Guidance on Safety Management Systems Development
|Issuing Office:||Civil Aviation|
|Activity Area:||Education||AC No.:||107-001|
|File No.:||Z 5015-11-2||Issue No.:||01|
|RDIMS No.:||3789918||Effective Date:||2008-01-01|
TABLE OF CONTENTS
- 1.0 INTRODUCTION
- 2.0 REFERENCES AND REQUIREMENTS
- 3.0 BACKGROUND
- 3.1 Who should use this guide and what is it about?
- 3.2 What is a Safety Management System?
- 3.3 Key Generic Features of the SMS Approach
- 3.4 Diagram One - Key Generic Features of an Effective SMS
- 3.5 The Accountable Executive and Corporate Culture
- 3.6 Diagram Two - Elements of Safety Culture
- 3.7 Who is the accountable executive?
- 3.8 Continuous Improvement Cycle
- 3.9 Table 1: Plan, Do, Check, Act: A Process for Improvement
- 3.10 PLAN
- 3.11 DO
- 3.12 CHECK
- 3.13 ACT
- 3.14 Advantages of Using PDCA Methodology
- 3.15 Why Bother Implementing a SMS?
- 3.16 Integrating Other Legislative Requirements in your SMS
- 4.0 COMPONENT 1: SAFETY MANAGEMENT PLAN
- 4.1 Safety Policy
- 4.2 Building a Safety Policy
- 4.3 Safety Planning, Objectives and Goals
- 4.4 Safety Performance Measurement
- 4.5 Table 3
- 4.6 Safety Reporting Policy
- 4.7 Roles and Responsibilities
- 4.8 DIAGRAM 3 - SMS Organization Chart
- 4.9 Individual Roles and Responsibilities
- 4.10 Delegation of Tasks to Effectively Operate the Safety Management System
- 4.11 Safety Office
- 4.12 Safety Committee
- 4.13 Employee Involvement in SMS Development and Implementation
- 4.14 Description of System Components
- 4.15 Diagram 4 - Example Process Flow
- 4.16 Dealing with Third Party Service Providers
- 4.17 Management Review of the Safety Management System
- 4.18 How do you know if your SMS is working?
- 5.0 COMPONENT 2 - DOCUMENTATION
- 6.0 COMPONENT 3 - SAFETY OVERSIGHT
- 7.0 COMMON REACTIVE/PROACTIVE ELEMENTS
- 8.0 COMPONENT 4 - TRAINING
- 9.0 COMPONENT 5 - QUALITY ASSURANCE PROGRAM
- 9.1 Quality Assurance General
- 9.2 PDCA
- 9.3 Focus on Process
- 9.4 Operational and System QA
- 9.5 Audits
- 9.6 Establishing an Internal Audit Program
- 9.7 Process versus Results Auditing
- 9.8 Checklists
- 9.9 On-Going Monitoring
- 9.10 QA Personnel
- 9.11 Existing Systems
- 9.12 Role of QA
- 9.13 How do you know if your SMS is working?
- 10.0 COMPONENT 6 - EMERGENCY RESPONSE PLAN
- 11.0 CONCLUSION
- 12.0 CONTACT OFFICE
This Advisory Circular (AC) is provided for information and guidance purposes. It may describe an example of an acceptable means, but not the only means of demonstrating compliance with regulations and standards. This AC on its own does not change, create, amend or permit deviations from regulatory requirements nor does it establish minimum standards.
The purpose of this AC is to provide guidance on some of the ways SMS can be implemented in large, complex organizations.
This document applies to certificate holders required to have a safety management system in accordance with the Canadian Aviation Regulations (CARs) Part 1.
1.3 Description of Changes
2.0 REFERENCES AND REQUIREMENTS
2.1 Reference Documents
The following reference materials were used in the development of this document:
- Part I Subpart 7 of the Canadian Aviation Regulations (CARs) - Safety Management System Requirements;
- Transport Publication (TP) 8606, 2005-07-01 - Inspection and Audit Manual;
- TP 13739, 2001-04-01 - Introduction to Safety Management Systems;
- TP 14135, 2004-09-01 - Safety Management Systems for Small Aviation Operations – A Practical Guide to Implementation;
- National Standard of Canada, CAN/CSA-ISO 9000-00 - Quality Management Systems-Fundamentals and Vocabulary;
- Alan Waring, United Kingdom, 1996 - Safety Management Systems;
- James Reason, United Kingdom, Ashgate, 1997 - Managing the Risks of Organizational Accident;
- James Reason, United Kingdom 1987 - Managing the Risks of Organizational Accidents;
- Shell Aircraft Aviation Safety Management Guidelines, January 2000
- Peter M. Senge, New York, Doubleday, 1990 - The Fifth Discipline;
- R. Curtis Graeber and Mike Moodi, Flight Safety Foundation, IFA/IASS, South Africa, 1998 - Understanding Flight Crew Adherence to Procedures: The Procedural Event Analysis Tool (PEAT);
- James R. Evans and William M. Lindsay, U.S.A., South-Western College Publishing, 1999 - The Management and Control of Quality;
2.2 Cancelled Documents
As of the effective date of this document, the following documents are cancelled:
Transport Publication (TP) 13881, Revision 1, dated 2002-03-01 - Safety Management Systems for Flight Operations and Aircraft Maintenance Organizations.
2.3 Definitions and Abbreviations
The following definitions and abbreviations are used in this document:
- CAD means Civil Aviation Document
- CARs means Canadian Aviation Regulations
- SMS means Safety Management System
- TC means Transport Canada
3.1 Who should use this guide and what is it about?
This guide is intended for Civil Aviation Certificate Holders who have an understanding of what a safety management system is. If you don't have a basic understanding of SMS, TC's technical publication (TP) 14135, Safety Management Systems For Small Aviation Operations or TP 13739, Introduction to Safety Management Systems may be a good place to start your reading.
This guidance material provides an interpretation of the intent and application of the SMS regulatory requirements in large, more complex operations. It contains practical examples of how the components that make up an SMS might be implemented and provides an assessment tool for understanding whether or not your organization meets the minimum regulatory requirements.
- Depending on the size and complexity of the organization, the tools that make up an organization's SMS will vary. As such, the material contained herein is not intended as prescriptive formula for meeting the regulatory requirements. The information provided in this guide is offered as an information source for interpreting the regulatory requirements and is intended to pave the way forward to the successful implementation of SMS in your organization.
3.2 What is a Safety Management System?
A SMS is an explicit, comprehensive and proactive process for managing risks that integrates operations and technical systems with financial and human resource management, for all activities related to a CAD.
Practically speaking, a SMS is a business-like approach to safety. In keeping with all management systems, a SMS provides for goal setting, planning, and measuring performance. It concerns itself with organizational safety rather than the conventional health and safety at work concerns. An organization's SMS defines how it intends the management of air safety to be conducted as an integral part of their business management activities. A SMS is woven into the fabric of an organization. It becomes part of the culture; the way people do their jobs.
- The organizational structures and activities that make up a SMS are found throughout an organization. Every employee in every department contributes to the safety health of the organization. In some departments safety management activity will be more visible than in others, but the system must be integrated into «the way things are done» throughout the establishment. This will be achieved by the implementation and continuing support of a safety program based on a coherent policy, that leads to well designed procedures.
3.3 Key Generic Features of the SMS Approach
There is no definitive meaning attached to the term «SMS». Every organization, and industry, for that matter, has its own interpretation of what it is. From the Civil Aviation perspective, five generic features characterize a SMS. These are:
A comprehensive systematic approach to the management of aviation safety within an organization, including the interfaces between the company and its suppliers, sub-contractors and business partners.
A principal focus on the hazards of the business and their effects upon those activities critical to flight safety.
The full integration of safety considerations into the business, via the application of management controls to all aspects of the business processes critical to safety.
The use of active monitoring and audit processes to validate that the necessary controls identified through the hazard management process are in place and to ensure continuing active commitment to safety.
The use of Quality Assurance principles, including improvement and feedback mechanisms.
When considering how to meet the SMS CARs requirements some companies may choose to utilize a commercial “off-the-shelf” system. Whilst this might be appropriate for some companies, the program should be tailored to meet the requirements of the individual organization rather than assuming that one size fits all. Attention should also be given to the linkages between the individual components; they should be linked in a systematic way, rather than appearing to be stand-alone units.
Key Components of a Safety Management System
A Safety Management Plan
Emergency Response Preparedness
- A SMS can be divided into three principle parts, all interlinked and interdependent. The key point to remember is that if any one of these parts is missing, the system will be ineffective. In the diagram below, you can see how each of the regulatory requirements (shown in letters corresponding to 3.3(3) fit into the SMS as a whole. Further, an SMS with all the principle parts in place will allow for continuous improvement because the prerequisites of the Plan, Do, Check, Act Model are already in place.
3.4 Diagram One - Key Generic Features of an Effective SMS
3.5 The Accountable Executive and Corporate Culture
For a SMS to be effective there has to be a champion; someone with the authority to commit the resources required to implement, maintain and take responsibility for the SMS.
An effective implementation strategy for SMS will involve changes in processes and procedures and will almost certainly involve a shift in the corporate culture. The safety culture of an organization is defined as “…the product of individual and group values, attitudes, perceptions, competencies and patterns of behaviour, that determine the commitment to, and the style and proficiency of, an organization's health and safety management.”. Simply put, it is quite literally the way things are done. Every organization has a culture, good or bad, safe or unsafe, the corporate culture is reflected in the mode of operation throughout the organisation. Typically, the tone of the culture is established from the top down. If the accountable executive is committed to managing safety risks then the way that organization operates will reflect this philosophy.
Managing safety risks, however, involves more than a personal commitment to make safety one's primary obligation. It often requires an expenditure of capital and resources to achieve a safer operating environment. That's why the proposed amendments to the Canadian Aviation Regulations define the accountable executive as “…the person [who] has full control of the financial and human resources required for the operation's authorized to be conducted under the operations certificates”
In an SMS environment, the accountable executive and all senior managers are accountable for safety. The dedication and involvement of top management towards safety and safety practices should be clearly visible. It is important that senior management is seen to provide a strong and active leadership role in the SMS. This includes a commitment to provide the resources necessary to attain the strategic safety objectives established by the organization. The following is a list of activities that demonstrate top management’s active commitment to SMS, these include:
Putting safety matters on the agenda of meetings, from the Board level downwards;
Being actively involved in safety activities and reviews at both local and remote sites;
Allocating the necessary resources, such as time and money, to safety matters;
Receiving and acting on safety reports submitted by employees;
Promoting safety topics in publications, and (probably most important of all); and
Setting personal examples in day-to-day work to demonstrate unmistakably that the organization's commitment to safety is real and not merely lip-service, and by clearly and firmly discouraging any actions that could send a contrary message.
- The ideal safety culture embodies a spirit of openness and demonstrates support for staff and the systems of work. Senior management should be accessible and dedicated to making the changes necessary to enhance safety. They should be available to discuss emerging trends and safety issues identified through the System. A positive safety culture reinforces the entire safety achievement of the organization and is critical to its success.
3.6 Diagram Two - Elements of Safety Culture
The following diagram demonstrates the types of cultural attributes that indicate a good safety culture
3.7 Who is the accountable executive?
The accountable executive is, for all intents and purposes, the certificate holder. In fact, in a sole proprietorship he or she will almost certainly be the certificate holder.
In a corporation, he or she will most likely be the CEO or a senior executive who has been delegated authority similar to that of the CEO. This is not just a manager with a big budget. It is someone at a level that determines how big the various departmental budgets will be, with full executive control over the organization's activities. In an airport environment where the owner is the local council, the accountable executive will most likely be the mayor.
The reason for specifying a single accountable executive for all certificates held is to ensure that this responsibility is not simply delegated to the various functional heads responsible for the different certificates. After all, as the individual responsible for the SMS, this person will have to decide whether, for example, to divert funds from new aircraft acquisition to new hangar construction, or from training to test equipment.
The implementation of the accountable executive will ensure that:
Senior management cannot avoid responsibility for systemic failures due to ignorance;
All major safety-related findings are known by the accountable executive; and
The accountable executive is held responsible for safety deficiencies.
- The flow chart shown in Staff Instruction 106-001 – Validation of an Accountable Executive will help define who the accountable executive is in your organization.
3.8 Continuous Improvement Cycle
For an SMS to be successful it must never be static. Just because the basic components and elements of the SMS are in place, it cannot be considered “complete”. Your organization isn't static: personnel, equipment, routes, runways and the operating environment change all the time. As the organization changes, so must the SMS. It must continually evolve using the system outputs and lessons learned. To achieve this state of continuous improvement it is important to understand that all work done in an organization is the result of process.
It has been said that, “The emphasis with assuring quality must focus first on process because a stable, repeatable process is one in which quality can be an emergent property”. In other words, to validate and ensure the effectiveness of a process, the process must a) exist and be understood, and b) be followed repeatedly by all personnel. Once it is confirmed that a process exists and is in use, the output or product of that process can be reviewed to ensure that the desired outcome is in fact being realized. Where the result of a process falls short of expectations, that process can then be adjusted to achieve the desired result.
One way of achieving this state of continuous improvement is to apply the Plan, Do, Check, Act (PDCA) model popularized by W. Edwards Deming. Dr. Deming's pioneering work in quality management gave rise to a continuous process to achieve better quality products and services, and to improve the processes that deliver them. Essentially, what the PDCA does is provide a logical process for the development of all SMS elements and components, including processes already in existence within the company.
- The PDCA model can be used to develop every aspect of your SMS. The chart below demonstrates how this can be applied. While you're reading this, think about an SMS process, voluntary reporting for example, and follow it through the PDCA process.
3.9 Table 1: Plan, Do, Check, Act: A Process for Improvement
- Determine Responsibility
It is likely that implementing, improving or replacing processes will involve more than one person, although this is not always the case. Using a group of people to work on quality improvements, especially people who are knowledgeable about, or who have had input into existing processes, will increase the likelihood that they understand and will use the new processes when they are implemented.
- Determine Requirements
The first step in implementing any component or element of an SMS is to determine what is required. Reviewing TC's documentation relating to oversight and other publications, may be helpful. TC's documentation relating to oversight sets out the regulatory criteria for each component and element in a simple-to-use format. This document also sets out the expectations that not only meet the required criteria but include additional program characteristics that can be considered best practice.
