Advisory Circular (AC) No. 505-003

Safety Management Systems for Design Organizations

Issuing Office: Standards
Activity Area: Qualifying Document No.: AC 505-003
File No.: A 5009-32-4 U Issue No: 02
RDIMS No.: 4454462 – v4 Effective Date: 2008-12-01


This Advisory Circular (AC) is provided for information and guidance purposes. It may describe an example of an acceptable means, but not the only means, of demonstrating compliance with regulations and standards. This AC on its own does not change, create, amend or permit deviations from regulatory requirements, nor does it establish minimum standards.

1.1 Purpose

The purpose of this AC is to propose implementation plan and provide guidance on the development process, format, and content of a SMS for design organizations that choose to establish an SMS prior to the regulation coming into force.

1.2 Applicability

This document is applicable to Transport Canada Civil Aviation (TCCA) Aircraft Certification personnel, and to industry.

1.3 Description of Changes

This document, formerly AC 505-003 Issue 01, has been reissued as AC 505-003 Issue 02. With the exception of minor editorial changes and updated references, the content is unaltered.


2.1 Reference Documents

It is intended that the following reference materials be used in conjunction with this document:

  1. Part I Subpart 06 of the Canadian Aviation Regulations (CARs)—Accountable Executive;

  2. Subpart 107 of the CARs—Safety Management Systems;

  3. Civil Aviation Directive (CAD) 30—Risk Management and Decision-Making in Civil Aviation;

  4. Staff Instruction (SI) SUR-001 Issue 01—Safety Management System Assessment and Program Validation Procedures;

  5. Transport Canada Publication (TP) 13521—Flight 2005 – A Civil Aviation Safety Framework for Canada;

  6. TP 13739—Introduction to Safety Management Systems;

  7. TP 14343—Safety Management Systems Implementation Procedures Guide;

  8. TP 14469—Flight 2010 – A Strategic Plan for Civil Aviation;

  9. Transport Canada Civil Aviation Safety Management Systems Website, and

  10. Canadian Standards Association Standard CAN/CSA-CEI/IEC 300-9-97—Dependability Management.

2.2 Cancelled Documents

As of the effective date of this document, the following document is cancelled:

  1. AC 505-003 Issue 01 Issue 01 2006-05-01—Safety Management Systems for Design Organizations.

2.3 Definitions and Abbreviations

The following definitions and abbreviations are used in this document:

  1. Assessment means a process of examining an organization’s SMS and evaluating its effectiveness, based on the SMS components and elements. This extends from an evaluation for regulatory compliance;

  2. Design means the preparation of drawings, processes, material specifications and reports that, in total, define an aeronautical product or a modification or a repair to an aeronautical product;

  3. Design Organization means an organization that designs, modifies or repairs aeronautical products for the purpose of obtaining a design approval;

  4. Organization when used alone means all functions of a civil aviation company. It encompasses the design organization, maintenance and manufacturing, finance and administration, contracted suppliers, etc.;

  5. Regulation In-force Date means the date that the amendments to the CARs, incorporating the requirement for a design organization to have an SMS, are published in Canada Gazette II. This date is anticipated to be in 2010; and

  6. Safety Management System (SMS) means a documented process for managing risk that integrates operations and technical systems with the management of financial and human resources to ensure aviation safety or the safety of the public. This is the same definition found in Section 101.01 of the CARs.


  1. In Flight 2005 A Civil Aviation Safety Framework for Canada, refer to TP 13521, TCCA committed to the implementation of SMS in civil aviation organizations. The continuing aim is to improve safety through proactive management rather than reactive compliance with regulatory requirements. The goals of SMS are to increase industry accountability, to instil a consistent and positive safety culture, and to help improve the safety performance of aviation organizations.

  2. Introduction to Safety Management Systems is a document that outlines the theories, principles and philosophies related to this initiative. The information presented is applicable to all organizations. In that document, TCCA affirmed that Canada has an enviable civil aviation safety record. However, TCCA also concluded “the most efficient way to make the Canadian aviation system even safer will be to adopt a systems approach to safety management”. Subsequently, TCCA began implementing SMS, using a phased-in approach.

  3. In 2005, in accordance with Section 107.01 of the CARs, SMS regulations applying to certain applicants for, or holders of, approved maintenance organization certificates or air operator certificates came into force. In TP 14469 Flight 2010, amendments to these regulations are anticipated to enter into force and will thereafter apply to design organizations.

  4. In all cases, the SMS shall apply to the organization as a whole, and not to discrete entities within it. An organization may conduct multiple gap analyses while implementing their SMS as a result of the various regulation in-force dates for the TCCA branches. However, there will be one SMS that encompasses all activities within that organization, as intended by Subpart 107 of the CARs. Each SMS should be tailored to the organization, and while no two systems will be identical, they may have some common components. SMS is performance based; organizations shall be held more accountable for their day-to-day operations, but should have the flexibility required to create the most appropriate system for them. The SMS shall require the organization to integrate safety into written management and employee policies, practices and procedures. The identification of hazards, and risk strategies to mitigate them are the foundations of an SMS that will help an organization continually improve its safety record. SMS is a tool with which to manage safety. It is not a substitute for compliance with regulations.

  5. TCCA has created a website dedicated to development and implementation which contains many of the reference documents cited in this AC, as well as frequently asked questions. It also contains examples of how other civil aviation areas such as Aircraft Maintenance and Manufacturing, are addressing the various components and elements which comprise an SMS. Design organizations are encouraged to adapt and personalize any of the information to meet their own requirements, refer to section 2.3, of this AC for additional reference and guidance documents.


  1. Design organizations are encouraged to begin well in advance of the regulation in-force date. A mature SMS takes considerable time to develop, validate and expand. The development of SMS is progressive, but it must also remain relevant and sustainable. The regulatory requirements for SMS in design organizations are anticipated to be implemented in four phases, extending over a three-year period. As the SMS matures, design organizations shall be required to verify and improve the policies, processes, documentation, etc. Management requirements, safety scope (such as product safety, employee safety, and property safety), employee roles, responsibilities and accountabilities, and applicable regulations or standards should be detailed and verified. By the end of the implementation period, all components and elements should be in place, and should result in a comprehensive SMS in which stakeholders have confidence.

