integration
TR

7.6.1 Some service providers have both an SMS and QMS. These sometimes are
integrated into a single management system. The QMS is generally defined as the
organisational structure and associated accountabilities, resources, processes
N

and procedures necessary to establish and promote a system of continuous

O

quality assurance and improvement while delivering a product or service.

C

7.6.2 Both systems are complementary; the SMS focuses on managing safety risks and
safety performance while the QMS focuses on compliance with prescriptive
N

regulations and requirements to meet customer expectations and contractual

-U

obligations. The objectives of an SMS are to identify hazards, assess the

associated safety risk and implement effective safety risk controls. In contrast, the
QMS focuses on the consistent delivery of products and services that meet
relevant specifications. Nonetheless, both the SMS and the QMS:

a) should be planned and managed;

b) involve all organisational functions related to the delivery of aviation products

and services;

c) identify ineffective processes and procedures;

d) strive for continuous improvement; and

e) have the same goal of providing safe and reliable products and services to
customers.

Issue 01/Rev 00 CAGM 1902 – SMS 7-7

 Chapter 7 – Implementation Planning
7.6.3 The SMS focuses on:

a) identification of safety-related hazards facing the organisation;

b) assessment of the associated safety risk;

c) implementation of effective safety risk controls to mitigate safety risks;

d) measuring safety performance; and

e) maintaining an appropriate resource allocation to meet safety performance

requirements.

7.6.4 The QMS focuses on:

a) compliance with regulations and requirements;

b) consistency in the delivery of products and services;

-
D
c) meeting the specified performance standards; and

E
d) delivery of products and services that are “fit for purpose” and free of defects
or errors.

7.6.5
LL
Monitoring compliance with regulations is necessary to ensure that safety risk
O
controls, applied in the form of regulations, are effectively implemented and
monitored by the service provider. The causes and contributing factors of any non-
TR

compliance should also be analysed and addressed.

7.6.6 Given the complementary aspects of SMS and QMS, it is possible to integrate
N

both systems without compromising each function. This can be summarized as

follows:
O

a) an SMS is supported by QMS processes such as auditing, inspection,

C

investigation, root cause analysis, process design, and preventive actions;

N

b) a QMS may identify safety issues or weaknesses in safety risk controls;

-U

c) a QMS may foresee safety issues that exist despite the organisation’s
compliance with standards and specifications;

d) quality principles, policies and practices should be aligned with the objectives
of safety management; and

e) QMS activities should consider identified hazards and safety risk controls for
the planning and performance of internal audits.

7.6.7 In conclusion, in an integrated management system with unified goals and

decision-making that considers the wider impacts across all activities, quality
management and safety management processes will be highly complementary
and will support the achievement of the overall safety goals.

Issue 01/Rev 00 CAGM 1902 – SMS 7-8

 Chapter 7 – Implementation Planning

7.7 SMS gap analysis and implementation

7.7.1 Before implementing an SMS, the service provider should carry out a gap analysis.
This compares the service provider’s existing safety management processes and
procedures with the SMS requirements. It is likely that the service provider already
has some of the SMS functions in place. The development of an SMS should build
upon existing organisational policies and processes. The gap analysis identifies
the gaps that should be addressed through an SMS implementation plan that
defines the actions needed to implement a fully functioning and effective SMS.

7.7.2 The SMS implementation plan should provide a clear picture of the resources,
tasks and processes required to implement the SMS. The timing and sequencing
of the implementation plan may depend on a variety of factors that will be specific
to each organisation, such as:

-
a) regulatory, customer and statutory requirements;

D
b) multiple certificates held (with possibly different regulatory implementation

E
dates);

c)
LL
the extent to which the SMS may build upon existing structures and
processes;
O
d) the availability of resources and budgets;
TR

e) interdependencies between different steps (a reporting system should be

implemented before establishing a data analysis system); and

f) the existing safety cultures.

N
O

7.7.3 The SMS implementation plan should be developed in consultation with the
accountable executive and other senior managers, and should include who is
C

responsible for the actions along with timelines. The plan should address
coordination with external organisations or contractors where applicable.
N

7.7.4 The SMS implementation plan may be documented in different forms, varying from
-U

a simple spread sheet to specialized project management software. The plan

should be monitored regularly and updated as necessary. It should also clarify
when a specific element can be considered successfully implemented.

7.8 Phased Implementation Approach

7.8.1 General

7.8.1.1 The objective of this section is to introduce an example of the four SMS
implementation phases. The implementation of an SMS is a systematic
process. Nevertheless, this process may be quite a challenging task depending
on factors, such as the availability of guidance material and resources required
for implementation, as well as the service provider’s pre-existing knowledge of
SMS processes and procedures.

Issue 01/Rev 00 CAGM 1902 – SMS 7-9

 Chapter 7 – Implementation Planning
7.8.1.2 The reasons for a phased approach to SMS implementation include:

a) the provision of a manageable series of steps to follow in implementing an

SMS, including allocation of resources;

b) the need to allow implementation of SMS framework elements in various

sequences, depending upon the results of each service provider’s gap
analysis;

c) the initial availability of data and analytic processes to support reactive,

proactive and predictive safety management practices; and

d) the need for a methodical process to ensure effective and sustainable SMS
implementation.

7.8.1.3 The phased approach recognizes that implementation of a fully mature SMS is

-
a multi-year process. A phased implementation approach permits the SMS to

D
become more robust as each implementation phase is completed.
Fundamental safety management processes are completed before moving to

E
successive phases involving processes of greater complexity.

7.8.1.4 LL
Four implementation phases are proposed for an SMS. Each phase is
associated with various elements (or sub-elements) as per the ICAO SMS
O
framework. It is apparent that the particular configuration of elements in this
guidance material is not meant to be absolute. Service providers may choose
TR

to make adjustments as may be deemed appropriate for the circumstances. A

summary of the four phases of SMS implementation and their corresponding
elements is shown in Table 7-1.
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 7-10

 Chapter 7 – Implementation Planning
Phase 1 (12 months*)
1. SMS Element 1.1 (i):
a) identify the SMS accountable
executive;
b) establish an SMS
implementation team;
c) define the scope of the SMS;
d) perform an SMS gap
analysis.
2. SMS Element 1.5 (i):
a) develop an SMS
implementation plan.
3. SMS Element 1.3:
a) establish a key person/office
responsible for the
administration and
maintenance of the SMS.
4. SMS Element 4.1 (i):
a) establish an SMS training
programme for personnel,
with priority for the SMS
implementation team.
5.
a)
SMS Element 4.2 (i):
initiate SMS/ safety
communication channels.
C
N
-U
SMS Element 1.5: SMS documentation (Phases 1 to 4) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SMS Elements 4.1 and 4.2: SMS training, education and communication (Phases 1 and thereafter) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Note 1. — The implementation period indicated is an approximation. The actual implementation period is dependent on the scope of actions
required for each element allocated and the size/complexity of the organisation.
Note 2. — The SMS element numbers indicated correspond to the ICAO SMS element numbers. Suffixes such as a), b) and c) indicate that the
element has been subdivided to facilitate the phased implementation approach.
Table 7-1:
Issue 01/Rev 00
Phase 2 (12 months)
1. SMS Element 1.1 (ii):
a) establish the safety policy
andobjectives,
2. SMS Element 1.2:
a) define safety management
responsibilities and
accountabilities across
relevant departments of
the organisation;
b) establish an SMS/safety
coordination mechanism/
committee;
c) establish departmental/
divisional SAGs where
applicable.
3. SMS Element 1.4:
a) establish an
emergency response
plan.
4. SMS Element 1.5 (ii):
a) initiate progressive
development of an SMS
document/manual and other
supporting documentation.
LL
O
TR
N
O
Four phases of SMS implementation
CAGM 1902 – SMS
Phase 3 (18 months)
1. SMS Element 2.1 (i):
a) establish a voluntary hazard
reporting procedure.
2. SMS Element 2.2:
a) establish safety risk
management procedures.
3. SMS Element 3.1 (i):
a) establish occurrence
reporting and investigation
procedures;
b) establish a safety data
collection and processing
system for high-consequence
outcomes;
c) develop high-consequence
SPIs and associated targets
and alert settings.
-
4. SMS Element 3.2:
D
a) establish a management of
change procedure that
E
includes safety risk
assessment.
5.
a)
SMS Element 3.3 (i):
establish an internal quality
audit programme;
b) establish an external quality
audit programme.
Phase 4 (18 months)
1. SMS Element 1.1 (iii):
a) enhance the existing
disciplinary procedure/ policy
with due consideration of
unintentional errors or
mistakes from deliberate or
gross violations.
2. SMS Element 2.1 (ii):
a) integrate hazards identified
from occurrence investigation
reports with the voluntary
hazard reporting system;
b) integrate hazard identification
and risk management
procedures with the
subcontractor’s or customer’s
SMS where applicable.
3. SMS Element 3.1 (ii):
a) enhance the safety data
collection and processing
system to include lower-
consequence events;
b) develop lower-consequence
SPIs and associated targets/
4.
alert settings.
SMS Element 3.3 (ii):
a) establish SMS audit
programmes or integrate
them into existing internal
andexternal audit
programmes;
b) establish other operational
SMS review/survey
programmes where
appropriate.
5. SMS Element 4.1 (ii):
a) ensure that the SMS training
programme for all relevant
personnel has been
completed.
6. SMS Element 4.2 (ii):
a) promote safety information
sharing and exchange
internally and externally.
7-11
 Chapter 7 – Implementation Planning

7.8.2 Phase 1

7.8.2.1 The objective of Phase 1 of SMS implementation is to provide a blueprint of

how the SMS requirements will be met and integrated into the organisation’s
control systems, as well as an accountability framework for the implementation
of the SMS.

7.8.2.2 During Phase 1, basic planning and assignment of responsibilities are

established. Central to Phase 1 is the gap analysis. From the gap analysis, an
organisation can determine the status of its existing safety management
processes and can begin planning for the development of further safety
management processes. The significant output of Phase 1 is the SMS
implementation plan.

7.8.2.3 At the completion of Phase 1, the following activities should be finalized in such

-
a manner that meets the expectations of the civil aviation oversight authority,

D
as set forth in relevant requirements and guidance material:

E
a)
LL
Management commitment and responsibility — Element 1.1 (i)

Identify the accountable executive and the safety accountabilities of

O
managers. This activity is based on Elements 1.1 and 1.2 of the ICAO SMS
framework.
TR

b) Establish an SMS implementation team. The team should be comprised of

representatives from the relevant departments. The team’s role is to drive
N

the SMS implementation from the planning stage to its final

implementation. Other functions of the implementation team will include but
O

not be limited to:

C

1) developing the SMS implementation plan;

N

2) ensuring the adequate SMS training and technical expertise of the

team in order to effectively implement the SMS elements and related
-U

processes; and
3) monitoring of and reporting on the progress of the SMS
implementation, providing regular updates and coordinating with the
SMS accountable executive.

c) Define the scope of the organisation’s activities (departments/ divisions) to

which the SMS will be applicable. The scope of the organisation’s SMS
applicability will subsequently need to be described in the SMS document
as appropriate. This activity is based on Element 1.5 of the ICAO SMS
framework. Guidance on the system description is provided in Chapter 7.1
of this CAGM.

d) Conduct a gap analysis of the organisation’s current systems and

processes in relation to the ICAO SMS framework requirements (or the

Issue 01/Rev 00 CAGM 1902 – SMS 7-12

 Chapter 7 – Implementation Planning
relevant SMS regulatory requirements). Guidance on an SMS gap analysis
and implementation plan is provided in Appendix 4 of this CAGM.

SMS implementation plan — Element 1.5 (i)

a) Develop an SMS implementation plan on how the organisation will
implement the SMS on the basis of the identified system and process gaps
resulting from the gap analysis. An example of a basic SMS
implementation plan is provided in Appendix 7 to this Chapter.

Appointment of key safety personnel — Element 1.3

a) Identify the key SMS person (safety/quality function) within the

organisation who will be responsible for administering the SMS on behalf

-
of the accountable executive.

D
b) Establish the safety services office.

E
a) Conduct a training needs analysis.
LL
Training and education — Element 4.1 (i)
O
b) Organise and set up schedules for appropriate training of all staff according
TR

to their individual responsibilities and involvement in the SMS.

c) Develop safety training considering:

N

1) initial (general safety) job-specific training; and

O

2) recurrent training.

d) Identify the costs associated with training.

C

e) Develop a validation process that measures the effectiveness of training.

N

f) Establish a safety training records system.

-U

Safety communication — Element 4.2 (i)

a) Initiate a mechanism or medium for safety communication.

b) Establish a means to convey safety information through any of:

1) safety newsletters, notices and bulletins;
2) websites;
3) email.

Issue 01/Rev 00 CAGM 1902 – SMS 7-13

 Chapter 7 – Implementation Planning

7.8.3 Phase 2

The objective of Phase 2 is to implement essential safety management

processes, while at the same time correcting potential deficiencies in existing
safety management processes. Most organisations will have some basic
safety management activities in place at different levels of implementation.
This phase aims at consolidating existing activities and developing those
which do not yet exist.

Management commitment and responsibility — Element 1.1 (ii)

a) Develop a safety policy.

b) Have the accountable executive sign the safety policy.

c) Communicate the safety policy throughout the organisation.

-
D
d) Establish a review schedule for the safety policy to ensure it remains

E
relevant and appropriate to the organisation.

e)
standards in terms of:
1)
LL
Establish safety objectives for the SMS by developing safety performance

safety performance indicators;

O
2) safety performance targets and alert levels; and
TR

3) action plans.

f) Establish the SMS requirements for subcontractors:

N

1) establish a procedure to write SMS requirements into the contracting

O

process; and
C

2) establish the SMS requirements in the bidding documentation.

N

Safety accountabilities — Element 1.2

-U

a) Define safety accountabilities and communicate them throughout the

organisation.

b) Establish the safety action group (SAG).

c) Establish the safety/SMS coordination committee.

d) Define clear functions for the SAG and the safety/SMS coordination
committee.

e) Establish lines of communication between the safety services office, the

accountable executive, the SAG and the safety/SMS coordination
committee.

f) Appoint the accountable executive as the chairperson of the safety/SMS

coordination committee.

Issue 01/Rev 00 CAGM 1902 – SMS 7-14

 Chapter 7 – Implementation Planning
g) Develop a schedule of meetings for the safety services office to meet with
the safety/SMS coordination committee and SAG as needed.

Coordination of emergency response planning — Element 1.4

a) Review the outline of the ERP related to the delegation of authority and
assignment of emergency responsibilities.

b) Establish coordination procedures for action by key personnel during the

emergency and the return to normal operations.

c) Identify external entities that will interact with the organisation during
emergency situations.

d) Assess the respective ERPs of the external entities.

e) Establish coordination between the different ERPs.

-
D
f) Incorporate information about the coordination between the different ERPs
in the organisation’s SMS documentation.

E
SMS documentation — Element 1.5 (ii) LL
O
a) Create an SMS documentation system to describe, store, retrieve and
archive all SMS-related information and records by:
TR

1) developing an SMS document that is either a stand-alone manual or a

distinct section within an existing controlled organisation manual (refer
to Appendix 2 for guidance on developing an SMS manual);
N

2) establishing an SMS filing system to collect and maintain current

O

records relating to the organisation’s ongoing SMS processes;

C

3) maintaining records to provide a historical reference as well as the

current status of all SMS processes such as: a hazard register; an
N

index of completed safety assessments; SMS/safety training records;

current SPIs and associated safety objectives; internal SMS audit
-U

reports; SMS/safety committee meeting minutes and the SMS

implementation plan;
4) maintaining records that will serve as evidence of the SMS operation
and activities during internal or external assessment or audit of the
SMS.

7.8.4 Phase 3

The objective of Phase 3 is to establish safety risk management processes.

Towards the end of Phase 3, the organisation will be ready to collect safety
data and perform safety analyses based on information obtained through the
various reporting systems.

Issue 01/Rev 00 CAGM 1902 – SMS 7-15

 Chapter 7 – Implementation Planning

Hazard identification — Element 2.1 (i)

a) Establish a voluntary reporting procedure. Refer to Appendix 5 for

guidance.

b) Establish a programme/schedule for systematic review of all applicable

aviation safety-related processes/equipment that are eligible for the HIRM
process.

c) Establish a process for prioritization and assignment of identified hazards

for risk mitigation.

Safety risk assessment and mitigation — Element 2.2

a) Establish a safety risk management procedure, including its approval and

periodic review process.

-
b) Develop and adopt safety risk matrices relevant to the organisation’s

D
operational or production processes.

E
c) Include adopted safety risk matrices and associated instructions in the

LL
organisation’s SMS or risk management training material.