- Assess Current Processes
The next step is to determine where you are in relation to where you want to be; in other words, you must know what processes you currently have in place. Using the voluntary reporting system as an example, it is likely that your organization already has some type of process for personnel to voice safety concerns. It may be informal or it may be established and documented, such as the safety reporting system required by air operators operating under Subpart 705. It is probable, however, that not all of the required criteria will be in place; there may not be a non-punitive reporting policy for example, and the scope of the reporting program may be directed to specific groups of employees, rather than all employees of the organization.
Your task at this point is to determine the shortcomings of current processes and a good way to do this is by using the Gap Analysis Form provided in Appendix B of TP 14343, (referred to above). Once you have completed the analysis of where you are versus where you want to be, you will have a much clearer idea of the changes and additions that have to be made. These changes and additions can now be documented in an implementation plan such as the sample provided in Appendix C of the Implementation Procedures Guide for Air Operators and Approved Maintenance Organizations (TP 14343) andwill become the benchmarks by which you can measure progress of implementation and the effectiveness of the ongoing program element.
- Gather Baseline Data
What data do you have that provides a baseline for where you are now? Before you jump into making improvements or additions, you must know, and be able to show, where you stand. For instance, do you know how many safety reports have been submitted through an existing safety-reporting program in the previous month, or over the past year? What departments are the personnel who submit reports working in? Have personnel who reported safety deficiencies or hazards received a response to their report? Is this type of information in quantifiable terms? The identification of this baseline data is important, as it is from this point that you will be able to measure improvement.
- Set Goals and Determine Performance Measures
The next step is to convert the benchmarks (criteria) and baseline data (where you are now) into goals. Be realistic during this activity, and follow the basic principles of goal setting such as writing goals down, stating them positively, prioritizing, and being precise (e.g. increasing the number of reports by X% per month, or increasing awareness of the program across the organization by a specific date). Performance measures can then be determined by asking how you will know if you've met your goals. How many reports have been receiving measured against the baseline? From what departments? Are people aware of the reporting program? Do they know how to submit a report? Do they know what form to use or how to submit a report by email or fax?
An added benefit of following this process is that the safety goals and performance measures established during this activity will form, or link, to the safety goals and performance measures required under the safety management plan. In addition, the quality assurance department will then be able to use the performance measures to determine effectiveness of current or newly established processes. It is important to realize though, that benchmarks, goals and performance measures will change as the program evolves; they may even change as planned activity (theoretical) moves into practical implementation.
- Formulate an Action Plan
Once you have your data, you must formulate a plan for taking action. If you have completed the preceding steps thoroughly, this step should proceed smoothly as all you need do is ask the following question: What is stopping us from achieving our goals? The answers to that question will form the basis for your plan. One of the more important aspects of this phase is ensuring that new and revised processes are documented (refer to Chapter 5).
Often the most effective training at this stage is “just-in-time” (i.e. as needed) training, brought to members of a working group at the point where they are in need of more skills or information.
- Implement Action Plan
The assessment and planning that has been put into the development of an implementation plan will pay dividends during this phase; this is especially true if new or revised processes that personnel will be required to follow have been well documented. It is time now to try out what looks good on paper. A working group may implement the plan they have developed, or the plans and recommendations may be turned over to another group for implementation.
- Make Adjustments as Needed
Sometimes plans look better on paper! As mentioned earlier, it may become necessary to make adjustments or changes to the plan and to documented processes.
- Gather and Organize Data
Since you have baseline data gathered before you implemented changes, you will want to measure again after the plan is implemented. This measurement will tell you whether there has been an improvement in the process and if you have achieved your objective(s). You can use your data to substantiate to other people that your effort has been successful. The display of this data is valuable, both to you and to people who want to know what you and/or the working group have done.
There are two elements of training to consider at this point; training for personnel (i.e., the training component of SMS) and any additional training required by the implementation team. In addition to general SMS principles, SMS training for personnel will focus on those components/elements being implemented. Like any other phase of SMS implementation, personnel training must be considered dynamic, which is to say that you'll want to be open to feedback and expect that some fine-tuning will be needed. A good way to facilitate this is to end each training session with a “what went well – what needs improvement” segment. You will also want to align training sessions with new elements/components as they come on line, so expect that your training plan will include a number of shorter component/element-specific training sessions over the implementation period.
- Compare New Data to Baseline
What does your data tell you? At this point in your improvement process, you should be able to determine if your action plan (the Do part of PDCA) is accomplishing what you designed it to do.
- Compare Performance to Goals
Review the goals you set in the planning phase and determine whether or not you are meeting them. This is where the thought that went into performance measurement really pays off, as you'll have clearly defined measures to assist in evaluating the effectiveness of planned implementation activities.
- Make Adjustments as Needed
With the information you now have, you and/or your working group will have the opportunity to determine what needs fine-tuning or what changes are required to improve your results. Are planned processes being followed? Are they effective? Can they be improved upon so that the operation is more efficient?
- If Significant Gaps Remain:
If you are grappling with a particularly difficult and involved phase, you may find that you need to rethink the Action Plan and make changes in the original plan. If so, return to the DO phase and follow through like before. This is not a setback. Anything that provides information and points you in the right direction is progress.
Be vigilant to changes that will necessitate changes to training programs and ensure that a process has been developed to make personnel aware of these changes.
- Standardize Effective Changes
When you know that your plan works, you will make it a part of the way you do business.
- Use Data and Improved Outcomes to Sell Changes
You can take the opportunity to show your data to the sceptics, proving how the changes are saving resources and/or improving service to stakeholders.
- Set Up Quality Indicators and Continue to Measure Periodically
The final part of the improvement project is not the end. Quality indicators will tell you what to measure, and those who worked on the project will determine how often to measure. This is an effective way to monitor progress and make sure there is no "backsliding."
- Look for Other Places in the Organization that could Profit from your Experience and Publicize your Success
There may be other areas of the organization struggling with issues similar to yours. If you know about some of those places, you can make a point of reporting your results and offering to share information. Your hard work can benefit more than just your area.
- Be a Quality Advocate
Advertise the benefits of applying a PDCA approach to improving your processes. Apply quality management principles to everything you do and encourage others to do the same.
This part of the process is something that happens quite naturally. When you have experienced what can be accomplished through following the quality process and applying your expertise and knowledge to solve a problem, you will want to tell others about your success. It is important to celebrate with your group members and others who helped you along the way.
- Assess to Identify Other Gaps
You are now able to identify other places where you have gaps in performance. As you do, you can cycle back to the PLAN phase of the process.
3.14 Advantages of Using PDCA Methodology
The advantages of using this methodology is:
The methodology provides a simple framework for organizing your action plan.
You will be building consensus among stakeholders as you work through implementing SMS.
The methodology prompts you to determine your baseline data when you begin implementation activities.
Data is a quick, effective way to share results with those interested in your outcomes.
- The methodology provides tools for problem solving.
3.15 Why Bother Implementing a SMS?
It's often said that safety makes economic sense. Unless an organization experiences a loss, or critically assesses both the direct and indirect costs of an occurrence, it is often difficult to relate to this statement. The direct costs are usually easy to quantify, they include damage to the aircraft, compensation for injuries and damage to property and are usually settled through an insurance claim.
The indirect costs are a little more difficult to assess, these are often not covered or fully reimbursed by the organization’s insurance and the impact is often delayed. This includes items such as:
Loss of business and reputation;
Legal fees and damage claims;
Medical costs not covered by worker's compensation;
Cost of lost use of equipment (loss of income);
Time lost by injured person(s) and cost of replacement workers;
Increased insurance premiums;
Aircraft recovery and clean-up;
The economic argument is even more salient when one considers the following figures produced by the Boeing Aircraft Corporation. Boeing estimated the average cost in U.S. dollars of the following:
In-flight shutdown - $500, 000
Flight cancellation - $50, 000
Flight delay per hour - $10, 000
In an airport environment other costs to consider are things like cost of runway or airport closure
The following table looks at the profit margins required to cover specific yearly incident costs. Taking into account the following figures, it is clear that the cost of implementing and maintaining a SMS becomes less significant and well worth the investment when contrasted with the cost of doing nothing.
- Table 2
Yearly Incident Costs Profit Margin 1% 2% 3% $1,000 $100,000 $50,000 $33,000 $10,000 $1,000,000 $500,000 $333,000 $50,000 $5,000,000 $2,500,000 $1,667,000 $100,000 $10,000,000 $5,000,000 $3,333,000 SALES REQUIRED TO COVER LOSSES
3.16 Integrating Other Legislative Requirements in your SMS
To fully understand and identify hazards and risks, an organization must consider all aspects of the organization and not just those impacted by the Canadian Aviation Regulations. Reporting and information sharing requirements exist in other bodies of legislation such as the Canada Labour Code and the Canadian Environmental Protection Act. These requirements complement and enhance the SMS requirement of the CARs by providing a broader perspective on the operational hazards and risks that might impact flight safety. Organizations are encouraged to utilize this information in their consideration of operational risk.
- In some cases, an organization may benefit from using the same component or element to accomplish multiple legislative requirements, data storage for example. It should be noted, however that compliance with individual legislative requirements will be determined by the Authority responsible for the specific legislative requirements. In no circumstances does compliance with the CARs SMS requirements alleviate an organization's responsibility to comply with other legislative requirements nor does it provide a mechanism for circumventing theses requirements.
4.0 COMPONENT 1: SAFETY MANAGEMENT PLAN
An operator's safety management plan defines how the certificate holder will establish, implement and maintain its SMS. It should represent a logical design detailing how the SMS will be implemented and maintained. It should contain four principle things:
- A definition of the fundamental approach an organization will adopt for managing safety within their organization, including a safety policy that clearly defines the organization's philosophical approach to safety and the performance goals it has established for itself
- Clearly defined roles and responsibilities for all personnel involved in safety.
- A description of the safety management system components
- A description of how the safety performance is measured.
4.1 Safety Policy
- A safety policy is a statement of what an organization is committed to in regards to the safety of technical operations. It should be signed by the accountable executive and should clearly state the organization's intentions, management principles and aspirations for continuous improvement in the safety level. This can be achieved through documented policies describing what organizational processes and structures it will use to achieve the SMS. It should also contain a statement outlining the organization's objectives and the outcomes it hopes to achieve through its SMS.
- Your safety policy can be as simple or as complex as you choose to make it. The key is to understand that the safety policy is not simply a platitude that no one thinks about after it is published. On the contrary, the safety policy must be seen to have value; it must be the philosophy that everyone adheres to in their everyday activities. It must form the foundation of the SMS you wish to build and adhere to.
4.2 Building a Safety Policy
Typically, an organization's safety policy will comprise the following elements:
- General Statement of Intent
This is sometimes called a mission statement or a corporate policy. Regardless of the terminology, the statement should start by defining what the organization is committed to in regards to safety. For example, TC's statement of intent is: to develop and administer policies, regulations and services for the best possible transportation system for Canada and Canadians - one that is safe, efficient, affordable, integrated and environmentally friendly. Transport Canada's vision is - A transportation system in Canada that is recognized worldwide as safe, secure, efficient, and environmentally responsible.
- Safety Objectives
- Safety objectives clearly define what the organization wants to achieve with its SMS. The objectives, as well as a top-level statement regarding the organization's commitment to achieving improvements in safety, form the basis of the safety policy and should be widely publicized and distributed.
- A typical statement outlining the safety objectives of the SMS should include both primary and secondary objectives. For example, «Our primary objective is to make our airline the safest in the world by addressing flight safety issues which:
- Take into account realistic exposure to risk and the resources available to deal with it;
- Employ systems that are acceptable to the regulatory authorities;
- Minimize both the likelihood and consequences of accidents causing damage to people and/or property.
- Provide the means by which the organization can deal proactively with events.
- It is important to ensure that the stated objectives are achievable and clearly define the limits within which the organization will operate. They should be unambiguous, well documented, readily accessible and should be reviewed on a regular basis. In effect, your safety objectives should form the basis for the internal safety goals and performance measures you will use to determine if your SMS is working.
- Roles and Responsibilities
- Clearly define who is responsible and who is accountable for safety within the organization. The distinction between responsibility and accountability is subtle but vitally important in a SMS. Accountability means that you are liable for a specific action, for example the accountable executive is held liable for establishing the SMS. The responsibility for establishing the SMS, that is the physical activity of establishing the system, can be delegated to another person. You can therefore, be responsible but not accountable for something.
- The following example of a safety policy can be amended to suit the needs of the organization.
Among our core values, we will include:
- Safety, health and the environment
- Ethical behaviour
- Valuing people
Our fundamental safety beliefs are:
- Safety is a core business and personal value
- Safety is a source of our competitive advantage
- We will strengthen our business by making safety excellence an integral part of all flight and ground activities
- We believe that all accidents and incidents are preventable
- All levels of management are accountable for our safety performance, starting with the Chief Executive Office (CEO) / Managing Director
CORE ELEMENTS OF OUR SAFETY APPROACH
The five core elements of our safety approach include:
Top Management Commitment
- Safety excellence will be a component of our mission
- Senior leaders will hold line management and all employees accountable for safety performance
- Senior leaders and line management will demonstrate their continual commitment to safety
- Safety performance will be an important part of our management/employee evaluation system
- We will recognise and reward flight and ground safety performance
- Before any work is done, we will make everyone aware of the safety rules and processes as well as their personal responsibility to observe them
Clearly Communicated Expectations of Zero Incidents
- We will have a formal written safety goal, and we will ensure everyone understands and accepts that goal
- We will have a communications and motivation system in place to keep our people focused on the safety goal
Auditing &Measuring for Improvement
- Management will ensure regular safety audits are conducted and that everyone will participate in the process
- We will focus our audits on the behaviour of people as well as on the conditions of the operating area
- We will establish both leading and trailing performance indicators to help us evaluate our level of safety
Responsibility of All Employees
- Each one of us will be expected to accept responsibility and accountability for our own behaviour
- Each one of us will have an opportunity to participate in developing safety standards and procedures
- We will openly communicate information about safety incidents and will share the lessons with others
- Each of us will be concerned for the safety of others in our organisation
THE OBJECTIVES OF THE SAFETY PROCESS
- ALL levels of management will be clearly committed to safety
- We will have clear employee safety performance metrics, with clear accountability
- We will have open safety communications
- We will involve everyone in the decision process
- We will provide the necessary training to build and maintain meaningful ground and flight safety leadership skills
- The safety of our employees, customers and suppliers will be a corporate issue
4.3 Safety Planning, Objectives and Goals
- Establishing a set of safety objectives is key to establishing a successful SMS. Safety objectives define what the organization hopes to accomplish with its SMS. Safety objectives are the broader targets the organization hopes to achieve. They should be published and distributed so that all employees understand what the organization is seeking to accomplish with its SMS.