  2. At the regulation in-force date, design organizations will be exempt from regulatory requirements only if they comply with the deadlines and required elements for each of the four phases. Alternatively, design organizations that do not take advantage of the exemption(s) must be in full compliance with the applicable SMS regulations within 30 days of publication in the Canada Gazette II. No extensions shall be granted, and not meeting the requirements may result in suspension of privileges.

  3. Appendix A of this document identifies the components and elements that an organization shall have in place at the end of each phase. It also outlines additional requirements such as an organizational implementation plan.


  1. The focus of SMS is to improve aviation safety. To achieve this focus, it is necessary to implement effective processes and procedures driven by defined performance criteria. Each must be consistent with the others; they shall be fully documented, effectively implemented, continually reviewed and improved by feedback processes. Consequently, design organizations shall be required to describe their SMS in terms of components, inputs, business processes, outputs and feedback. As well, they shall be required to provide traceable, verifiable and auditable links that describe interactions between the elements of the system.

  2. Based on the requirements of Section 107.03 of the CARs, TCCA has developed an SMS model. This model has six components and corresponding elements, which will be defined in sections 6.0 to 11.0 of this AC:

    1. Safety Management Plan;

    2. Documentation Management;

    3. Safety Oversight;

    4. Training;

    5. Quality Assurance; and

    6. Emergency Preparedness.

  3. Fundamental changes concerning the roles and accountability of both the design organization and the regulator are introduced by SMS regulations. The requirement for an SMS, however, is based on existing airworthiness standards and many elements identified in this model will already be present in the existing organizational structure. A gap analysis should determine what components and elements are already in place, and identify those that are missing. Design organizations shall be required to complete the gap analysis by the end of Phase I.

  4. The components and elements of an SMS outlined in this AC parallel the structure of the Master Protocol contained within Safety Management Systems Assessment Guide. Although the focus of this document is on air operators and approved maintenance organizations, the implementation of SMS for design organizations will be similar, and the general information contained in the Implementation Guide may provide additional guidance. The Master Protocol expands the six components of the SMS model and the associated elements by defining the expectations for each. The Assessment Guide and this AC should be used by design organizations when conducting the gap analysis. The guide is the tool that TCCA should use to systematically assess SMS, and it should be used in support of the assessment activity to generate a case-specific protocol for a design organization. The assessment should not be an inspection or compliance audit but should focus on the effectiveness of the SMS itself.


The first component of SMS is a Safety Management Plan. It is comprised of the elements outlined in this section, and each should be fully described and documented. The completed safety management plan is required by the end of Phase 2.

6.1 Safety Policy

  1. The written safety policy of an organization should be a concrete expression of the organization’s philosophy and its commitment to safety. It shall be signed by the accountable executive, who in accordance with Subsection 106.01(2) of the CARs, is the person that has financial and human resources control for the organization. Each organization shall appoint only one accountable executive, and they should identify the name of this person to TCCA by the end of Phase 1.

  2. The safety policy should be a concise and straightforward statement. It is an expression of the direction that management intends to take in accomplishing the organizational safety goals. As a minimum, it should include a commitment:

    1. To develop, establish and continually implement an SMS for all facets for the organization;

    2. To dedicate safety as a core value of the organization, and to stipulate that identical safety requirements are applied to all employees, contractors, and partners of the organization;

    3. To review the safety policy periodically;

    4. To promote participation of employees, contractors and partners in implementing the safety policy and the SMS;

    5. To establish and practice formalized and interactive communication avenues;

    6. To establish a non-punitive reporting policy for all employees and stakeholders; and

    7. That the ultimate responsibility for safety rests with the accountable executive.

  3. The safety policy shall be in writing, and may be formatted in many ways. However, a simple statement is preferable to a complex one. The safety policy should address and integrate the entire organization; for an organization with design and certification responsibilities, it should not only address organizational safety issues but should also specifically address product safety.

  4. Once the safety policy is defined, procedures that are consistent with that policy should be devised to implement it. Well thought out and documented procedures help ensure that practices are consistent with the company’s safety policy and clarify management’s intent. As well, other documents such as organization charts, lines of authority and responsibility, applicable regulations and standards, and performance measures shall be written in support of the safety policy.

6.2 Non-Punitive Reporting Policy

  1. The organization shall have a written non-punitive reporting policy. Error is a normal component of human performance and can never be completely eliminated. An effective safety culture develops the capacity of employees to perform their duties and does not focus on assessing blame or punishing an employee for honest errors. At the same time, it encourages the reporting of safety related hazards and concerns. Such a safety culture encourages an atmosphere of cooperation and openness in which employees feel comfortable about reporting and discussing errors or potentially unsafe actions and conditions to foster improvement. An error-tolerant SMS nevertheless requires appropriate responsibility and accountability. To encourage the reporting of safety concerns, the environment should be non-punitive, and the employee should receive timely feedback on the disposition of the concern.

  2. However, even within a non-punitive reporting environment there are certain acts that should require disciplinary action (for example, wilful negligence, criminal intent or use of illicit substances). The safety policy statement should therefore clearly differentiate between those errors that are tolerated, and those for which employees could be disciplined.

6.3 Roles, Responsibilities and Employee Involvement

  1. Employees should have the opportunity to contribute to the development and implementation of an SMS, as they are ideally placed to provide initial identification of safety concerns in their particular areas of expertise. Their involvement in the decision making process not only fosters ownership of the system, it also promotes a positive safety culture. This reinforces the entire safety objective of the organization and is critical to its success.

  2. The organization shall document and define the roles and responsibilities of key personnel. The safety policy should contain statements that consider the following principles:

    1. Everyone has a responsibility for safety;

    2. Senior management should be dedicated to, and involved in implementing safety and safety practices. Management should commit to undertake a leadership role in the SMS; and

    3. The commitment to provide the resources necessary to attain the strategic safety objectives established by the organization, and to be accountable for safety within the organization, should be explicitly stated.

  3. Additionally, the organization should highlight key information for each position. For example, supporting documentation should include the:

    1. Safety responsibilities for each position and task;

    2. Competencies required for each position;

    3. Lines of responsibility for ensuring all staff are competent and trained for their duties, and for ensuring that training takes place;

    4. Safety goals, standards and procedures applicable to each employee;

    5. Managerial responsibilities for externally supplied services; and

    6. Responsibilities for ensuring that all associated contracting companies meet the organization’s SMS standards or an equivalent to them.