Safety performance monitoring and measurement — Element 3.1 (i)

O
a) Establish an internal occurrence reporting and investigation procedure.
TR

This may include mandatory or major defect reports (MDR) where

applicable.

b) Establish safety data collection, processing and analysis of high-

N

consequence outcomes.
O

c) Establish high consequence safety indicators (initial ALoSP) and their

C

associated target and alert settings. Examples of high-consequence safety

indicators are accident rates, serious incident rates and monitoring of high-
N

risk non-compliance outcomes. Refer to Chapter 10 of this CAGM for

guidance on safety performance indicators.
-U

d) Reach an agreement with the CAAM on safety performance indicators and

safety performance targets.

The management of change — Element 3.2

a) Establish a formal process for the management of change that considers:
1) the vulnerability of systems and activities;
2) the stability of systems and operational environments;
3) past performance;
4) regulatory, industry and technological changes.

Issue 01/Rev 00 CAGM 1902 – SMS 7-16

 Chapter 7 – Implementation Planning
b) Ensure that management of change procedures address the impact on
existing safety performance and risk mitigation records before
implementing new changes.

c) Establish procedures to ensure that safety assessment of new aviation

safety-related operations, processes and equipment are conducted (or
accounted for) as applicable, before they are commissioned.

Continuous improvement of the SMS — Element 3.3 (i)

a) Develop forms for internal evaluations.

b) Define an internal audit process.

c) Define an external audit process.

d) Define a schedule for evaluation of facilities, equipment, documentation

-
and procedures to be completed through audits and surveys.

D
e) Develop documentation relevant to operational safety assurance.

E
7.8.5 Phase 4
LL
Phase 4 is the final phase of SMS implementation. This phase involves the
O
mature implementation of safety risk management and safety assurance. In this
phase operational safety assurance is assessed through the implementation of
TR

periodic monitoring, feedback and continuous corrective action to maintain the

effectiveness of safety risk controls.
N

Management commitment and responsibility — Element 1.1 (iii)

O

a) Enhance the existing disciplinary procedure/policy with due consideration

C

of unintentional errors/ mistakes from deliberate/gross violations.

N

Hazard identification — Element 2.1 (ii)

-U

a) Integrate the hazards identified from occurrence investigation reports with

the voluntary reporting system.

b) Integrate hazard identification and risk management procedures with the

subcontractor or customer SMS where applicable.

c) If necessary, develop a process for prioritizing collected hazards for risk

mitigation based on areas of greater need or concern.

Safety performance monitoring and measurement — Element 3.1 (ii)

a) Enhance the safety data collection and processing system to include lower-
consequence events.

b) Establish lower-consequence safety/quality indicators with target/alert

level monitoring as appropriate (mature ALoSP).

Issue 01/Rev 00 CAGM 1902 – SMS 7-17

 Chapter 7 – Implementation Planning
c) Reach an agreement with the CAAM on lower-consequence safety
performance indicators and safety performance target/alert levels.

Continuous improvement of the SMS — Element 3.3 (ii)

a) Establish SMS audits or integrate them into existing internal and external
audit programmes.

b) Establish other operational SMS review/survey programmes where

appropriate.

Training and education — Element 4.1 (ii)

a) Complete an SMS training programme for all relevant personnel.

Safety communication — Element 4.2 (ii)

-
D
a) Establish mechanisms to promote safety information sharing and exchange

E
internally and externally.

7.8.6
LL
SMS elements progressively implemented throughout Phases 1 to 4

In the phased approach implementation, the following three key elements are
O
progressively implemented throughout each phase:
TR

SMS documentation — Element 1.5

As the SMS progressively matures the relevant SMS manual and safety
N

documentation must be revised and updated accordingly. This activity will be

inherent to all phases of SMS implementation and must be maintained after
O

implementation as well.
C

Training and education — Element 4.1 and Safety communication —

N

Element 4.2
-U

As with SMS documentation, training, education and safety communication are

important ongoing activities throughout all phases of SMS implementation. As
the SMS evolves, new processes, procedures or regulations may come into
effect or existing procedures may change to cater for the SMS requirements.
To ensure these changes are effectively understood and implemented by all
personnel involved in safety- related duties it is vital that training and
communication remain as ongoing activities throughout and after the complete
implementation of the SMS.

Issue 01/Rev 00 CAGM 1902 – SMS 7-18

 Chapter 8 – Safety Risk Management

8 Safety Risk Management

Safety Risk Management (SRM) is a key component of safety management and

includes hazard identification, safety risk assessment, safety risk mitigation and risk
acceptance. SRM is a continuous activity because the aviation system is constantly
changing, new hazards can be introduced and some hazards and associated safety
risks may change over time. In addition, the effectiveness of implemented safety risk
mitigation strategies must be monitored to determine if further action is required.

8.1 Introduction to hazards

8.1.1 In aviation, a hazard can be considered as a dormant potential for harm which is
present in one form or another within the system or its environment. This potential
for harm may appear in different forms, for example: as a natural condition (e.g.
terrain) or technical status (e.g. runway markings).

-
D
8.1.2 Hazards are an inevitable part of aviation activities; however, their manifestation

E
and possible adverse consequences can be addressed through mitigation
strategies which aim to contain the potential for the hazard to result in an unsafe
LL
condition. Aviation can coexist with hazards so long as they are controlled. Hazard
identification is the first step in the SRM process. It precedes a safety risk
O
assessment and requires a clear understanding of hazards and their related
consequences
TR

8.2 Understanding hazards and their consequences

N

8.2.1 Hazard identification focuses on conditions or objects that could cause or

contribute to the unsafe operation of aircraft or aviation safety-related equipment,
O

products and services (guidance on distinguishing hazards that are directly

pertinent to aviation safety from other general/industrial hazards is addressed in
C

subsequent paragraphs).
N

8.2.2 Consider, for example, a fifteen-knot wind. Fifteen-knots of wind is not necessarily
-U

a hazardous condition. In fact, a fifteen-knot wind blowing directly down the runway
improves aircraft take-off and landing performance. But if the fifteen-knot wind is
blowing across the runway, a crosswind condition is created which may be
hazardous to operations. This is due to its potential to contribute to aircraft
instability. The reduction in control could lead to an occurrence, such as a lateral
runway excursion.

8.2.3 It is not uncommon for people to confuse hazards with their consequences. A
consequence is an outcome that can be triggered by a hazard. For example, a
runway excursion (overrun) is a potential consequence related to the hazard of a
contaminated runway. By clearly defining the hazard first, one can more readily
identify possible consequences.

Issue 01/Rev 00 CAGM 1902 – SMS 8-1

 Chapter 8 – Safety Risk Management
8.2.4 In the crosswind example above, an immediate outcome of the hazard could be
loss of lateral control followed by a consequent runway excursion. The ultimate
consequence could be an accident. The damaging potential of a hazard can
materialize through one or many consequences. It is important that safety risk
assessments identify all of the possible consequences. The most extreme
consequence - loss of human life - should be differentiated from those that involve
lesser consequences, such as: aircraft incidents; increased flight crew workload;
or passenger discomfort. The description of the consequences will inform the risk
assessment and subsequent development and implementation of mitigations
through prioritization and allocation of resources. Detailed and thorough hazard
identification will lead to more accurate assessment of safety risks.

Hazard identification and prioritisation

-
8.2.5 Hazards exist at all levels in the organisation and are detectable through many

D
sources including reporting systems, inspections, audits, brainstorming sessions
and expert judgement. The goal is to proactively identify hazards before they lead

E
to accidents, incidents or other safety-related occurrences. An important

LL
mechanism for proactive hazard identification is a voluntary safety reporting
system. Information collected through such reporting systems may be
supplemented by observations or findings recorded during routine site inspections
O
or organisational audits.
TR

8.2.6 Hazards can also be identified in the review or study of internal and external
investigation reports. A consideration of hazards when reviewing accident or
N

incident investigation reports is a good way to enhance the organisation’s hazard

identification system. This is particularly important when the organisation’s safety
O

culture is not yet mature enough to support effective voluntary safety reporting, or
in small organisations with limited events or reports. An important source of
C

specific hazards linked to operations and activities is from external sources such
N

as ICAO, trade associations or other international bodies.

-U

8.2.7 Hazard identification may also consider hazards that are generated outside of the
organisation and hazards that are outside the direct control of the organisation,
such as extreme weather or volcanic ash. Hazards related to emerging safety risks
are also an important way for organisations to prepare for situations that may
eventually occur.

8.2.8 The following should be considered when identifying hazards:

a) system description;

b) design factors, including equipment and task design;

c) human performance limitations (e.g. physiological, psychological, physical

and cognitive);

Issue 01/Rev 00 CAGM 1902 – SMS 8-2

 Chapter 8 – Safety Risk Management
d) procedures and operating practices, including documentation and checklists,
and their validation under actual operating conditions;

e) communication factors, including media, terminology and language;

f) organisational factors, such as those related to the recruitment, training and

retention of personnel, compatibility of production and safety goals, allocation
of resources, operating pressures and corporate safety culture;

g) factors related to the operational environment (e.g. weather, ambient noise

and vibration, temperature and lighting);

h) regulatory oversight factors, including the applicability and enforceability of

regulations, and the certification of equipment, personnel and procedures;

i) performance monitoring systems that can detect practical drift, operational

deviations or a deterioration of product reliability;

-
D
j) human-machine interface factors; and

E
k) factors related to the SMS interfaces with other service providers.

LL
Occupational safety health and environmental (OSHE) hazards
O
8.2.9 Safety risks associated with compound hazards that simultaneously impact
TR

aviation safety as well as OSHE may be managed through separate (parallel) risk
mitigation processes to address the separate aviation and OSHE consequences,
respectively. Alternatively, an integrated aviation and OSHE risk mitigation system
N

may be used to address compound hazards. An example of a compound hazard

is a lightning strike on an aircraft at an airport transit gate. This hazard may be
O

deemed by an OSHE inspector to be a “workplace hazard” (ground

personnel/workplace safety). To an aviation safety inspector, it is also an aviation
C

hazard with risk of damage to the aircraft and a risk to passenger safety. It is
N

important to consider both the OSHE and aviation safety consequences of such
compound hazards, since they are not always the same. The purpose and focus
-U

of preventive controls for OSHE and aviation safety consequences may differ.

Hazard identification methodologies

8.2.10 The two main methodologies for identifying hazards are:

a) Reactive. This methodology involves analysis of past outcomes or events.

Hazards are identified through investigation of safety occurrences. Incidents
and accidents are an indication of system deficiencies and therefore can be
used to determine which hazard(s) contributed to the event.

b) Proactive. This methodology involves collecting safety data of lower

consequence events or process performance and analysing the safety
information or frequency of occurrence to determine if a hazard could lead to

Issue 01/Rev 00 CAGM 1902 – SMS 8-3

 Chapter 8 – Safety Risk Management
an accident or incident. The safety information for proactive hazard
identification primarily comes from flight data analysis (FDA) programmes,
safety reporting systems and the safety assurance function.

8.2.11 Hazards can also be identified through safety data analysis which identifies
adverse trends and makes predictions about emerging hazards, etc.

Hazards related to SMS interfaces with external organisations

8.2.12 Organisations should also identify hazards related to their safety management
interfaces. This should, where possible, be carried out as a joint exercise with the
interfacing organisations. The hazard identification should consider the
operational environment and the various organisational capabilities (people,
processes, technologies) which could contribute to the safe delivery of the service

-
or product’s availability, functionality or performance.

D
8.2.13 As an example, an aircraft turnaround involves many organisations and

E
operational personnel all working in and around the aircraft. There are likely to be

LL
hazards related to the interfaces between operational personnel, their equipment
and the coordination of the turnaround activity.
O
8.3 Safety risk probability
TR

8.3.1 Safety risk probability is the likelihood that a safety consequence or outcome will
occur. It is important to envisage a variety of scenarios so that all potential
consequences can be considered. The following questions can assist in the
N

determination of probability:
O

a) Is there a history of occurrences similar to the one under consideration, or is

this an isolated occurrence?
C

b) What other equipment or components of the same type might have similar
N

issues?
-U

c) What is the number of personnel following, or subject to, the procedures in

question?

d) What is the exposure of the hazard under consideration? For example, during
what percentage of the operation is the equipment or activity in use?

8.3.2 Taking into consideration any factors that might underlie these questions will help
when assessing the probability of the hazard consequences in any foreseeable
scenario.

8.3.3 An occurrence is considered foreseeable if any reasonable person could have

expected the kind of occurrence to have happened under the same circumstances.
Identification of every conceivable or theoretically possible hazard is not possible.
Therefore, good judgment is required to determine an appropriate level of detail in
hazard identification. Service providers should exercise due diligence when

Issue 01/Rev 00 CAGM 1902 – SMS 8-4

 Chapter 8 – Safety Risk Management
identifying significant and reasonably foreseeable hazards related to their product
or service.
Note. — Regarding product design, the term “foreseeable” is intended to be
consistent with its use in airworthiness regulations, policy, and guidance.

8.3.4 Table 8-1 presents a typical safety risk probability classification table. It includes
five categories to denote the probability related to an unsafe event or condition,
the description of each category, and an assignment of a value to each category.
This example uses qualitative terms; quantitative terms could be defined to provide
a more accurate assessment. This will depend on the availability of appropriate
safety data and the sophistication of the organisation and operation.

Likelihood Meaning Value

Frequent Likely to occur many times (has occurred 5

-
frequently)

D
Occasional Likely to occur sometimes (has occurred 4

E
infrequently)

Remote

Improbable
rarely) LL
Unlikely to occur, but possible (has occurred

Very unlikely to occur (not known to have

3

2
O
occurred)

Extremely Almost inconceivable that the event will occur 1

TR

improbable

Table 8-1: Safety risk probability table

N

8.4 Safety risk severity

O

8.4.1 Once the probability assessment has been completed, the next step is to assess
C

the severity, taking into account the potential consequences related to the hazard.
Safety risk severity is defined as the extent of harm that might reasonably be
N

expected to occur as a consequence or outcome of the identified hazard. The

severity classification should consider:
-U

a) fatalities or serious injury which would occur as a result of:

1) being in the aircraft;

2) having direct contact with any part of the aircraft, including parts which
have become detached from the aircraft; or
3) having direct exposure to jet blast; and

b) damage:

1) damage or structural failure sustained by the aircraft which:

i) adversely affects the structural strength, performance or flight
characteristics of the aircraft;
ii) would normally require major repair or replacement of the affected
component;

Issue 01/Rev 00 CAGM 1902 – SMS 8-5

 Chapter 8 – Safety Risk Management
2) damage sustained by ATS or aerodrome equipment which:
i) adversely affects the management of aircraft separation; or
ii) adversely affects landing capability.

8.4.2 The severity assessment should consider all possible consequences related to a
hazard, taking into account the worst foreseeable situation. Table 8-2 presents a
typical safety risk severity table. It includes five categories to denote the level of
severity, the description of each category, and the assignment of a value to each
category. As with the safety risk probability table, this table is an example only.

Severity Meaning Value

Catastrophic • Aircraft / equipment destroyed A

• Multiple deaths

-
Hazardous • A large reduction in safety margins, physical distress B

D
or a workload such that operational personnel cannot
be relied upon to perform their tasks accurately or

E
completely
• Serious injury

Major
•

•
LL
Major equipment damage

A significant reduction in safety margins, a reduction

in the ability of operational personnel to cope with
C
O
adverse operating conditions as a result of an
increase in workload or as a result of conditions
impairing their efficiency
TR

• Serious incident
• Injury to persons
Minor • Nuisance D
N

• Operating limitations
• Use of emergency procedures
• Minor incident
O

Negligible • Few consequences E

C

Table 8-2: Example of safety risk severity table

N

8.5 Safety risk tolerability

-U

8.5.1 The safety risk index rating is created by combining the results of the probability
and severity scores. In the example above, it is an alphanumeric designator. The
respective severity/probability combinations are presented in the safety risk
assessment matrix in Table 8-3. The safety risk assessment matrix is used to
determine safety risk tolerability. Consider, for example, a situation where the
safety risk probability has been assessed as Occasional (4), and the safety risk
severity has been assessed as Hazardous (B), resulting in a safety risk index of
(4B).

Issue 01/Rev 00 CAGM 1902 – SMS 8-6

 Chapter 8 – Safety Risk Management

Safety Risk Severity

Probability Catastrophic Hazardous Major Minor Negligible

A B C D E

Frequent 5 5A 5B 5C 5D 5E

Occasional 4 4A 4B 4C 4D 4E

Remote 3 3A 3B 3C 3D 3E

Improbable 2 2A 2B 2C 2D 2E

Extremely improbable 1 1A 1B 1C 1D 1E

Table 8-3: Example of safety risk matrix

Note. — In determining the safety risk tolerability, the quality and reliability of

-
D
the data used for the hazard identification and safety risk probability should
be taken into consideration.