- Goal setting is vital to an organization's performance and helps to define a coherent set of targets for accomplishing the organization's overall safety objectives. All organizations have their own ways of setting and expressing goals. In some organizations, the goals are not stated very explicitly. Other organizations set goals formally and document the process. Regardless of how management goals are set, few organizations are good at developing safety goals. The most common weakness in setting safety goals is focusing on outcomes. This usually means counting accidents, but we know that safe companies can have accidents while less safe operations can be lucky and avoid accidents. Although the ultimate goal is 'no accidents', there are more precise and useful ways of measuring safety, especially in a safe system, than counting accidents.
- It is a never-ending struggle to identify and eliminate or control hazards. We will never run out of things to do to make the system safer. Sound management requires that we identify them, decide how to achieve them and hold ourselves accountable for achieving them. Risk management procedures can help managers decide where the greatest risks are and help set priorities. Sound safety objectives and goal setting concentrates on identifying systemic weaknesses and accident precursors, and either eliminating or mitigating them.
4.4 Safety Performance Measurement
- The safety performance of the operation needs to be monitored, proactively and reactively, to ensure that the key safety goals continue to be achieved. Monitoring by audit forms a key element of this activity and should include both a quantitative and qualitative assessment. Meaning that a numeric as well as an effectivity assessment should be applied. The results of all safety performance monitoring should be documented and used as feedback to improve the system.
- It is widely acknowledged that accident rates are not an effective measurement of safety. They are purely reactive and are only effective when the accident rates are high enough. Furthermore, relying on accident rates as a safety performance measure can create a false impression; an assumption that nil accidents indicate the organization is safe. In reality, there will always be latent conditions within the system that might, if left unattended, lead to an accident. A more effective way to measure safety might be to address the individual areas of concern. For example, an assessment of the improvements made to work procedures might be far more effective than measuring accident rates.
- Performance measurement should be integrally linked to the company's stated overall objectives. This requires two things: the development and implementation of a coherent set of safety performance measures; and, a clear linkage between the safety performance measures and the organization's business performance measures. This shows a clear relationship between the organization's safety objectives and the achievement of its organizational and business goals. A simple example is given in table 3 below.
4.5 Table 3
|Objective||Safety Performance Measure|
|Reduction in insurance rates|
Decrease number and severity of hangar incidents
4.6 Safety Reporting Policy
- An essential element of any SMS is the safety reporting policy. To the extent possible, it should be non-punitive and developed, and implemented with all affected parties. This builds confidence in the system but also provides a clear understanding to all employees of what the safety reporting policy actually is.
- From a usability perspective, employees are more likely to report events and cooperate in an investigation when some level of immunity from disciplinary action is offered. When considering the application of a safety reporting policy, the organization should consider whether the event was wilful, deliberate or negligent on the part of the individual involved and the attendant circumstances. For example, has the individual been involved in an event like this before and did the individual participate fully in the investigation. Consideration should also be given to whether or not the individual was exhibiting normative behaviour that was sanctioned by management. In other words, is breaking the rules the norm in the organization and has management sanctioned «corner cutting» in the past? Careful analysis of the circumstances surrounding the event is required to determine whether the reporting policy is applicable or not.
- A typical safety reporting policy might include the following statements:
- Safe flight operations are ABC airlines most important commitment. To ensure that commitment, it is imperative that we have uninhibited reporting of all incidents and occurrences that compromise the safety of our operations.
- We ask that each employee accept the responsibility to communicate any information that may affect the integrity of flight safety. Employees must be assured that this communication will never result in reprisal, thus allowing a timely, uninhibited flow of information to occur.
- All employees are advised that ABC Airlines will not initiate disciplinary actions against an employee who discloses an incident or occurrence involving flight safety. This policy cannot apply to criminal, intentional or wilful acts.
- ABC Airlines has developed Safety Reports to be used by all employees for reporting information concerning flight safety. They are designed to protect the identity of the employee who provides information. These forms are readily available in your work area.
- We urge all employees to use this program to help ABC Airlines continue its leadership in providing our customers and employees with the highest level of flight safety.
- A non-punitive approach to safety reporting does not preclude the use of a general approach to discipline in cases where an employee is involved in similar, recurrent events.
- The safety reporting policy should also include features to guard against the deliberate abuse of the system, such as using self-disclosure as a means of obtaining indemnity for deliberate violations of both the letter and spirit of the system.
4.7 Roles and Responsibilities
- An organization should document and define the roles and responsibilities of all personnel in the SMS. Furthermore, a statement should be made attesting that everyone has a responsibility for safety.
- The following guidelines highlight some of the key areas that should be documented:
- The safety responsibilities for each position and task
- The competencies required for each position
- The line of responsibility for ensuring all staff are competent and trained for their duties and for ensuring that training takes place, and
- The responsibilities of the manager responsible for externally supplied services. All unapproved contracting companies should meet the organization's own SMS standards or an equivalent to them.
- Diagram 3 shows where existing organizational bodies, such as the safety office, fit into the SMS. To put this in today's context, in many organizations the safety office is considered to be a stand-alone entity equal to any other operational body. The functions specific to the SMS are concentrated within this silo and are not distributed throughout the organization. Safety management is a business function comparable to any other function in the operation. In the same way that financial considerations are integrated into the organization, so should safety management issues. In SMS, safety is considered to be everyone's responsibility and is not unique to the safety office. This model can be applied to any Certificate holder including airports.
4.8 DIAGRAM 3 - SMS Organization Chart
4.9 Individual Roles and Responsibilities
- The effective management of safety requires a clear delineation of all lines of authority within the organization. There should be a clear understanding of the accountability, responsibility and authority of all individuals involved in the system. An effort should be made to document and distribute the organogram throughout the organization, thereby promoting a common understanding of everyone's role in the SMS. Diagram 3 offers an example organogram of how the lines of responsibility might be established. In this diagram, the SMS analytical functions are performed within the individual technical areas. The Safety Services office is available to coordinate activities and provide advice where required. This model provides a fully integrated SMS model.
- Management's role, responsibilities and accountabilities for the SMS and organizational deficiencies identified through the system should be well defined and the lines of authority clearly understood. As stated in the proposed regulatory requirements, these requirements include:
- The accountable executive is accountable for establishing and maintaining the SMS;
- The functional area, that is the area of direct responsibility, maintenance, airport or flight operations for example, is responsible for the SMS;
- Everyone is responsible for safety in the organization. This includes all technical personnel as well as individuals in other non-technical areas such as marketing and customer service;
- SMS specific functions must be exercised by an individual employed within the operational area in which he/she works. The exception to this rule is in cases where the size of the operation, reasonably precludes the application of dedicated resources to this activity.
- The person responsible for the affected functional area is accountable for determining and implementing appropriate comprehensive corrective actions. The reason for this is threefold:
- The functional director, that is the person with direct line responsibility for the affected area, is directly involved in the decision making process. In most cases, he/she has the knowledge and expertise to recommend effective corrective and preventative actions and has the authority to assign the appropriate resources where required.
- The functional director must assume responsibility for safety within his/her own area of responsibility. In this way, he/she is involved in the «safety» process and is accountable for issues that arise in his/her functional area.
- A quality assurance function is provided because event investigations and corrective actions are separate activities. This eliminates the potential for conflict of interest because the person who identifies the problem is not the person who determines what the corrective action is. This does not preclude discussion of safety findings within a safety committee environment; however, the final say on any remedial action resides with the responsible functional director.
- The development of a positive safety culture is predicated on the involvement of all facets of the organization in the safety process. The objective of this requirement, therefore, is to involve all parties in the SMS, thereby fostering a company-wide commitment to safety management.
4.10 Delegation of Tasks to Effectively Operate the Safety Management System
To ensure that the SMS operates effectively it is essential that the following tasks be delegated to personnel as appropriate. The roles, responsibilities and accountabilities of each individual/position should be well defined and the lines of responsibility clearly understood. As stated in the proposed regulatory requirements, he/she is responsible for:
- Establishing and maintaining a reporting system to collect safety related data
- Conducting hazard identification and risk management analysis
- Conducting periodic reviews to determine the effectiveness of the program
- Developing and evaluating the results of safety initiatives
- Monitoring industry safety concerns that could affect the organization
- Determining the adequacy of training programs, and
- Advising reporters of the results of event analyses.
4.11 Safety Office
- There is no regulatory requirement to have a safety office. However, it is recognized that in larger organizations a safety office may be useful as a consultative or administrative body. In these cases, the safety office might act as a repository for safety related reports and information, provide an interdepartmental linkage for cross-functional safety events, coordinate occupational health and safety issues, as well as provide risk assessment and data analysis expertise to the functional managers. The safety office should provide data directly to the appropriate manager regarding major safety issues identified by the system. Individuals performing this function report directly to the appropriate responsible manager on issues related to the Certificate. In effect, the safety office becomes a safety services support provider.
- The responsibility for informing the accountable executive of major safety deficiencies identified within their responsible area remains with the appropriate functional director. Furthermore, whilst the safety office may be involved in discussions regarding possible corrective action, it is the responsibility of the functional head to determine what the corrective action will be and to ensure the outcome is monitored and evaluated. The safety office does not have the authority to overturn operational decisions related to safety issues identified by the system or the SMS itself.
4.12 Safety Committee
- Another form of interdepartmental communication is the safety committee. Safety committees may provide an effective forum for discussion, particularly in larger, more complex organizations and can provide benefits to the organization. Safety committees provide a forum for discussing safety related issues from a cross-functional perspective and may lead to the inclusion of issues that look at safety from a broader viewpoint. Conventional health and safety at work concerns are a good example of this. Frequently, safety issues are not limited to one specific area and require inputs and expertise from a variety of different fields. Safety committees provide a forum for this dialogue and can be utilized to assess the effectiveness of the system from a «big picture» perspective. They also provide a means by which safety achievements can be reviewed and safety information broadcast.
- The safety office may coordinate and provide administrative assistance to the safety committee. The safety committee could also be a stand-alone entity; meaning, one can exist without the other. The accountable executive should chair this committee and all parts of the organization must be represented. This does not preclude the existence of sub-committees with specific areas of responsibility.
- If you do choose to use a committee type approach within your SMS, there are a few caveats that should be applied:
- Always take minutes of the meetings. Minutes ensure that action items can be developed, followed up; and highlights of the meetings can be distributed to those not present at the meeting.
- Avoid «committee meeting fatigue» by structuring meetings at an appropriate interval for an appropriate length of time. Always provide and stick to an agenda and deal with business in a timely manner, try to overly lengthy committee meetings.
- Finally, establish the ground rules. Managing by consensus is a wonderful thing when everyone agrees but can create gridlock at other times. Make it clear from the outset that while everyone's opinion is valuable, and everyone will get their say, ultimately someone will have to take a final decision. When it comes to decisions about flight safety, that decision belongs to the appropriate functional manger. It is important that the presence of the accountable executive as chair does not create the impression that the committee's decisions constitute direction to responsible managers on matters that are clearly their responsibility and within their own specialist professional fields.
4.13 Employee Involvement in SMS Development and Implementation
- A successful SMS requires a focused sense of ownership throughout the system. Whilst it is essential that top management commit to doing whatever it takes to improve safety, it is equally important that all employees feel they have a system that values their input and is responsive to their contributions and ideas. In order to achieve this, all employees should have the opportunity to contribute to the development and implementation of the SMS. Employees are ideally placed to understand the most efficient and appropriate safety management mechanisms for their work environment. Their involvement in the decision-making process not only fosters ownership of the system, it also promotes a positive safety culture.
- In effect, the organization is striving to create a shared vision. As such, it is not sufficient for the accountable executive to make a safety policy statement outlining what the organization is committing to, without first acquiring feedback from all employees. One problem with top-down vision statements is that they reflect management's vision and do not always build on the individuals' personal vision. The result can be an authoritarian statement that does not inspire the achievement of a common goal - in this case safety. When people truly share a common vision they are united in a common aspiration, they have a common identity and they have ownership in the system.
- The involvement of employees or their representatives in the development and maintenance of the SMS will also foster the development of a reporting culture within the organization. If you recall the three prerequisite parts for an SMS, an integral part was the development of a robust system for assuring safety. One means of assuring safety is to encourage voluntary reporting. This cannot be successfully achieved without having some level of trust between employees, management and in some instances bargaining agents. In some cases, it may be necessary to enter into agreements with bargaining agents. Keep in mind that it is far easier to achieve a successful outcome when all parties have participated in the development of the SMS and have a clear understanding of what it is and is not. However, it is important to maintain the distinction between this role and the more traditional functions of collective bargaining.
- It should be clear, to all concerned, that safety is not negotiable in the usual sense of the term. Furthermore, just because a particular process was introduced for safety reasons does not guarantee that it was necessarily the best solution or that it is “off-limits” for change. Experience has shown that procedures that were felt to be sound from a safety perspective sometimes can have undesirable safety consequences. There are no “sacred cows” in a good SMS, so it is preferable that safety issues should not be entrenched in collective bargaining agreements.
4.14 Description of System Components
The SMS plan must include a description of each component of the system and should clearly describe the interrelationships between each of these components. A process flow diagram may be useful for this activity. This is essential if personnel, and the regulator, are to understand how the whole system is integrated. The documentary requirements for this element are discussed under the documentation section.
4.15 Diagram 4 - Example Process Flow
4.16 Dealing with Third Party Service Providers
- The utilization of third party service providers is normal practice in aviation. Depending on the nature of the operating environment this may involve both domestic and international service providers. So how do you manage the inherent safety risks involved with dealing with contractors? How do you integrate them into your SMS?