  4. Reporting relationships and lines of authority should be clearly indicated for all staff within the organization. An organizational diagram may assist in clarifying the lines of responsibilities so that the function of safety may be realized. Once established, the diagram should be widely distributed.

  5. The following figure offers an example of how the lines of responsibility might be established. In this sample diagram for an enterprise (multiple-certificate) organization, formal reporting relationships for line responsibilities are grouped together. The dotted lines represent lines of communication between all employees irrespective of function, reflecting the principle that safety is the responsibility of everyone in the organization. This results in an SMS that is fully integrated into all line activities, and to which all staff contribute. Each functional head receives input from the staff for which he is responsible, but there is also communication between them, at all levels. In accordance with Section 106.04 of the CARs, there is only one accountable executive who shall be responsible for the operations or activities authorized under the certificates. The SMS is integrated into, and across the organization.


    Click on image to enlarge
  6. Roles, responsibilities and accountabilities should be well defined, and lines of authority should be clearly understood. The following principles apply:

    1. The accountable executive shall be responsible for establishing and maintaining the SMS.

    2. The manager of each functional area should be directly responsible for the safety program, including assigning goals and identifying standards of safety and procedures in effect for his functional area. This is the person with direct line responsibility for the affected area, and who is directly involved in the decision making process. He should have the knowledge and expertise to recommend effective corrective and preventative actions and have the authority to assign the appropriate resources where required. Management should demonstrate its own active commitment to SMS by:

      1. Putting safety matters on the agenda of meetings at all levels;

      2. Being actively involved in safety activities and reviews at both local and remote sites;

      3. Allocating the necessary resources, such as time and money to safety matters;

      4. Setting personal examples in day-to-day work;

      5. Receiving and acting on safety reports submitted by employees; and

      6. Promoting safety topics in organizational publications.

    3. All employees, including authorized persons and other persons in non-technical areas such as type certification program management, are responsible for determining and implementing appropriate comprehensive safety actions (both proactive and reactive) within the organization.

    4. Individuals employed within an operational area should exercise the SMS functions within that specific operational area.

    5. To ensure that the SMS operates effectively, the following tasks should be delegated to organization personnel as appropriate:

      1. Determine safety goals;

      2. Establish safety standards and procedures;

      3. Establish and maintain an issue reporting process to collect and analyze safety related data;

      4. Conduct hazard identification and risk management analysis;

      5. Conduct periodic reviews to determine the effectiveness of the program;

      6. Develop and evaluate the results of safety initiatives;

      7. Monitor aviation industry safety concerns that could affect the organization;

      8. Monitor technological developments that could affect aviation safety;

      9. Determine the adequacy of training programs; and

      10. Advise safety concern reporters of the results of safety concern analyses.

    6. Although enterprise organizations may choose to employ a safety office as a consultative or administrative body, there is no regulatory requirement to have one. Currently in many organizations, the safety office is considered to be a stand-alone entity equal to any other operational body. In SMS, safety is considered to be the responsibility of every person and should not be unique to the safety office. Where a safety office exists however, it may act as a repository for safety related reports, information, and occupational health and safety issues. It may provide risk assessment and data analysis expertise to the design organization’s functional directors. The safety office may provide data directly to the accountable executive regarding major safety issues identified by the system. However, the responsibility for informing the accountable executive of safety deficiencies identified within his responsible area remains with the appropriate functional director. Furthermore, while the safety office may be involved in discussions regarding possible corrective action, the functional director should be responsible to determine what the corrective action will be, and to ensure that the outcome is monitored and evaluated. A safety office shall not have the authority to overturn operational decisions related to safety issues identified by the functional director or by the safety management system itself.

    7. Enterprise organizations may also benefit from the use of a safety committee. Safety committees provide a forum for discussing safety related issues from a cross-functional perspective and may lead to the inclusion of issues that look at safety from a broader viewpoint. They also provide a means by which safety achievements can be reviewed and safety information can be broadcast. A safety office may coordinate and provide administrative assistance to the safety committee, but the safety committee may also exist as a stand-alone entity, and either may exist without the other. The accountable executive should be the chair of the safety committee, on which all parts of the organization shall be represented. The existence of a safety committee does not preclude the possibility of establishing sub-committees with specific areas of responsibility.

6.4 Communication

  1. Good communication between management and staff is an essential element of an effective SMS. The ideal safety culture embodies a spirit of openness and demonstrates support for staff and the systems of work. Senior management should be accessible and dedicated to making the changes necessary to enhance safety. They should be available to discuss emerging trends and safety issues that are identified through the SMS.

  2. Management should communicate established safety policies to all employees. Communication of policies should be timely, comprehensive, relevant and clear. The most effective and efficient means of communication should be dependent on the size and nature of the organization, but all safety related information should be disseminated to all personnel.

  3. Section 107.03 of the CARs requires that organizations establish procedures for employees to report issues, hazards and concerns as they arise, and to ensure that reports are acknowledged, analyzed and resolved in a timely manner. An issues reporting process that is not trusted or that employees do not use will not meet this requirement. The issues reporting process should be maintained and updated in order to remain relevant. Providing feedback to employees is important; they should be notified when a safety report is received, or when a potential safety threat is discovered. Further information should be provided pursuant to investigation, analysis and corrective action. Manufacturers and operators may also provide important safety information and reliability data related to the design organization’s specific needs. Any safety concern, whether it is in regards to the organization or the product should be reported. Some examples relevant to a design organization are:

    1. Introduction of unsafe design elements;

    2. Poor communication within the organization;

    3. Time constraints affecting the checks and balances related to design;

    4. Inadequately designed or ineffective tests;

    5. Inadequate checklists;

    6. Inadequate quality control systems;

    7. Non-compliance with standards and regulations;

    8. Failure to follow established procedures;

    9. Use of outdated information, materials, etc.;

    10. Inadequate tool or equipment control;

    11. Difficulty obtaining parts;

    12. Resource constraints;

    13. Budget issues;

    14. Poor scheduling;

    15. Confusing instructions;

    16. Sub-contractor design or process changes;

    17. Service Difficulty Reports; or

    18. Airworthiness Directives.

  4. Existing paperwork such as reports or logs may be incorporated into the issue reporting process, and the gap analysis will help to determine whether additional functionality is required. Once received, reports shall be analyzed as part of the safety oversight component (described in section 8.0 of this AC), to determine what action must be taken. When the issue requires action, that information must go to the person who has the responsibility and the authority to take it. The credibility of the process is preserved when the outcome is fed back to the person who made the initial suggestion or report of a safety concern. If it is decided that no action is appropriate, that decision and the reasons for it should also be fed back to the reporter.

