| Login

AC 120-92 Used by SMS Pro for Design Considerations

What follows is AC No: AC 120-92 and how SMS Pro addresses the items outlined in this AC. You will see the original text with my comments in Blue. If you ever need a demo or more information how your organization can implement SMS Pro, please don't hesitate to contact me at [email protected] nwds-ak.com, 907.227.1676

For an unchanged version of AC 120-92, please follow Advisory Circular 120-92 link. This is a work in progress and we'll update this as time permits. The first stage is to put this document here for our subject matter experts to review and provide comments on how SMS Pro satisfies these requirements.

Background of Aviation SMS

The modern aviation system is characterized by increasingly diverse and complex networks of business and governmental organizations.  The rapidly changing aviation operational environment requires these organizations to adapt continuously to maintain their viability and relevance.  The aviation system is also becoming increasingly global.  Few business entities’ markets, supplier networks, and operations are confined entirely within the boundaries of a single country.  These characteristics of complexity, diversity, and change add to the importance of sound management of functions that are essential to safe operations.  While safety efforts in the aviation system have been highly successful to date, the rapid increase in the volume and variety of aviation operations push the limitations of current safety strategies and practices.  Along with this trend is the problem of decreasing resources to be applied by both business and government organizations.  These processes have forced a fresh look at the safety strategies of the future. The best approach to problems of increased aviation activity and decreased resources is to bring safety efforts into the normal management framework of aviation operations. Just as businesses and government organizations must manage these factors effectively to accomplish their missions or to maintain business viability, they must likewise provide sound management of safety.  This innovation in aviation system safety is best termed “Safety Management Systems” a term indicating that safety efforts are most effective when made part of business and government management of operations and oversight.

NWDS uses Web & database technologies to provide affordable safety management systems tools. SMS Pro was created to address the lack of tools to manage an aviation SMS.

Safety Benefits of an Aviation SMS

An SMS is essentially a quality management approach to controlling risk. It also provides the organizational framework to support a sound safety culture. For general aviation operators, an SMS can form the core of the company’s safety efforts. For certificated operators such as airlines, air taxi operators, and aviation training organizations, the SMS can also serve as an efficient means of interfacing with FAA certificate oversight offices. The SMS provides the company’s management with a detailed roadmap for monitoring safety-related processes.

SMS Pro is not an SMS, but a Web-based, database driven hazard reporting & management system. Many tools are available to communicate with users, create reports, perform trend analysis and more.

Business Benefits of an Aviation SMS

Development and implementation of an SMS can give the aviation service provider’s management a structured set of tools to meet their legal responsibilities but they can also provide significant business benefits. The SMS incorporates internal evaluation and quality assurance concepts that can result in more structured management and continuous improvement of operational processes. The SMS outlined in this AC is designed to allow integration of safety efforts into the operator’s business model and to integrate other systems such as quality, occupational safety, and environmental control systems that operators might already have in place or might be considering. Operators in other countries and in other industries who have integrated SMSs into their business models report that the added emphasis on process management and continuous improvement benefits them financially as well.

SMS Pro was designed using AC 120-92, ICAO & Transport Canada guidelines. SMS Pro provides tools to perform internal evaluations and manage quality assurance. SMS Pro does not measure or track "culture;" however, using SMS Pro is a great way to promote safety culture within an aviation organization.

Aviation SMS Principles

a. Safety Management. Modern management and safety oversight practices are moving increasingly toward a systems approach that concentrates more on control of processes rather than efforts targeted toward extensive inspection and remedial actions on end products. One way of breaking down SMS concepts is to discuss briefly the three words that make it up: safety, management, and systems. Then we’ll touch on another essential aspect of safety management; safety culture.