- There are several approaches that can be taken. The first is to insist contractually that all service providers establish their own SMS. While this should give you the confidence that the organization is managing its own safety risks, it might limit the number of service providers available. This approach has been adopted quite successfully in other high-risk industries such as oil and gas; however, it does take a period of adaptation and persistence to enforce this contractual requirement. In the oil and gas industry, this requirement has had a positive effect; providing increased incentive to companies to establish their own SMS.
- Another option would be to extend your own corporate SMS to the service provider. Given the extensive network of service providers employed by some organizations, economically this might not be feasible. In smaller organizations, it might provide the required level of oversight to ensure that risks are being managed effectively.
- A third alternative would be to ensure that service providers have the ability to report safety hazards into your SMS and establish a method of transferring safety information between yourself and the contracting party. This will involve some level of basic training and an exchange of information, but the investment is minimal given the risk associated with using service providers that are often non-regulated.
- Regardless of the approach taken, there should be a documented statement included in the safety management plan detailing how your organization will deal with third party contractors.
4.17 Management Review of the Safety Management System
- To ensure that the SMS is working effectively the accountable executive should conduct a periodic review of the SMS processes and procedures. To the extent possible, the review should be conducted by individuals not performing tasks directly related to the SMS. The safety manager for example should not be reviewing the SMS, as he or she is an integral part of the system. The review should also include an assessment of how well the organization is achieving its specific safety goals, the success of the corrective action plans and the risk reduction strategies implemented.
- The review is intended to provide a quality review and to provide a continuous improvement function within the SMS. It may be conducted by doing a traditional checklist audit or it may take the form of an effectivity assessment. Whatever the method, the accountable executive should be informed directly of the results. Essentially, this is the accountable executive's report card on how well the system is performing.
4.18 How do you know if your SMS is working?
|Component 1 - Safety Management Plan||Yes/No|
|Element 1.1 Safety Policy|
|Is a safety management system with defined components established, maintained and adhered to?|
|Is there a safety policy in place?|
|Is the safety policy approved by the accountable executive?|
|Has the organization based its safety management system on the safety policy?|
|Is the safety policy promoted by the accountable executive?|
|Is the safety policy reviewed periodically?|
|Is the safety policy communicated to all employees with the intent that they are made aware of their individual safety obligations?|
|Element 1.2, Non-Punitive Safety Reporting Policy|
|Is there a policy in place that provides immunity from disciplinary action for employees that report safety deficiencies, hazards or occurrences?|
|Element 1.3, Roles &Responsibilities|
|Has an accountable executive been appointed with responsibility for ensuring that the safety management system is properly implemented and performing to requirements in all areas of the organization?|
|Does the accountable executive have control of the financial and human resources required for the proper execution of his/her SMS responsibilities?|
|Does the person managing the operation of the SMS fulfill the required job functions and responsibilities?|
|Are the safety authorities, responsibilities and accountabilities of personnel at all levels of the organization defined and documented?|
|Do all personnel understand their authorities, responsibilities and accountabilities in regards to all safety management processes, decisions and actions?|
|Element 1.4, Communication|
|Are there communication processes in place within the organization that permit the safety management system to function effectively?|
|Are communication processes (written, meetings, electronic, etc.) commensurate with the size and scope of the organization?|
|Is information established and maintained in a suitable medium that provides direction in related documents?|
|Is there a process for the dissemination of safety information throughout the organization and a means of monitoring the effectiveness of this process?|
|Element 1.5, Safety Planning, Objective &Goals|
|Have safety objectives been established?|
|Is there a formal process to develop a coherent set of safety goals necessary to achieve overall safety objectives?|
|Are safety objective and goals publicized and distributed?|
|Element 1.6, Performance Measurement|
|Is there a formal process to develop and maintain a set of performance parameters to be measured?|
|Element 1.7, Management Review|
|Are regular and periodic, planned reviews of company safety performance and achievement including an examination of the company's Safety Management System conducted to ensure its continuing suitability, adequacy and effectiveness?|
|Is there a process to evaluate the effectiveness of corrective actions?|
5.0 COMPONENT 2 - DOCUMENTATION
- Up to date documentation is essential if the organization is to operate in a safe and efficient manner in accordance with current aviation safety regulations and standards. For this reason an operator's SMS documentation must address the following elements:
- The identification of applicable regulations, standards and exemptions.
- Consolidated documentation describing each component of the SMS, the interrelationship between the elements and the implementation process for required changes to documentation.
- Records management policy and procedures.
5.1 Identification and Maintenance of Applicable Regulations and Standards
- The organization must have a process for documenting the regulations, standards and exemptions by which it is regulated for the various activities it conducts. This documentation may reside in the approved manual or the organization's safety management program documentation as appropriate, but must be available to employees. The important thing is to position the documentation in a manner that promotes its usage.
- It is the organization's responsibility to maintain current regulatory and organization documentation. When changes to documentation are required the organization must have a documented process in place to ensure these changes are implemented.
- The process should provide for early identification of amendments. This will allow the organization to be proactive in addressing any required changes to documents and procedures.
- To address these situations the organization must have processes in place to:
- Identify any changes within the organization that could affect the organization's documentation, and amend the documentation as appropriate. A process to address changes within the organization could consist of a trigger to review documentation at any time a change to the organization's operations or structure occurs or is planned to occur. Specific events or dates could trigger processes for periodic reviews of regulatory information and the organization's documentation. These dates could be selected to augment other activities.
- Periodically review regulatory information to ensure the most current information is available.
- Periodically review documentation such as the approved manual or safety management program documentation to ensure compliance with current regulations.
- Documents required by regulation must conform to specific standards for compliance with those regulations. In an organization with a SMS, a corporate documentation strategy stemming from a clear policy with clear procedures for document development, management, control and revision will substantially contribute to the functionality and effectiveness of the system.
5.2 SMS Documentation
- Documentation in the context of a SMS has two components: the description of the SMS itself, and other corporate documentation, all of which must ultimately reflect the SMS philosophy in practice.
- One way of accomplishing this is by developing a corporate SMS policy manual. This could contain a description of the SMS itself, and provide detail that could be incorporated by reference into other company manuals to minimize repetition. These components are not addressed separately here since the integration of safety management into the whole of the organization is the objective, and becomes the normal way of doing business.
- The approach detailed in 5.2.(1) is only one way of accomplishing the documentation requirements. Companies may also incorporate their SMS requirements into existing approved documentation if this method works better for them. No matter which approach is taken, the document must be meaningful, explicit and utilised by the SMS user.
- SMS documentation should provide the policy, procedures and details of the SMS processes. A process loop alone does not give sufficient detail to provide a repeatable and auditable series of steps for the user. The following definitions apply to this document:
- Policy means a high level overall plan that outlines goals and objectives of an organization;
- Procedure means a specified way to carry out an activity or process;
- Process means a group of interrelated or interacting activities that convert inputs into outputs.
A complete SMS documentation package should contain all three of these elements. This doesn't mean they have to be located in the same manual it simply means for documentation to be comprehensive all three elements must be complete.
- In cases where the SMS documentation is located in several manuals it should be noted that a table of concordance indicating where documentation can be found should be included in the approved manual. A brief description of the documentation should also be included. It should also be noted that when an organisation chooses an all-inclusive format for SMS documentation or to incorporate documentation by reference these documents are still considered to be approved and should be submitted to your principal inspector for approval as required.
- SMS documentation should include a description of each component of the SMS including policy and procedures that explain the SMS processes. This step is essential if the organization's personnel, and the regulator, are to understand how the whole system is integrated.
- A SMS is a way of managing risk in the entire organization and must address all facets of the organization. The absence of a corporate documentation strategy may lead to a conflict in the level of documentation surrounding processes dictated by the SMS regulation and processes not included in the SMS regulation.
- Safety management must be integrated into everyday business; it cannot be an add-on. Unlike most industrial processes that have an attainable target, safety can always be improved, and risks managed more effectively. In order to achieve that goal, a corporate policy for documentation review and amendment is essential. As well, the business advantages inherent in a SMS can only be maximized if the non-regulated elements of the corporate whole are integrated into the SMS.
- To that end, a corporate SMS policy manual (SMSPM), although not a regulatory requirement, can be utilized to facilitate and incorporate SMS into the organization. Employee involvement in the development of the manual and the policy and procedures therein can be a valuable first step in fostering a sense of ownership and commitment to a positive safety culture. Where a company creates a stand-alone SMS manual, it should be noted that it must be incorporated by reference in all applicable approved manuals and must be approved by TC.
- A SMSPM should provide clear policy guidelines for the standardization of process fundamentals for regulated activities, and be specific enough to allow the non-regulated elements of the organization to contribute to and benefit from the organizational enhancements.
- At the end of the developmental process, corporate documentation will provide the guidance for the continuous improvement that is at the heart of a mature SMS. Without core documentation that guides each functional manager in the growth of their own area's development, these processes could evolve in a diverse manner, perhaps with negative consequences for interoperability and safety.
- Should an organization choose to incorporate their SMS policies and procedures directly into the approved manual they may do so. The intent is to document the SMS in an effective manner and to store it in a document that will actually be used on a daily basis.
5.2.1 Gap Analysis
- An important initial step in the implementation of a SMS is the gap analysis to determine the outstanding elements between the existing corporate structure and a structure that will meet SMS regulatory requirements and embrace best practices and continuous improvement. It is a good idea to conduct a pre-documentation analysis and define the process in the implementation strategy. The process should:
- Identify organizational silos and determine whether the communications links in all directions are effective. An SMS should break down any isolation of silos and improve efficiency through elimination of "not my responsibility" syndromes;
- Identify and codify interdependencies. Managers can be unaware of the extent of networking employees are required to do to complete tasks. The process mapping exercise should involve all employees involved in the completion of all organizational activities, whether regulated or not;
- Clarify and codify communications requirements. The interactions will require integrated procedures between managed units. These clear and unambiguous communications requirements must be resident in the operating procedures for each functional unit with a part to play in a given process. There must be universal understanding that the onus is on the sender of a message to ensure that the message is received and understood. There's no point in one unit mapping a process if another with a key role to play is 'winging' it;
- Identify fiefdoms, protected turf and sacred cows. These must be disestablished and removed. There is no room in an SMS for hidden agendas, nor any person or process that is not subject to scrutiny.
- It is possible that the processes most difficult to document and codify will be the ones that do not cause any difficulty because they operate smoothly. This is usually dependent on persons who have been accomplishing the task for a lengthy period of time, and for who the process has become automatic and routine. These tasks, whether associated with previous regulatory requirements or not, must be captured in process detail, to enable the internal audit function to be effective, to permit organizational and fault analysis and ultimately to ease succession when required.
5.2.2 Training Policy Documentation
Training documentation is mandated for persons employed in activities regulated under CARs. In order to ensure a corporate approach to documentation processes, however, the organization's policy with regard to training documentation should reside in the management policy document. This means that training documentation for persons whose jobs were not previously regulated would be dealt within the corporate policy framework, and enables more efficient internal audit processes as well as trend analysis for continuous improvement.
5.2.3 Commonality Issues of Documentation
The requirement for risk assessment guidelines and matrices should be developed and applied consistently within each functional area. While customization to meet specific needs is understood, the basis for the tools should be common, for example, to ensure that inter-departmental safety audits can be carried out by persons to whom the audited department's tools and processes seem fundamentally the same as their own.
5.2.4 Documentation Summary
Recalling the discussion of the Plan, Do, Check, Act cycle, the following summary highlights how this can be applied in building and utilizing effective SMS documentation:
- No undocumented processes. None. Every task in the organization is described, every job description detailed, every process described and recorded. (Plan)
- Use the documented procedures. Always. Everybody. If management takes shortcuts, the employees will feel justified in doing the same. This takes leadership as well as management. (Do)
- Audit and review to make sure that those procedures are documented and everyone uses them. An unworkable, unrealistic or unreasonable procedure will be bypassed or replaced in the work context. Make sure that procedures are documented so they can be used, supported and enforced. In the final analysis, this step will be broken into two parts, checking the existing system (Check) and improving the system by making changes where required (Act).
5.3 Records Management
Among the many fundamental corporate processes is the requirement for record keeping. While regulation directs the recording and retention of certain information, a corporate philosophy that addresses the importance of record keeping can embrace the regulatory elements and use the momentum to reinforce precision in other business documentation. This should include event reports, investigations, etc.
5.4 How do you know if your SMS is working?
|Component 2 - Documentation||Yes/No|
|Element 2.1 - Identification and Maintenance of Applicable Regulations|
|A documented procedure has been established and maintained for identifying applicable regulatory requirements (Parts IV, VI, VIII only)|
|Regulations, Standards and exemptions are periodically reviewed to ensure that the most current information is available (Parts IV, VI, VIII only)|
|Element 2.2 - SMS Documentation|
|There is consolidated documentation that describes the safety management system and the interrelationship between all of its elements|
|The information resides or is incorporated by reference into approved documentation, such as DAPM/EPM, Company Operations Manual, Maintenance Control Manual, Airport Operations Manual, as applicable, and where these approved documents are not required by regulation, the organization includes the information in a separate, controlled document|
|Element 2.3 - D2.3 Records Management|
|The organization has a records system that ensures the generation and retention of all records necessary to document and support operational requirements, and is in accordance with applicable regulatory requirements|
|The system shall provide the control processes necessary to ensure appropriate identification, legibility, storage, protection, archiving, retrieval, retention time, and disposition of records.|
6.0 COMPONENT 3 - SAFETY OVERSIGHT
- Safety oversight is fundamental to the safety management process. Safety oversight provides the information required to make an informed judgment on the management of risk in your organisation. Additionally, it provides a mechanism for an organization to critically review its existing operations, proposed operational changes and additions or replacements, for their safety significance. Safety oversight is achieved through two principal means:
- Reactive processes for managing occurrences, including event investigation and analysis;
- Proactive processes for managing hazards, including procedures for hazard identification, active monitoring techniques and safety risk profiling.
- For the most part these are two distinct elements in the SMS: one is reactive, the other proactive. The basic difference is the method of discovery: the reactive process responds to events that have already occurred, whilst the proactive method actively seeks to identify potential hazards through an analysis of the everyday activities of the organization. The exception to this rule occurs when a potential hazard has been reported through the organization's safety reporting program.