  5. All employees should be able to access and use safety information relating to the organization’s own performance. Therefore, management shall establish a process to collect and analyze safety data. The safety information process should be appropriate to the size of the organization. At a minimum, it shall include:

    1. Safety goals and evaluation of progress towards those goals;

    2. Performance measurement criteria (more information on performance measurement may be found in section 6.6);

    3. Records of errors, including internal and external investigations;

    4. Findings and corrective actions;

    5. Preventative actions and their effects;

    6. Safety concerns raised by employees including analysis and the resultant action;

    7. Results of safety reviews and audits, and when appropriate, corrective action; and

    8. Records of all safety initiatives or interventions.

  6. Information may be disseminated in a variety of ways (for example, an organizational publication or website may be used). All employees should remain informed as to where safety related information may be found. The entire organization should be aware of safety issues and understand that the organization is actively seeking to address them. Examples of information that should be communicated include:

    1. Those listed in paragraph 6.4(5) of this AC;

    2. Regulations applicable to the activities carried out by the organization;

    3. Policies related to standards of safety;

    4. Safety procedures;

    5. Performance measurement procedures;

    6. Practices which are not acceptable;

    7. Best practices followed specifically within the organization, and generally in industry;

    8. Information on compliance findings; and

    9. Updates on safety issues.

6.5 Safety Planning, Objectives and Goals

  1. Safety involves everyone. The owner, the accountable executive, or any other individual in an organization does not accomplish it in isolation. The best way to establish safety, as a core value is to make it an integral part of the management plan. Safety goals, priorities and key results should be determined, and managers and employees should be held accountable for achieving them. To be effective, goals and objectives should be practical, achievable and verifiable. Deadlines to meet them should be established. Success or failure in meeting safety goals should be treated in the same way as success or failure at meeting any other type of goal.

  2. From a design perspective, the overall safety objective is the identification and elimination of design features that could compromise the safety of the aircraft during its entire life cycle. If all possible safety risks are identified and mitigated during the design stage, then development of performance goals and maintenance programs will be easier. The life cycle of an aircraft includes:

    1. Research and development;

    2. Advance design;

    3. Detailed design;

    4. Flight Testing;

    5. Certification;

    6. Production;

    7. Ongoing product improvements;

    8. Operation; and

    9. Continuing Airworthiness.

  3. Safety analysis, that is, all the analyses required to ensure product safety, should be implemented at the beginning of the product life cycle, in order to mitigate the risks to an acceptable level. However, because SMS is intended to address all facets of the organization, safety analysis should be applied to more than design review. Common daily activities, test facilities and schedules for example, should also be considered.

  4. When safety analysis is being directed to an innovative design element or new technology, the safety analysis should evaluate whether the technology is mature, whether the company has sufficient expertise and whether the benefits outweigh the risks. The safety analysis should consider that failures, operating procedures, human factors etc. may also contribute to hazards.

  5. The safety analysis may be complemented by a reliability evaluation encompassing tools for functional hazard, failure mode and effects criticality, or fatigue analyses.

6.6 Performance Measurement

  1. The safety performance of the organization should be monitored, both proactively and reactively, to ensure that the key safety goals continue to be achieved. Monitoring by assessment forms a key element of this activity and should include both a quantitative and qualitative assessment. Performance measurement should be integrally linked to the company’s stated overall safety policy and objectives, and against explicitly stated criteria. Safety performance targets must be realistic, and the parameters must be measurable.

  2. Establishing effective performance measurement criteria is one of the most important and potentially challenging aspects of creating an SMS. The right things must be measured, and they must be measured in the right way. In some cases, a numerical count is sufficient, but in many others, performance measurement indicators must be established and then supported with corresponding data elements and sources to measure them.

  3. Each indicator, measuring tool, and supporting data source should be documented. As well, it is important to identify who is responsible for data collection, for writing narrative conclusions and for managing the project. The analysis and evaluation of each performance measure should address the following information:

    1. An overall summary of what has been accomplished in the past year;

    2. Further details demonstrating how the results have been achieved; and

    3. A description of the need for and the impact of these results.

  4. The summary information may then be consolidated with other information to provide further conclusions in the context of the overall organization, and to create a final performance measurement report.

  5. When establishing the performance metrics, consider the following activities for all areas of the organization’s operation:

    1. Describe the major activity areas or results. These are the means to achieve the outcome. All activity areas that support the performance measure should be included;

    2. Identify the key outputs. Each activity area results in various measurable outputs;

    3. Establish a performance goal for the outputs. Consider the importance, potential gain, and achievability of each goal. Where possible, assign objective criteria so that changes may be measured;

    4. Define the measures for the outputs. These should reflect the output, and not the procedures. They should be based on measurable data, and reflect the activity areas and results. They should contain metrics for bench-marking, be practical and easily understood; and

    5. Identify the required metrics. The performance metrics must be specific, measurable, realistic and timely. The best approach may be to measure everything, until the organization determines which metrics are the most useful to them. For example, metrics may include:

      1. Trend against known standards;

      2. Trends for the new standards to be established; or

      3. Milestones achieved.

  6. Reactive measuring of safety concerns involves counting why and how often an undesirable outcome, such as an accident or incident, occurs. A common weakness in assessing safety goals is focusing only on reactive measures. Although this information is important, the overall goal in a design organization remains the initial and continued safety of the product during its life cycle. In an SMS, there may be more precise and useful ways of measuring achievement of this goal than counting undesirable outcomes.

  7. Identifying and qualitatively analyzing proactive measures taken to prevent undesirable outcomes is a useful approach. For example, it may be more valuable to the organization to assess how often and how effectively the design organization used appropriate testing to avoid creating unsafe conditions than to count how often corrective action was taken to fix an unsafe condition.

  8. Proactively, there are always measures that can be taken to make a system safer. Sound management requires that such measures are identified and examined to determine how they may be achieved, how success in achieving them may be measured, and who will be held accountable for the results. Risk management procedures may help managers decide where the greatest risks are, and help set priorities. Sound safety goal setting concentrates on identifying systemic weaknesses and precursors to undesirable outcomes, and either eliminating or mitigating them. The results of all safety performance monitoring should be documented and used as feedback to improve the system.