(1) Safety: Requirements Based on Risk Management. The objective of an SMS is to provide a structured management system to control risk in operations. Effective safety management must be based on characteristics of an operator’s processes that affect safety. Safety is defined in dictionaries in terms of absence of potential harm, an obviously impractical goal. However, risk, being described in terms of severity of consequences (how much harm) and likelihood (how likely we are of suffering harm) is a more tangible object of management. We can identify and analyze the factors that make us more or less likely to be involved in accidents of incidents as well as the relative severity of the outcomes. From here, we can use this knowledge to set system requirements and take steps to insure that they are met. Effective safety management is, therefore, risk management.
(2) Management: Safety Assurance Using Quality Management Techniques. In a recent set of working papers and guidance documents, the International Civil Aviation Organization (ICAO) emphasized that safety is a managerial process, shared by both the state (government regulators such as the FAA) and those who conduct aviation operations or produce products or services that support those operations.1  This is compatible with the goals set forth for the FAA and industry in the Federal Aviation Act of 1958.  The safety management process described in this AC starts with design and implementation of organizational processes and procedures to control risk in aviation operations. Once these controls are in place, quality management techniques can be used to provide a structured process for ensuring that they achieve their intended objectives and, where they fall short, to improve them. Safety management can, therefore, be thought of as quality management of safety related operational and support processes to achieve safety goals.
(3)  Systems: Focusing on a Systems Approach.Systems can be described in terms of integrated networks of people and other resources performing activities that accomplish some mission or goal in a prescribed environment. Management of the system’s activities involves planning, organizing, directing, and controlling these assets toward the organization’s goals. Several important characteristics of systems and their underlying process are known as “process attributes” or “safety attributes.2” when they are applied to safety related operational and support processes. As in the previous discussion of quality, these process attributes must have safety requirements built in to their design if they are to result in desired safety outcomes. The attributes include:

(a) Responsibility and authority for accomplishment of required activities

(b) Procedures to provide clear instructions for the members of the organization to follow

(c) Controls which provide organizational and supervisory controls on the activities involved in processes to ensure they produce the correct outputs

(d) Measures of both the processes and their products

(e) An important aspect of systems management also is recognizing the important interrelationships or interfaces between individuals and organizations within the company as well as with contractors, vendors, customers, and other organizations with which the company does business


b. Safety Culture: The Essential Human Component of Organizations. “An organization’s culture consists of its values, beliefs, legends, rituals, mission goals, performance measures, and sense of responsibility to its employees, customers, and the community.3” The principles discussed above that make up the SMS functions will not achieve their goals unless the people that make up the organization function together in a manner that promotes safe operations. The organizational aspect that is related to safety is frequently called the “safety culture.” The safety culture consists of psychological (how people think), behavioural (how people act), and organizational elements. The organizational elements are the things that are most under management control, the other two elements being outcomes of those efforts. For this reason, the SMS standard that is contained in Appendix 1 of this AC includes requirements for policies that will provide the framework for the SMS and requirements for organizational functions such as an effective employee safety reporting system and clear lines of communications both up and down the organizational chain regarding safety matters.

1 ICAO Document 9734, Draft Safety Oversight Manual; ICAO Document 9859, Safety Management Manual, March 2006; and ICAO Working Paper from the ICAO Air Navigation Commission, Approval of Draft Report to Counsel on Amendment 30 to Annex 6, part 1.

2 The six system characteristics, responsibility, authority, procedures, controls, process measures, and interfaces, are called “safety attributes” in the FAA’s Air Transportation Oversight System (ATOS).


a. System Goals: Production and Protection. The global aviation system is really a “system of systems.” Figure 1 depicts the relationship between the systems that are related to safety. The Figure depicts the relationships between the technical and management functions in the company that are related to providing customers with products or services and the functions that are related to controlling risk that is often a by product of the operations. The dichotomy between “production” and “protection” in the Figure, therefore, refers to the functions and requirements that are attendant to producing products or services (e.g. flight operations, flight training) and those that are involved in ensuring safety. As pointed out by Dr. James Reason, a prominent organizational safety researcher, these functions must be kept in harmony if the organization is to remain financially viable while controlling safety risk.4

NOTE: The depiction in Figure 1 refers to functional roles and not organizational structures. It is not meant to suggest that safety management is the sole responsibility of a “safety department” or “safety manager.” In fact, the SMS standard stresses the role of those who manage the productive “line operation's processes in safety management.

(1) Production in Aviation Systems: Conducting Operations. The production system that produces the product or service that is the mission of the aviation service provider’s organization. For operators, these services usually involve provision of transportation services but may also include providing additional services to other companies such as maintenance and flight crew training. One of the first tasks in effective risk management and safety assurance is for both the operator and an oversight organization to have a thorough understanding of the configuration and structure of this system and its processes. A significant number of hazards and risk factors exist from improper design of these processes or a poor fit between the system and its operational environment. In these cases, hazards to operational safety may be poorly understood and, therefore, inadequately controlled.
(2) Protection in Aviation Systems: Controlling Risk. Safety risk is a by product of activities related to production. The aviation service provider’s customers and employees are, therefore, the potential direct victims of the consequences of failures in the safety system. It is a primary responsibility of the aviation service provider to identify hazards and to control risk in the processes they manage and their operational environment. The aviation service provider is primarily responsible for safety management. The aviation service provider’s SMS (denoted as the SMS-P to differentiate it from the FAA’s safety oversight system, later referred to as the SMS-O) provides a formal management system for the operator’s management to fulfil this obligation.


b. Safety Management Systems for Certificated Organizations. As aviation service providers develop SMSs, a natural interaction between the safety management efforts of the FAA and those of aviation service providers also develops. This relationship can leverage the efforts of both parties to provide a more effective, efficient, and proactive approach to meeting safety requirements while at the same time increasing the flexibility of companies to tailor their safety management efforts to their individual business models. There are distinct roles, responsibilities, and relationships (the “three Rs”) for both regulators (FAA) and aviation service providers in the “system of systems” that is involved in management of safety.