- Once an event has been reported, or a hazard identified, the procedures for dealing with these issues follow a similar process, as shown in diagram 3. The method of investigating and dealing with these issues may vary, however, the mechanism for storing, determining corrective actions and monitoring will likely be the same. This section will review the specifics involved with the reactive and pro-active processes and will discuss the commonalities involved.
6.1 DIAGRAM 5 - SMS Process Flow
6.2 Reactive Processes
6.2.1 Event and Hazard Reporting
- Every event is an opportunity to learn valuable safety lessons. The lessons will only be understood, however, if the occurrence is analyzed so that all employees, including management, understand not only what happened, but also why it happened. This involves looking beyond the event and investigating the contributing factors, the organizational and human factors within the organization, that played a role in the event.
- To achieve this, the organization should maintain procedures for the internal reporting and recording of occurrences, hazards and other safety related issues. The collection of timely, appropriate and accurate data will allow the organization to react to information received, and apply the necessary corrective action to prevent a recurrence of the event.
- The key to accomplishing this is to have a reporting system that meets the needs of the people who will be using it - the employees. As such, employee input into the development of the system is vital. A safety reporting system is worthless if no one uses it; the importance of the employee in the whole process, therefore, should not be minimized. An attendant safety reporting policy, and a real and demonstrated commitment by management to achieve the organization's safety goals, will help to foster the development of a reporting culture within the organization.
- An operator's safety reporting system should encompass the following fundamental elements:
- Systems for reporting hazards, events or safety concerns;
- Systems for analyzing data, safety reports and any other safety related information;
- Methods for the collection, storage and distribution of data;
- Corrective action and risk reduction strategies;
- On-going monitoring, and
- Confirmation of the effectiveness of corrective action.
6.2.2 Event and Hazard Reporting
- Employees must have a means of reporting all events and emerging hazards to an appropriate manager, as identified in the appropriate manual. The manager will then forward it to the data bank for processing.
- The reporting system should be simple, confidential and convenient to use and should be complemented with a safety reporting policy. These attributes, accompanied by efficient follow-up mechanisms acknowledging to the reporter that a report has been received, investigated and acted upon, will encourage the development of a reporting culture. The results should be distributed to the individual involved and the population at large where appropriate.
- There are many reporting programs in place for all types of operations. It is important to establish a system that suits the size and technology level of the operational environment. In smaller operations, reporting might be achieved through a simple written form deposited in a conveniently situated, secure box. Larger organizations may employ a more sophisticated, on-line safety reporting system. Under certain conditions, it may be more expedient to submit a verbal report; without exception, however, this should be augmented with a written report.
- At a minimum, report forms should allow for a full description of the event and provide space for the reporter to offer suggestions as to possible solutions to the problem being reported. Reports should employ a common and clearly understood taxonomy of error classifications. Simply put, this is the division of error types into ordered groups or categories. It is important that reporters and investigators share a familiar language to explain and understand the types of errors that are contributing to events. This will facilitate more accurate data inputs and trend analysis of the events.
- No matter what reporting system is utilized, its effectiveness will depend on four things:
- Employees clearly understand what they should report;
- All reports are confidential;
- Individuals are provided feedback on their reports in a timely fashion;
- The organization has a non-punitive disciplinary policy in place.
6.2.3 Why report?
All events require appropriate investigation in order to:
- Establish their root cause, that is the underlying initial contributing factor(s) that caused the event, and identify actions to minimize the chance of recurrence;
- Satisfy any regulatory requirements for reporting and investigation as per the Canadian Aviation Regulations;
- Provide a factual record of the circumstances of the event or hazard to allow others to learn from the situation; and
- Categorize the underlying causes and establish the appropriate remedial and continuous improvement action.
6.2.4 What should be reported?
- Knowing what to report plays a key role in an active reporting program. As a general rule, any event or hazard with the potential to cause damage or injury should be reported. Some examples of these issues are:
- Excessive duty times
- Crews rushing through checks
- Inadequate tool or equipment control
- Inadequate runway signage
- Unruly passengers
- Emergency exit paths blocked
- Incorrect or inadequate procedures, and a failure to adhere to standard procedures
- Poor communication between operational areas
- Lack of up to date technical manuals
- Poor shift changeovers
- Poor snow removal practices
- Lack of adequate training and recurrent training.
- Runway incursions
- This list is not intended to be all-inclusive; in fact it may be to the organization's detriment to attempt to define every hazard. Instead, the list should be seen as guidance to educate employees as to the types of things that constitute flight safety hazards.
6.2.5 Report Investigation and Analysis
- Every event should be investigated. The extent of the investigation will depend on the actual and potential consequences of the occurrence or hazard. This can be determined through a risk assessment (see Diagrams 7 & 8). Reports that demonstrate a high potential should be investigated in greater depth than those with low potential.
- The investigative process should be comprehensive and should attempt to address the factors that contributed to the event, rather than simply focusing on the event itself - the active failure. Active failures are the actions that took place immediately prior to the event and have a direct impact on the safety of the system because of the immediacy of their adverse effects. They are not, however, the root cause of the event; as such, applying corrective actions to these issues may not address the real cause of the problem. A more detailed analysis is required to establish the organizational factors that contributed to the error.
- The investigator, or team of investigators must be technically competent and either possess or have access to background information, so the facts and events are interpreted accurately. The investigator should have the confidence of the staff and the investigation process should be a search to understand how the mishap happened, not a hunt for someone to blame.
6.2.6 Event Investigation
- There are many tools that can be utilized to investigate events. An initial risk assessment may help determine the type of investigation that is conducted, or an organization may employ a predetermined event investigation format regardless of the event. It is up to the individual organization to determine which is the most appropriate method for their organization.
- Boeing's Maintenance Error Decision Aid (MEDA), the Ramp Error Decision Aid (REDA) and the Procedural Event Analysis Tool (PEAT) are examples of tools designed to investigate ramp, maintenance and flight operations events. The Cabin Procedural Investigation Tool is also available. These tools can be adapted to suit your operational needs. Regardless of the process utilized, a rigorous, repeatable methodology is required to effectively investigate events.
- These methodologies use the same process flow shown here in Diagram 6:
Diagram 6 - MEDA/PEAT/REDA Process Flow
- Boeing developed MEDA, REDA and PEAT to address the human performance factors that must be considered during an event investigation. There are slight differences with the investigative process employed in MEDA, REDA and PEAT. For example, PEAT focuses on the key event elements and identifies key underlying cognitive factors that contributed to the procedural deviation. The objective of the process is to help the investigator to arrive at valid, effective recommendations aimed at preventing the occurrence of similar types of procedural deviation. In contrast, MEDA looks at the organizational factors that can contribute to human error such as poor communication, inadequate information and poor lighting. While REDA is a structured investigation process used to determine the factors that contribute to errors committed by ramp and other ground operations personnel such as baggage handlers and individuals involved in aircraft servicing.
- MEDA, REDA and PEAT are based on the philosophy that traditional efforts to investigate errors are often aimed at identifying the employee who made the error. The usual result is that the employee is defensive and is subjected to a combination of disciplinary action and recurrent training. Because retraining often adds little or no value to what the employee already knows, it may be ineffective in preventing future errors.
- In addition, by the time the employee is identified, information about the factors that contributed to the event has been lost. Because the factors that contributed to the error remain unchanged, the error is likely to recur, setting what is called the "blame and train" cycle in motion again. To break this cycle, MEDA, REDA and PEAT employ investigative techniques that look for the factors that contributed to the error, rather than looking for someone to blame.
6.2.7 The MEDA Process
MEDA employs a basic five-step process for operators to follow (see Diagram 6) for the process flow). As previously stated, there are slight differences in the investigative focus between PEAT, REDA and MEDA, the process flow, however, is the same. In the MEDA process there are five steps:
- Event - An event occurs, such as a gate return or air turn back. It is the responsibility of the maintenance organisation to select the error-caused events that will be investigated.
- Decision - After fixing the problem and returning the airplane to service, the operator makes a Decision: Was the event maintenance-related? If yes, the operator performs a MEDA investigation.
- Investigation - Using the MEDA results form, the operator carries out an investigation. The trained investigator uses the form to record general information about the airplane, when the maintenance and the event occurred, the event that began the investigation, the error that caused the event, the factors that contributed to the error, and a list of possible prevention strategies.
- Prevention Strategies - The operator reviews, prioritizes, implements, and then tracks prevention strategies (process improvements) in order to avoid or reduce the likelihood of similar errors in the future.
- Feedback - The operator provides feedback to the maintenance workforce so technicians know that changes have been made to the maintenance system as a result of the MEDA process. The operator is responsible for affirming the effectiveness of employees' participation and validating their contribution to the MEDA process by sharing investigation results with them (reproduced by permission of the Boeing Company, AERO no. 3, 1998).
6.2.8 The PEAT Process
- The primary focus of PEAT is to find out why a serious event occurred and if a procedural deviation is involved. As such, PEAT relies heavily on the investigative philosophy that professional flight crews very rarely fail to comply with a procedure intentionally, especially if doing so is a safety risk. The PEAT methodology comprises three elements:
- A process - PEAT provides an in-depth, structured analytic process consisting of a sequence of steps that guides the investigator through the identification of key contributing factors and the development of effective recommendations aimed at the elimination of similar errors in the future. This includes collecting information about the event, analyzing the event for errors, classifying the error and identifying preliminary recommendations.
- Data storage - to facilitate data analysis PEAT provides a database for the storage of procedurally related event data. Although designed as a structured tool, PEAT also provides the flexibility to allow for the capture and analysis of narrative information as needed. This allows airlines to track their progress in addressing issues revealed by PEAT analyses and to identify emerging trends.
- Analysis - using the PEAT tool in a typical analysis of a procedurally related event, a trained investigator will consider the following areas and assess their significance in contributing to flight crew decision errors:
- Flight Phase where error occurred
- Equipment factors
- The role of automation
- Airplane deck indications
- Airplane configuration
- Other stimuli (beyond indications)
- Environmental factors
- The procedure from which the error resulted
- The status of the procedure
- Onboard source of the procedure
- Procedural factors (e.g. negative transfer, impractical, complexity, etc.)
- Crew interpretation of the relevant procedure
- Current policies, guidelines/policies aimed at prevention of event)
- Crew Factors
- Crew intention
- Crew understanding of situation at the time of procedure execution
- Situation awareness factors (e.g. vigilance, attention, etc.)
- Factors affecting individual performance (e.g. fatigue, workload, etc.)
- Personal and corporate stressors, management or peer pressure, etc.)
- Crew coordination/communication
- Technical knowledge/skills/experience
- Other factors
- PEAT provides consistency in application and results. The PEAT form is designed to facilitate the investigation of specific types of events, i.e. those involving non-adherence to procedures. As such, it addresses all the pertinent elements.
6.3 Pro-Active Processes
6.3.1 Safety Assessment
- For a SMS to transition from a reactive to a proactive system, it must actively seek out potential safety hazards and evaluate the associated risks. This can be achieved through the application of safety assessment practices. A safety assessment allows for the identification of potential hazards and then applies risk management techniques to effectively manage the hazard.
- A safety assessment identifies conditions that may be affected by personnel, equipment or materials by performing a systemic assessment of the organization's procedures, processes, functions and systems. Including the assessing the impact financial and other non-technical issues.
- A certificate holder's safety assessment system should encompass the following basic elements:
- Systems for identifying potential hazards
- Risk management techniques
- On-going monitoring/quality assurance.
6.3.2 Assessment Frequency
A safety assessment activity should be undertaken, at a minimum:
- During the implementation of your SMS and at regular intervals thereafter;
- When major operational changes are planned;
- If the organization is undergoing rapid change, such as growth and expansion, offering new services, cutting back on existing service, or introducing new equipment or procedures; and
- When key personnel change.
6.3.3 Hazard Identification
- Hazard identification is the act of identifying any condition with the potential of causing injury to personnel, damage to equipment or structures, loss of material, or reduction of the ability to perform a prescribed function. In particular, this includes any conditions that could contribute to the release of an un-airworthy aircraft, to the operation of aircraft in an unsafe manner or unsafe practices in an airport environment. This can be achieved through:
- A safety assessment of all company processes used to perform a specific operation. This involves an ongoing assessment of the functions and systems, and any changes to them, and the development of a safety case to proactively manage safety. Safety assessments are a core process in the safety management construct and provide a vital function in evaluating and maintaining the system's safety health.
- Trend and Pattern Analysis;
- Internal reporting systems: employee, service provider, customer, industry partner inputs;
- Safety audits of all aspects of operation including third parties, non-regulated entities and contractors;
- Data monitoring: FDMP, Maintenance monitoring, reliability data, Airport incidents statistics;
- Incident/accident data review;
- Site inspections: hangar, airports, flight line;
- Quality assurance reviews;
- Active behavioural monitoring: LOSA, MOSA, DOSA, observe people as they perform their work;
- Corporate experience, workplace opinions;
- Line Management Judgement on the operating environment;
- Industry generic hazard register: ASRS, Association lists, ICAO information;
- Safety data recording systems such as the CADORs and GAIN.
- Understanding the hazards and inherent risks associated with everyday activities allows the organization to minimize unsafe acts and respond proactively, by improving the processes, conditions and other systemic issues that lead to unsafe acts. These include - training, budgeting, procedures, planning, marketing and other organizational factors that are known to play a role in many systems-based accidents. In this way, safety management becomes a core-business function and is not just an adjunct management task. It is a vital step in the transition from a reactive culture - one in which the organization reacts to an event, to a proactive culture, in which the organization actively seeks to address systemic safety issues before they result in an active failure.
6.3.4 Building a Safety Risk Profile and a Hazard Register
A safety risk profile is a prioritised list of the known risks in your organization. In order to develop a safety risk profile you must develop a hazard register relating to your organization. This requires active and on-going monitoring to determine what are the hazards and the attendant risks. Some of the techniques for identifying hazards are highlighted in section 6.3.3
6.3.5 Safety Risk Profiling
Once potential risks have been identified, it is useful to fully understand the impact that they might have if they remain unchecked. In order to determine this, a full risk assessment should be conducted. This process is described below in section 6.4 Common Reactive/Proactive Elements. It should be applied to both the reactive investigations and pro-active safety assessments an organization conducts.