E
8.5.2 The index obtained from the safety risk assessment matrix should then be
LL
exported to a safety risk tolerability table that describes — in a narrative form —
the tolerability criteria for the particular organisation. Table 8-4 presents an
O
example of a safety risk tolerability table. Using the example above, the criterion
for safety risk assessed as 4B falls in the “intolerable” category. In this case, the
TR

safety risk index of the consequence is unacceptable. The organisation should

therefore take risk control action to reduce:
N

a) the organisation’s exposure to the particular risk, i.e., reduce the probability
component of the risk to an acceptable level;
O

b) the severity of consequences related to the hazard, i.e., reduce the severity
C

component of the risk to an acceptable level; or

N

c) both the severity and probability so that the risk is managed to an acceptable
level.
-U

8.5.3 Safety risks are conceptually assessed as acceptable, tolerable or intolerable.

Safety risks assessed as initially falling in the intolerable region are unacceptable
under any circumstances. The probability and/or severity of the consequences of
the hazards are of such a magnitude, and the damaging potential of the hazard
poses such a threat to safety, that mitigation action is required or activities are
stopped.

Issue 01/Rev 00 CAGM 1902 – SMS 8-7

 Chapter 8 – Safety Risk Management

Safety Risk Index Range Safety Risk Description Recommended Action

5A, 5B, 5C, 4A, 4B, 3A
INTOLERABLE Take immediate action to mitigate the risk
or stop the activity. Perform priority safety
risk mitigation to ensure additional or
enhanced preventative controls are in
place to bring down the safety risk index to
tolerable.

5D, 5E, 4C, 4D, 4E, 3B, TOLERABLE Can be tolerated based on the safety risk
3C, 3D, 2A, 2B, 2C, 1A mitigation. It may require management
decision to accept the risk.

3E, 2D, 2E, 1B, 1C, 1D, ACCEPTABLE Acceptable as is. No further safety risk
1E mitigation required.

Table 8-4: Example of safety risk tolerability

-
8.6 Assessing human factors related risks

D
8.6.1 The consideration of human factors has particular importance in SRM as people

E
can be both a source and a solution of safety risks by:

a) LL
contributing to an accident or incident through variable performance due to
human limitations;
O
b) anticipating and taking appropriate actions to avoid a hazardous situation: and
TR

c) solving problems, making decisions and taking actions to mitigate risks.

8.6.2 It is therefore important to involve people with appropriate human factors expertise
N

in the identification, assessment and mitigation of risks.

O

8.6.3 SRM requires all aspects of safety risk to be addressed, including those related to
C

humans. Assessing the risks associated with human performance is more

complex than risk factors associated with technology and environment since:
N

a) human performance is highly variable, with a wide range of interacting

-U

influences internal and external to the individual. Many of the effects of the
interaction between these influences are difficult, or impossible to predict; and

b) the consequences of variable human performance will differ according to the

task being performed and the context.

8.6.4 This complicates how the probability and the severity of the risk is determined.
Therefore, human factors expertise is valuable in the identification and
assessment of safety risks.

8.7 Safety risk mitigation strategies

8.7.1 Safety risk mitigation is often referred to as a safety risk control. Safety risks should
be managed to an acceptable level by mitigating the safety risk through the
application of appropriate safety risk controls. This should be balanced against the

Issue 01/Rev 00 CAGM 1902 – SMS 8-8

 Chapter 8 – Safety Risk Management
time, cost and difficulty of taking action to reduce or eliminate the safety risk. The
level of safety risk can be lowered by reducing the severity of the potential
consequences, reducing the likelihood of occurrence or by reducing exposure to
that safety risk. It is easier and more common to reduce the likelihood than it is to
reduce the severity.

8.7.2 Safety risk mitigations are actions that often result in changes to operating
procedures, equipment or infrastructure. Safety risk mitigation strategies fall into
three categories:

a) Avoidance: The operation or activity is cancelled or avoided because the

safety risk exceeds the benefits of continuing the activity, thereby eliminating
the safety risk entirely.

b) Reduction: The frequency of the operation or activity is reduced, or action is

-
taken to reduce the magnitude of the consequences of the safety risk.

D
c) Segregation: Action is taken to isolate the effects of the consequences of the

E
safety risk or build in redundancy to protect against them.

8.7.3
LL
The consideration of human factors is an integral part of identifying effective
mitigations because humans are required to apply, or contribute to, the mitigation
or corrective actions. For example, mitigations may include the use of processes
O
or procedures. Without input from those who will be using these in “real world”
TR

situations and/or individuals with human factors expertise, the processes or

procedures developed may not be fit for their purpose and result in unintended
consequences. Further, human performance limitations should be considered as
N

part of any safety risk mitigation, building in error capturing strategies to address
human performance variability. Ultimately, this important human factors
O

perspective results in more comprehensive and effective mitigations.

C

8.7.4 A safety risk mitigation strategy may involve one of the approaches described
N

above or may include multiple approaches. It is important to consider the full range
of possible control measures to find an optimal solution. The effectiveness of each
-U

alternative strategy must be evaluated before a decision is made. Each proposed

safety risk mitigation alternative should be examined from the following
perspectives:

a) Effectiveness. The extent to which the alternatives reduce or eliminate the

safety risks. Effectiveness can be determined in terms of the technical,
training and regulatory defences that can reduce or eliminate safety risks.

b) Cost/benefit. The extent to which the perceived benefits of the mitigation

outweigh the costs.

c) Practicality. The extent to which mitigation can be implemented and how

appropriate it is in terms of available technology, financial and administrative
resources, legislation, political will, operational realities, etc.

Issue 01/Rev 00 CAGM 1902 – SMS 8-9

 Chapter 8 – Safety Risk Management
d) Acceptability. The extent to which the alternative is acceptable to those people
that will be expected to apply it.

e) Enforceability. The extent to which compliance with new rules, regulations or

operating procedures can be monitored.

f) Durability. The extent to which the mitigation will be sustainable and effective.

g) Residual safety risks. The degree of safety risk that remains subsequent to
the implementation of the initial mitigation and which may necessitate
additional safety risk control measures.

h) Unintended consequences. The introduction of new hazards and related

safety risks associated with the implementation of any mitigation alternative.

i) Time. Time required for the implementation of the safety risk mitigation
alternative.

-
D
8.7.5 Corrective action should take into account any existing defences and their

E
(in)ability to achieve an acceptable level of safety risk. This may result in a review
of previous safety risk assessments that may have been impacted by the
LL
corrective action. Safety risk mitigations and controls will need to be
verified/audited to ensure that they are effective. Another way to monitor the
O
effectiveness of mitigations is through the use of SPIs. See Chapter 4 for more
information on safety performance management and SPIs.
TR

8.8 Safety risk management documentation

N

8.8.1 Safety risk management activities should be documented, including any

assumptions underlying the probability and severity assessment, decisions made,
O

and any safety risk mitigation actions taken. This may be done using a spread
sheet or table. Some organisations may use a database or other software where
C

large amounts of safety data and safety information can be stored and analysed.
N

8.8.2 Maintaining a register of identified hazards minimises the likelihood that the
-U

organisation will lose sight of its known hazards. When hazards are identified, they
can be compared with the known hazards in the register to see if the hazard has
already been registered, and what action(s) were taken to mitigate it. Hazard
registers are usually in a table format and typically include: the hazard, potential
consequences, assessment of associated risks, identification date, hazard
category, short description, when or where it applies, who identified it and what
measure have been put in place to mitigate the risks.

8.8.3 Safety risk decision-making tools and processes can be used to improve the
repeatability and justification of decisions taken by organisational safety decision
makers. An example of a safety risk decision aid is provided below in Figure 8-1.

Issue 01/Rev 00 CAGM 1902 – SMS 8-10

 Chapter 8 – Safety Risk Management

For feedback
purposes, record the
hazard ID and safety Safety concern perceived
risk assessment

and
Identity hazards / consequences
and assess risk

Define level Define level

of probability of severity

Define the level of risk

YES Is the risk level acceptable? NO

-
E D
Take action and
continue operations Can the risk be eliminated? NO

YES
LLCan the risk be mitigated?
O
TR

Is the residual risk (if any)

YES
acceptable?

Do not perform
N

NO
operation
O
C

Figure 8-1: Safety risk management decision aid

N
-U

8.9 Cost-benefit analysis

8.9.1 Cost-benefit or cost-effectiveness analysis is normally carried out during the safety
risk mitigation activities. It is commonly associated with business management,
such as a regulatory impact assessment or project management processes.
However, there may be situations where a safety risk assessment may have a
significant financial impact. In such situations, a supplementary cost-benefit
analysis or cost-effectiveness process to support the safety risk assessment may
be warranted. This will ensure cost-effectiveness analysis or justification of
recommended safety risk control actions has been taken into consideration, with
the associated financial implications.

Issue 01/Rev 00 CAGM 1902 – SMS 8-11

 Chapter 8 – Safety Risk Management

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 8-12

 Chapter 9 – Hazard Taxonomies

9 Hazard Taxonomies

9.1 Safety data should ideally be categorized using taxonomies and supporting
definitions so that the data can be captured and stored using meaningful terms.
Common taxonomies and definitions establish a standard language, improving the
quality of information and communication. The aviation community's capacity to focus
on safety issues is greatly enhanced by sharing a common language. Taxonomies
enable analysis and facilitate information sharing and exchange. Some examples of
taxonomies include:

a) Aircraft model: The organisation can build a database with all models certified to
operate.

b) Airport: The organisation may use ICAO or International Air Transport

Association (IATA) codes to identify airports.

-
D
c) Type of occurrence: An organisation may use taxonomies developed by ICAO
and other international organisations to classify occurrences.

E
9.2 There are a number of industry common aviation taxonomies. Some examples
include:

a)
LL
ADREP: an occurrence category taxonomy that is part of ICAO’s accident and
O
incident reporting system. It is a compilation of attributes and the related values
TR

that allow safety trend analysis on these categories.

b) Commercial Aviation Safety Team (CAST)/International Civil Aviation

Organisation (ICAO) Common Taxonomy Team (CICTT): tasked with developing
N

common taxonomies and definitions for aircraft accident and incident reporting
systems.
O

c) Safety Performance Indicators Task Force (SPI-TF): tasked with developing

C

globally harmonized metrics for service providers’ SPIs as part of their SMS, to
N

ensure uniformity in the collection of information and comparison of analysis

results.
-U

9.3 More examples of hazard taxonomies are provided in Appendix 7 of this CAGM.

9.4 Hazard taxonomies are especially important. Identification of a hazard is often the
first step in the risk management process. Commencing with a commonly recognized
language makes the safety data more meaningful, easier to classify and simpler to
process. The structure of a hazard taxonomy may include a generic and specific
component.

9.5 The generic component allows users to capture the nature of a hazard with a view to
aid in identification, analysis, and coding. A high-level taxonomy of hazards has been
developed by the CICTT which classifies hazards in families of hazard types
(Environmental, Technical, Organisational, and Human).

Issue 01/Rev 00 CAGM 1902 – SMS 9-1

 Chapter 9 – Hazard Taxonomies
9.6 The specific component adds precision to the hazard definition and context. This
enables more detailed risk management processing. The following criteria may be
helpful when formulating hazard definitions. When naming a hazard, it should be:

a) clearly identifiable;

b) described in the desired (controlled) state; and

c) identified using accepted names.

9.7 Common taxonomies may not always be available between databases. In such a
case, data mapping should be used to allow the standardization of safety data and
safety information based on equivalency. Using an aircraft type example, a mapping
of the data could show that a “Boeing 787-8” in one database is equivalent with a
“788” in another. This may not be a straightforward process as the level of detail
during safety data and safety information capture may differ.

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 9-2

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

10 Safety Performance Indicators and Safety Performance

Targets

10.1 Types of safety performance indicators

Qualitative and quantitative indicators

10.1.1 SPIs are used to help senior management know whether or not the organisation
is likely to achieve its safety objective; they can be qualitative or quantitative.
Quantitative indicators relate to measuring by the quantity, rather than its quality,
whereas qualitative indicators are descriptive and measure by quality. Quantitative
indicators are preferred over qualitative indicators because they are more easily
counted and compared. The choice of indicator depends on the availability of
reliable data that can be measured quantitatively. Does the necessary evidence

-
have to be in the form of comparable, generalizable data (quantitative), or a

D
descriptive image of the safety situation (qualitative)? Each option, qualitative or

E
quantitative, involves different kinds of SPIs, and requires a thoughtful SPI
selection process. A combination of approaches is useful in many situations, and
LL
can solve many of the problems which may arise from adopting a single approach.
An example of a qualitative indicator for a service provider the assessment of the
O
safety culture.
TR

10.1.2 Quantitative indicators can be expressed as a number (x incursions) or as a rate

(x incursions per n movements). In some cases, a numerical expression will be
sufficient. However, just using numbers may create a distorted impression of the
N

actual safety situation if the level of activity fluctuates. For example, if air traffic
control records three altitude busts in July and six in August, there may be great
O

concern about the significant deterioration in safety performance. But August may
C

have seen double the movements of July meaning the altitude busts per
movement, or the rate, has decreased, not increased. This may or may not change
N

the level of scrutiny, but it does provide another valuable piece of information that
may be vital to data-driven safety decision-making.
-U

10.1.3 For this reason, where appropriate, SPIs should be reflected in terms of a relative
rate to measure the performance level regardless of the level of activity. This
provides a normalized measure of performance; whether the activity increases or
decreases. As another example, an SPI could measure the number of runway
incursions. But if there were fewer departures in the monitored period, the result
could be misleading. A more accurate and valuable performance measure would
be the number of runway incursions relative to the number of movements, e.g. x
incursions per 1,000 movements.

Issue 01/Rev 00 CAGM 1902 – SMS 10-1

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
Lagging and leading indicators

10.1.4 The two most common categories used by the service providers to classify their
SPIs are lagging and leading. Lagging SPIs measure events that have already
occurred. They are also referred to as “outcome-based SPIs” and are normally
(but not always) the negative outcomes the organisation is aiming to avoid.
Leading SPIs measure processes and inputs being implemented to improve or
maintain safety. These are also known as “activity or process SPIs” as they
monitor and measure conditions that have the potential to lead to or contribute to
a specific outcome.

10.1.5 Lagging SPIs help the organisation understand what has happened in the past
and are useful for long-term trending. They can be used as a high-level indicator
or as an indication of specific occurrence types or locations, such as “types of
accidents per aircraft type” or “specific incident types by region”. Because lagging

-
SPIs measure safety outcomes, they can measure the effectiveness of safety

D
mitigations. They are effective at validating the overall safety performance of the

E
system. For example, monitoring the “number of ramp collisions per number of
movements between vehicles following a redesign of ramp markings” provides a
LL
measure of the effectiveness of the new markings (assuming nothing else has
changed). The reduction in collisions validates an improvement in the overall
O
safety performance of the ramp system; which may be attributable to the change
in question.
TR

10.1.6 Trends in lagging SPIs can be analysed to determine conditions existing in the
system that should be addressed. Using the previous example, an increasing trend
N

in ramp collisions per number of movements may have been what led to the
identification of sub-standard ramp markings as a mitigation.
O

10.1.7 Lagging SPIs are divided into two types:

C

a) low probability/high severity: outcomes such as accidents or serious incidents.

N

The low frequency of high severity outcomes means that aggregation of data
-U

(at industry segment level or regional level) may result in more meaningful
analyses. An example of this type of lagging SPI would be “aircraft and/or
engine damage due to bird strike.

b) high probability/low severity: outcomes that did not necessarily manifest

themselves in a serious accident or incident, these are sometimes also
referred to as precursor indicators. SPIs for high probability/low severity
outcomes are primarily used to monitor specific safety issues and measure
the effectiveness of existing safety risk mitigations. An example of this type of
precursor SPI would be “bird radar detections”, which indicates the level of
bird activity rather than the amount of actual bird strikes.

10.1.8 Aviation safety measures have historically been biased towards SPIs that reflect
“low probability/high severity” outcomes. This is understandable in that accidents
and serious incidents are high profile events and are easy to count. However, from

Issue 01/Rev 00 CAGM 1902 – SMS 10-2

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
a safety performance management perspective, there are drawbacks in an
overreliance on accidents and serious incidents as a reliable indicator of safety
performance. For instance, accidents and serious incidents are infrequent (there
may be only one accident in a year, or none) making it difficult to perform statistical
analysis to identify trends. This does not necessarily indicate that the system is
safe. A consequence of a reliance on this sort of data is a potential false sense of
confidence that an organisation’s or system’s safety performance is effective,
when it may in fact be perilously close to an accident.