6.7 Management Review

  1. The accountable executive shall initiate regular reviews, in which the employees take an active part, to determine if the SMS is operating effectively. An internal assessment of the SMS should document whether or not the system works, how communication of safety issues is effected, what specific safety goals have been set, and whether or how they have been met, the success of any corrective action plans that have been undertaken and the risk reduction strategies that have been implemented. One of the results of the review should be to indicate whether the safety objectives in the SMS policy and the safety performance goals need revision.

  2. The management review is part of the continuous improvement loop for the entire system. It provides a means by which the accountable executive can determine what action needs to be taken to improve the system. SMS is a continuous effort to make the organization safer by identifying and eliminating or controlling the hazards. No SMS is perfect, and it should continue to evolve and improve. Sometimes corrective actions or risk reduction strategies create other problems. The management review helps in identifying these problems and ensures that they are being addressed.


Document management is the second component of an SMS, and is comprised of these elements:

  1. Identification and maintenance of applicable regulations;

  2. SMS documentation; and

  3. Records Management.

.1 Identification and Maintenance of Applicable Regulations

  1. The organization shall document the regulations, standards and exemptions, which regulate the various activities it conducts. This information may be included in a policy and/or procedures manual, or in the SMS documentation as appropriate, and should be made known to employees.

  2. Applicable regulatory instruments should be readily accessible to all employees, by having the appropriate documentation on site, or by providing access to the information through other appropriate and approved means such as the Internet. The organization shall have procedures in place to identify when applicable changes occur in regulations, and to ensure that such instruments are maintained in a complete and current state. The organization should proactively monitor any regulatory changes that are pertinent to the organization’s operation, and address how such changes may affect the organization’s documents and procedures.

  3. The procedures should be appropriate to the size of the organization. They may be as simple as designating an individual with the appropriate knowledge to be responsible for receiving any incoming correspondence connected with regulatory documents. They may be more elaborate, involving regular consultation of resources such as Canadian Aviation Regulatory Advisory Council information, the Internet, industry news and other news sources to remain informed of proposed and actual changes to regulations. However, they should sufficiently define when regulations and company documentation will be reviewed.

7.2 SMS Documentation

  1. Approved design organizations will already have developed policies and procedures manuals. This documentation may include policies, procedures for compliance of design standards, system safety evaluations, best practices and work practices, forms for identifying potential hazards and risks or for reporting defects, and standing instructions. This documentation may be useful in establishing the required documentation for SMS.

  2. However, some information will not exist as part of the policies and/or procedures manuals and shall be required by SMS. One of the key features of SMS is that it requires organizations to document the way that objectives are to be achieved, and to measure that performance against certain criteria. Consequently the actual processes involved in the SMS must be thoroughly documented and described.

  3. Documentation describing each component of an SMS is essential if both organization personnel and TCCA are to understand how the whole system is integrated. For design organizations, this documentation may be a separate document that is incorporated by reference in the procedures manual. The information required by this AC and Safety Management Systems Assessment Guide is outlined in Appendix B.

  4. SMS documentation shall be maintained in a consolidated and current state, and should be readily available to employees. Enterprise organizations may choose to maintain separate SMS information specific to each certificate or authorization, but they shall all be consistent with the others and shall be subject to revision, reflecting any changes made to the SMS. All documentation should be reviewed regularly to ensure that the same information is available to all employees within the organization.

7.3 Records Management

  1. Records created during the course of safety management initiatives provide information on the processes, results and effectiveness of the SMS. To be an asset for both present and future use, records management procedures shall be developed for the entire life cycle of the records, including how they are created or received, distributed and maintained, and eventually, permanently archived or destroyed.

  2. The records management process should be well organized. Records and documents should be easily retrieved. The organization shall have procedures in place to ensure that documentation is periodically reviewed, and that necessary revisions are made to the organization’s documentation when required. Such revisions may be prompted by changes in regulations applicable to the organization, by changes in processes within the organization, from the results of self-audits, or from problems identified through the safety issue reporting process.

  3. The process for records management should be available to all employees, and should include details of:

    1. What constitutes a record (outputs from processes, internal audit reports, best practice reports, incident reports, safety hazard identification documents, records in the issue reporting system, forms, training forms and reports, meeting minutes, test results, etc);

    2. The legal requirements involved in making and maintaining records;

    3. The specific means of dealing with records in various formats, such as paper or electronic media;

    4. The procedures and schedule for conducting a records inventory; and

    5. The retention, disposal and archiving requirements and schedules for records, which may vary depending on the type of record involved (i.e. effective storage may differ depending on the media).


  1. Safety oversight is fundamental to the safety management process. A principal tenet of safety management requires an organization to critically review its existing operations, policies, principles and procedures and any proposed operational changes, additions or replacements for their safety significance. An organization should proactively identify and address primary causes of unsafe conditions, but should also be able to react when necessary to events that have an impact on safety.

  2. An organization’s safety reporting process should include procedures for reporting hazards, events or safety concerns, for recording best practices, and for analyzing data, safety reports and other safety related information. It should include the procedures for collection, storage and distribution of data. It should provide strategies for corrective action and risk reduction, and procedures for ongoing monitoring. Employees should understand what to report. The process should be simple, confidential and convenient to use, and should be complemented by the organization’s non-punitive reporting policy. Finally, it should detail how the effectiveness of corrective actions will be determined.

  3. Like the SMS itself, the reporting process should correspond to the size, nature and complexity of the operations, activities, hazards and risks associated with the organization. In smaller organizations, for example, reporting might be achieved through a simple written form deposited in a conveniently situated, secure box. Larger organizations may employ a more sophisticated, on-line safety reporting process.

  4. Appendix C illustrates the safety oversight processes. As the third component of an SMS, safety oversight is comprised of the following elements:

    1. Reactive Processes;

    2. Proactive Processes;

    3. Investigation and Analysis; and

    4. Risk Management.

8.1 Reactive Processes

  1. A reactive process responds to events that have already occurred such as service difficulty reports, accidents, errors, incidents, occurrences and hazard reporting. While the emphasis in safety oversight shall be to address the primary causes of unsafe conditions before they have an effect, nonetheless there will be situations where a reactive process is required. It is therefore necessary to have simple, straightforward procedures in place to react to reported incidents and occurrences and to generate corrective actions that restore a satisfactory level of product safety. In a design organization, a reactive process should be required to address any design element failures, and may be required to address other situations as well.