Safety risk profiling should look at the entire organization and identify levels of risk within the organization. Examples of areas that should be considered are:
Operational factors, such as weather information and approach aids;
Technical factors, such as parts interchange-ability and aircraft type;
Human factors, such as availability of equipment, working environment and human resources.
A comprehensive risk assessment identifies the range of possible hazards, threats, or perils that have or might impact the entity, surrounding area, or critical infrastructure supporting the entity. The potential impact of each hazard, threat, or peril is determined by the severity of each and the vulnerability of people, property, operations, the environment, and the entity to each threat, hazard, or peril.
The risk assessment should categorize threats, hazards, or perils by both their relative frequency and severity, keeping in mind that there might be many possible combinations of frequency and severity for each. The certificate holder should attempt to mitigate, prepare for, plan to respond to, and recover from those threats, hazards, or perils that are able to significantly impact people, property, operations, the environment, etc.
- A number of methodologies and techniques for risk assessment exist that range from simple to complex. These techniques and associated amplifying information include, but are not limited to the following:
- «What-if». The purpose of the «What-if» analysis is to identify specific hazards or hazardous situations that could result in undesirable consequences. This technique has limited structure but relies on knowledgeable individuals who are familiar with the areas/operations/processes. The value of the end result is dependent on the team and the exhaustive nature of the questions they ask regarding the hazards.
- Checklist: A specific list of items is used to identify hazards and hazardous situations by comparing the current or projected situations with accepted standards. The value of the end result is dependent on the quality of the checklist and the experience/credentials of the checklist user.
- What-if/checklist: This technique is a combination of the what-if and checklist techniques, and uses the strength of both techniques to complete the risk assessment. The what-if questions are developed and checklist(s) are used to encourage the creativity of the what-if process, as well as fill in any gaps in the process of developing questions. The value of the end result is dependent on the team and exhaustive nature of the questions they ask regarding the hazards.
- Hazard and operability study: This technique requires an interdisciplinary team that is very knowledgeable of the areas/operations/processes to be assessed. This approach is thorough, time-consuming, and costly. The value of the result depends on the qualifications/experience of the team, the quality of the reference material available, the ability of the team to function as a team, and strong, positive leadership.
- Failure mode and effects analysis: Each element in a system is examined individually and collectively to determine the effect when one or more elements fail. This is a bottom-up approach, that is, the elements are examined and the effect of failure on the overall system is predicted. A small interdisciplinary team is required. This technique is best suited for assessing potential equipment failures. The value of the end result is dependent on the credentials of the team and scope of the system to be examined.
- Fault-tree analysis: This is a top-down approach where an undesirable event is identified and the range of potential causes that could lead to the undesirable event is identified. The value of the end result is dependent on the competence in using the FTA process, on the credentials of the team, and on the depth of the team's analysis.
- The impact analysis is a broad description and quantification of a potential event that can impact a certificate holder. This analysis should give a clear idea of what hazards are most likely to occur, what facilities, functions, or services are affected based on their vulnerability to that hazard; what actions will most effectively protect them, and the potential impact on the entity in quantifiable terms.
- Hazard identification is an on-going activity. Hazards emerge and evolve as a result of changes in the operating environment which occurs frequently. As such, we can not assume that all hazards are visible, although most are predictable. For example, most hazards in aviation are not as obvious as a pool of water on the floor. We have to actively seek to know, understand and manage them.
- A safety risk profile allows you to prioritise your flight safety risks and effectively allocate resources to address the highest risk areas
- Your Safety Risk Profile should identify your top 10-12 risks to flight safety as it is impossible to address all risks identified through your system. This methodology allows management to effectively allocate resources where they are required the most.
- The safety risk profile should be linked to the objectives and goals of your organization. For example:
Risk number 1 Damage to aircraft as a result of unsecured equipment Objective 1 Reduce incidents of aircraft damage due to unsecured equipment Goal 1 Reduce aircraft damage by 50% within 6 months Control (CAP) Introduce new procedure for restraining equipment Measurement by number of aircraft damage incidents due to unsecured equipment
- The Development and updating of the safety risk profile should take place in accordance with your established management review cycle. However, where a hazard is identified and assessed as critical it should be reviewed by management and the safety risk profile adjusted when required.
6.3.6 Developing a Safety Case
- A safety case is developed in much the same way as a business case. It helps the organization to anticipate hazards that can result from operational change. At a minimum it should be used:
- When a major operational change is planned
- When a major organizational change is planned
- When key personnel change
- When a new route structure is contemplated
- When a new aircraft is introduced into the fleet
- When a new airport is being considered for use
- Building the safety case involves identifying the hazards associated with major change. Consideration should be given to hazards generated as a result of a change in management, facilities, routes or operating equipment. Once the hazards have been identified, an assessment of the risks related to the hazard and a plan for managing the risks should be developed.
- Developing a Safety case is need driven. When a major change occurs in your organization a safety case needs to be developed. This allows your organization to demonstrate to all stakeholders how you have managed the risks associated with that change.
6.3.7 Information Sources for Determining Potential Hazards
Identifying hazards is often perceived as resource intensive and unduly onerous. It doesn't have to be. There are numerous sources of readily accessible information that can be utilized to better understand potential risk within an organization. The following list details some of the possible resources:
- Corporate experience - Existing safety reports detailing events and near misses. Minutes of safety meetings and committee meetings can also reveal potential areas of concern.
- Line management judgement - All line managers will have perceptions of where the greatest risks are in their areas of accountability.
- Workplace opinions - Actively seek the input of the workforce. This can be achieved through focus groups, consulting employee representatives and conducting structured vulnerability analyses with subordinate managers and supervisors.
- Audit reports - The organization's internal audit system should contain a structured record of areas of concern in a prioritized format. A review of audit reports and remedial action plans (including an assessment of follow-up action completions) should be conducted. Corporate memories are often much shorter than the current incumbents realize and research beyond 5 to 10 years could reveal important information.
- Corporate hazard analysis - Records of previously conducted formal hazard analyses may reveal risk exposures, which did not appear very significant at the time, but do now, in light of the changed circumstances.
- Industry generic hazard register - Hazards/risks identified by other organizations might trigger concerns that should be addressed by the organization.
- Safety data recording systems - Mandatory occurrence reporting programs such as CADORs and industry safety data exchange programs like BASIS can be consulted (section 2.1 l)
6.3.8 Active Monitoring Techniques
There are several active monitoring methods that can be employed in safety assessment, these include:
Inspections - Determines adherence to requirements, plans and procedures by inspecting of premises, plant and equipment or activities. Usually achieved through detailed inspection of actual specific target area activities against planned methods or procedures. Tends to be focused at the task level.
Management safety inspections - Determines the effectiveness of systems and demonstration of line commitment. Usually achieved through examination of managers or teams that focus on people's activities and the system they use.
Audits - Verifies conformance with established guidelines and standards. Usually achieved through systematic independent review of an organization's systems personnel, facilities, etcetera using a predetermined targeted scope of coverage. Tends to be focused at the process level.
Process and practice monitoring - Identifies whether the procedure in use is relevant and actively used and whether practices employed are in line with the documented requirements. This can take the form of behavioural observation; monitoring people in real time while they conduct their job functions and can be very effective in identifying where deviations from procedures, normative behaviour and shortcuts are occurring. The observation is intended to analyse the cause of the behaviour rather than point fingers at any one person.
Review - Provides a review of processes to determine if they are appropriate and effective. Resource allocation is often a target of a review (section 4.17).
6.3.9 Checklist Usage
In most quality assurance systems, audit checklists are used to collect data related to the system. The same type of checklist should be utilized to provide a safety assessment of the organization. This will allow the organization to develop a safety case, an analysis of safety issues within the organization that adequately portrays the safety level of the organization.
7.0 COMMON REACTIVE/PROACTIVE ELEMENTS
Occurrence and hazard reporting and safety assessment are two individual functions within the SMS. Once a report has been submitted, however, the process flow is the same. The following represents common aspects that should be considered in these elements when developing a SMS.
7.1 Reporting Procedures
- The procedure for reporting an event or a hazard should be as simple as possible. Procedures for submitting the report should be clear, well documented and should include details of where and to whom reports should be submitted. This will reduce confusion over where safety reports go and will ensure that all events are brought to the attention of the appropriate person.
- When designing a safety report form, it is important to consider that the form may be used to submit information regarding events and hazards. The form should be structured in such a manner that it can accommodate both the reactive and proactive type of reporting. Sufficient space should be allowed for reporters to identify suggested corrective actions related to the issue they are reporting.
- There are many possible ways in which a report can be submitted. The size and complexity of the organization will determine how sophisticated the system is. In some cases this might involve having a locked post-box on the hangar floor, in other cases it might be more effective to submit reports directly to the safety office. It is up to the individual organization to determine the most suitable method.
7.2 Data Collection
- When producing an occurrence or hazard report every effort should be made to ensure that the form is easy to understand and user friendly. The organization should strive to make all reporting forms compatible for each area of the operation. This will facilitate data sharing, trend analysis and will also make the occurrence or hazard investigation process easier.
- Depending on the size of the organization, the most expedient data collection method might be to utilize existing paperwork, such as flight, airport and maintenance reports. The use of hand written reports or the information derived from verbal reports is equally acceptable. As previously stated, however, verbal accounts should always be followed-up with a written report.
- Reporting can also be achieved through the use of a dedicated occurrence and hazard report. A general off-the-shelf software package can be used or a predefined report, generated from integrated systems such as the Aviation Quality Database (AQD) report or the Aviation Events Reports Organiser (AERO). These types of system are all inclusive; they generate reports, collect and store data and can be used to provide trend analysis and safety reports.
7.3 Data Collection Systems
- AQD and AERO are examples of electronic data collection systems designed for use in a variety of different sized organizations.
- The use of pre-existing electronic data collection and storage is not a SMS requirement. A simple Microsoft ACCESS database or a manual filing system can be utilized. Your choice of data collection should be based on the size and complexity of your organization.
7.4 Risk Management
- Risk management is a proactive activity that looks at the risks associated with identified hazards and assists in selecting actions to maintain an appropriate level of safety when faced with these hazards.
- Once hazards have been identified, through either occurrence/hazard reporting, or a safety assessment the risk management process begins. Risk management is an evaluation of the potential for injury or loss due to a hazard and the management of that probability. This concept includes both the likelihood of a loss and the magnitude. The basic elements of a risk
- Risk Analysis
- Risk Assessment
- Risk Control
- Risk Analysis is the first element in the risk management process. It encompasses risk identification and risk estimation. Once a hazard has been identified, the risks associated with the hazard must be identified and the amount of risk estimated.
- Risk Assessment takes the work completed during the risk analysis and goes one step further by conducting a risk evaluation. Here the probability and severity of the hazard are assessed to determine the level of risk. Diagram 7 shows one example of a risk assessment matrix. In this diagram, the matrix defines a method to determine the level of risk.
7.5 DIAGRAM 7 - Risk Analysis Matrix
7.6 DIAGRAM 8 - Risk Assessment Matrix
|1 - 6||Minimum Risk||Proceed after considering all elements of risk|
|6 - 14||Moderate Risk||Continue after taking action to manage overall level of risk|
|15 - 25||High Risk||STOP: Do not proceed until sufficient control measures have been implemented to reduce risk to an acceptable level|
- To use the risk assessment matrix effectively it is important that everyone has the same understanding of the terminology used for probability and severity. For this reason definitions for each level of these components should be provided. It is up to individual organizations to define when intervention is required, in other words, the organization must decide where its tolerable level of risk is. Figure 5 provides an example of what this risk classification index might look like. The description should indicate the action required and if necessary a timeframe for completion.
- There are a number of examples of risk assessment and classification matrixes and their definitions available. Some of these utilize economic indicators such as dollar figures to define the level of acceptable risk.
- Risk Control addresses any risks identified during the evaluation process that require an action to be taken to reduce the risks to an acceptable level. It is here that a corrective action plan is developed.
- Monitoring is essential to ensure that once the corrective action plan is in place, it is effective in addressing the stated issues or hazards.
7.6.1 Existing Risk Management Processes
- There are a number of existing processes that can assist an organization in meeting the regulatory requirements for a risk assessment component to their SMS. These processes vary considerably in their scope and complexity. It is important that the process selected meets the capabilities and requirements of the organization in question. Following are only a few examples of processes that include the required components:
- Canadian Standards Association (CSA) Standard CAN/CSA-CEI/IEC 300-9-97, Dependability management - Part 3 Application Guide - Section 9: Risk Analysis of Technological Systems. This document provides the guidelines for selecting and implementing risk analysis techniques, primarily for risk assessment of technological systems. It contains guidelines regarding:
- Risk analysis concepts
- Risk analysis processes
- Risk analysis methods
- CSA Standard CAN/CSA-Q850-97 Risk Management: Guideline for Decision Makers. This guideline is intended to assist decision makers in effectively managing all types of risk issues, including injury or damage to health, property, the environment, or something else of value. It describes a process for acquiring, analyzing, evaluating, and communicating information that is necessary for decision-making. The guideline provides a description of the major components of the risk management decision process using a step-by-step process as follows:
- Preliminary Analysis
- Risk Estimation
- Risk Evaluation
- Risk Control
- Commercially available Software Programs. A number of software programs which advertise a risk analysis component, are available to operators. Some are directly focused on the safety management aspect within aviation and others are more generic in nature, but may meet individual organization's requirements. Information on these programs is readily available on the internet.
7.6.2 Corrective Action Plan
- Once a safety event report has been investigated and analysed, or a hazard identified, a safety report outlining the occurrence, and if available, the results of a hazard assessment, should be given to the appropriate director for determination of corrective or preventative action. The functional director should develop a corrective action plan (CAP), a plan submitted in response to findings, outlining how the organization proposes to correct the deficiencies documented in the findings. Depending on the findings the CAP might include short-term and long-term corrective actions. As an example, TC's oversight documentation defines these in the following manner
- Short-Term Corrective Action - This action corrects the specific issue specified in the audit finding and is preliminary to the long-term action that prevents recurrence of the problem. Short-term corrective action should be completed by the date/time specified in the corrective action plan.
- Long-Term Corrective Action - Long-term corrective action has two components. The first component involves identifying the contributing factors of the problem and indicating the measures the responsible manager will take to prevent a recurrence. These measures should focus on a system change. The second component is a timetable for implementation of the long-term corrective action. Long-term corrective action should include a proposed completion date.