10.1.9 Leading indicators are measures that focus on processes and inputs that are being
implemented to improve or maintain safety. These are also known as “activity or
process SPIs” as they monitor and measure conditions that have the potential to
become or to contribute to a specific outcome.

10.1.10 Examples of leading SPIs driving the development of organisational capabilities

-
D
for proactive safety performance management include such things as “percentage
of staff who have successfully completed safety training on time” or “frequency of

E
bird scaring activities”.

10.1.11 LL
Leading SPIs may also inform the organisation about how their operation copes
with change, including changes in its operating environment. The focus will be
O
either on anticipating weaknesses and vulnerabilities as a result of the change, or
monitoring the performance after a change. An example of an SPI to monitor a
TR

change in operations would be “percentage of sites that have implemented

procedure X”.
N

10.1.12 For a more accurate and useful indication of safety performance, lagging SPIs,
measuring both “low probability/high severity” events and “high probability/low
O

severity” events should be combined with leading SPIs. Figure 10-1 illustrates the
concept of leading and lagging indicators that provide a more comprehensive and
C

realistic picture of the organisation’s safety performance.

N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10-3

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

Precursor event
• Bird sightings near aircraft
• Bird radar detections

Input Process Output

Leading indicator
• Bird scaring activities Lagging indicator
• Crops control • Bird-strikes

-
• Grass mowing • Bird-ingestions (one or multiple engines)

D
• Location of feeding troughs

E
LL
Figure 10-1: Leading vs Lagging indicator concept phases
O
TR

10.2 Selecting and defining SPIs

10.2.1 SPIs are the parameters that provide the organisation with a view of its safety
N

performance: where it has been; where it is now; and where it is headed, in relation
to safety. This picture acts as a solid and defensible foundation upon which the
O

organisation’s data-driven safety decisions are made. These decisions, in turn,

C

positively affect the organisation’s safety performance. The identification of SPIs

should therefore be realistic, relevant, and linked to safety objectives, regardless
N

of their simplicity or complexity.

-U

10.2.2 It is likely the initial selection of SPIs will be limited to the monitoring and
measurement of parameters representing events or processes that are easy
and/or convenient to capture (safety data that may be readily available). Ideally,
SPIs should focus on parameters that are important indicators of safety
performance, rather than on those that are easy to attain.

10.2.3 Lagging SPIs are divided into two types:

a) related to the safety objective they aim to indicate;

b) selected or developed based on available data and reliable measurement;

c) appropriately specific and quantifiable; and

d) realistic, by taking into account the possibilities and constraints of the

organisation.

Issue 01/Rev 00 CAGM 1902 – SMS 10-4

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
10.2.4 A combination of SPIs is usually required to provide a clear indication of safety
performance. There should be a clear link between lagging and leading SPIs.
Ideally lagging SPIs should be defined before determining leading SPIs. Defining
a precursor SPI linked to a more serious event or condition (the lagging SPI)
ensures there is a clear correlation between the two. All of the SPIs, lagging and
leading, are equally valid and valuable. An example of these linkages is illustrated
in Figure 10-2.

-
E D
LL
Figure 10-2: Examples of links between lagging and leading indicators
O
10.2.5 It is important to select SPIs that relate to the organisation’s safety objectives.
TR

Having SPIs that are well defined and aligned will make it easier to identify SPTs,
which will show the progress being made towards the attainment of safety
objectives. This allows the organisation to assign resources for greatest safety
N

effect by knowing precisely what is required, and when and how to act to achieve
the planned safety performance.
O
C

Defining SPIs
N

10.2.6 The contents of each SPI should include:

-U

a) a description of what the SPI measures;

b) the purpose of the SPI (what it is intended to manage and who it is intended
to inform)

c) the units of measurement and any requirements for its calculation;

d) who is responsible for collecting, validating, monitoring, reporting and acting

on the SPI (these may be staff from different parts of the organisation);

e) where or how the data should be collected; and

f) the frequency of reporting, collecting, monitoring and analysis of the SPI data.

SPIs and safety reporting

Issue 01/Rev 00 CAGM 1902 – SMS 10-5

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

10.2.7 Changes in operational practices may lead to underreporting until their impact is
fully accepted by potential reporters. This is known as “reporting bias”. Changes
in the provisions related to the protection of safety information and related sources
could also lead to over-reporting. In both cases, reporting bias may distort the
intent and accuracy of the data used for the SPI. Employed judiciously, safety
reporting may still provide valuable data for the management of safety
performance.

10.3 Setting safety performance targets

10.3.1 Safety performance targets (SPTs) define short-term and medium-term safety
performance management desired achievements. They act as “milestones” that
provide confidence that the organisation is on track to achieving its safety
objectives and provide a measurable way of verifying the effectiveness of safety
performance management activities. SPT setting should take into consideration

-
D
factors such as the prevailing level of safety risk, safety risk tolerability, as well as
expectations regarding the safety of the particular aviation sector. The setting of

E
SPTs should be determined after considering what is realistically achievable for
the associated aviation sector and recent performance of the particular SPI, where
historical trend data is available. LL
O
10.3.2 If the combination of safety objectives, SPIs and SPTs working together are
SMART, it allows the organisation to more effectively demonstrate its safety
TR

performance. There are multiple approaches to achieving the goals of safety

performance management, especially, setting SPTs. One approach involves
establishing general high- level safety objectives with aligned SPIs and then
N

identifying reasonable levels of improvements after a baseline safety performance

has been established. These levels of improvements may be based on specific
O

targets (e.g. percentage decrease) or the achievement of a positive trend. Another

C

approach which can be used when the safety objectives are SMART is to have
the safety targets act as milestones to achieving the safety objectives. Either of
N

these approaches are valid and there may be others that an organisation finds
effective at demonstrating their safety performance. Different approaches can be
-U

used in combination as appropriate to the specific circumstances.

Setting targets with high-level safety objectives

10.3.3 Targets are established with senior management agreeing on high-level safety
objectives. The organisation then identifies appropriate SPIs that will show
improvement of safety performance towards the agreed safety objective(s). The
SPIs will be measured using existing data sources, but may also require the
collection of additional data. The organisation then starts gathering, analysing and
presenting the SPIs. Trends will start to emerge, which will provide an overview of
the organisation’s safety performance and whether it is steering towards or away
from its safety objectives. At this point the organisation can identify reasonable
and achievable SPTs for each SPI.

Issue 01/Rev 00 CAGM 1902 – SMS 10-6

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
Setting targets with SMART safety objectives

10.3.4 Safety objectives can be difficult to communicate and may seem challenging to
achieve; by breaking them down into smaller concrete safety targets, the process
of delivering them is easier to manage. In this way, targets form a crucial link
between strategy and day-to-day operations. Organisations should identify the key
areas that drive the safety performance and establish a way to measure them.
Once an organisation has an idea what their current level of performance is by
establishing the baseline safety performance, they can start setting SPTs to give
everyone in the organisation a clear sense of what they should be aiming to
achieve. The organisation may also use benchmarking to support setting
performance targets. This involves using performance information from similar
organisations that have already been measuring their performance to get a sense
of how others in the community are doing.

-
10.3.5 An example of the relationship between safety objectives, SPIs and SPTs is

D
illustrated in Figure 10-3. In this example, the organisation recorded 100 runway

E
excursions per million movements in 2018. It has been determined this is too
many, and an objective to reduce the number of runway excursions by fifty per
LL
cent by 2022 has been set. Specific targeted actions and associated timelines
have been defined to meet these targets. To monitor, measure and report their
O
progress, the organisation has chosen “RWY excursions per million movements
per year” as the SPI. The organisation is aware that progress will be more
TR

immediate and effective if specific targets are set which align with the safety
objective. They have therefore set a safety target which equates to an average
reduction of 12.5 per year over the reporting period (four years). As shown in the
N

graphical representation, the progress is expected to be greater in the first years

and less so in the later years. This is represented by the curved projection towards
O

their objective. In the Figure 10-3:

C

a) the SMART safety objective is “50 per cent reduction in RWY excursions rate
N

by 2022”;
-U

b) the SPI selected is the “number runway excursions per million movements per
year”; and

c) the safety targets related to this objective represent milestones for reaching
the SMART safety objective and equate to a ~12 per cent reduction each year
until 2022;

1) SPT 1a is “less than 78 runway excursions per million movement in

2019”;
2) SPT 1b is “less than 64 runway excursions per million movement in
2020”;
3) SPT 1c is “less than 55 runway excursions per million movement in 2021”.

Issue 01/Rev 00 CAGM 1902 – SMS 10-7

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

-
D
Figure 10-3: Example SPTs with SMART safety objective

E
10.3.6
LL
Additional considerations for SPI and SPT selection

When selecting SPIs and SPTs, the following should also be considered:
O
a) Workload management. Creating a workable amount of SPIs can help
TR

personnel manage their monitoring and reporting workload. The same is true
of the SPIs complexity, or the availability of the necessary data. It is better to
agree on what is feasible, and then prioritize the selection of SPIs on this
N

basis. If an SPI is no longer informing safety performance, or been given a

lower priority, consider discontinuing in favour of a more useful or higher
O

priority indicator.
C

b) Optimal spread of SPIs. A combination of SPIs that encompass the focus

N

areas will help gain an insight to the organisation’s overall safety performance
and enable data-driven decision-making.
-U

c) Clarity of SPIs. When selecting an SPI, it should be clear what is being

measured and how often. SPIs with clear definitions aid understanding of
results, avoid misinterpretation, and allow meaningful comparisons over time.

d) Encouraging desired behaviour. SPTs can change behaviours and contribute

to desired outcomes. This is especially relevant if achievement of the target
is linked to organisational rewards, such as management remuneration. SPTs
should foster positive organisational and individual behaviours that
deliberately result in defensible decisions and safety performance
improvement. It is equally important to consider the potential unintended
behaviours when selecting SPIs and SPTs.

e) Choosing valuable measures. It is imperative that useful SPIs are selected,

not only ones which are easy to measure. It should be up to the organisation

Issue 01/Rev 00 CAGM 1902 – SMS 10-8

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
to decide what the most useful safety parameters are; those that guide the
organisation to improve decision-making, safety performance management,
and achievement of its safety objectives.

f) Achieving SPTs. This is a particularly important consideration, and linked to

the desired safety behaviours. Achieving the agreed SPTs is not always
indicative of safety performance improvement. The organisation should
distinguish between just meeting SPTs and actual, demonstrable
organisational safety performance improvement. It is imperative that the
organisation consider the context within which the target was achieved, rather
than looking at an SPT in isolation. Recognition for overall improvement in
safety performance, rather than an individual SPT achievement, will foster
desirable organisational behaviours and encourage exchange of safety
information that lies at the heart of both SRM and safety assurance. This could
also enhance the relationship between the CAAM and the service provider

-
and willingness to share safety data and ideas.

E D
10.4 Safety Performance Measurement

LL
Getting safety performance measurement right involves deciding how best to
measure the achievement of the safety objectives. This may vary from service
provider to service provider. Organisations should take the time to develop their
O
strategic awareness of what it is that drives safety improvement for their safety
TR

objectives.

10.5 Use of SPIs and SPTs

N

SPIs and SPTs can be used in different ways to demonstrate safety performance.
O

It is crucial that organisations tailor, select and apply various measurement tools
and approaches depending on their specific circumstances and the nature of what
C

is being measured. For instance, in some cases, organisations could adopt SPIs
that all have specific associated SPTs. In another situation, it may be preferable
N

to focus on achieving a positive trend in the SPIs, without specific target values.
-U

The package of selected performance metrics will usually employ a combination

of these approaches.

10.6 Monitoring Safety Performance

10.6.1 Once an organisation has identified the targets based on the SPIs they believe will
deliver the planned outcome, they must ensure the stakeholders follow through by
assigning clear responsibility for delivery.

10.6.2 Mechanisms for monitoring and measuring the organisation’s safety performance
should be established to identify what changes may be needed if the progress
made isn't as expected and reinforce the commitment of the organisation to meet
its safety objectives.

Issue 01/Rev 00 CAGM 1902 – SMS 10-9

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

10.6.3 Baseline safety performance

Understanding how the organisation plans to progress towards its safety

objectives requires that they know where they are, in relation to safety. Once
the organisation’s safety performance structure (safety objectives, indicators,
targets, triggers) has been established and is functioning, it is possible to learn
their baseline safety performance through a period of monitoring. Baseline
safety performance is the safety performance at the commencement of the
safety performance measurement process, the datum point from which
progress can be measured. In the example used in figures 10-2 and 10-3, the
baseline safety performance for that particular safety objective was “100
runway excursions per million movements during the year (2018)”. From this
solid basis, accurate and meaningful indications and targets can be recorded.

10.6.4 Refinement of SPIs and SPTs

-
D
10.6.4.1 SPIs and associated SPTs will have to be reviewed to determine if they are

E
providing the information needed to track the progress being made toward the
safety objectives and to ensure that the targets are realistic and achievable.

10.6.4.2
LL
Safety performance management is an ongoing activity. Safety risks and/or
availability of data change over time. Initial SPIs may be developed using
O
limited resources of safety information. Later, more reporting channels may be
TR

established, more safety data may be available and the organisation’s safety
analysis capabilities will likely mature. It may be appropriate for organisations
to develop simple (broader) SPIs initially. As they gather more data and safety
N

management capability, they can consider refining the scope of SPIs and SPTs
to better align with the desired safety objectives. Small non-complex
O

organisations may elect to refine their SPIs and SPTs and/or select generic (but
specific) indicators which apply to most aviation systems. Some examples of
C

generic indicators would be:

N

a) events including structural damage to equipment;

-U

b) events indicating circumstances in which an accident nearly occurred;

c) events in which operational personnel or members of the aviation

community were fatally or seriously injured;

d) events in which operational personnel became incapacitated or unable to

perform their duties safely;

e) rate of voluntary occurrence reports; and

f) rate of mandatory occurrence reports.

10.6.4.3 Larger more complex organisations may elect to institute a broader and/or
deeper range of SPIs and SPTs and to integrate generic indicators such as
those listed above with activity-specific ones. A large airport, for example,
providing services to major airlines and situated under complex airspace, might

Issue 01/Rev 00 CAGM 1902 – SMS 10-10

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
consider combining some of the generic SPIs with deeper-scope SPIs
representing specific aspects of their operation. The monitoring of these may
require greater effort but will likely produce superior safety results. There is a
clear correlation between the relative complexity of SPIs and SPTs and the
scale and complexity of the service providers’ operations. This relative
complexity should be reflected in the indicator and target set. Those
responsible for establishing safety performance management should be
conscious of this.

10.6.4.4 The set of SPIs and SPTs selected by an organisation should be periodically
reviewed to ensure their continued meaningfulness as indications of
organisational safety performance. Some reasons to continue, discontinue or
change SPIs and SPTs include:

a) SPIs continually report the same value (such as zero per cent or 100 per

-
cent); these SPIs are unlikely to provide meaningful input to senior

D
management decision-making;

E
b) SPIs that have similar behaviour and as such are considered a duplication;

c) LL
the SPT for an SPI implemented to measure the introduction of a
programme or targeted improvement has been met;
O
d) another safety concern becomes a higher priority to monitor and measure;
TR

e) to gain a better understanding of a particular safety concern by narrowing

the specifics of an SPI (i.e. reduce the “noise” to clarify the “signal”); and
N

f) safety objectives have changed and as a consequence the SPIs require

updating to remain relevant.
O

10.6.5 Safety triggers

C

10.6.5.1 A brief perspective on the notions of triggers is relevant to assist in their

N

eventual role within the context of the management of safety performance by

-U

an organisation.

10.6.5.2 A trigger is an established level or criteria value that serves to trigger (start) an
evaluation, decision, adjustment or remedial action related to the particular
indicator. One method for setting out-of-limits trigger criteria for SPTs is the use
of the population standard deviation (STDEVP) principle. This method derives
the standard deviation (SD) value based on the preceding historical data points
of a given safety indicator. The SD value plus the average (mean) value of the
historical data set forms the basic trigger value for the next monitoring period.
The SD principle (a basic statistical function) sets the trigger level criteria based
on actual historical performance of the given indicator (data set), including its
volatility (data point fluctuations). A more volatile historical data set will usually
result in a higher (more generous) trigger level value for the next monitoring
period. Triggers provide early warnings which enable decision makers to make

Issue 01/Rev 00 CAGM 1902 – SMS 10-11

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
informed safety decisions, and thus improve safety performance. An example
of trigger levels based on standard deviations (SDs) is provided at Figure 10-4
below. In this example, data-driven decisions and safety mitigation actions may
need to be taken when the trend goes beyond +1SD or +2SD from the mean of
the preceding period. Often the trigger levels (in this case +1SD, +2SD or
beyond +2SD) will align with decision management levels and urgency of
action.