  2. The specific procedures used by the organization under which incidents, accidents and hazards are reported, and the means by which corrective actions are researched, generated and applied should be clearly documented. These procedures shall accommodate at a minimum, the following activities:

    1. A safety issue or concern is raised, a hazard is identified, or an incident or accident happens;

    2. The event is reported or brought to the attention of management;

    3. The event is analyzed to determine the root cause or source of the event, as well as the risk of recurrence;

    4. Corrective action, control or mitigation is developed and implemented;

    5. The corrective action is evaluated to ensure it is effective; and

    6. The information is disseminated to the employees and stakeholders.

  3. Under certain conditions, it may be more expedient to initially submit a verbal report, although without exception, a written report shall follow. At a minimum, report forms should allow for a full description of the event and provide space for the reporter to offer suggestions as to possible solutions to the problem being reported. Reports should employ common and clearly understood categories for error classification. It is important for reporters and investigators to share a common language to explain and understand the types of errors that are contributing to events, and to facilitate more accurate data inputs and trend analysis.

  4. Some errors may require further investigation in order to reach an appropriate resolution. For example, additional analysis would be required for an error that could lead to a non-compliant or an unsafe design, or an erroneous assumption made during a finding of compliance that could affect the reliability of aircraft systems.

  5. Other errors by themselves may not warrant investigation, but a trend of similar errors may require corrective action. A single instance of a non-observance of a best practice established by the organization, for example, may be inconsequential on its own, but an increased number of instances may be indicative of behaviour patterns that require investigation and corrective action.

8.2 Proactive Process

  1. A proactive SMS should provide the organization the capability to actively seek out and identify potential safety hazards, evaluate the associated risks and generate preventative actions that eliminate or manage the hazard. A safety assessment may assist an organization in achieving such capability. In a design organization, elements such as the introduction of new or unusual design features, or the discovery of unsafe conditions following certification should be proactively recognized and dealt with.

  2. An assessment shall be a core process in the SMS, providing a vital function in evaluating and maintaining the health and effectiveness of the system. A design organization’s safety assessment process should encompass the following elements:

    1. Hazard identification—the act of identifying any condition that has the potential to compromise safety. These conditions may cause injury to personnel, damage to equipment or structures, loss of material, or reduction of the ability to perform a prescribed function. For a design organization, hazard identification involves examining any proposed design element that could result in an unsafe condition, a reduction of existing safety levels, or non-compliance to regulations. Hazard identification can be achieved through risk analyses, internal reporting mechanisms, or assessment of the processes used to find compliance to the standards. Hazard identification requires continuous review, focusing on the impact that organizational procedures, decision-making processes, functions, systems, decisions and actions, and any changes to them, could have on the safety of the design;

    2. Best practices—effective safety measures identified during the design process that may be applied throughout the organization. Organizations should have well-documented and accessible procedures to record and implement best practices;

    3. Risk management techniques—understanding the implications for safety made in the design process allows the organization to minimize unsafe design elements by proactively seeking to increase safety, or by eliminating actions and decisions that lead to an unsafe design. The criteria for evaluating risk, and the tolerable level of risk that the organization is willing to accept become part of the safety assessment. More information on risk management may be found in section 8.4 of this AC; and

    4. On-going monitoring and quality assurance—the safety assessment process is a repetitive, reiterative one that seeks to identify potential hazards through constant analysis of the organization’s activities. Safety assessments must be regularly scheduled and carried out to be effective. Moreover, because the safety assessment process is essentially another process that is carried out by the organization, it too shall be subjected to review to ensure that it is, in itself effective. More information on quality assurance may be found in section 10.0 of this AC.

8.3 Investigation and Analysis

  1. Safety reporting procedures are only effective where the reports are also investigated and analysed. Every event is an opportunity to learn valuable safety lessons. However, these lessons may only be learned if employees and management understand not only what happened, but also why it happened. This analysis involves looking beyond the event and investigating the contributing organizational and human factors that played a role in it. The organization should therefore develop and maintain procedures for the internal reporting and recording of occurrences, hazards and other safety related issues. The collection of timely, appropriate and accurate data will allow the organization to react to the information received. As well, it allows the organization to apply the necessary corrective action to restore product safety.

  2. All reported events should be investigated, the extent of which should depend on the actual and potential consequences of the occurrence or the hazard. Each event should be analyzed until it is resolved. The investigation should:

    1. Establish the root cause (i.e. the underlying contributing factors which caused the event). In this way actions that will minimize the chance of recurrence may be identified and implemented;

    2. Categorize any additional underlying causes and establish the appropriate remedial and continuous improvement actions;

    3. Satisfy any regulatory requirements for reporting and investigating called out in the CARs; and

    4. Provide a factual record of the circumstances surrounding the event or hazard to the stakeholders, to allow others to learn from the situation. At this stage, the reactive process may become a proactive process.

  3. Investigation and analysis through ongoing monitoring results in a quality assurance practice. In a proactive process, all elements of the problem or process (both separately and together) should be investigated in order to determine the probable effect on safety. An investigation in a reactive process however, should address the factors that contributed to an event, rather than focusing solely on the active failures that initiated the event. Active failures are the actions that took place immediately prior to the event that had a direct impact on the safety of the system because of the immediacy of their adverse effects. However, they may not be the root cause of the event, and applying corrective actions to these failures may not address the real cause of the problem. A more detailed analysis may be required to determine all the contributory factors so that the underlying causes may be addressed to prevent recurrence.

  4. The investigators must be technically competent to perform a comprehensive investigation and analysis. They should either possess or have access to background information, so that facts and events are interpreted accurately. The goal of the investigative process should be to understand the nature of the system, problem or incident, and not to seek out someone to blame.