(1) Responsibilities of Certificated Operators and Aviation Service Providers. Operators who hold out to provide services in common carriage to the public have a special responsibility to provide their customers with safe, reliable transportation. Title 49 of the United States Code, subtitle VII, chapter 447, section 44702 states, in part, that “When issuing a certificate under this chapter, the Administrator shall consider the duty of an air carrier to provide service with the highest possible degree of safety in the public interest and differences between air transportation and other air commerce….” This section of the public law makes management of safety a specific legal responsibility for air carrier management teams and, as such, is a fundamental principle of the FAA oversight doctrine. While this section applies specifically to air carriers, the FAA expects all certificated organizations to make safety a top priority and holds their managements accountable for doing so.
(2) Oversight Responsibilities of the FAA. United States Code Title 49 Subtitle VII Chapter 447 also prescribes roles and responsibilities of the FAA. The FAA is tasked with developing and implementing regulations and standards of other safety oversight activities that ensure operators apply those regulations and standards to the design and continuing operational safety of their organizations. These regulations and standards and the processes that apply them to certificate holders should be thought of as important safety risk controls, rather than just bureaucratic requirements.
(3) Oversight Systems. The other system on the “protection” side of the model in Figure 2 is the SMS-O, the system that is used by the regulator to provide oversight of the aviation service provider’s operations. Traditional oversight of aviation service providers consists of activities such as certification, surveillance, investigation, and enforcement of regulations. The FAA is transitioning the traditional oversight process from a quality control approach with principal emphasis on surveillance of compliance with technical standards to a systems approach that stresses the systemic nature of aviation businesses and the larger system as a whole. While traditional oversight functions will continue to exist in future safety oversight systems, the primary means of safety oversight will shift more toward system safety methods and an emphasis on operator safety management. Moreover, the ability of the government to provide the resources that would be required to manage safety through intensive direct intervention in aviation service provider’s activities is questionable at best.
(4) Relationships between Aviation Service Provider’s SMS and Oversight. Figure 2 depicts the functional relationships between the productive processes in aviation service provider organizations, their safety management functions, and the functions of FAA oversight activities. On the “protection” side of the model depicted in Figure 2, two management systems exist: the aviation service provider’s SMS (noted as SMS-P) and that of the oversight organization or regulator (noted as SMS-O).
(5) Voluntary Programs and the SMS. The FAA is seeking to increase the use of voluntary programs in the process of safety management, particularly use of the Aviation Safety Action Program (ASAP) and internal evaluation programs (IEP). Both of these programs have strong relationships to the functions of safety assurance and safety promotion in an SMS. Aviation service providers are encouraged to consider integrating these programs into a comprehensive approach to safety management.


c. Future Developments in Safety Management. A well-developed SMS and a strong relationship with the oversight system provide an excellent place from which to develop an integrated program between regulatory programs, voluntary programs, and the operator’s own systems. The FAA Flight Standards Service is developing procedures to provide more effective interfaces in this process and to make both voluntary and regulatory programs more standardized and interoperable. These processes include improved, joint-use auditing tools and processes, procedures for information sharing and protection, and voluntary disclosure procedures. In the interim, certificated organizations should work closely with their certificate-holding district office (CHDO) or certificate management office (CMO) to build an SMS that will interface smoothly with regulatory oversight programs. For example, an SMS that incorporates the operator’s continuing analysis and surveillance system (CASS — for certificated operators), an IEP, and an ASAP would allow the operator to derive the multiple benefits of these programs with a minimum of duplication. For operators that desire to implement Flight Operations Quality Assurance (FOQA) programs, these programs can also contribute to the safety assurance function.


a. The Need for Safety Management Standards.