-
E D
LL
O
TR
N

Figure 10-4: Example of representation of safety triggers (alert) levels

O
C

10.6.6 Identifying actions required

N

10.6.6.1 Arguably the most important outcome of establishing a safety performance

-U

management structure is the presentation of information to the organisation’s

decision makers so they can make decisions based on current, reliable safety
data and safety information. The aim should always be to make decisions in
accordance with the safety policy and towards the safety objectives.

10.6.6.2 In relation to safety performance management, data-driven decision-making is

about making effective, well-informed decisions based on the results of
monitored and measured SPIs, or other reports and analysis of safety data and
safety information. Using valid and relevant safety data combined with
information that provides context supports the organisation in making decisions
that align with its safety objectives and targets. Contextual information may also
include other stakeholder priorities, known deficiencies in the data, and other
complementary data to evaluate the pros, cons, opportunities, limitations and
risks associated with the decision. Having the information readily available and

Issue 01/Rev 00 CAGM 1902 – SMS 10-12

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
easy to interpret helps to mitigate bias, influence and human error in the
decision-making process.

10.6.6.3 Data-driven decision-making also supports the evaluation of decisions made in

the past to support any realignment with the safety objectives.

10.7 Update of safety objective

10.7.1 Safety performance management is not intended to be “set and forget”. Safety
performance management is dynamic and central to the functioning of every
service providers, and should be reviewed and updated:

a) routinely, in accordance with the periodic cycle established and agreed upon
by the high-level safety committee;

b) based on inputs from safety analyses (refer to Chapter 6 for details); and

-
D
c) in response to major changes in the operation, top risks or environment.

E
10.8 Methodology of Safety Performance Monitoring

10.8.1 LL
Tables 10-1 to 10-4 (safety indicator examples) provide illustrative examples of
service providers aggregate safety performance indicators (SPIs) and their
O
corresponding alert and target level setting criteria.
TR

Such a summary table may be compiled by the service providers and

populated accordingly with as many existing or viable safety indicators as
possible. SMS SPIs will need to be developed by service providers in relation
N

to the expectations of the Malaysian Safety Programme’s (MSP) safety

indicators. In order to ensure congruence between MSP and SMS indicators,
O

the service provider will need to actively engage with CAAM during its
C

development of SMS SPIs. It can be expected for SMS SPIs to be more

comprehensive than MSP safety indicators. It is possible that certain safety/
N

quality indicators may have been maintained by service providers for

supplementary purposes and hence need not be included for SMS level
-U

monitoring and measurement purposes. These would usually be lower level

or other process-specific indicators within the organisation.

10.8.2 Table 10-5 (example of an SMS safety indicator chart) is an example of what a
high-consequence SMS safety performance indicator chart looks like. In this case
it is the service provider’s aggregate reportable/ mandatory incident rates. The
chart on the left is the preceding year’s performance, while the chart on the right
is the current year’s progressive data trending. The alert level setting is based on
basic safety metrics standard deviation criteria. The Excel spreadsheet formula is
“=STDEVP”. For the purpose of manual standard deviation calculation, the formula
is:

Issue 01/Rev 00 CAGM 1902 – SMS 10-13

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

where “X” is the value of each data point, “N” is the number of data points and
“μ” is the average value of all the data points.

10.8.3 The target setting is a desired percentage improvement (in this case 5%) over the
previous year’s data point average. It should be noted that the actual data point
interval and occurrence rate denominator will need to be determined based on the
nature of each data set, in order to ensure the viability of the safety indicator. For
very low frequency occurrences, the data point interval may, for example, have to
be on a yearly instead of quarterly update basis.

Likewise, the occurrence rate denominator may, for example, be per 100 000

-
air movements instead of 1 000 air movements. This chart is generated by

D
the data sheet shown in Table 10-6.

E
10.8.4 The data sheet in Table 10-6 (data sheet for a sample safety indicator chart) is

LL
used to generate the safety indicator chart shown in Table 10-5. The same can be
used to generate any other safety indicator chart with the appropriate data entry
and safety indicator descriptor customization. The three alert lines and target line
O
are automatically generated based on their respective settings in this data sheet.
TR

10.8.5 Table 10-7 (example of an ALoSP performance summary) is a summary of all the
service provider’s safety indicators, with their respective alert and target level
outcomes annotated. Such a summary may be compiled at the end of each
N

monitoring period to provide an overview of the service provider’s ALoSP

O

performance. If a more quantitative performance summary measurement is

desired, appropriate points may be assigned to each Yes/No response for each
C

target and alert outcome. For example:

N

High-severity indicators:
-U

Alert level not breached [Yes (4), No (0)]

Target achieved [Yes (3), No (0)]
Low-severity indicators:
Alert level not breached [Yes (2), No (0)]
Target achieved [Yes (1), No (0)]
This may allow a summary score (or percentage) to be obtained to indicate the
overall performance of the ALoSP safety indicators at the end of any given
monitoring period as shown in Table 10-8.

Issue 01/Rev 00 CAGM 1902 – SMS 10-14

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
SMS safety performance indicators
High-severity indicators Low-severity indicators
Safety Alert level Target level Safety Alert level Target level
performance criteria criteria performance criteria criteria
indicator indicator

Air operator Average + __% (e.g. 5%) Operator Average + __% (e.g. 5%)
individual 1/2/3 SD improvement combined 1/2/3 SD improvement
fleet monthly (annual or between each fleet monthly (annual or between each
serious 2 yearly annual mean incident rate 2 yearly annual mean
incident rate reset) rate (e.g. per reset) rate
(e.g. per 1,000 FH)
1,000 FH)
Air operator Average + __% (e.g. 5%) Operator
combined 1/2/3 SD improvement internal
fleet monthly (annual or between each QMS/SMS

Consideration

Consideration
serious 2 yearly annual mean annual
incident rate reset) rate audit LEI % or

-
(e.g. per findings rate

D
1,000 FH) (findings
per audit)
Air operator Average + __% (e.g. 5%) Operator

E Consideration

Consideration
engine IFSD 1/2/3 SD improvement voluntary
incident rate (annual or between each hazard report
(e.g. per
1,000 FH)
2 yearly
reset)
annual mean
rate
LL rate
(e.g. per
1,000 FH)
O
Operator Average + __% (e.g. 5%)
TR

DGR 1/2/3 SD improvement

incident report (annual or between each
rate(e.g. per 2 yearly annual mean
1,000 FH) reset) rate
N
O

Table 10-1. Example of safety performance indicators for air operators

C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10-15

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
SMS safety performance indicators
High-severity indicators Low-severity indicators
Safety Alert level Target level Safety Alert level Target level
performance criteria criteria performance criteria criteria
indicator indicator

Aerodrome Average + __% (e.g. 5%) Aerodrome

operator 1/2/3 SD improvement operator
quarterly (annual or between each internal

Consideration

Consideration
ground 2 yearly annual mean QMS/SMS
accident/serious reset) rate annual audit
incident rate — LEI % or
involving any findings rate
aircraft (e.g. per (findings
10,000 ground per audit)
movements)
Aerodrome Average + __% (e.g. 5%) Aerodrome
operator 1/2/3 SD improvement operator

-
quarterly (annual or between each quarterly

Consideration

Consideration
D
runway 2 yearly annual mean runway
excursion reset) rate foreign
incident rate — object/debris

E
involving any hazard report
aircraft (e.g. per rate (e.g. per
10,000
departures)
LL 10,000
ground
movements)
O
Aerodrome Average + __% (e.g. 5%) Operator
operator 1/2/3 SD improvement voluntary
TR

quarterly (annual or between each hazard report Consideration

Consideration
runway 2 yearly annual mean rate (per
incursion reset) rate operational
incident rate — personnel
N

involving any per quarter)

aircraft (e.g. per
O

10,000
departures)
C

Aerodrome Average + __% (e.g.

operator 1/2/3 SD 5%)
quarterly (annual or improvement
N

aircraft 2 yearly between

ground reset) each
-U

foreign object annual

damage mean
incident rate
report rate —
involving
damage to
aircraft (e.g.
per
10,000
ground
movements)

Table 10-2. Example of safety performance indicators for aerodrome operators

Issue 01/Rev 00 CAGM 1902 – SMS 10-16

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
SMS safety performance indicators
High-severity indicators Low-severity indicators
Safety Alert level Target level Safety Alert level Target level
performance criteria criteria performance criteria criteria
indicator indicator

ATS operator Average __% (e.g. ATS operator Average + __% (e.g. 5%)
quarterly FIR + 5%) quarterly FIR 1/2/3 SD improvement
serious incident 1/2/3 SD improvement TCAS RA (annual or between each
rate — involving (annual or between incident rate 2 yearly annual mean
any aircraft (e.g. 2 yearly each annual — involving reset) rate
per 100,000 reset) mean rate any aircraft
flight (e.g. per
movements) 100,000
flight
movements)
ATS operator Assuming Assuming the ATS operator Average + __% (e.g. 5%)
quarterly/annual the historical quarterly FIR 1/2/3 SD improvement

-
near-miss historical annual level (annual or between each

D
incident annual average rate bust (LOS) 2 yearly annual mean
rate (e.g. per average is 3, the incident reset) rate
100 000 flight rate is 3, possible rate —

E
movements) the target rate involving any
possible could be 2 aircraft (e.g.
alert rate
could be
5
LL per
100,000
flight
O
movements)
ATS operator
TR

internal Consideration

Consideration
QMS/SMS
annual
audit LEI %
N

or
findings rate
O

(findings
per audit)
C

Table 10-3. Example of safety performance indicators for ATS operators

N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10-17

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
SMS safety performance indicators
High-severity indicators Low-severity indicators
Safety Alert Target level Safety Alert level Target
performance level criteria performance criteria level
indicator criteria indicator criteria

AMO/PO Average __% (e.g. AMO/PO/DO

Consideration

Consideration
quarterly rate of + 5%) internal
component 1/2/3 SD improvement QMS/SMS
technical (annual between annual audit LEI
warranty claims or each annual % or findings
2 yearly mean rate rate (findings
reset) per audit)
PO/DO AMO/PO/DO
quarterly rate of quarterly final
Consideration

Consideration

Consideration

Consideration
operational inspection/testing
products which failure/rejection
are the subject rate (due to

-
of ADs/ASBs internal quality

D
(per product issues)
line)
AMO/PO AMO/PO/DO

E
quarterly rate of voluntary hazard
Consideration

Consideration

Consideration

Consideration
component report rate (per
mandatory/major
defect reports
raised (due to
LLoperational
personnel
per quarter)
O
internal quality
issues)
TR

Table 10-4. Example of safety performance indicators for Approved Maintenance

Organisations (AMO), Design Organisation (DO) and Production Organisation (PO)
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10-18

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

-
ED
LL
O
TR
N
O
C
N
-U

Table 10-5. Example of a safety performance indicator chart (with alert and target level settings)

Issue 01/Rev 00 CAGM 1902 – SMS 10-19

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

-
ED
LL
O
TR
N
O
C
N
-U

Table 10-6. Sample data sheet used to generate a high severity safety indicator chart (with alert and target setting criteria)

Issue 01/Rev 00 CAGM 1902 – SMS 10-20

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

High-severity indicators

Alert level Target

SPI alert level criteria breached SPI target level criteria achieved
SPI description (for 2020) (Yes/No) (for 2020) (Yes/No)

1 Air operator’s fleet monthly serious Average + 1/2/3 SD Yes 5% improvement of the No
incident rate (e.g. per 1 000 FH) (annual or 2 yearly reset) 2020 average rate over the
2019 average rate

2 Air operator’s fleet engine IFSD Average + 1/2/3 SD Yes 3% improvement of the Yes
incident rate (e.g. per 1 000 FH) (annual or 2 yearly reset) 2020 average rate over the
2019 average rate

3 etc.

Low-severity indicators

Alert level Target

SPI alert level criteria breached SPI target level criteria achieved

-
SPI description (for 2020) (Yes/No) (for 2020) (Yes/No)

D
1 Operator combined fleet monthly Average + 1/2/3 SD Yes 5% improvement of the No
incident rate (e.g. per 1 000 FH) (annual or 2 yearly reset) 2020 average rate over the

E
2019 average rate

2 Operator internal QMS annual audit

LEI % or findings rate (findings per
audit)
LL
More than 25% average
LEI or any Level 1 finding
or more than 5 Level 2
findings per audit
Yes 5% improvement of the
2020 average rate over the
2019 average rate
Yes
O
3 Operator voluntary hazard report rate TBD TBD
(e.g. per 1 000 FH)
TR

4 Operator DGR incident report rate (e.g. Average + 1/2/3 SD No 5% improvement of the Yes
per 1 000 FH) (annual or 2 yearly reset) 2020 average rate over the
2019 average rate
N

5 etc.
O

Table 10-7. Example of air operator’s ALoSP summary (say for the year 2020)
C
N

Note 1.— Other process indicators. Apart from the above SMS level safety indicators, there may be
-U

other system level indicators within each operational area of an organisation. Examples would include process-
or system-specific monitoring indicators in engineering, operations, QMS, etc., or indicators associated with
performance-based programmes such as fatigue risk management or fuel management. Such process- or
system-specific indicators should rightly be administered as part of the system or process concerned. They may
be viewed as specific system or process level indicators which supplement the higher-level safety performance
indicators. They should be addressed within the respective system or process manuals/SOPs as appropriate.
Nevertheless, the criteria for setting alert or target levels forsuch indicators should preferably be aligned with that
of the SMS level safety performance indicators where applicable.

Note 2.— Selection of indicators and settings. The combination (or package) of high and low severity
safety indicators is to be selected by an organisation according to the scope of the organisation’s system. For
those indicators where the suggested alert or target level setting criteria is not applicable, the organisation may
consider alternate criteria as appropriate. General guidance is to set alerts and targets that take into
consideration recent historical or current performance.

Issue 01/Rev 00 CAGM 1902 – SMS 10-21

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets
High-Severity Safety Indicators
Safety Indicator (SI) SI Alert Level/ Alert Level SI Target Level/ Target
Description Criteria (for 2020) Not Criteria (for 2020) Achieved
Breached [Yes (3),
[Yes (4), No (0)]
No (0)]
Air operator individual 2020 average rate 4 5% improvement of 3
fleet monthly serious + 1/2/3 SD the 2020 average
incident rate (e.g. per (annual reset) rate over the 2019
1,000 FH) average rate
Air operator 2020 average rate 0 5% improvement of 0
combined fleet monthly + 1/2/3 SD the 2020 average
serious incident rate (annual reset) rate over the 2019
(e.g. per 1,000 FH) average rate
Air operator engine 2020 average rate 4 5% improvement of 3
IFSD incident rate + 1/2/3 SD the 2020 average
(e.g. per 1,000 FH) (annual reset) rate over the 2019
average rate

-
Sub-total 8 Sub-total 6

D
Max 12 Max 9

E
Low-Severity Safety Indicators
Safety Indicator (SI)
Description
SI Alert Level/
Criteria (for 2020) LL
Alert Level
Not
Breached
SI Target Level/
Criteria (for 2020)
Target
Achieved
[Yes (1),
O
[Yes (2), No (0)]
No (0)]
Operator combined 2020 average rate 0 5% improvement of 0
TR

fleet monthly incident + 1/2/3 SD the 2020 average

rate (e.g. per (annual reset) rate over the 2019
1,000 FH) average rate
N

Operator internal 2020 average rate 2 5% improvement of 1

QMS/SMS annual + 1/2/3 SD the 2020 average
audit LEI % or rate over the 2019
O

(annual reset)
findings rate (findings average rate
per audit)
C

Operator voluntary 2020 average rate 0 5% improvement of 0

hazard report rate + 1/2/3 SD the 2020 average
N

(e.g. per 1,000 FH) (annual reset) rate over the 2019
average rate
-U

Operator DGR 2020 average rate 2 5% improvement of 0

incident report rate (e.g. + 1/2/3 SD the 2020 average
per 1,000 FH) (annual reset) rate over the 2019
average rate
Sub-total 4 Sub-total 1
Max 8 Max 4

No Alert % 60 Target Achieved % 53.8

Overall ALoSP (2020) 57.6 %

Table 10-8. Quantitative example of air operator’s ALoSP

Issue 01/Rev 00 CAGM 1902 – SMS 10-22

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

10.9 Malaysia Safety Performance Indicators

10.9.1 The service providers shall implement but not limited to the identified SPIs in
accordance with the Appendix 8 of this CAGM.