- Some long-term corrective actions may require periods in excess of the organization's established acceptable timeframe, for example, where major equipment purchases are involved. Where applicable, the organization should include milestones or progress review points not exceeding the established timeframe leading up to the proposed completion date. Where the short-term corrective action taken meets the requirements for long-term corrective action, this should be stated in the long-term corrective action section on the corrective action form.
7.6.3 On-Going Monitoring
In order to ensure the effectiveness of the remedial measures, the corrective actions should be monitored and evaluated on a regular basis. Follow-up activity should be conducted through the internal audit process. This should include comprehensive documentation of audit findings, corrective actions and follow-up procedures.
7.6.4 Information Dissemination
- All safety related information should be disseminated throughout the organization. Keeping current on safety provides better background for understanding aspects of the organization's safety condition and developing novel solutions to difficult problems. This can be accomplished by subscribing to safety related programs, making relevant Transportation Safety Board (TSB) reports available, and encouraging staff to participate in safety related training, seminars and workshops. Manufacturers can also provide important safety information and reliability data related to the organization's specific needs.
- Another aspect of information dissemination is feedback on safety reports submissions. Employees should be notified when a safety report is received or when a potential safety threat is discovered. Further information should be provided pursuant to investigation, analysis and corrective action. Information dissemination can also be achieved through the publication of a corporate magazine or through the organization's website. The organization should endeavour to inform all employees as to where safety related information can be found. In this way, the entire organization becomes aware of safety issues and understands that the organization is actively seeking to address these issues.
7.7 How do you know if your SMS is working?
|Component 3 - Safety Oversight||Yes/No|
|Element 3.1 - Reactive Process - Reporting|
|The organization has a process or system that provides for the capture of internal information including incidents, accidents and other data relevant to SMS|
|The reactive reporting system is simple, accessible and commensurate with the size of the organization|
|Reactive reports are reviewed at the appropriate level of management|
|There is a feedback process to notify contributors that their reports have been received and to share the results of the analysis|
|There is a process in place to monitor and analyze trends documented|
|Corrective and preventive actions to respond to event analysis|
|Element 3.2 - Proactive Process - Hazard ID|
|The organization has a proactive process or system that provides for the capture of internal information identified as hazards and other data relevant to SMS|
|The proactive reporting process is simple, accessible and commensurate with the size of the organization (Part V &VII only)|
|Proactive reports are reviewed at the appropriate level of management|
|There is a feedback process to notify contributors that their proactive reports have been received and to share the results of the analysis|
|There is a process in place to monitor and analyze trends|
|The organization has planned self-evaluation processes, such as regularly scheduled reviews, evaluations, surveys, operational audits, assessments, etc.|
|Corrective and preventive actions are generated in response to hazard analysis|
|Element 3.3 - Investigation and Analysis|
|There are procedures in place for the conduct of investigations|
|Measures exist that ensure all reported occurrences and deficiencies reported are analyzed to identify contributing and root causes|
|Corrective and preventative actions are generated in response to event investigation and analysis|
|Element 3.4 - Risk Management|
|There is a structured process for the assessment of risk associated with identified hazards, expressed in terms of severity, level of exposure and probability of occurrence|
|There are criteria for evaluating risk and the tolerance level of risk the organization is willing to accept|
|The organization has risk control strategies that include corrective/preventive action plans to prevent recurrence of reported occurrences and deficiencies|
|The organization has a process for evaluating the effectiveness of the corrective/preventive measures that have been developed|
|Corrective/preventive actions, including timelines, are documented|
8.0 COMPONENT 4 - TRAINING
8.1 General Training Requirements
- In order for employees to comply with all safety requirements, they need the appropriate information, skills and training. To effectively accomplish this, the organization should document the training requirements for each area of work within the organization. The type of training to be offered is already mandated via regulation for certain positions in the organization. This includes initial, recurrent and update training requirements and, where required, training specific to the operation of the SMS. These regulations will provide a good starting point to identify what training is required.
- It is recommended that a training file be developed for each employee, including management, to assist in identifying and tracking employee training requirements.
- All employees will require some level of SMS training; the extent to which they are trained will depend on their function in the SMS. For example, a line employee will need to be trained how to report into the SMS reporting system. This would include how, where and what to report.
- Additionally, employees should be given basic human factors training to develop an awareness of the individual factors that can impact human performance and lead to errors. This might include coverage of issues such as fatigue, communication, stress, human performance models and lack of awareness.
- Employees with an assigned function in the SMS should receive more in-depth training. Training should include:
- Event investigation and analysis techniques;
- Hazard identification;
- Audit principles;
- Communication techniques;
- System analysis and implementation;
- Emergency response preparedness; and
- Human and organizational factors.
- Senior executives and the accountable executive should receive general awareness training related to all aspects of the SMS. The accountable executive is responsible for the establishment and maintenance of the SMS. A general awareness of the SMS is therefore advisable.
8.2 How do you know if your SMS is working?
|Component 4 - Training||Yes/No|
|Element 1 - Awareness and Competence|
|There is a documented process to identify training requirements so that personnel are competent to perform their duties|
|There is a validation process that measures the effectiveness of training|
|The training includes initial, recurrent and update training, as applicable|
|The organization's safety management training is incorporated into indoctrination training upon employment|
|Training includes human and organizational factors|
|There is emergency preparedness and response training for affected personnel|
9.0 COMPONENT 5 - QUALITY ASSURANCE PROGRAM
- A quality assurance program (QAP) defines and establishes an organization's quality policy and objectives. It also allows an organization to document and implement the procedures needed to attain these goals. A properly implemented QAP ensures that procedures are carried out consistently, that problems can be identified and resolved, and that the organization can continuously review and improve its procedures, products and services. It is a mechanism for maintaining and improving the quality of products or services so that, according to the Standards Council of Canada, they consistently meet or exceed the organization's implied or stated needs and fulfill their quality objectives (The Standards Council of Canada).
- An effective quality assurance system should encompass the following elements:
- Well designed and documented procedures for product and process control
- Inspection and testing methods
- Monitoring of equipment including calibration and measurement
- Internal and external audits
- Monitoring of corrective and preventive action(s), and
- The use of appropriate statistical analysis, when required
9.1 Quality Assurance General
In a SMS, the quality assurance program elements can be applied to an understanding of the human and organizational issues that can impact safety. In the same way that a QAP measures quality and monitors compliance, the same methods are used to measure safety within the organization. In the SMS context, this means quality assurance of the SMS, as well as quality assurance to ensure compliance to the CARs, Standards and procedures utilised by the organization.
- Quality assurance is based on the principle of the continuous improvement cycle. In much the same way that SMS facilitates continuous improvements in safety, quality assurance ensures process control and regulatory compliance through constant verification and upgrading of the system. These objectives are achieved through the application of similar tools: internal and independent audits, strict document controls and on-going monitoring of corrective actions.
- As discussed in Chapter 1, most modern management systems follow the Plan, Do, Check, and Act (PDCA) cycle of continuous improvement. In this model, all of the individual processes in an organization are planned (PLAN), performed as planned (DO), reviewed to ensure use and effectiveness (CHECK), and modified as necessary to ensure that they are safe, effective and efficient (ACT).
- Simply stated, the Quality Assurance Program provides the CHECK component of PDCA and ensures that the ACT portion of the cycle achieves the desired results.
9.3 Focus on Process
It has been said that «the emphasis with assuring quality must focus first on process because a stable, repeatable process is one in which quality can be an emergent property.» This emphasizes the importance of focusing on process and on the need to ensure that processes are documented. The reason we need to do this is that in order to verify the effectiveness of a process, it must be used; in order to improve a process, we must be assured that the process we are improving was in fact the process that was originally being used. Remember, you cannot improve a process unless that process has been documented. So, what is meant by process? Process is the sequence of steps taken to arrive at a given output, and in the context used here, is the output from planning
9.4 Operational and System QA
- Operational and System QA are two distinct activities and are basic requirements of the Canadian Aviation Regulations. Operational QA verifies that all activities are being conducted in accordance with regulatory and organizational requirements documented in the appropriate approved manual, while System QA evaluates the overall effectiveness of the organization's SMS and the interaction of the individual processes within the organization.
- From TC's perspective, the purpose of Operational QA is similar to that of inspections and audits currently conducted by TC inspectors, specifically to provide assurance that the certificate holder is operating in compliance with regulatory requirements by following the processes documented in the appropriate manual. Subtle but very important differences are that the organization's operational QA will also look at non-regulatory activities and in addition, assess the presence, effectiveness and efficiency of existing processes and make recommendation for improvements. Follow-up of process changes resulting from corrective actions will also be a responsibility of the organization's QA.
- As mentioned above, System QA assesses the overall effectiveness of the SMS and from a regulatory standpoint, an organization is required to review or audit their SMS periodically and for cause. This System QA will typically be provided by a third party, or at a minimum, by personnel other that those assigned regular QA responsibilities. The reason for this is that QA, as a major component of the SMS, will be subject to scrutiny during this review in the same manner as all other SMS component/elements, and you can't have the auditors «auditing themselves». To maintain objectivity, persons not directly involved in the day-to-day operation of the SMS must conduct this activity.
- As the Operational QA capability of an organization matures, it is planned that TC will gradually back away from conducting operational level inspections and audits and focus more on assessing the overall effectiveness of the SMS. This activity will be similar to System QA and will be accomplished in accordance with guidance provided in TC's documentation relating to oversight.
- You will find that the distinction between Operational QA and System QA will lessen where internal audits begin to focus more on process than simply on results. This is especially true if SMS components/elements have been truly integrated into the existing management system.
- The use of audit functions, to verify compliance and standardization, is an integral part of the quality assurance system. An initial audit, covering all technical activities, should be conducted, followed by a recurring cycle of further internal audits. Detailed records of audit findings, including issues of compliance and non-compliance, corrective actions and follow-up inspections should be kept. The cyclical period for recurrent audits is not fixed (at this time) although it is generally accepted that all areas of the organization should be evaluated within each three-year period. The results of the audit should be communicated throughout the organization.
- Depending on the size of the organization, these functions may be performed by individuals within the organization or assigned to external agents. Wherever practical, having regard to the size of the organization, these functions should be undertaken by persons who are not responsible for, and have not been involved in, the certification or performance of the tasks and functions being audited. In this way, the quality assurance function remains neutral and is independent from the operational aspects of the organization.
9.6 Establishing an Internal Audit Program
- The first step in establishing your internal audit (evaluation) program is to develop the policy and procedures under which the program will operate. This policy, which will reside in the approved manual, or if developed, in an SMS Policy Manual that is cross-referenced from the approved manual, is the «higher-level» guidance that describes the QA program in general terms and is normally linked to regulatory requirements. Items included will typically be the commitment to having a QA program, a general description of the program including its purpose, position descriptions including qualifications and training, reporting responsibilities, declaration of the recurrent audit cycle, and reference to a procedures document that will exist outside of the approved manual. The reason for this is that audit procedures will be dynamic and are likely to change as the program itself is subjected to the PDCA cycle of continuous improvement, and you don't want to include this type of material in a document that requires TC approval each time you make changes.
- The procedures document will focus on the specific processes that will be used by QA personnel as they conduct their QA activities. There is ample reference material to guide you in the development of these processes. One source is the TC Inspection and Audit Manual and any of the reference materials such as the Aircraft Maintenance and Manufacturing Inspection and Audit Manual, Commercial and Business Aviation Inspection and Audit Manual or the National Aerodrome Safety Database (NASD). These sources will help you to identify audit specialty areas, prepare checklists, determine audit procedures and define the format and reporting requirements for audit findings and audit reports. Pay particular attention to the development of checklists during this phase of program development, as this is the principle means of identifying the processes that personnel are expected to follow (and will be audited to) for any given activity.
- There is also a wealth of information on quality auditing available from the International Organization for Standardization (ISO). Valuable information can also be obtained from the International Air Transport Association (IATA), specifically information pertaining to the Operation Safety Audit (IOSA).
9.7 Process versus Results Auditing
As previously stated, the distinction between Operational QA and System QA begins to lessen where audits focus more on process than on results. If you are auditing by specialty area (ex, training programs, operational control system, technical dispatch, defect rectification and control, etc.), and if audit checklists have been developed with reference to documented processes that include SMS component/element processes where applicable (training programs for example), then you are doing process auditing. Process auditing involves looking at an entire process including inputs and outputs and related requirements to determine a) if personnel are doing what they are supposed to be doing, and b) if by so doing, that the desired results are being achieved. This will also provide the opportunity to identify the absence of documented processes.
- Audit checklists should be employed to identify all of the technical functions controlled by the approved manual. These should be sufficiently detailed to ensure that all of the technical functions performed by the organization are covered. Accordingly, the extent and complexity of these checklists will vary from organization to organization.
- In the case of a quality audit on an organization's SMS, the checklist should provide a detailed account of the following areas:
- Safety policy
- Safety standards
- Safety culture
- Contractor's safety organization
- Structure of safety accountabilities
- Hazard management arrangements
- Safety assessment, and
- Safety monitoring.
- Examples of detailed audit checklists are provided in TC's Inspection and Audit Manual and Maintenance and Manufacturing, Commercial and Business Aviation companion documents and NASD.
9.9 On-Going Monitoring
The on going monitoring of all systems and the application of corrective actions are functions of the quality assurance system. Continuous improvement can only occur when the organization displays constant vigilance regarding the effectiveness of its technical operations and its corrective actions. Indeed, without on-going monitoring of corrective actions, there is no way of telling whether the problem has been corrected and the safety objective met. Similarly, there is no way of measuring if a system is fulfilling its purpose with maximum efficiency.
9.10 QA Personnel
The quality of the QA program will, in the end, be determined by the quality of the personnel who do the QA work. You will want to ensure that personnel have the knowledge, experience and personal suitability to undertake QA tasks and that they have been provided with audit training such as the TC Audit Procedures Course or with industry courses such as the ISO Lead Auditors Course, the Canadian Standards Association or the International Air Transport Association (IATA) Audit Course.