(1) Standardization. The FAA Associate Administrator for Aviation Safety (AVS) is interested in developing an integrated SMS in which business and governmental roles and relationships are well defined, requirements are based upon sound systems engineering and system safety principles, and both regulators and regulated industries participate in a unified safety effort. The SMS standard in appendix 1 of this AC provides functional requirements for an aviation safety SMS. It is similar in scope to internationally recognized standards for quality management, environmental protection, and occupational safety and health management.
(2) International Harmonization. ICAO, in a recent set of working papers, manuals, and proposals5 for changes to key annexes to the ICAO Conventions, is revamping its standards and recommended practices to reflect a systems approach to safety management. This coincides with the FAA’s move toward a systems approach for oversight over the past several years. Because of the many diverse relationships between organizations and the above stated global nature of the aviation system, it is critical that the functions of an SMS be standardized to the point that there is a common recognition of the meaning of SMS among all concerned, both domestically and internationally.
(3) Alignment with International Organization for Standardization (ISO) Standards. The SMS standard is written at the approximate scope and scale of the international standards for quality management (QMS) and management of environmental protection (EMS), ISO 9000-2000 and ISO 14001, respectively. The FAA also reviewed the British Standards Institutes's standard for occupational health and safety management systems (OHSMS), which is based on ISO 14001. The clause structure of the aviation service provider SMS standard initially was developed to parallel ISO 14001, with the clauses then being arranged around the four building blocks discussed below under “The Four Pillars of Safety Management.”
(4) Alignment with Other Industry Standards. The SMS standard was developed after an extensive review of documented SMS systems used by other countries around the world.6 This review included literature reviews of regulations, policy documents, and advisory material, as well as interviews with both government and industry personnel who promulgated and used the systems. Existing management system standards from the International Standardization Organization (ISO) and the American National Standards Institute (ANSI) were reviewed cross-mapped.7 The review also included consideration of third-party systems developed by user organizations such as the International Air Transport Association (IATA), the Medallion Foundation, and the International Business Aviation Council (IBAC)8.
(5) Auditability. The SMS standard is designed to provide definitive functional requirements in a manner that can be audited by the organization’s own personnel, regulators, or other third-party consultants. The language in the standard is, therefore, written in a requirements-oriented tone. To the maximum extent possible, each indexed statement defines a single requirement so that it can easily be used in audits of the system.
(6) Integration with Other Management Systems. While the SMS standard’s stated scope is on product and service safety, the FAA recognizes that managers in real-world organizations may often, if not usually, be required to manage not only this aspect of safety, but also occupational safety and environmental protection, as well. Managers of these organizations typically are required to fit their activities into the framework of the organization’s mission or commercial objectives and may operate under an integrated management system. The SMS standard therefore can be mapped to other existing standards covering these areas so that organizations may develop integrated management systems. Appendix 2 provides a cross-reference between the SMS standard presented in Appendix 1 and several other commonly used management standards.


b. Structure and Organization.

(1) Functional Orientation. The SMS Standard is written as a functional requirements document. It stresses “what” the organization must do rather than “how” it will be accomplished. The FAA feels that each of the functions detailed in the standard are essential for a comprehensive SMS. At the same time, the standard needs to be applicable to a wide variety of types and sizes of operators. Therefore, it is designed to allow operators to integrate safety management practices into their unique business models. Operators are not expected to configure their systems in the format of the standard or to duplicate existing programs that accomplish the same function. This was a further reason for using a similar scope, scale, and language to the ISO standards, which also are designed for broad application. The standard document contained in Appendix 1, therefore, attempts to strike a balance between flexibility of implementation and functional standardization of essential safety management processes.
(2) Four Pillars of Safety Management. The standard is organized around four basic building blocks of safety management. These four areas are essential for a safety-oriented management system, and derive from the SMS principles discussed earlier.
(a) Policy. All management systems must define policies, procedures, and organizational structures to accomplish their goals. Requirements for these elements are outlined in Appendix 1, par 4 which in turn provide the framework for SMS functional elements.
(b) Safety risk management. A formal system of hazard identification and safety risk management in Appendix 1, par. 5 is essential in controlling risk to acceptable levels. The safety risk management component of the SMS is based upon the system safety process model that is used in the system safety training course that is taught at the FAA Academy.
(c) Safety assurance. Once these controls are identified, the operator must ensure they are continuously practice and continue to be effective in a changing environment. The safety assurance function in Appendix 1, par 6 provides for this using quality management concepts and processes.
(d) Safety promotion. Finally, the operator must promote safety as a core value with practices that support a sound safety culture. Appendix 1 par. 7 provides guidance for setting up these functions.


