tp 13881sms doc

A guide toimplementation

Prepared by the

Commercial andBusiness Aviation Branch and the Aircraft Maintenance and

Manufacturing Branch

FOR FLIGHT OPERATIONS AND AIRCRAFT MAINTENANCE ORGANIZATIONSSAFETY MANAGEMENT SYSTEMS

TP 13881 E

*TP13881E*03/2002

©Minister of Public Works and Government Services, Canada, 2002

Permission is granted by the Department of Transport, Canada, to copy and/orreproduce the contents of this guide or in whole or in part provided that fullacknowledgment is given to the Department of Transport, Canada, and that thematerial be accurately reproduced. While use of this material has been authorized,the Department of Transport, Canada, shall not be responsible for the manner inwhich the information is presented, nor for any interpretations thereof.

The information in this copy of this guide may not be updated to reflect amend-ments made to original content. For up-to-date information contact the Departmentof Transport, Canada.

The information in this guide or is to be considered solely as a guide and should notbe quoted as or considered to be a legal authority. It may become obsolete in wholeor in part at any time without notice. Please contact the Civil AviationCommunications Centre at 1-800-305-2059 (EST) for assistance.

RegulatoryReferences

This guide applies to proposedregulatory changes applicable to:

CAR 573.09(11)CAR 700.xxCAR 720.xx

CAR 705.07(2)(c)CAR 725.07(2)(a)(ii)

CAR 725.07(3)CAR 725.124(5)(o)CAR 725.135(oo)

CAR 706.07CAR 726.07

1

2

Acknowledgement

This guidance material was written by the staffof the Commercial and Business Aviation Branch and

Maintenance and Manufacturing Branchof Transport Canada Civil Aviation.

Transport Canada wishes to thank the following individuals,companies and regulatory authorities for

their assistance in developing this material:

* Professor James Reason, University of Manchester

* Operating Standards Division, the United Kingdom Civil Aviation Authority

* Clifford Edwards, The Royal Dutch/Shell Group of Companies

* Air Canada

* Boeing Commercial Airplane Group

* Safety Services Branch, Transport Canada Civil Aviation

This document is a living document and will be revised at intervalsto take into account changes in regulations, feedback from industry andrecognized best practice. Updates will be noted via the Transport Canada

Civil Aviation website.

REGULATORY REFERENCES ................................................................................................................................1

ACKNOWLEDGEMENTS ........................................................................................................................................2

INTRODUCTION ..........................................................................................................................................................5Foreword ..................................................................................................................................................................5

What is a Safety Management System? ....................................................................................................6

Key Generic Features Of The SMS Approach ......................................................................................7

Key Features Specific To The Regulatory Requirements: ................................................................8

Why Bother? ..........................................................................................................................................................9

SAFETY MANAGEMENT SYSTEM COMPONENTS ............................................................................10

1. SAFETY MANAGEMENT PLAN ..........................................................................................................11Safety Policy ..............................................................................................................................................11

Safety Objectives ................................................................................................................................12

Safety Performance Measurement..............................................................................................12

Non-Punitive Disciplinary Policies ..........................................................................................13

Roles And Responsibilities ..............................................................................................................14Documentation Of Roles And Responsibilities ................................................................15

Individual Roles and Responsibilities ......................................................................................16

Delegation Of Tasks To Effectively Operate the Safety Management System ..18

Safety Office ........................................................................................................................................18

Safety Committee ..............................................................................................................................18

Employee Involvement In The Development And Implementation OfThe System............................................................................................................................................19

Description of System Components ..........................................................................................19

2. DOCUMENTATION ....................................................................................................................................21Identification of Applicable Aviation Safety Regulations, Standardsand Exemptions ......................................................................................................................................21Documentation Describing System Components ............................................................22Implementing Changes To Company Documentation ..................................................22

Maintenance Of Current, Applicable And Effective Documentation ................22

3. SAFETY OVERSIGHT ................................................................................................................................25Reactive Processes..................................................................................................................................26

Occurrence and Hazard Reporting ..........................................................................................26

Systems for Reporting Hazards, Events and Safety Concerns ....................................27

Why report? ..........................................................................................................................................28

What should be reported? ............................................................................................................28

3

Contents

Report Investigation and analysis ..............................................................................................28

Event Investigation............................................................................................................................29The MEDA Process ..........................................................................................................................30

The PEAT Process ............................................................................................................................31

Pro-Active: Safety Assessment ......................................................................................................32

Hazard Identification ......................................................................................................................32

Assessment frequency ......................................................................................................................33

Common Elements ................................................................................................................................34

Reporting Procedures ......................................................................................................................35

Data Collection ..................................................................................................................................35

Data Collection Systems ................................................................................................................35

Risk Management..............................................................................................................................36

Corrective Action Plan ....................................................................................................................38

On-Going Monitoring ....................................................................................................................39

Information Dissemination ..........................................................................................................39

4. TRAINING ........................................................................................................................................................41

5. QUALITY ASSURANCE ............................................................................................................................43

6. EMERGENCY RESPONSE PLAN ..........................................................................................................47

CONCLUSION ............................................................................................................................................................48

4

Contents

F o r e w o r d

In Canada we enjoy an enviable aviationsafety record and our Civil Aviation safetyprogram has been cited by the InternationalCivil Aviation Organization as one of thebest in the world. However, with the pre-dicted increase in air transportation and theprobability that this will bring with it anattendant increase in the accident rate, weclearly cannot afford to maintain the statusquo. To remain successful we must constan-ly challenge ourselves to improve the safetystandard and work towards achieving a posi-tive shift in the accident rate.