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10-23

 Chapter 10 – Safety Performance Indicators and Safety Performance Targets

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 10-24

 Chapter 11 – Appendices

11 Appendices

11.1 Appendix 1 – Application Form for Acceptance of Safety Management System

and Nomination of Safety Manager (CAAM/SMS/1902-00)

1 The applicant is to obtain the up-to-date application form (CAAM/SMS/1902-00) in

CAAM website www.caam.gov.my

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-1

 Chapter 11 – Appendices

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-2

 Chapter 11 – Appendices

11.2 Appendix 2 – Guidance on the Development of an SMS Manual

1 General
1.1 This appendix serves to guide organisations in their compilation of a top-level SMS
manual (or document) to define their SMS framework and its associated elements.
The manual can be a stand-alone SMS manual or be integrated as a consolidated
SMS section/chapter within an appropriate approved manual of the organisation (e.g.
the organisation’s exposition manual or company manual). The actual configuration
may depend on regulatory expectation.
1.2 Using the suggested format and content items in this appendix and adapting them as
appropriate is one way in which an organisation can develop its own top-level SMS
manual. The actual content items will depend on the specific SMS framework and
elements of the organisation. The description under each element will be
commensurate with the scope and complexity of the organisation’s SMS processes.

-
D
1.3 The manual will serve to communicate the organisation’s SMS framework internally
as well as with relevant external organisations.

E
2 Format of the SMS manual LL
O
2.1 The SMS manual may be formatted in the following manner:
a) section heading;
TR

b) objective;

c) criteria;
N

d) cross-reference documents.
O

2.2 Below each numbered “section heading” is a description of the “objective” for that
C

section, followed by its “criteria” and “cross-reference documents”. The “objective” is

what the organisation intends to achieve by doing what is described in that section.
N

The “criteria’ defines the scope of what should be considered when writing that
section. The “cross-reference documents” links the information to other relevant
-U

manuals or SOPs of the organisation which contain details of the element or process
as applicable.

Issue 01/Rev 00 CAGM 1902 – SMS 11-3

 Chapter 11 – Appendices
3 Contents of the Manual
3.1 The contents of the manual may include the following sections:
1) Document control;

2) SMS regulatory requirements;

3) Scope and integration of the safety management system;

4) Safety policy;

5) Safety objectives;

6) Safety accountabilities and key personnel;

7) Safety reporting and remedial actions;

8) Hazard identification and risk assessment;

-
D
9) Safety performance monitoring and measurement;

E
10) Safety-related investigations and remedial actions;

11) Safety training and communication;

LL
12) Continuous improvement and SMS audit;
O
13) SMS records management;
TR

14) Management of change; and

15) Emergency/ contingency response plan.

N

3.2 Below is an example of the type of information that could be included in each
O

section using the format prescribed in 2.2.

C

1. Document control
N

Objective
-U

Describe how the manual(s) will be kept up to date and how the
organisation will ensure that all personnel involved in safety-related
duties have the most current version.

Criteria

a) Hard copy or controlled electronic media and distribution list.

b) The correlation between the SMS manual and other existing

manuals such as the maintenance control manual (MCM) or
the operations manual.

c) The process for periodic review of the manual and its

Issue 01/Rev 00 CAGM 1902 – SMS 11-4

 Chapter 11 – Appendices
related forms/documents to ensure their continuing
suitability, adequacy and effectiveness.

d) The manual’s administration, approval and regulatory

acceptance process.

Cross-reference documents

Quality manual, engineering manual, etc.

2. SMS regulatory requirements

Objective
Address current SMS regulations and guidance material for

-
necessary reference and awareness by all concerned.

E D
Criteria

a) LL
Spell out the current SMS regulations/standards. Include the
compliance timeframe and advisory material references as
O
applicable.
TR

b) Where appropriate, elaborate on or explain the significance

and implications of the regulations to the organisation.
N

c) Establish a correlation with other safety-related requirements

or standards where appropriate.
O

Cross-reference documents
C
N

SMS regulation/requirement references, SMS guidance document

references, etc.
-U

3. Scope and integration of the safety management system

Objective

Describe the scope and extent of the organisation’s aviation-related

operations and facilities within which the SMS will apply. The scope
of the processes, equipment and operations deemed eligible for the
organisation’s hazard identification and risk management (HIRM)
programme should also be addressed.

Criteria

Issue 01/Rev 00 CAGM 1902 – SMS 11-5

 Chapter 11 – Appendices
a) Spell out the nature of the organisation’s aviation business
and its position or role within the industry as a whole.

b) Identify the major areas, departments, workshops and

facilities of the organisation within which the SMS will apply.

c) Identify the major processes, operations and equipment

which are deemed eligible for the organisation’s HIRM
programme, especially those which are pertinent to aviation
safety. If the scope of the HIRM-eligible processes,
operations and equipment is too detailed or extensive, it may
be controlled under a supplementary document as
appropriate.

d) Where the SMS is expected to be operated or administered

-
across a group of interlinked organisations or contractors,

D
define and document such integration and associated
accountabilities as applicable.

E
e)
LL
Where there are other related control/management
systems within the organisation, such as QMS, OSHE and
SeMS, identify their relevant integration (where applicable)
O
within the aviation SMS.
TR

Cross-reference documents
N

Quality manual, engineering manual, etc.

O

4. Safety policy
C

Objective
N

Describe the organisation’s intentions, management principles and

-U

commitment to improving aviation safety in terms of the product or

service provider. A safety policy should be a short description
similar to a mission statement.

Criteria

a) The safety policy should be appropriate to the size and

complexity of the organisation.

b) The safety policy states the organisation’s intentions,

management principles and commitment to continuous
improvement in aviation safety.

c) The safety policy is approved and signed by the accountable

Issue 01/Rev 00 CAGM 1902 – SMS 11-6

 Chapter 11 – Appendices
executive.

d) The safety policy is promoted by the accountable executive and

all other managers.

e) The safety policy is reviewed periodically.

f) Personnel at all levels are involved in the establishment and

maintenance of the safety management system.

g) The safety policy is communicated to all employees with the

intent that they are made aware of their individual safety
obligations.

Cross-reference documents

-
D
OSHE safety policy, etc.

E
5. Safety objectives

Objective
LL
O
Describe the safety objectives of the organisation. The safety
TR

objectives should be a short statement that describes in broad

terms what the organisation hopes to achieve.
N

Criteria
O

a) The safety objectives have been established.

C

b) The safety objectives are expressed as a top-level statement

N

describing the organisation’s commitment to achieving

safety.
-U

c) There is a formal process to develop a coherent set of safety

objectives.

d) The safety objectives are publicized and distributed.

e) Resources have been allocated for achieving the objectives.

f) The safety objectives are linked to safety indicators to

facilitate monitoring and measurement where appropriate.

Cross-reference documents

Safety performance indicators document, etc.

Issue 01/Rev 00 CAGM 1902 – SMS 11-7

 Chapter 11 – Appendices

6. Roles and responsibilities

Objective

Describe the safety authorities, responsibilities and accountabilities

for personnel involved in the SMS.

Criteria

a) The accountable executive is responsible for ensuring that

the safety management system is properly implemented and
is performing to requirements in all areas of the organisation.

b) An appropriate safety manager (office), safety committee or

-
safety action groups have been appointed as appropriate.

D
c) Safety authorities, responsibilities and accountabilities of

E
personnel at all levels of the organisation are defined and

d)
documented.
LL
All personnel understand their authorities, responsibilities
O
and accountabilities with regard to all safety management
processes, decisions and actions.
TR

e) An SMS organisational accountabilities diagram is available.

N

Cross-reference documents
O

Company exposition manual, SOP manual, administration manual,

C

etc.
N

7. Safety reporting
-U

Objective

A reporting system should include both reactive (accident/incident

reports, etc.) and proactive/ predictive (hazard reports). Describe
the respective reporting systems. Factors to consider include:
report format, confidentiality, addressees, investigation/evaluation
procedures, corrective/ preventive actions and report
dissemination.

Criteria

Issue 01/Rev 00 CAGM 1902 – SMS 11-8

 Chapter 11 – Appendices
a) The organisation has a procedure that provides for the
capture of internal occurrences including accidents, incidents
and other occurrences relevant to SMS.

b) A distinction is to be made between mandatory reports

(accidents, serious incidents, major defects, etc.), which are
required to be notified to CAAM, and other routine occurrence
reports, which remain within the organisation.

c) There is also a voluntary and confidential hazard/occurrence

reporting system, incorporating appropriate identity/data
protection as applicable.

d) The respective reporting processes are simple, accessible and

commensurate with the size of the organisation.

e) High-consequence reports and associated recommendations

-
are addressed to and reviewed by the appropriate level of

D
management.

E
f) Reports are collected in an appropriate database to facilitate
the necessary analysis.

Cross-reference documents
LL
O
TR

--------------
N
O

8. Hazard identification and risk assessment

Objective
C

Describe the hazard identification system and how such data are
N

collated. Describe the process for the categorization of hazards/risks

and their subsequent prioritization for a documented safety
-U

assessment. Describe how the safety assessment process is

conducted and how preventive action plans are implemented.
Criteria
a) Identified hazards are evaluated, prioritized and processed for
risk assessment as appropriate.
b) There is a structured process for risk assessment involving the
evaluation of severity, likelihood, tolerability and preventive
controls.
c) Hazard identification and risk assessment procedures focus on
aviation safety as their fundamental context.

Issue 01/Rev 00 CAGM 1902 – SMS 11-9

 Chapter 11 – Appendices

d) The risk assessment process utilises worksheets, forms or

software appropriate to the complexity of the organisation and
operations involved.
e) Completed safety assessments are approved by the
appropriate level of management.
f) There is a process for evaluating the effectiveness of the
corrective, preventive and recovery measures that have been
developed.
g) There is a process for periodic review of completed safety
assessments and documenting their outcomes.

Cross-reference documents

-
D
--------------

E
6.

Objective
LL
Safety performance monitoring and measurement
O
TR

Describe the safety performance monitoring and measurement

component of the SMS. This includes the organisation’s SMS
safety performance indicators (SPIs).
N

Criteria
O

a) The formal process to develop and maintain a set of safety

C

performance indicators and their associated performance

N

targets.
-U

b) Correlation established between the SPIs and the

organisation’s safety objectives where applicable and the
process of regulatory acceptance of the SPIs where required.

c) The process of monitoring the performance of these SPIs

including remedial action procedure whenever unacceptable
or abnormal trends are triggered.

d) Any other supplementary SMS or safety performance

monitoring and measurement criteria or process.

Cross-reference documents

--------------

Issue 01/Rev 00 CAGM 1902 – SMS 11-10

 Chapter 11 – Appendices

7. Safety-related investigations and remedial actions

Objective

Describe how accidents/incidents/occurrences are investigated

and processed within the organisation, including their
correlation with the organisation’s SMS hazard identification
and risk management system.

Criteria

a) Procedures to ensure that reported accidents and incidents are

investigated internally.

-
D
b) Dissemination of completed investigation reports internally as
well as to CAAM as applicable.

E
c)
LL
A process for ensuring that corrective actions taken or
recommended are carried out and for evaluating their
outcomes/effectiveness.
O
d) Procedure on disciplinary inquiry and actions associated with
TR

investigation report outcomes.

e) Clearly defined conditions under which punitive disciplinary

N

action would be considered (e.g. illegal activity,

recklessness, gross negligence or wilful misconduct).
O

f) A process to ensure that investigations include identification

C

of active failures as well as contributing factors and hazards.

N

g) Investigation procedure and format provides for findings on

contributing factors or hazards to be processed for follow-up
-U

action by the organisation’s hazard identification and risk

management system where appropriate.

Cross-reference documents

--------------

8. Safety training and communication

Objective

Describe the type of SMS and other safety-related training that staff
receive and the process for assuring the effectiveness of the

Issue 01/Rev 00 CAGM 1902 – SMS 11-11

 Chapter 11 – Appendices
training. Describe how such training procedures are documented.
Describe the safety communication processes/channels within the
organisation.

Criteria

a) The training syllabus, eligibility and requirements are

documented.

b) There is a validation process that measures the effectiveness

of training.

c) The training includes initial, recurrent and update training,

where applicable.

d) The organisation’s SMS training is part of the organisation’s

-
overall training programme.

D
e) SMS awareness is incorporated into the employment or

E
indoctrination programme.

f) LL
The safety communication processes/channels within the
organisation.
O
Cross-reference documents
TR

--------------
N

9. Continuous improvement and SMS audit

O

Objective
C
N

Describe the process for the continuous review and improvement of

the SMS.
-U

Criteria

a) The process for regular internal audit/ review of the

organisation’s SMS to ensure its continuing suitability,
adequacy and effectiveness.

b) Describe any other programmes contributing to continuous

improvement of the organisation’s SMS and safety
performance, e.g. MEDA, safety surveys, ISO systems.

Cross-reference documents

--------------

Issue 01/Rev 00 CAGM 1902 – SMS 11-12

 Chapter 11 – Appendices
10. SMS records management

Objective

Describe the method of storing all SMS-related records and

documents.

Criteria

a) The organisation has an SMS records or archiving system

that ensures the retention of all records generated in
conjunction with the implementation and operation of the
SMS.

b) Records to be kept include hazard reports, risk assessment

-
reports, safety action group/ safety meeting notes, safety

D
performance indicator charts, SMS audit reports and SMS

E
training records.

c)
LL
Records should be traceable for all elements of the SMS
and be accessible for routine administration of the SMS as
well as internal and external audits purposes.
O
Cross-reference documents
TR

--------------
N
O

11. Management of change

C

Objective
N

Describe the organisation’s process for managing changes that

-U

may have an impact on safety risks and how such processes are
integrated with the SMS.

Criteria

a) Procedures to ensure that substantial organisational or

operational changes take into consideration any impact which
they may have on existing safety risks.

b) Procedures to ensure that appropriate safety assessment is

performed prior to introduction of new equipment or
processes which have safety risk implications.

Issue 01/Rev 00 CAGM 1902 – SMS 11-13

 Chapter 11 – Appendices
c) Procedures for review of existing safety assessments
whenever there are changes to the associated process or
equipment.

Cross-reference documents

Company SOP relating to management of change, etc.

12. Emergency/ contingency response plan

Objective

Describe the organisation’s intentions regarding, and commitment

to dealing with, emergency situations and their corresponding

-
recovery controls. Outline the roles and responsibilities of key

D
personnel. The emergency response plan can be a separate

E
document or it can be part of the SMS manual.

LL
Criteria (as applicable to the organisation)
O
a) The organisation has an emergency plan that outlines the
TR

roles and responsibilities in the event of a major incident,

crisis or accident.
N

b) There is a notification process that includes an emergency

call list and an internal mobilization process.
O

c) The organisation has arrangements with other agencies for

C

aid and the provision of emergency services as applicable.

N

d) The organisation has procedures for emergency mode

-U

operations where applicable.

e) There is a procedure for overseeing the welfare of all affected

individuals and for notifying next of kin.

f) The organisation has established procedures for handling the

media and insurance-related issues.

g) There are defined accident investigation responsibilities within

the organisation.

h) The requirement for preservation of evidence, securing the

affected area, and mandatory/ governmental reporting is
clearly stated.

Issue 01/Rev 00 CAGM 1902 – SMS 11-14

 Chapter 11 – Appendices
i) There is emergency preparedness and response training for
affected personnel.

j) A disabled aircraft or equipment evacuation plan has been

developed by the organisation in consultation with
aircraft/equipment owners, aerodrome operators or other
agencies as applicable.

k) A procedure exists for recording activities during an emergency

response.

Cross-reference documents

ERP manual, etc.

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-15

 Chapter 11 – Appendices

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-16

 Chapter 11 – Appendices

11.3 Appendix 3 – Job Description for a Safety Manager

1 Overall purpose
The safety manager is responsible to the accountable executive for providing
guidance and direction for the planning, implementation and operation of the
organisation’s safety management system (SMS). The safety manager provides
SMS-related services to the certificated, non-certificated and third-party areas of the
organisation that are included in the SMS and may have delegated responsibilities
on behalf of persons holding positions required by regulations.
2 Key roles

Safety advocate

• Demonstrates an excellent safety behaviour and attitude, follows regulatory

practices and rules, recognizes and reports hazards and promotes effective

-
safety reporting.

D
Leader

E
• Models and promotes an organisational culture that fosters safety practices
through effective leadership.

Communicator
LL
O
• Acts as an information conduit to bring safety issues to the attention of
TR

management and to deliver safety information to the organisation’s staff,

contractors and stakeholders.

• Provides and articulates information regarding safety issues within the

N

organisation.
O

Developer
C

• Assists in the continuous improvement of the hazard identification and safety risk
assessment schemes and the organisation’s SMS.
N

Relationship builder
-U

• Builds and maintains an excellent working relationship with the organisation’s

safety action group (SAG) and within the safety services office (SSO).