(3) Integration of Safety Risk Management and Safety Assurance. Figure 3 shows how the safety risk management and safety assurance processes are integrated in the SMS. The safety risk management process provides for initial identification of hazards and assessment of risk. Organizational risk controls are developed and, once they are determined to be capable of bringing the risk to an acceptable level, they are employed operationally. The safety assurance function takes over at this point to ensure that the risk controls are being practice and they continue to achieve their intended objectives. This system also provides for assessment of the need for new controls because of changes in the operational environment.


a. General Organization of the SMS Standard. The first part of the SMS functional requirements (SMS Standard) included as Appendix 1 of this AC follows the general organization of ISO 9000-2000 and ISO 14001. The first three clauses describe scope and applicability, references, and definitions. The following four clauses address each of the four pillars of SMS, as described previously in paragraph 7b(2).


b. Policy: Setting the Framework.

(1) Safety and Quality: Striking a Balance. As discussed above, the SMS standard uses quality management principles, but the requirements to be managed by the system are based on an objective assessment of safety risk, rather than customer satisfaction with products or other conventional commercial goals. However, management of process quality, with emphasis on those characteristics of those processes that affect safety, is an important aspect of safety management. The standard specifies that the aviation service provider should prescribe both quality and safety policies. The coverage of quality policies is limited in scope to quality in support of safety, although operators are encouraged to integrate their management systems as much as feasible. However, safety objectives should receive primacy where conflicts are identified.
(2) Roles, Responsibilities, and Relationships: The “Three Rs” of Safety Management. Figures 1 and 2 show the relationship between the productive processes of the aviation service provider as well as the joint protective processes of the regulator (FAA) in the form of an oversight system (SMS-O) and the aviation service provider’s SMS (SMS-P). As before, it is important to recognize that the two aviation service provider systems shown (Protection and Production) are functional rather than departmental or organizational depictions. One of the principal roles of the oversight system (SMS-O) is to promulgate risk controls in the form of regulations, standards, and policies. It follows that regulatory compliance, in a manner that accomplishes the regulation's safety objectives, is also part of the aviation service provider’s role in safety management.
(3) Importance of Executive Management Involvement. The standard specifies that top management is primarily responsible for safety management. Managements must plan, organize, direct, and control employee's activities and allocate resources to make safety controls effective. A key factor in both quality and safety management is top management’s personal, material involvement in quality and safety activities. The standard also specifies that top management must further clearly delineate safety responsibilities throughout the organization. While it is true that top management must take overall responsibility for safe operations, it also is true that all members of the organization must know their responsibilities and be both empowered and involved with respect to safety.
(4) Procedures and Controls. Two key attributes of systems are procedures and controls. Policies must be translated into procedures in order for them to be applied and organizational controls must be in place to ensure that critical steps are accomplished as designed. Organizations must develop, document, and maintain procedures to carry out their safety policies and objectives. The standard also requires organizations to ensure that employees understand their roles. Moreover, supervisory controls must be used to monitor the accomplishment of the procedures.


c. Safety Risk Management: Setting Requirements for Safety Management. The safety risk management process is used to examine the operational functions of the company and their operational environment to identify hazards and to analyze associated risk. The safety risk management process follows the same sequence of steps as the system safety process model that is used in the FAA’s System Safety training course at the FAA Academy. These are also the same general steps that are used in operational risk management programs within several of the military services.

(1) Systems and Task Analysis. Safety risk management begins with system design. This is true whether the system in question is a physical system, such as an aircraft, or an organizational system such as an operator, maintenance or training establishment. These systems consist of the organizational structures, processes, and procedures, as well as the people, equipment, and facilities used to accomplish the organization’s mission. The system or task descriptions should completely explain the interactions among the hardware, software, people, and environment that make up the system in sufficient detail to identify hazards and perform risk analyses. While systems should be documented, no particular format or is required. System documentation would normally include the operator’s manual system,10 check-lists, organizational charts, and personnel position descriptions. A suggested breakdown of operational and support processes for air operators includes:
(a) Flight operations
(b) Dispatch/flight following
(c) Maintenance and inspection
(d) Cabin safety
(e) Ground handling and servicing
(f) Cargo handling
(g) Training

NOTE: Long and excessively detailed system or task descriptions are not necessary as long as they are sufficiently detailed to perform hazard and risk analyses. While sophisticated process development tools and methods are available, simple brainstorming sessions with managers, supervisors, and other employees are often most effective.