8.4 Risk Management

  1. Risk management is a proactive activity that examines the risks associated with potential and identified hazards, and assists in selecting actions to maintain an appropriate level of safety when faced with these hazards. It involves a structured decision making process that is:

    1. Suitable to the size of the organization;

    2. Easily understandable;

    3. Adaptable to different decision-making situations;

    4. Flexible in using a range of tools to gather risk information;

    5. Defensible;

    6. Open to stakeholder consultation; and

    7. Founded on open communication.

  2. Risk management allows for the review and evaluation of actions, decisions and situations that may have a potentially negative impact on safety, and seeks to maximize the benefits of a risk, while minimizing the risk itself. A plan that details how the results of the evaluation are dealt with in order to proactively manage safety is required.

  3. Civil Aviation Directive 30 provides information on existing processes that are accepted by TCCA, and specifically outlines the process used within TCCA (Risk Management, Type 2A, Short Process). Additionally, organizations may benefit from the Canadian Standards Association Standard CAN/CSA-CEI/IEC 300-9-97. This document provides the guidelines for selecting and implementing risk analysis techniques, primarily for risk assessment of technological systems.

  4. There are four principles that shall be addressed when defining the risk management process:

    1. Analysis, which includes:

      1. Identifying the risk;

      2. Listing possible outcomes, both favourable and unfavourable;

      3. ) Estimating the consequences associated with each outcome; and

      4. Estimating the probabilities of each outcome.

    2. Evaluation of the risk based on the work done in the analysis stage. The probability and the severity of a hazard are evaluated to determine the level of risk. Each organization should define the terms “probability” and “severity”, so that the understanding of each is common. Each organization should also determine what it’s tolerable level of risk is, and at what point intervention is required;

    3. Control, which involves taking action to reduce an identified risk to an acceptable level. Once an identified risk has been analyzed and evaluated, a report outlining the risk and its evaluation should be prepared. This report shall be the basis by which corrective or preventive actions are determined. The responsible functional director should develop a corrective action plan (CAP) outlining how the organization proposes to correct or mitigate the risk documented in the findings. The CAP may include short-term corrective actions, to provide immediate and specific relief of the problem as well as long term corrective actions, to identify the root cause and any underlying causes that contributed to the risk. If such causes are found, the CAP should also initiate actions that will prevent any recurrence; and

    4. Monitoring, to ensure the effectiveness of any corrective actions over a suitable period of time. The results generated by corrective actions should be monitored and evaluated on a regular basis. This activity should be included in the internal audit processes and include comprehensive documentation of audit findings, corrective actions and follow-up procedures.

  5. The risk management process can be highly effective in identifying hazards and deficiencies in complex systems such as aircraft. In a design organization, potential hazards may be identified during planning and safety assessment analysis of new or innovative design elements, or in response to service difficulty or occurrence reporting. Once hazards have been identified or events have been reported, the risk management process begins.

  6. A risk assessment may be conducted to determine how the event may impact safety. Reports that demonstrate an event or condition with a high potential impact on safety should be investigated in greater depth than those with low potential. In the context of the design organization, risk management is an evaluation of the probability of creation or continuance of an unsafe design element and the management of that probability. Examples of areas in a design organization that may be subject to a risk management process include:

    1. Introduction of new or unusual design elements;

    2. Introduction of new technologies or capabilities;

    3. Study of human factors in connection with equipment, controls and processes and the integration of humans and technology;

    4. Identification of training requirements;

    5. Service difficulty reports; and

    6. Projections of potential results if established procedures are not followed.


  1. The creation of an SMS introduces the requirement for training specific to the operation of the SMS. Such training will be required at phases 2, 3 and 4 during the implementation period. Thereafter, it should involve three stages of instruction: initial training, scheduled recurrent training, and ad hoc training whenever there are changes to the system. SMS training should focus on providing employees with the information and skills required to meet safety requirements of the SMS. Organizations shall identify the training requirements, and document the satisfactory completion of training for each employee.

  2. SMS training should incorporate the following subjects:

    1. Organization’s safety policy;

    2. SMS Policy Manual (documentation);

    3. Applicable regulatory documents;

    4. Operations Manual;

    5. Roles and responsibilities;

    6. Non-punitive safety reporting policy;

    7. Safety reporting process;

    8. Analysis of accidents or incidents;

    9. Emergency response plan;

    10. Special procedures; and

    11. Corrective action process.

  3. In addition, employees should be encouraged to develop and apply their own skills and knowledge to enhance organizational safety. Keeping current on safety provides better background for understanding aspects of the organization’s safety condition and for developing novel solutions to difficult problems. Subscribing to safety related programs, making relevant Transportation Safety Board reports available, and encouraging staff to participate in safety related training, seminars and workshops all contribute to keeping current.


  1. In accordance with Subsection 107.03(g) of the CARs, organizations shall provide a process for conducting periodic reviews or assessments of their operations and their SMS. Organizations may meet this requirement by establishing a quality assurance process that considers how human and organizational factors are addressed in order to enhance safety.

  2. In a design organization, the focus of the SMS quality assurance process is to assure that all of the organization’s obligations, both internal and external, have been met. For example, the quality assurance process should examine:

    1. The design and documentation of procedures for product and process control;

    2. The structure and function of the SMS in the context of the organization’s work, objectives and management;

    3. Design philosophy and testing methods;

    4. Product airworthiness;

    5. Internal and external assessment processes and results;

    6. Means and effectiveness of communication, implementation and assessment of corrective and preventive actions; and

    7. Effectiveness and rigour of investigation and analysis of identified hazards and concerns.

  3. Quality assurance is based on the principle of a continuous improvement cycle. In much the same way that the SMS facilitates continuous improvements in safety, quality assurance ensures that the SMS is effective, and that it complies with regulations, through constant verification and upgrading of the system. These objectives are achieved through the application of similar tools: internal and independent assessments and on-going monitoring of the system.

10.1 Assessments

  1. The purpose of an assessment is to verify the consistency and regulatory compliance of the SMS, and to determine the strength of the safety culture. An initial assessment covering all technical activities should be conducted, followed by a recurring cycle of further internal audits. During the implementation period, assessments should be done quite frequently in order to identify problems and to optimize the system. As the system matures and the organization understands it, the frequency of assessments may decline. In any case, the organization shall establish a schedule and ensure that assessments reoccur.

  2. Qualified individuals, who may or may not be part of the organization, should perform assessments. Assessors should have a firm understanding of the nature and purpose of an SMS and of the work being reviewed, but should also be persons who are not directly involved with performing the work or procedures being assessed. Assessors should have sufficient expertise and be able to act without possible bias arising from self-interest, in order to assure an assessment that is both comprehensive and objective. An assessment is an activity in which the non-punitive reporting processes with the organization are essential to the success. Assessors must not feel that there are any constraints upon reporting their findings. As with any other records generated within the SMS, assessment findings and actions resulting from them should be recorded and made available to all employees.