Ambassador

• Represents the organisation on government, international organisation and

industry committees (e.g. ICAO, IATA, CAAM, AAIB, etc.).

Analyst

• Analyses technical data for trends related to hazards, events and occurrences.

Process management

Issue 01/Rev 00 CAGM 1902 – SMS 11-17

 Chapter 11 – Appendices
• Effectively utilises applicable processes and procedures to fulfil roles and
responsibilities.

• Investigates opportunities to increase the efficiency of processes.

• Measures the effectiveness and seeks to continually improve the quality of

processes.
3 Responsibilities
Among other duties, the safety manager is responsible for:
a) managing the operation of the safety management system;

b) collecting and analysing safety information in a timely manner;

c) administering any safety-related surveys;

d) monitoring and evaluating the results of corrective actions;

-
D
e) ensuring that risk assessments are conducted when applicable;

E
f) monitoring the industry for safety concerns that could affect the organisation;

g)

h)
LL
being involved with actual or practice emergency responses;

being involved in the development and updating of the emergency response plan
O
and procedures; and
TR

i) ensuring safety-related information, including organisational goals and

objectives, are made available to all personnel through established
communication processes.
N

4 Nature and scope

O

The safety manager must interact with operational personnel, senior managers and
departmental heads throughout the organisation. The safety manager should also
C

foster positive relationships with regulatory authorities, agencies and product and
N

service providers outside the organisation. Other contacts will be established at a

working level as appropriate.
-U

5 Qualifications
To qualify as a safety manager a person should have:
a) full-time experience in aviation safety in the capacity of an aviation safety
investigator, safety/ quality manager or safety risk manager;

b) sound knowledge of the organisation’s operations, procedures and activities;

c) broad aviation technical knowledge;

d) an extensive knowledge of safety management systems (SMS) and have

completed appropriate SMS training;

e) an understanding of risk management principles and techniques to support the

SMS;

Issue 01/Rev 00 CAGM 1902 – SMS 11-18

 Chapter 11 – Appendices
f) experience implementing and/ or managing an SMS;

g) experience and qualifications in aviation accident/incident investigation and

human factors;

h) experience and qualifications in conducting safety/quality audits and inspections;

i) sound knowledge of aviation regulatory frameworks, including ICAO Standards

and Recommended Practices (SARPS) and relevant civil aviation regulations;

j) the ability to communicate at all levels both inside and outside the company;

k) the ability to be firm in conviction, promote a “just and fair culture” and yet
advance an open and non-punitive atmosphere for reporting;

l) the ability and confidence to communicate directly to the accountable executive

as his advisor and confidante;

-
D
m) well-developed communication skills and demonstrated interpersonal skills of a
high order, with the ability to liaise with a variety of individuals and organisational

E
representatives, including those from differing cultural backgrounds; and

6
n)
LL
computer literacy and superior analytical skills.

Authority
O
6.1 Regarding safety matters, the safety manager has direct access to the accountable
TR

executive and appropriate senior and middle management.

6.2 The safety manager is authorised under the direction of the accountable executive to
conduct safety audits, surveys and inspections of any aspect of the operation in
N

accordance with the procedures specified in the safety management system

documentation.
O

6.3 The safety manager is authorised under the direction of the accountable executive to
C

conduct investigations of internal safety events in accordance with the procedures

specified in the organisation’s SMS documentation.
N

6.4 The safety manager should not hold other positions or responsibilities that may
-U

conflict or impair his role as an SMS/safety manager. This should be a senior

management position not lower than or subservient to the production or operational
functions of the organisation.

Issue 01/Rev 00 CAGM 1902 – SMS 11-19

 Chapter 11 – Appendices

-
E D
LL
O
INTENTIONALLY LEFT BLANK
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-20

 Chapter 11 – Appendices

11.4 Appendix 4 – SMS Gap Analysis Checklist and Implementation Plan

1 SMS Gap Analysis Checklist (CAAM/SMS/1902-01)

1.1 The applicant is to obtain the up-to-date SMS Gap Analysis Checklist on CAAM
website www.caam.gov.my
1.2 The SMS Gap Analysis Checklist can be used as a template to conduct the first step
of an SMS gap analysis. This format with its overall “Yes/No/Partial” responses will
provide an initial indication of the broad scope of gaps and hence overall workload to
be expected. The questionnaire may be adjusted to suit the needs of the organisation
and the nature of the product or service provided. This initial information should be
useful to senior management in anticipating the scale of the SMS implementation
effort and hence the resources to be provided. This initial checklist would need to be
followed up by an appropriate implementation plan as per Tables A4-1 and Table A4-
2.

-
D
1.3 A “Yes” answer indicates that the organisation meets or exceeds the expectation of
the question concerned. A “No” answer indicates a substantial gap in the existing

E
system with respect to the question’s expectation. A “Partial” answer indicates that

LL
further enhancement or development work is required to an existing process in order
to meet the question’s expectations.
O
2 Detailed SMS Gap Analysis and Implementation Tasks (Table A4-1)
TR

2.1 The SMS Gap Analysis Checklist should then be followed up by using the detailed
“SMS gap analysis and implementation task identification plan” in Table A4-1. Once
completed, Table A4-1 will provide follow-up analysis on details of the gaps and help
N

translate these into actual required tasks and subtasks in the specific context of the
O

organisation’s processes and procedures. Each task will then accordingly be

assigned to appropriate individuals or groups for action. It is important that correlation
C

of individual element/ task development with their descriptive placeholders in the

SMS document be provided for in Table A4-1 in order to trigger progressive updating
N

of the draft SMS document as each element is implemented or enhanced. (Initial

element write-ups in SMS documents tend to be anticipatory rather than declaratory.
-U

3 Actions/ Tasks Implementation Schedule (Table A4-2)

Table A4-2 will show the milestones (start-end dates) scheduled for each task/ action.
For a phased implementation approach, these tasks/ actions will need to be sorted
according to the phase allocation of their related elements. Refer to Chapter 7.8 of
this CAGM for the phased prioritization of SMS elements as appropriate. Table A4-2
can be a separate consolidation of all outstanding actions/ tasks or, if preferred, be a
continuation of Table A4-1 in the form of a spreadsheet. Where it is anticipated that
the actual number of tasks/ actions and their milestones are sufficiently voluminous
and complex so as to require utilising a project management software to manage
them, this may be done by using software such as MS project/Gantt chart as
appropriate. Table A4-3 is an illustration of a Gantt chart.

Issue 01/Rev 00 CAGM 1902 – SMS 11-21

 Chapter 11 – Appendices

SMS Status of
GAQ Answer Action/task required Assigned task document action/task
Ref. Gap analysis question (Yes/No/Partial) Description of gap to fill the gap group/person reference (Open/WIP/Closed)
1.1-1 Is there a safety policy in Partial The existing safety a) enhance the existing Task Chapter 1, Open
place? policy addresses OSHE safety policy to Group 1 Section 1.3.

-
only. include aviation

ED
SMS objectives and
policies or develop a
separate aviation
safety policy;

LL
b) have the safety
policy approved and

O
signed by the
accountable

TR
executive.
etc.

N
O
C
N
-U

Table A4-1. Example of gap analysis and implementation task identification plan

Issue 01/Rev 00 CAGM 1902 – SMS 11-22

 Chapter 11 – Appendices

Assigned Status Schedule/timeline

Action/task required SMS task of
to fill the gap document group/ action/ 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q 1Q 2Q 3Q 4Q
ref. person task 10 10 10 10 11 11 11 11 12 12 12 12 etc.
1.1-1 a) Enhance the existing Chapter 1, Task Open

-
safety policy to include Section 1.3. Group 1

ED
aviation SMS objectives
and policies or develop a
separate aviation safety
policy.

LL
1.1-1 b) Require the safety policy
to be approved and

O
signed by the
accountable executive.

TR
etc.

N
O
C
N

Table A4-2. Example of SMS implementation schedule

-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-23

 Chapter 11 – Appendices

-
ED
LL
O
TR
N
O
C
N
-U

Table A4-3. Example of SMS implementation schedule (Gantt chart)

Issue 01/Rev 00 CAGM 1902 – SMS 11-24

 Chapter 11 – Appendices

11.5 Appendix 5 – SMS Initial Acceptance Checklist (CAAM/SMS/1902-02)

The applicant is to obtain the up-to-date SMS Initial Acceptance Checklist on CAAM
website www.caam.gov.my

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-25

 Chapter 11 – Appendices

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-26

 Chapter 11 – Appendices

11.6 Appendix 6 – SMS Maturity Checklist (CAAM/SMS/1902-03)

The applicant is to obtain the up-to-date SMS Initial Acceptance Checklist on CAAM
website www.caam.gov.my

-
E D
LL
O
TR
N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-27

 Chapter 11 – Appendices

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-28

 Chapter 11 – Appendices

11.7 Appendix 7 – Examples of Hazard Taxonomies

In coordination with the Commercial Aviation Safety Team (CAST)/ICAO Common

Taxonomy Team (CICTT), the following high-level hazard taxonomy categories have
been established:
a) Organisational – Management or documentation, processes and procedures

b) Environmental – Weather or Wildlife

c) Human – Limitation of the human which in the system has the potential for
causing harm

d) Technical – Aerodrome, Air Navigation, Operations, Maintenance, and Design

and Manufacturing

-
D
Organisational

E
Type of activity/
Type of operation infrastructure/
system LL Examples of Hazards

Lack of, poor or ineffective legislation and/ or

O
regulations
Lack of or ineffective accident investigation
Regulator
TR

capability
Inadequate oversight capability
Aerodrome,
Limited or lack of management commitment –
N

Air Navigation Management do not demonstrate support for the

Service activity
O

Provider,
Lack of or incomplete description of roles,
accountabilities andresponsibilities
C

Air Operation,

Limited or lack of resource availability or

N

Maintenance
Organisation, planning, including staffing
Management
-U

Lack of or ineffective policies

Design &
Manufacturing Incorrect or incomplete procedures including
Organisation instructions
Lack of or poor management and labour
relationships
Lack of or ineffective organisational structure
Poor organisational safety culture

Issue 01/Rev 00 CAGM 1902 – SMS 11-29

 Chapter 11 – Appendices
Organisational

Type of activity/
Type of operation infrastructure/ Examples of Hazards
system
Lack of or ineffective safety management
processes (including risk management, safety
assurance, auditing, training and resource
allocation)
Lack or ineffective audit procedures
Lack of or limited resource allocation
Incorrect or incomplete or lack of training and
knowledgetransfer.
Note: Training should reflect the needs of the
organisation. Accidents have shown that
inadequate training is a hazard and may even

-
lead to accidents.

D
Unofficial organisational structures
Note: These structures may be of a benefit but

E
also may lead to ahazard.

Aerodrome,

Air Navigation
Management
LL
Growth, strikes, recession or organisational
financial distress
Mergers or acquisition
O
Service Provider, (continued) Changes, upgrades or new tools, equipment,
TR

processes orfacilities
Air Operation,
Incorrect or ineffective shift/crew member
Maintenance change overprocedures
Organisation,
N

Changes or turnover in management or

Design & employees
O

Manufacturing
Organisation Informal processes (Standard Operating
Procedures)
C

(continued) Lack of or poor or inappropriate materials/

N

equipment acquisition decision

Lack of, poor staffing recruitment/ assignment
-U

Note: Staff should be hired or assigned

according to organisational needs but also
according to their skills, qualifications and
abilities. An employee with the wrong skill set
can be a hazard. This includes management.
Incorrect, poor or lack of internal and external
communicationincluding language barriers
Lack of, incorrect or incomplete manuals, or
operatingprocedures (including maintenance)
Documentation, Lack of, incorrect or incomplete employee duty
Processes and descriptions
Procedures
Lack of, incorrect, incomplete or
complicated document update processes

Issue 01/Rev 00 CAGM 1902 – SMS 11-30

 Chapter 11 – Appendices
Organisational

Type of activity/
Type of operation infrastructure/ Examples of Hazards
system
dd

Documentation, Lack of, incorrect or incomplete reports and

Processes and records
Procedures
Lack of, incorrect or incomplete control of
(continued) necessary documents for personnel (licences,
ratings, and certificates)

Environmental

Type of activity/
Type of operation infrastructure/ Examples of Hazards

-
system

D
Thunderstorms and lightning

E
Hail

Aerodrome,
LL
Heavy rain
Fog (reduced visibility)
O
Wind shear
Air Navigation Sand storm
TR

Service Provider,
Snow or ice storms
Weather/ Natural
Air Operation, Disasters Excessive or cross winds
N

Maintenance Hurricane, Tsunami, or tornado

Organisation Floods
O

(Effects may not Ash (including volcanic or forest fire)

C

be all
Earthquake
encompassing)
N

Extreme temperatures
Icing conditions (Impact on aircraft surfaces)
-U

Mountains or bodies of water

Geography
Altitude at the aerodrome
Wildlife on airfield
Wildlife
Flying wildlife

Issue 01/Rev 00 CAGM 1902 – SMS 11-31

 Chapter 11 – Appendices
Human

Type of activity/
Type of operation infrastructure/ Examples of Hazards
system

Sudden Heart attack, stroke, kidney stone, seizure

Incapacitation
Subtle Nausea, diarrhoea, Carbon Monoxide,
Incapacitation/ medication, fatigue
Impairment
Illness Influenza, Upper Respiratory Tract Infection (TI),
Urinary TI
Aerodrome, Static Limitations Colour vision, visual field limitations, mobility
limitations,colostomy bag, hearing loss
Air Navigation
Self-Imposed Fatigue (lack of sleep), alcohol and substance
Service Provider,

-
Stresses abuse, medications, complacency

D
Air Operation, Psycho-Social Financial, birth of child, divorce, bereavement,
Stresses challenging timelines, inadequate resources

E
Maintenance In-flight turbulence cabin crew injury, injury
Organisation, Trauma caused to personnel during ground aircraft
Design &
Manufacturing Environmental/
LL
operations or luggage handling
Jet lag, Paint shop, Solvents, Chemical/Biological
O
Organisation Occupational exposures,Noise, Vibrations, Distractions
Latent Failures Human factors related to design, manufacturing,
TR

Related to Man/ maintenanceand operations.

Machine/ Process
Interface
CognitiveCapacity Excessive number of aircraft in a controller's
N

area; Varying multi-tasking actions; Over

saturation of digital information
O
C

Technical - Aerodrome
N

Type of activity/
-U

Type of operation infrastructure/ Examples of Hazards

system
Construction, vehicles and people on movement
area
Poor aerodrome design (Intersecting runways;
Obstacleclearance; Taxiway crossing runways)
Aerodrome Runway Distracting lights
Operations Lack of coordination with Air Traffic Control (ATC)
Improper, inadequate, or lack of
Notices to Airmen(NOTAMs) issuance
Laser beams

Issue 01/Rev 00 CAGM 1902 – SMS 11-32

 Chapter 11 – Appendices

Technical - Aerodrome

Type of activity/
Type of operation infrastructure/ Examples of Hazards
system
Poor condition or improper runway surface
Runway Condition
Inadequate runway length
Lack of, or inadequate runway protected areas
Jet blast
Lack of, limited or incorrect type of aircraft
parking
Improper marshalling
Lack of, or insufficient protective pylons around
aircraft
Airfield Apron Lack of, or inadequate chalks when aircraft parks

-
Operation Lack of, or improper foreign object debris (FOD)

D
control
Lack of, or improper ramp control tie down

E
procedures
Improper fuel or hazardous material spill
LL
containment and clean up
Poor refuelling procedures
Vehicle failure during aerodrome services
O
Poor mechanical condition
Poor radio or communication equipment
TR

condition
Oil spills on apron and/or in passenger areas
Aerodrome
(continued) Lack of vehicle maintenance
N

Poor Emergency Reponses Planning

O

Airside Vehicle Erratic driving or not complying with flight line

Operations drivingregulations
C

Driving too fast

Improper parking
N

Failure to chalk vehicles

Leaving engine running while vehicle is
-U

unattended
Lack of coordination between vehicles during
aircraft servicing
Pedestrians on apron areas
Ignoring aircraft hazard beacons
Improper checking around aircraft during
departure marshalling
Action of Misinterpreting apron markings
Individuals Smoking on the apron
Passenger failure to follow guidance
Use of cell phone within 15 meters of a refuelling
operation
Littering on ramp
Running on apron

Issue 01/Rev 00 CAGM 1902 – SMS 11-33

 Chapter 11 – Appendices

Technical - Aerodrome

Type of activity/
Type of operation infrastructure/ Examples of Hazards
system

Faulty electrical power supply systems on airport

or navigational aids (radars, satellites, very high
frequency (VHF) omni-directional radio range
(VOR), Automatic Dependent Surveillance -
Broadcast (ADS-B), etc.)