9.11 Existing Systems
There are many existing quality assurance standards. The most appropriate system for your organization will depend upon the size and complexity of your operation. It should be tailored to meet your specific requirements. As with all components of the SMS it can be as simple or complex as you want and should be monitored to ensure it remains appropriate.
9.12 Role of QA
The role of QA can be summarized as follows:
- Identifies the processes that personnel are expected to follow for a given activity;
- Verifies that personnel are following the required processes;
- Validates the processes by ensuring that the desired outcomes are achieved;
- Identifies undocumented processes and processes that are ineffective and/or inefficient;
- Follows-up on processes that have been changed (corrective actions) to ensure that they are being used and are effective; and
- Provides senior management with the documentary evidence of the above activities.
9.13 How do you know if your SMS is working?
|Component 5 - Quality Assurance||Yes/No|
|A quality assurance program is established and maintained, and the program is under the management of an appropriate person|
|There exists an operationally independent audit function with the authority required to carry out an effective internal evaluation program|
|The organization conducts reviews and audits of its processes, its procedures, analyses, inspection and training|
|The organization has a system to monitor for completeness the internal reporting process and the corrective action completion|
|The quality assurance system covers all functions defined within the certificate(s)|
|There are defined audit scope, criteria, frequency and methods|
|A selection/training process to ensure the objectivity and competence of auditors as well as the impartiality of the audit process|
|There is a procedure to record verification of action(s) taken and the reporting of verification results|
|The organization performs a periodic Management review of safety critical functions and relevant safety or quality issues that arise from the internal evaluation program|
|There is a procedure for reporting audit results and maintaining records|
|There is a procedure outlining requirements for timely corrective and preventive action in response to audit results|
10.0 COMPONENT 6 - EMERGENCY RESPONSE PLAN
- Emergency planning should aim, where possible, to prepare an organization in the event that an emergency situation occurs. This preparation should, through good planning, reduce, control or mitigate the effects of the emergency. It is a systematic and ongoing process, which should evolve as lessons are learnt and circumstances change.
- Emergency planning should be viewed as part of a cycle of activities beginning with the establishment of a risk profile to help determine what the priorities are before developing plans and ending with review and revision.
- The maintenance of plans involves more than just their preparation. Once a plan has been prepared, it must be maintained systematically to ensure it remains up-to-date and fit for purpose at any time in case an emergency occurs. In cases where the organization is the holder of multiple certificates or deals with external service providers they may choose to develop a joint emergency plan with a formal set of procedures governing them all. For example, in the event that an aircraft evacuation is required on the manoeuvring area of an airport, the police would need carefully pre-planned co-operation from various other organisations such as fire and ambulance services and the local authority, as well as involvement of others such as passenger transport organisations listed in respective plans.
10.1.1 Who do we plan for?
- Plans should focus on at least three key groupings of people - the vulnerable, victims (including survivors, family and friends) and responder personnel
- Vulnerable people may be less able to help themselves in an emergency. Those who are vulnerable will vary depending on the nature of the emergency, but plans should consider: those with mobility difficulties (e.g. those with physical disabilities or pregnant women); those with mental health difficulties; and other who are dependent, such as children.
- Victims of an emergency – which includes not only those directly affected such as aircrew but also those who, as family and friends, suffer bereavement or the anxiety of not knowing what has happened.
- Responder personnel should also be considered. Plans sometimes place unrealistic expectations on management and personnel. Organisations should ensure their plans give due consideration to the welfare of their own personnel. For instance, the emergency services have health and safety procedures, which determine shift patterns and check for levels of stress.
10.1.2 What do we plan for?
Organisations should aim to maintain plans which cover three different areas:
- Plans for preventing an emergency - in some circumstances there will be a short period before an emergency occurs when it might be avoided by prompt or decisive action.
- Plans for reducing, controlling or mitigating the effects of an emergency - the main bulk of planning should consider how to minimise the effects of an emergency, starting with the impact of the event (e.g. alerting procedures) and looking at remedial actions that can be taken to reduce effects. For example, the emergency services may be able to stem the emergency at source by fighting fires, combating the release of toxic chemicals or the extent of floods. The evacuation of people may be one direct intervention, which can mitigate the effects of some emergencies. Recovery plans should also be developed to reduce the effects of the emergency and ensure long-term recovery.
- Plans for taking other action in connection with an emergency - Not all actions to be taken in preparing for an emergency are directly concerned with controlling, reducing or mitigating its effects. Emergency planning should look beyond the immediate response and long-term recovery issues, to the secondary impacts. For example, the wave of reaction to an emergency can be quite overwhelming in terms of media attention and public response. Plans may need to consider how to handle this increased interest.
10.1.3 When do we activate the plan?
As obvious as it may sound, emergency plans should include procedures for determining whether an emergency has occurred, and when to activate the plan in response to an emergency. This should include identifying an appropriately trained person who will take the decision, in consultation with others, on when an emergency situation has occurred.
10.1.4 Why is it important to practice emergency response and to train staff appropriately?
- Organisations should test the effectiveness of their emergency plans by carrying out exercises, and should ensure that key staff involved in the planning for or response to an emergency receives appropriate training. Training plans should also consider other people who have a role in the emergency plans such as contractors and volunteer partners. The plans themselves should explicitly identify the nature and frequency of training and exercising required.
- The plans are normally evaluated by conducting communication (desk top) exercises that include all aspects of their emergency response plan. These exercises should involve all intervening agencies. An exercise performance report should be created and forwarded to the key agencies in a timely manner.
- Operational exercises such as, on board emergency, fuel spill response, fire drill, involving all intervening agencies listed in the plans for a defined scenario should be conducted on a regular schedule to test individual applications or the entire emergency plan.
- The emergency response plan should include sections dealing with the conducting of operational exercises such as the following involving the simulated response of one or more specialized agencies:
- Specialty exercises;
- Minor exercises;
- Local exercises;
- Other types of exercises as required by regulations specific to the certificate.
- The activation of the plan for a real event or an exercise should be followed by a discussion/critique of the incident or exercise.
10.1.5 Plan Coordination
- A resource identified in an emergency plan should be available in a timely manner and should have the capability to do their intended function. Restriction on the use of the resource should be taken into account, be reviewed by legal counsel, be signed by a responsible official, define liability and detail funding and cost arrangements. The term “mutual aid agreement” as used here includes cooperative assistance agreements, or other terms commonly used for the sharing of resources.
- It is important for plans to be coordinated and integrated to ensure responsible managers are competent in other organisations' roles. As an example, a fuelling operator should provide a copy of their emergency response plan to the aerodrome operator and the airline for which it is operating. The emergency response plan should be updated by the fuelling operator and forwarded to the other operators when there is a change within any of the components of the emergency response plan. The fuelling operator should ensure its emergency response plan is compatible with the airport and airline emergency plan.
10.1.6 Using External Volunteers
Where appropriate, organisations should consider at an early stage in planning whether voluntary organisations might have capabilities, which could assist in responding to an emergency. The voluntary sector can provide a wide range of skills and services in responding to an emergency. These include: practical support (e.g. first aid, transportation, provisions for responders); psycho-social support (e.g. counselling, help lines); equipment (e.g. radios, medical equipment); and information services such as public training and communications). Specialized volunteer groups (e.g. Red Cross, amateur radio, religious relief organizations, charitable agencies can be very helpful in most situations.
10.1.7 Continuous Improvement
Unless specified in the CARs, the plan should be reviewed at least annually and updated as necessary. It should also be re-evaluated when any of the following occur:
- Regulatory changes;
- New hazards are identified or existing hazards change;
- Resources or organizational structures change;
- After tests, drills, or exercises;
- After disaster/emergency responses; and
- Infrastructure, economic, geopolitical changes.
10.1.8 What are incident management and business continuity?
- A sound response planning program goes a long way in ensuring that the effect of an event on the certificate holder's business is minimised. The plans should highlight the business continuity elements to educate employees, partners and stakeholders of the necessity for advance planning to allow the resumption of business as soon as safely practicable following an event.
- In aviation a single event can impact multiple operations including but not limited to, air traffic control, information technology, military, police, air crews, ground crews, hangar operations, transportation, maintenance, suppliers, engineering, personnel, public relations, medical services, environment, legal, finance, risk management, customs, immigration, food inspection health and safety, security, stakeholders, and fire fighting/rescue.
- When determining the inclusion of the above in an emergency plan, consideration should be given to establish a coordinated and cooperative approach to the incident management.
- Decisions made and actions taken in the day-to-day administration of the emergency plan crucially affect the ultimate implementation of the incident management system in times of disaster/emergency. Therefore, the plan should be developed in consultation with those persons representing key functional areas.
- All planning elements cross boundaries during each of the four phases of disaster/emergency management (mitigation, preparedness, response, recovery). Each element should not be considered independently, but in relation to each of the four phases. For example, an entity might have the appropriate authority to conduct disaster/emergency operational response but lack authority to take action at an event to mitigate the occurrence or assist an operator in the recovery and business resumption plan.
- There should be a responsive financial management and administrative framework that complies with the operator's program requirements and is uniquely linked to disaster/emergency operations. The framework should provide for maximum flexibility to expeditiously request, receive, manage, and apply funds in a non-emergency environment and in emergency situations to ensure the timely delivery of assistance. The administrative process should be documented through written procedures. The program should also be capable of capturing financial data for future cost recovery, as well as identifying and accessing alternative funding sources and managing budgeted and specially appropriated funds.
- Business continuity planning incorporates both the initial activities to respond to a disaster/emergency situation and the restoration of the business and its functions to pre-disaster levels.
- Specific areas to consider in continuity plans include:
- Succession to ensure that the leadership will continue to function effectively under disaster/emergency conditions.
- Pre-delegation of emergency authorities to ensure sufficient enabling measures are in effect to continue operations under disaster/emergency conditions.
- Emergency action steps that facilitate the ability of personnel to respond quickly and efficiently to disasters/emergencies. Checklists, action lists, and/or standard operating procedures (SOPs) have been written that identify disaster/emergency assignments, responsibilities, and emergency duty locations. Procedures should also exist for alerting, notifying, locating, and recalling key members of the entity.
- Primary emergency operations centre from which direction and control is exercised in a disaster/emergency. This type of centre is designated to ensure that the capability exists for the leadership to direct and control operations from a centralized facility in the event of a disaster/emergency.
- An alternate facility from which direction and control is exercised in a disaster/emergency should the primary centre become unavailable, or should it be determined that the alternate facility is a more appropriate location from which to handle the disaster/emergency.
- The measures that are taken by the operator to protect vital records for example, financial, data, passenger lists, personnel records, and engineering drawings for the effective functioning of the organisation under disaster/emergency conditions and to maintain the continuity of operations.
- The measures that are taken to disperse resources and personnel in a manner that will provide redundancy to ensure the entity can continue to function during disaster/emergency conditions.
- Plans should address deployment procedures to relocate/replicate resources or facilities, increase protection of facilities, and inform and train personnel in protective measures.
10.1.9 Incident Management Facilities
Facilities identified in the plan should be capable of accommodating any combination of essential representatives who are identified in the operator's plan. Facilities should have adequate workspace, communications, and back-up utilities and should meet other basic human needs for each representative. Essential functions include gathering essential information capable of providing centralized direction and control, and warning for response and recovery actions. Facilities should be located so that they are not impacted by the same event.
10.2 How do you know if your SMS is working?
|Component 6 - Emergency Response Preparedness||Yes/No|
|The organization has an emergency preparedness procedure, appropriate to the size, nature and complexity of the organization|
|The Emergency preparedness procedures have been documented, implemented and assigned to a responsible manager|
|The emergency preparedness procedures have been periodically reviewed as a part of the management review and after key personnel or organizational change|
|The organization has a process to distribute the ERP procedures and to communicate the content to all personnel|
|The organization has conducted drills and exercises with all key personnel at intervals defined in the approved control manual|
- The implementation of SMS represents a fundamental shift in the way we all do business. SMS require organizations' to adopt the components and elements detailed in this document and to incorporate them into their everyday business practices. In effect, safety becomes an integral part of the everyday operations of the organization, it becomes, quite simply, the way you do business.
- SMS is also being integrated into the international arena with the introduction of International Civil Aviation Organization (ICAO) SMS requirements for all ICAO signatories in January 2009.
- For SMS to be a success, however, TC, like the industry we regulate, must undertake numerous changes internally and externally. We have established an internal discipline policy that promotes and rewards the behaviours we are striving to achieve. Likewise we have made changes to the external enforcement policy to promote this within our stakeholders
- Fundamental to the SMS journey is the development of a robust yet flexible regulatory framework that accommodates safety management systems. To facilitate this change TC has introduced performance based regulations and has adopted a framework for SMS that obliges the industry to acquire an improved capacity to assure for itself that it is safe and compliant, and TC has new expectations related to this capacity.
- Accordingly, TC has made changes to the system of oversight to accommodate this. In the future, the regulator will oversee the effectiveness of the SMS and withdraw from the day-to-day involvement in the companies it regulates. Interventions will focus on the systems in place to manage the organization's operations and the outputs of the system, rather than assuring line-by-line adherence to the regulations through forensic auditing. It is the responsibility of the organization to identify the day-to-day issues operational issues.
- The operator must have effective programs in place to discover, analyse and correct safety issues, with minimal intervention at the operational level from TC. This shift does not constitute self-regulation nor does it represent an abrogation of the role of the regulator for the oversight of the Civil Aviation system. It represents an opportunity for organization's to work in conjunction with TC to demonstrate compliance within a performance-based framework. Organization's will be required to involve TC when issues are identified through their SMS. This will provide TC with an awareness that the organization's SMS is working effectively.
- The success of the system will hinge on the development of a safety culture that promotes open reporting, through the adoption of safety reporting policies and continual improvement through, proactive safety assessments and quality assurance.
- The SMS philosophy requires that responsibility and accountability for safety be retained within the management structure of the organization. The accountable executive and senior management are ultimately responsible for safety, as they are for other aspects of the enterprise. The responsibility for safety, however, resides with every member of the organization; in safety management, everyone has a role to play.
12.0 CONTACT OFFICE
For more information please contact:
Technical and National Programs (AARTM)
Suggestions for amendment to this document are invited and should be submitted via the Transport Canada Civil Aviation Issues Reporting System (CAIRS) at the following Internet address:
or by e-mail at: CAIRS_NCR@tc.gc.ca