  3. Sample checklists for the SMS assessment are available on the TCCA SMS website. The Safety Management Systems Assessment Guide is the document that TCCA uses when conducting an assessment of an organization. The Master Protocol will continue to be useful for organizations establishing an SMS quality assurance process. At a minimum, an organization’s assessment checklist should provide a detailed account of the following areas:

    1. Safety policy;

    2. Establishment and active promotion of safety culture within the organization;

    3. Availability, knowledge of and adherence to non-punitive safety reporting policy;

    4. Effectiveness and appropriateness of assigned roles and responsibilities;

    5. Level and effectiveness of employee involvement in SMS;

    6. Effectiveness of safety issues communication process;

    7. Establishment and measurement of safety objectives and goals;

    8. Effectiveness of performance measurement procedures;

    9. Level of involvement and effectiveness of management review;

    10. Recognition and updating of applicable safety regulations and standards;

    11. Creation, control and updating of SMS documentation;

    12. Effectiveness of records management processes;

    13. Safety oversight process function and effectiveness;

    14. Safety assessment, monitoring, investigation and analysis;

    15. Application of risk management techniques and procedures;

    16. Identification and delivery of required training; and

    17. Emergency preparedness process.

10.2 On-going Monitoring

In addition to recurrent assessments, the quality assurance process should include continuous monitoring of all elements of the SMS. Constant examination of the system and its function will result in early identification of problems and areas for improvement. In turn, corrective actions will be generated to optimize the effectiveness of the system. Without such examination, there is no way to determine whether the system is performing as it should.


  1. Even the most safety-conscious organization can generate hazards that must be corrected. An effective SMS should reduce the likelihood of creating unsafe conditions, but will never eliminate human error. Therefore, the organization shall have an emergency preparedness plan for dealing with unexpected incidents and hazards.

  2. A design organization’s emergency response plan shall be an integral part of the SMS. It should involve responses both to aviation emergencies and hazards to employees. The following information should be included:

    1. Design organization policy;

    2. Emergency call list;

    3. Response team mobilization procedures;

    4. Regulatory agencies notification procedures;

    5. Public welfare measures;

    6. Preservation of evidence;

    7. Media relations;

    8. Claims and insurance procedures;

    9. Emergency response training;

    10. Personnel briefings;

    11. Useful forms for on-duty personnel;

    12. Procedures and forms for identifying hazards and risks;

    13. Procedures and forms for reporting defects and near-misses;

    14. Procedures and forms for injuries and accidents; and

    15. Procedures for notifying next of kin.

  3. An emergency preparedness and response plan should be in scale to the size of the organization, but may be structured with different components for different personnel. It should be made available to everyone, and be readily accessible in the event of an emergency. Instruction on emergency preparedness procedures should form part of the training program for the organization.


For more information, please contact the:
Manager, Policies and Procedures (AARTC)

Phone: 613-990-3923
Facsimile: 613-952-3298

Suggestions for amendment to this document are invited, and should be submitted via the Transport Canada Civil Aviation Issues Reporting System (CAIRS) at the following Internet address:

or by e-mail at:

D.B. Sherritt
Director, Standards
Civil Aviation


The proposed implementation of SMS for organizations is as follows:

  • Phase 1—Regulation in-force date + 90 days
  • Phase 2—Regulation in-force date + one year
  • Phase 3—Regulation in-force date + two years
  • Phase 4—Regulation in-force date + three years
Component Required Element Phase
Safety Management System

Initial submission, which:

  • Identifies the name of the Accountable Executive
  • Identifies the name of the person responsible for implementing the SMS
  • Contains a statement committing the organization to implementing that system
Gap analysis comparing the organization’s existing systems to the SMS requirements in the appropriate CAR 1
Implementation project plan, based on the requirements of the exemption and the certificate holder’s internal gap analysis. 1
Safety Management Plan Safety Policy 2
Non-punitive reporting policy 2
Roles, Responsibilities and Employee Involvement 2
Communication 2
Safety Planning, Objectives and Goals 2
Performance Measurement 2
Management Review 2
Document Management Identification and Maintenance of Applicable Regulations 2,3,4***
SMS Documentation 2,3,4***
Records Management 2,3,4***
Safety Oversight Reactive Processes 2
Proactive Processes 3
Investigation and Analysis 2
Risk Management 2
Training Training, Awareness and Competence 2,3,4***
Quality Assurance Operational Quality Assurance 4
Emergency Preparedness Emergency Preparedness and Response Plan 4

***The Document Management and Training components are common to all phases and are implemented as they apply to the other components or elements in that phase.


This appendix provides an outline of all information that shall be contained in an organization’s SMS written documentation.

  1. Safety Management Plan

    1. Safety policy;

    2. Non-punitive disciplinary policy;

    3. Description of roles, authorities, responsibilities, and accountabilities for safety;

    4. Safety objectives and goals;

    5. Means of performance measurement with respect to meeting safety goals; and

    6. Description of how the management review of the system shall be performed.

  2. Document Management

    1. Description of how applicable regulations are identified, and how changes to the regulations are incorporated into organization documentation;

    2. Description of the process and schedule for review and revision of SMS documentation;

    3. Description of how safety meetings are documented; and

    4. Description of how details of reviews and corrective actions are recorded.

  3. Safety Oversight Plan

    1. Description of the processes for reporting and responding to hazards, safety concerns, accidents and incidents;

    2. Description of how risks are evaluated and classified;

    3. Description of how risk analyses are proactively performed;

    4. Description of how events are investigated and analyzed; and

    5. Description of how risk control strategies are monitored, and how their effectiveness is recorded.

  4. Training

    1. Outline of the SMS training program; and

    2. Description of how staffs training records are maintained.

  5. Quality Assurance

    1. Description of the processes for conducting and documenting internal audits or reviews of operations;

    2. Description of how internal system reviews are conducted;

    3. Description of how results of reviews are communicated to senior management; and

    4. Descriptions of how corrective actions are implemented.

  6. Emergency Response Preparedness—a description of the responsibilities and actions required in the event of an emergency.








Please click on image to enlarge