Faulty, incorrect or incomplete airfield markings

(especially inmovement areas)
Faulty, incorrect, or incomplete airfield lighting
(especially inmovement areas)
Faulty, incorrect, or incomplete approach lighting

-
D
Poor condition or inappropriate runway surface
Aerodrome
Facilities
(continued) Poor condition or inappropriate apron surface

E
Taxiway and runway system complexity

LL
Inadequate airfield or terrain drainage
Insufficient equipment, radios, infrastructure, or
personnel
O
Issues that attract wildlife (high grass, proximity of
landfills,nearby water bodies)
TR

Inadequate or inappropriate firefighting

equipment
Lack of or limited parking areas
N

Lack of safety protective equipment

O

Technical – Air Navigation Service Provider (ANSP)

C
N

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
-U

system

Traffic complexity (mixture of aircraft type)

Excessive aircraft in pattern or given airspace
Ineffective design and flow of traffic pattern
Runway incursions by aircraft or vehicles
ANSP Traffic pattern
Unauthorised flights entering into traffic pattern
Unauthorised procedures by aircraft
Similar sounding or confusing call signs
Lack of or poor procedures for aircraft in distress

Issue 01/Rev 00 CAGM 1902 – SMS 11-34

 Chapter 11 – Appendices
Technical – Air Navigation Service Provider (ANSP)

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Insufficient airspace for typical traffic

Airspace
Improperly distributed airspace
Airspace combined during excessive traffic
Confusing labelling of fixes or way points
Improperly developed instrument procedures
Aircraft incorrectly performing missed approach
procedures
Intermingling of ICAO and national instrument
procedurecriteria

-
D
Incomplete clearances
Controller
actions Misidentification of aircraft or targets (radar)

E
Improper reading of clearance instructions

LL
Loss of separation between aircraft
Loss of separation between aircraft and terrain or
O
ANSP obstacles
Misinterpretation of pilot desires
TR

(continued) Incorrect judgment of aircraft characteristics

Incorrect, confusing, or incomplete communication
betweenATC and aerodrome personnel
N

Incorrect, confusing, or incomplete communication

between ATC and aircraft
O

Incorrect, confusing, or incomplete coordination

between orwithin ATC facilities
C

Communications Radio/ Frequency failures or anomalies

N

Navigational aid (radars, satellites, VOR, ADS-B,

etc) failures or anomalies
-U

Differences in ICAO and national Air Traffic

Control phraseology
Not using the standard international aviation
language
Language barriers (Multiple languages)
Lack of, or wrong aeronautical information

Issue 01/Rev 00 CAGM 1902 – SMS 11-35

 Chapter 11 – Appendices
Technical – Air Navigation Service Provider (ANSP)

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Faulty electrical power supply systems on airport

or navigational aids (radars, satellites, VOR,
ADS-B, etc)
Faulty, incorrect or incomplete airfield markings
or lighting
ANSP
Facilities Faulty, incorrect, or incomplete approach lighting
(continued)
Taxiway and runway system complexity
Inadequate airfield or terrain drainage
Insufficient equipment, radios, infrastructure, or

-
personnel

E D
Technical - Air Operation and Maintenance

Type of
Type of activity/
infrastructure/
LL Examples of Hazards
O
operation
system
TR

Faulty electrical power supply systems on airport

or navigational aids (radars, satellites, VOR,
ADS-B, etc)
N

Faulty, incorrect or incomplete airfield markings

and lighting
O

Faulty, incorrect, or incomplete approach lighting

Taxiway and runway system complexity

C

Inadequate airfield drainage

N

Insufficient equipment, radios, infrastructure, or

Air Operation Facilities
-U

personnel

Lack of, limited or incorrect type of aircraft

parking

Poor HVAC (heating, ventilation, and air

conditioning)

Noisy environment

Lack of or poor Lighting

Poor facilities (inadequate space)

Issue 01/Rev 00 CAGM 1902 – SMS 11-36

 Chapter 11 – Appendices
Technical - Air Operation and Maintenance

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Lack of or poor airworthiness verification

Lack of or poor verification of equipment and
instruments necessary to a particular flight or
operation
Lack of, incorrect or incomplete aircraft
Pre-flight
performance limitations verification
Preparation
Lack of, incorrect or incomplete flight planning
Poor fuelling processes

-
Lack of or poor aircraft dispatch or release

D
Lack of or poor maintenance release

E
Incorrect cargo loading and distribution
Improper or unauthorised hazardous materials
LL
carriage

Poor cargo and baggage stowage

O
Aircraft Loading
Incorrect information on cargo or baggage
TR

Air Operation loaded

(continued) Improper stowage of carry-on baggage

Improper weight and balance calculations
N

Use of obsolete documents

O

Absence of or incorrect flight and cabin crew

manuals orcharts on board
C

Improper response to flight route changes

N

Lack of, or poor crew resource management

Lack of or poor flight following
-U

Improper execution of procedures in all flight

Flight Operation phases (including taxiing and parking)
Inadequate or complicated procedures
Equipment and instruments necessary for a
particular flight or operation not available or
malfunctioning
Lack of, or poor communication (ATC, ramp,
maintenance,flight Ops, cabin, dispatch, etc)
Language barriers (Multiple languages)

Issue 01/Rev 00 CAGM 1902 – SMS 11-37

 Chapter 11 – Appendices
Technical - Air Operation and Maintenance

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Poor HVAC (heating, ventilation, and air

conditioning)
Noisy work environment
Facilities
Lack of, or poor Lighting
Poor facilities (inadequate space, equipment or
infrastructure)

Lack of, or poor maintenance release

Lack of, or poor maintenance programs

-
(Including imprecise maintenance data or

D
transcription errors when creating job-cards)
SUPS (Suspected Unapproved Parts)

E
Maintenance movement of aircraft/run-ups

Maintenance
LL
Lack of, or poor communication (ATC, ramp,
flight Ops,cabin, dispatch, etc)
Language barriers in maintenance teams
O
(Multiple languages)
TR

Poor control of outsourced maintenance (any

maintenancecompleted outside the maintenance
Maintenance facility or organisation including third party
Activity maintenance)
N

Lack of or, inappropriate specialized processes

(including NDT, plating, welding, composite
O

repairs etc…)
Lack of or, improper Airworthiness Directive
C

Control
N

Ineffective or lack of procedures to ensure

materials, parts, or assemblies are worked or
-U

fabricated through a series of precisely controlled

steps, and that undergo physical, chemical, or
metallurgical transformation (some examples are
heat-treating, brazing, welding, and processing
of composite materials).
Lack of or, inadequate reliability program

Issue 01/Rev 00 CAGM 1902 – SMS 11-38

 Chapter 11 – Appendices
Technical - Air Operation and Maintenance

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Lack of, or poor tool accountability (Including

traceability orregistration)
Lack of or unsafe or unreliable equipment, tools,
and safety equipment
Inappropriate layout of controls or displays
Tooling
Mis-calibrated tools
Maintenance
Inappropriate or incorrect use of tools for the task
(continued) Lack of, or inadequate instructions for
equipment, tools, and safety equipment

-
D
Complex design (Difficult fault isolation, multiple
similar connections, etc)

E
Maintainability Inaccessible component/ area

LL
Aircraft configuration variability (Similar parts on
different models)
O
Technical – Design and Manufacturing
TR

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system
N

Non-compliance with applicable regulations (For

O

example FAA 14 CFR part 23, 25, 27, 29, 33).

Inadequate Functional Hazard Assessment.
C

Safety
Requirements Inadequate structural static and dynamic loads
N

Capture analysis.
Inadequate Preliminary System Safety
-U

Assessment.
Inadequate common cause analysis.

Incomplete or ineffective design reviews,

Safety analysis, simulator, wind tunnel and flight testing.
Aircraft Design Requirements Ineffective or incomplete structural external,
Validation internal, andelemental loads analysis.
Incomplete structures load verification, such as
static loadtests, ground vibration tests, and flight
tests.
Safety Inadequate System Safety Assessments (SSA)
Requirement process including lack of, or improper verifying
Verification of, failure effects using failure performance
testing.
Inadequate verification of software and complex
hardware

Issue 01/Rev 00 CAGM 1902 – SMS 11-39

 Chapter 11 – Appendices
Technical – Design and Manufacturing

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Inadequate requirements traceability

Inadequate design requirements control

Aircraft Integration Inadequate verification of system/system and

system/structure unintended functions and
physical interference, such as lack of
Bench/Sim/Airplane Testing and inadequate
zonal inspections
Ineffective in-service monitoring methods such
as lack offailure reporting and tracking.
Aircraft Design Inadequate or no root cause analysis, risk

-
Continued analysis, corrective action development,

D
(continued) Operational Safety corrective action validation, and incorporation of
corrective action and lessons learned into

E
Design Process

LL
Lack of methods for approving, controlling, and
documentinginitial designs and design changes
Inadequate planning and integration of the
O
Design Control facility’s procedures for continuously maintaining
the integrity of design data, drawings, part lists,
TR

and specifications necessary to define the

configuration and the design features of the
product
N

Lack of processes for the control of materials,

parts, or assemblies, how they are accepted,
worked or fabricated, tested, inspected, stored,
O

and prepared for shipment

Problems with special manufacturing processes
C

and specificfunctions and operations necessary

for the fabrication and inspection of parts and
N

assemblies (some examples are machining,

riveting, and assembling).
-U

Ineffective or lack of procedures to ensure

Aircraft Manufacturing materials, parts, or assemblies are worked or
Manufacturing Processes fabricated through a series of precisely
controlled steps, and that undergo physical,
chemical, or metallurgical transformation (some
examples are heat-treating, brazing, welding,
and processing of composite materials).
Inadequate methods used to accept and protect
raw materials,parts, subassemblies, assemblies,
and completed products during receipt,
manufacture, inspection, test, storage, and
preparation for shipment.

Issue 01/Rev 00 CAGM 1902 – SMS 11-40

 Chapter 11 – Appendices
Technical – Design and Manufacturing

Type of activity/
Type of
infrastructure/ Examples of Hazards
operation
system

Inadequate Airworthiness Determination, which

Manufacturing is the function that provides for evaluation of
Processes completed products/parts thereof, and related
documentation, to determine conformity to
(continued) approved design data and theircondition for safe
operation.
Ineffective methods that are used by the
Production Approval Holder to control product
quality by statistical methods, and that may be
used for continuous improvement and/or product
acceptance. Statistical Quality Control includes
techniques such as statistical sampling, PRE-

-
control, and statistical process control.

D
Aircraft Ineffective control of precision measuring

E
Manufacturing devices (for example, tools, scales, gauges,
fixtures, instruments, and automated measuring
(continued) Manufacturing
Controls LL
machines) used in fabrication, special
processing, inspection, test of detail parts,
assemblies, and completed products to
O
determine conformity to approved design.
Lack of functions that provide for static,
TR

destructive, and functional tests of production

products/ parts thereof to ensure conformity to
approved design.
Ineffective methods of controlling, evaluating,
N

and dispositioning of any product/ part thereof

that does not conform to approved design.
O

Ineffective methods by which the production

facility ensures supplier materials, parts, and
C

Supplier Control
services conform to approved design. The term
“supplier” includes distributors.
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-41

 Chapter 11 – Appendices

-
E D
LL
O
TR

INTENTIONALLY LEFT BLANK

N
O
C
N
-U

Issue 01/Rev 00 CAGM 1902 – SMS 11-42

 Chapter 11 – Appendices

11.8 Appendix 8 – Malaysia Safety Performance Indicators

The following are list of high-severity and low-severity lagging SPIs that need to be
implemented by applicable service providers;

Low probability / high severity High probability / low severity

Air Traffic Service

H1- Serious Incident (SI): Aggregate monthly serious L1- TCAS RA: Aggregate monthly TCAS RA rate per
incidents rate per 100,000 flight movements 100,000 flight movements

H2- Lost of Separations (LOS): Aggregate monthly lost of L2- Level Bust (LB): Aggregate monthly level bust rate per
separations rate per 100,000 flight movements 100,000 flight movements

-
H3- Runway Incursion (RINC): Aggregate monthly runway L3- Large Height Deviation (LHD): Aggregate monthly large

D
incursion rate per 100,000 flight movements height deviation rate per 100,000 flight movements

E
H4- Runway Excursion (REXC): Aggregate monthly runway L4- ILS: Aggregate monthly ILS downtime rate per 100,000
excursion rate per 100,000 flight movements hours

LL
L5- DVOR: Aggregate monthly DVOR downtime rate per
100,000 hours
O
L6- RSS: Aggregate monthly RSS downtime rate per
100,000 hours
TR

L7- AWOS: Aggregate monthly AWOS downtime rate per

100,000 hours
N

L8- PAPI: Aggregate monthly PAPI downtime rate per

100,000 hours
O

L9- VHF: Aggregate monthly VHF downtime rate per

C

100,000 hours
N

L10- Go Around - Inadequate Spacing (IS): Aggregate

monthly go around due to inadequate spacing rate per
-U

100,000 flight movements

Airworthiness

H1- MOR Incident: Aggregate monthly incident rate per
10,000 hrs maintenance.
Aerodrome Service
H1- Aircraft Related Ground Accident/Incident: Aggregate
monthly aircraft related ground accident/incident rate per
100,000 aircraft movements
H2- Runway Incursion: Aggregate monthly runway incursion
rate per 100,000 aircraft movements
H3- Runway Excursion: Aggregate monthly runway
excursion rate per 100,000 aircraft movements
L1- Customer Return Product: Aggregate monthly return
product rate per 1,000 release certificates.
L1- Non-Aircraft Related Accident/Incident: Aggregate
monthly non-aircraft related accident/incident rate per
100,000 aircraft movements
L2- Taxiway Incursion: Aggregate monthly taxiway incursion
rate per 100,000 aircraft movements
L3- Oil Spillage: Aggregate monthly oil spillage rate per
100,000 aircraft movements

Issue 01/Rev 00 CAGM 1902 – SMS 11-43

 Chapter 11 – Appendices
H4- Reported FOD on Runway: Aggregate monthly reported
FOD on runway rate per 100,000 aircraft movements
Flight Operations
H-Controlled flight into terrain (CFIT): Aggregate monthly
Controlled flight into terrain rate per 100,000 flight
movements
H-Loss of control – Inflight (LOC-I): Aggregate monthly Loss
of control – Inflight rate per 100,000 flight movements
H-Runway excursion (RE): Aggregate monthly runway
O
excursion rate per 100,000 flight movements
TR
H-Runway incursion (RI): Aggregate monthly runway
incursion rate per 100,000 flight movements
H-Mid-air collision: Aggregate monthly mid-air collision rate
N
per 100,000 flight movements
O
C
N
-U
Issue 01/Rev 00 CAGM 1902 – SMS
L4- Bird strike in the movement area: Aggregate monthly
bird strike in the movement area rate per 100,000 aircraft
movements
L5- Wildlife strike in the movement area: Aggregate monthly
wildlife strike in the movement area rate per 100,000 aircraft
movements
L6- Wildlife sighted in the movement area: Aggregate
monthly wildlife sighted in the movement area rate per
100,000 aircraft movements
L7- Reported FOD on Taxiway: Aggregate monthly reported
FOD on taxiway rate per 100,000 aircraft movements
L8- Reported FOD on apron: Aggregate monthly reported
FOD on apron rate per 100,000 aircraft movements
L9- Runway Surface Friction Level
-
D
L-Abnormal runway contact (ARC): Aggregate monthly
Abnormal runway contact rate per 100,000 flight
E
movements
L-Bird strike (Bird): Aggregate monthly Bird strike rate per
LL
100,000 flight movements
L-Collision with obstacle during take-off and landing
(CTOL): Aggregate monthly Collision with obstacle during
take-off and landing rate per 100,000 flight movements
L-Fuel related events (FUEL): Aggregate monthly Fuel
related events rate per 100,000 flight movements
L-Ground collision (GCOL): Aggregate monthly Ground
collision rate per 100,000 flight movements
L-Loss of control – Ground (LOS-G): Aggregate monthly
Loss of control rate per 100,000 flight movements
L-Navigation errors (NAV): Aggregate monthly Navigation
errors rate per 100,000 flight movements
L-Occurrence during ground handling operations (RAMP):
Aggregate monthly Occurrence during ground handling
operations rate per 100,000 flight movements
L-System/component failure or malfunction, Non-power
plant (SCF-NP): Aggregate monthly System/component
failure or malfunction, Non-power plant rate per 100,000
flight movements
L-System/component failure or malfunction, Power plant
(SCF-PP): Aggregate monthly System/component failure or
malfunction, Power plant rate per 100,000 flight movements
L-Unstabilised approach (UA): Aggregate monthly
Unstabilised approach rate per 100,000 flight movements
11-44