(2) Hazard Identification. Hazards in the system and its operating environment must be identified, documented, and controlled. It also requires that the analysis process used to define hazards consider all components of the system, based on the system description described above. The key question to ask during analysis of the system and its operation is “what if?” As with system and task descriptions, judgement is required to determine the adequate level of detail. While identification of every conceivable hazard would be impractical, aviation service providers are expected to exercise due diligence in identifying significant and reasonably foreseeable hazards related to their operations.
(3) Risk Analysis and Assessment The standard’s risk analysis and risk assessment clauses use a conventional breakdown of risk by its two components: likelihood of occurrence of an injurious mishap and severity of the mishap related to an identified hazard, should it occur. A common tool for risk decision-making and acceptance is a risk matrix similar to those in the U.S. Military Standard (MIL STD 882) and the ICAO Safety Management Manual11. Figure 4 shows an example of one such matrix. Operators should develop a matrix that best represents their operational environment. Separate matrices with different risk acceptance criteria may also be developed for long-term versus short-term operations.
(4) Severity and Likelihood Criteria. The definitions and final construction of the matrix is left to the aviation service provider’s organization to design. The definitions of each level of severity and likelihood will be defined in terms that are realistic for the operational environment. This ensures each organization’s decision tools are relevant to their operations and operational environment, recognizing the extensive diversity in this area. An example of severity and likelihood definitions is shown in Table 1 below. Each operator’s specific definitions for severity and likelihood may be qualitative but quantitative measures are preferable, where possible.




Put in table here....

c. Acceptable with Mitigation (Yellow). Where the risk assessment falls into the yellow area, the risk may be accepted under defined conditions of mitigation. An example of this situation would be an assessment of the impact of a non-operational aircraft component for inclusion on a Minimum Equipment List. Defining an Operational (“O”) or Maintenance (“M”) procedure in the MEL would constitute a mitigating action that could make an otherwise unacceptable risk acceptable, as long as the defined procedure was implemented. These situations may also require continued special emphasis in the safety assurance function.


Put safety matrix here....

(6) Other Risk Assessment Tools for Flight and Operational Risk Management. Other tools can also be used for flight or operational risk assessment such as the Controlled Flight into Terrain (CFIT), Approach and Landing Accident Reduction (ALAR), operational control, and ground operations risk assessment tools available from the Flight Safety Foundation (www.flightsafety.org) or the Medallion Foundation (http://www.medallionfoundation.org).
(7) Causal Analysis. Risk analyses should concentrate not only on assigning levels of severity and likelihood but on determining why these particular levels were selected. This is often called “root cause analysis,” and is the first step in developing effective controls to reduce risk to lower levels. Several structured software systems are available to perform root cause analysis. However, in many cases, simple brainstorming sessions among the company’s pilots, mechanics, or dispatchers other experienced subject matter experts is the most effective and affordable method of finding ways to reduce risk. This also has the advantage of involving employees who will ultimately be required to implement the controls developed.
(8) Controlling Risk. After hazards and risk are fully understood though the preceding steps, risk controls must be designed and implemented. These may be additional or changed procedures, new supervisory controls, addition of organizational, hardware, or software aids, changes to training, additional or modified equipment, changes to staffing arrangements, or any of a number of other system changes.
(9) Hierarchy of Controls. The process of selecting or designing controls should be approached in a structured manner. System safety technology and practice has provided a hierarchy or preferred order of control actions that range from most to least effective. Depending on the hazard under scrutiny and its complexity there may be more than one action or strategy that may be applied. Further, the controls may be applied at different times depending on the immediacy of the required action and the complexity of developing more effective controls. For example, it may be appropriate to post warnings while a more effective elimination of the hazard is developed. The hierarchy of controls is:
(a) Design the hazard out – modify the system (this includes hardware/software systems involving physical hazards as well as organizational systems)
(b) Physical guards or barriers – reduce exposure to the hazard or reduce the severity of consequences
(c) Warnings, advisories, or signals of the hazard
(d) Procedural changes to avoid the hazard or reduce likelihood or severity of associated risk
(e) Training to avoid the hazard or reduce the likelihood of an associated risk
(10) Residual and Substitute Risk. It is seldom possible to entirely eliminate risk, even when highly effective controls are used. After these controls are designed but before the system is placed back on line, an assessment must be made of whether the controls are likely to be effective and/or if they introduce new hazards to the system. The latter condition is referred to as “substitute risk,” a situation where “the cure is worse than the disease.” The loop seen in Figure 3 back to the top of the diagram depicts the use of the preceding systems analysis, hazard identification, risk analysis, and risk assessment processes to determine if the modified system is acceptable.
(11) System Operation. When the controls are acceptable, the system is placed into operation. The next process, safety assurance, uses auditing, analysis, and review systems that are familiar from similar quality management systems. These processes are used to monitor the risk controls to ensure they continue to be implemented as designed and continue to be effective in a changing operational environment.


d. Safety Assurance: Managing the Requirements.The safety assurance function applies the processes of quality assurance and internal evaluation to the process of making sure that risk controls, once designed, continue to conform to their requirements and that they continue to be effective in maintaining risk within acceptable levels. These assurance and evaluation functions also provide a basis for continuous improvement.