In response to this challenge, the Commer-cial and Business Aviation Branch and theAircraft Maintenance and ManufacturingBranch have promulgated amendments tothe Canadian Aviation Regulations (CAR)requiring the establishment of safety mana-gement systems (SMS) in certain types of

operations.i This guidance material providesclarification regarding the intent and appli-cation of the proposed regulatory require-ments. It is designed as a practical guide forthe development and implementation of asafety management system within flight andmaintenance operations.

The following information is not intendedas a prescriptive formula for the develop-ment of a company’s safety managementsystem. The material contained herein is forexplanatory purposes only. Where existingsystems or components have been referen-ced, the example is used for the purpose ofclarity and to demonstrate that there areexisting systems available. It is not the in-tention of the authors to advocate that anyone particular system be used. In keepingwith performance based regulations, thisguide is intended to provide details of thevarious SMS regulatory requirements andto offer examples of possible ways these ele-ments can be enabled.

5

Introduction

[ ]

W h a t i s a s a f e t yM a n a g e m e n t S y s t e m ?

A safety management system is a systematic,explicit and comprehensive process for themanagement of safety risks, that integratesoperations and technical systems with finan-cial and human resource management, forall activities related to an air operator or anapproved maintenance organization’s certificate.

A safety management system is a business-like approach to safety. In common withall management systems a safety manage-ment system provides for goal setting, plan-ning, and measuring performance. It con-cerns itself with organizational safety ratherthan the conventional health and safety atwork concerns. A company’s SMS defines

how it intends the management of air safetyto be conducted as an integral part of thecompany’s business management activities.A Safety Management System is woveninto the fabric of an organization. It be-comes part of the culture; the way peopledo their jobs.

The organizational structures and activitiesthat make up a safety management systemare found throughout an organization.Every employee in every department con-tributes to the safety health of the organiza-tion. In some departments safety manage-ment activity will be more visible than inothers, but the system must be integratedinto “the way things are done” throughoutthe establishment. This will be achieved bythe implementation and continuing supportof a safety program based on a coherentpolicy, that leads to well designed procedures.

6

[ ]

Introduction

K e y G e n e r i c F e a t u r e so f t h e S M S A p p r o a c h

There is no definitive meaning attached tothe term “safety management system”, everyorganization, and industry, for that matter,has its own interpretation of what it is.From the Civil Aviation perspective thereare five features that characterise a safetymanagement system. These are:

• A comprehensive systematic approachto the management of aviation safety within the aircraft operating company, including the interfaces between the company and its suppliers, sub-contrac-tors and business partners.

• A principal focus on the hazards of the business and their effects upon those activities critical to safety.

• The full integration of safety considera-tions into the business, via the applica-tion of management controls to all aspects of the business processes critical to safety.

• The use of active monitoring and audit processes to validate that the necessary controls identified through the hazard management process are in place and to ensure continuing active commitment to safety.

• The use of Quality Assurance princi-ples, including improvement and feed-back mechanisms.

In searching for ways to enable the afore-mentioned features, an organization maychoose to utilize a commercial “off-the-shelf ” system. Whilst this might be appro-priate for some companies, the programshould be tailored to meet the requirementsof the individual organization rather thanassuming that one size fits all. Attentionshould also be given to the linkages betweenthe individual components; they should belinked in a systematic way, rather thanappearing to be stand alone units.ii

7

[ ]

Introduction

K e y F e a t u r e s T o T h eR e g u l a t o r y R e q u i r e m e n t s

• A safety management plan;

• Clear authorities, responsibilities and accountabilities for safety at all levels within the organization.

• Occurrence and Hazard reporting,

• Data collection procedures • Incident analysis

• Hazard identification and riskmanagement

• Documentation

• Safety management trainingrequirements

• Emergency response plan

8

Introduction

[ ]

W h y B o t h e r ?

It’s often said that safety makes economicsense. Unless a company experiences a loss,or critically assesses both the direct andindirect costs of an occurrence, it is oftendifficult to relate to this statement. Thedirect costs are usually easy to quantify,they include damage to the aircraft, com-pensation for injuries and damage to pro-perty and are usually settled through aninsurance claim.

The indirect costs are a little more difficultto assess, these are often not covered or fullyreimbursed by the company’s insurance andthe impact is often delayed. This includesitems such as:

• Loss of business and reputation;

• Legal fees and damage claims;

• Medical cost not covered by workman’s compensation;

• Cost of lost use of equipment (loss of income);

• Time lost by injured person(s) and cost of replacement workers;

• Increased insurance premiums;

• Aircraft recovery and clean-up;

• Fines.