(1) Relationship between Safety Risk Management, Safety Assurance, and Internal Evaluation. Quality assurance processes concentrate on proving, through collection and analysis of objective evidence, that process requirements have been met. In an SMS, the system’s requirements are based on assessment of risk in the organization’s operation or in the products that it produces, as discussed above. Quality assurance techniques, including internal auditing and evaluation, can be used to determine if risk controls that are designed into the operator’s processes are being practiced and that they perform as designed. The process is, therefore, appropriately termed “safety assurance.” If an operator already has an IEP, it should be reviewed to ensure that it conforms to the SMS safety assurance standards.13

NOTE: the safety assurance function does not need to be extensive or complex to be effective. Smaller organizations may find available tools such as the Internal Evaluation Program Audit tools produced by the Medallion Foundation (http://www.medallionfoundation.org) to be a good foundation for their organization’s safety assurance processes.

(2) Role of Other Management Systems. As discussed above, safety assurance uses many of the same practices as those used in quality management systems (QMS). In an SMS however the requirements being managed relate to ensuring risk controls, once designed and put into place, perform in a way that continues to meet their safety objectives. While operators may find it beneficial to integrate their management systems for these other areas, such as quality, employee health and safety, or environmental protection with the SMS, it is beyond the scope of the safety management standard to address these areas directly. Appendix 2 to this AC contains a table of cross-references between ISO standards and other recognized standards for quality (ISO 9000:2000), environmental protection (ISO 14001), and employee health and safety management (BSI OHSAS 18001). These are provided for convenience for organizations that desire to develop integrated management systems or that may already have existing systems in one or more of these areas.
(3) Information for Decision-making. Information for safety assurance comes from a variety of sources, including formal program auditing and evaluation, investigations of safety-related events, and continuous process monitoring of day-to-day activities and inputs from employees through employee reporting systems. While each of these types of information sources exist to some degree in every organization, the standard formalizes requirements for each. Specifications for these and other related safety assurance processes are left at a functional level, allowing individual organizations to tailor them to the scope and scale appropriate for their size and type of organization.
(4) Internal Audits by Operating Departments. The primary responsibility for safety management rests with those who “own” the operator’s technical processes. It is here where hazards are most directly encountered, where deficiencies in processes contribute to risk, and where direct supervisory control and resource allocation can mitigate the risk to acceptable levels. The standard specifies a responsibility for internal auditing of the operator’s productive processes (the Production/Operation side of Figures 1 and 2). As with other requirements, the standards auditing requirements are left at a functional level, allowing for a broad range of complexity, commensurate with the complexity of the organization.
(a) Line Management Responsibilities. Line managers of operational departments have the direct responsibility for quality control and for ensuring that the processes in their areas of responsibility function as designed. Moreover, line organizations are the domain technical experts in any organization and thus the most knowledgeable about the technical processes involved. Line managers of the operational departments should be given the responsibility for monitoring these processes and periodically assessing the status of risk controls though an internal auditing and evaluation program.
(b) Audit Programs and Tools. In order to promote system integration and a minimum of duplication, operators may want to consider using available technical system audit tools such as those provided by the Air Transportation Oversight System (ATOS)14 or third party tools such as those in the IATA Operational Safety Audit (IOSA). This can be particularly advantageous if the operator is already involved with using these programs.
(5) Internal Evaluation. This function involves evaluation of the technical processes of the operator as well as the SMS-specific functions. Audits conducted for the purpose of this requirement must be conducted by persons or organizations that are functionally independent of the technical process being evaluated. A specialist safety or quality assurance department or another sub-organization as directed by top management may accomplish it. The internal evaluation function also requires auditing and evaluation of the safety management functions, policy making, safety risk management, safety assurance, and safety promotion. These audits provide the management officials designated responsibility for the SMS to inventory the processes of the SMS itself.

NOTE: In very small organizations, the top management may elect to conduct the internal evaluation function themselves, in conjunction with the management review function.

(6) Integration of Regulatory and Voluntary Programs. The provisions of the SMS standard are not intended to duplicate the functions of required CASS (required for operators under part 121 or part 135 of Title 14 of the Code of Federal Regulations) (14 CFR) or IEPs. In fact, the FAA encourages an integrated approach where these programs are all part of a comprehensive SMS.
(7) External Audits. External audits of the SMS may be conducted by the regulator (FAA), code-share partners, customer organizations, or other third parties selected by the operator. These audits not only provide a strong interface with the oversight system (SMS-O) but also a secondary assurance system. Organizations may elect to have third-party audits of their SMS from organizations such as the IATA or other consultant organizations.

Available at: http://www.faa.gov/safety/programs_initiatives/oversight/atos/library/data_collection

(8) Analysis and Assessment. Audits and other information-gathering activities are useful to management only if the information is distilled into a meaningful form and conclusions are drawn to form a bottom line. Recall that the primary purpose of the safety assurance process is to assess the continued effectiveness of risk controls put into place by the safety risk management process. Where significant deviations to existing controls are discovered, the standard requires a structured, documented process for preventive and corrective action to place the controls back on track.
(9) Corrective Action and Follow up. The safety assurance process should include procedures that ensure that corrective actions are developed in response to findings of audits and evaluations and to verify their timely and effective implementation. Organizational responsibility for the development and implementation of corrective actions should reside with the operational departments cited in audit and evaluation findings. If new hazards are discovered, the safety risk management process should be employed to determine if new risk controls should be developed.
(10) Monitoring the Environment. As part of the safety assurance function, the analysis and assessment functions must alert the organization to significant changes in the operating environment, possibly indicating a need for system change to maintain effective risk control. When this occurs, the results of the assessment start the safety risk management process, as depicted in Figure 3.


e. Safety Promotion: Supporting the Culture. An organizational safety effort cannot succeed by mandate or strictly though a mechanistic implementation of policy. As in the case of attitudes where individual people are concerned, organizational cultures set the tone that predisposes the organization’s behaviour. An organization’s culture consists of the values, beliefs, mission, goals, and sense of responsibility held by the organization’s members. The culture fills in the blank spaces in the organization’s policies, procedures, and processes and provides a sense of purpose to safety efforts.

(1) Safety Cultures. Cultures consist of psychological ( how people think and feel ), behavioural ( how people and groups act and perform ) and structural (the programs, procedures, and organization of the enterprise) elements. Many of the processes specified in the policy, risk management, and assurance components of the SMS provide the framework for the structural element. However, the organization must also set in place processes that allow for communication among employees and with the organization’s management. The aviation service provider must make every effort to communicate its goals and objectives, as well as the current status of the organization’s activities and significant events. Likewise, the aviation service provider must supply a means of upward communication in an environment of openness.
(2) Communication: A Two Way Street. Dr. James Reason, among other current organizational system safety theorists, stresses the need for a “reporting culture” as an important aspect of safety culture. The organization must do what it can to cultivate the willingness of its members to contribute to the organization’s knowledge base. Dr. Reason further stresses the need for a “just culture,” where employees have the confidence that, while they will be held accountable for their actions, the organization will treat them fairly.15 The standard specifies that the aviation service provider must provide for a means of employee communication that allows for timely submission of reports on safety deficiencies without fear of reprisal. Many certificated operators already have invested in ASAP. ASAP is a collaborative, reporting, analysis, and problem solving effort among the FAA, operators, and employee unions. This program is another example of a voluntary program that could be integrated into the SMS, having a strong potential to contribute to the safety assurance and safety promotion.
(3) Organizational Learning. Another of Dr. Reason’s principles of organizational safety culture is that of a “learning culture.”16 The information in reports, audits, investigation, and other data sources does no good if the organization does not learn from it. The standard also requires a means of analysis of this information and a linkage to the safety assurance process. The standard requires an analysis process, a preventive/corrective action process, and a path to the safety risk management process for the development of new safety controls, as environments change and new hazards are identified. It further requires that the organization provide training and information about risk controls and lessons learned.


9. CONTACT. For additional information or suggestions, please contact AFS-800 at (202) 267-8212, or AFS-900 at (703) 661-0526.


John M. Allen (for)


James J. Ballough 

Director, Flight Standards Service 

15Reason. Managing the Risks of Organizational Accidents.

16 Ibid.


Aviation SMS Products

Hazard Reporting Solution
Starting at

Hazard Reporting Solution offers incredible savings for thrifty companies needing high-quality aviation SMS software.

Risk Management Solution
Starting at

Risk Management Solution designed for operators with limited SMS budgets using simple user-friendly Web-based SMS tools.

Safety-Quality Assurance Solution allows operators to advance their ICOA SMS implementations to the top level.

Starting at

SMS Pro Enterprise provides unlimited file storage space for SMS activities and access to ALL SMS Pro modules.

Alaska Web Design Company