The economic argument is even more salientwhen one considers the following figuresproduced by the Boeing Aircraft Corpora-tion. In 1996, Boeing estimated the averagecost in U.S. dollars of the following:

• In-flight shutdown $500, 000 • Flight cancellation $ 50, 000• Flight delay per hour$ 10, 000

The cost of implementing and maintain-ing a safety management system becomesless significant and well worth the invest-ment when contrasted with the cost ofdoing nothing.

9

Introduction

[ ]

SAFETYMANAGEMENTSYSTEMCOMPONENTS

In order to implement an effective safety management

system it is necessary to define what the organization’s

safety objectives are, what form the system will take and

who will assume responsibility for the system.

Essentially, this involves defining the organization’s

philosophical approach to integrating safety as a

primary business function.

1 safetymanagement plan

11

S a f e t yM a n a g e m e n t

P l a n

An operator's safety managment plan shouldcontain three principle things:

1. A definition of the fundamental approach a company will adopt formanaging safety within their organi-zation. This includes a safety policy that clearly defines what the company’s philosophical approach to safety and the performance goals it has established for itself.

2. Clearly defined roles and responsi-bilities for all personnel involvedin safety.

3. A description of the safety manage-ment system components.

Safety Policy

An operator’s safety policy should clearlystate the company’s intentions, managementprinciples and aspirations for continuous im-provements in the safety level. This can beachieved through documented policies des-cribing what organizational processes andstructures it will use to achieve the safetymanagement system. This should also con-tain a statement outlining the company’sobjectives and the outcomes it hopes toachieve through its safety management system.

It is recommended that the safety policyinclude a description of each element of thesystem as required by the Canadian Avia-tion Regulations. This would resemble thedescription of other systems as detailed in amaintenance control manual (MCM),maintenance policy manual (MPM) or acompany operations manual (COM).

[ ]

Safety ManagementSystem Components

12

Safety Objectives

Mission Statement > The safety objectivesof the organization should provide a startingpoint for the company’s safety policy. Itshould be accompanied by top level statementregarding the company’s commitment toachieving improvements in safety and shouldbe widely publicized and distributed. Forexample, Transport Canada’s mission is todevelop and administer policies, regulationsand services for the best possible transportationsystem for Canada and Canadians - one thatis safe, efficient, affordable, integrated andenvironmentally friendly.

A similar type of pronouncement should bemade by the organization. A typical state-ment outlining the objectives of a safetymanagement program could read:

It is important to ensure that the statedobjectives are achievable and clearly definethe limits within which the company willoperate. They should be unambiguous, welldocumented, readily accessible and shouldbe reviewed on a regular basis.

Safety Goals

Goal setting is vital to an organization’s per-formance. All organizations have their own

ways of setting and expressing goals. In someorganizations the goals are not stated veryexplicitly. Other organizations set goals for-mally and document the process. Regardlessof how management goals are set, feworganizations are good at developing safetygoals. The most common weakness in settingsafety goals is focusing on outcomes. Thisusually means counting accidents, but weknow that safe companies can have accidentswhile less safe operations can be lucky andavoid accidents. Although the ultimate goalis ‘no accidents’, there are more precise anduseful ways of measuring safety, especially ina safe system, than counting accidents.

It is a never-ending struggle to identifyand eliminate or control hazards. We willnever run out of things to do to make the

system safer. Sound man-agement requires that weidentify them, decidehow to achieve them, and hold ourselvesaccountable for achie-ving them. Risk manage-ment procedures canhelp managers decidewhere the greatest risks

are and help set priorities. Sound safety goalsetting concentrates on identifying systemicweaknesses and accident precursors, andeither eliminating or mitigating them.

Safety Performance Measurement

The safety performance of the operationneeds to be monitored, proactively andreactively, to ensure that the key safety goalscontinue to be achieved. Monitoring by

The safety management program aims to continually improvethe safety of ABC airline’s flight operations by identifying,eliminating or mitigating any deficiencies in conditions,policies and procedures, and by ensuring that staff consider atall times the safety implications of their own actions, andthose of their colleagues.


13

audit forms a key element of this activityand should include both a quantitative andqualitative assessment. The results of allsafety performance monitoring should bedocumented and used as feedback toimprove the system.

It is widely acknowledged that accident ratesare not an effective measurement of safety.iii

They are purely reactive and are only effec-

tive when the accident rates are highenough. Furthermore, relying on accidentrates as a safety performance measure cancreate a false impression; an assumptionthat nil accidents indicate the organizationis safe. In reality, there will always be latentconditions within the system that might,if left unattended, lead to an accident.A more effective way to measure safetymight be to address the individual areas ofconcern. For example, an assessment of theimprovements made to work proceduresmight be far more effective than measuringaccident rates.

Performance measurement should be inte-grally linked to the companies stated overall

objectives. This requires two things: thedevelopment and implementation of acoherent set of safety performance measures;and, a clear linkage between the safety per-formance measures and the organization’sbusiness performance measures. This showsa clear relationship between the company’ssafety objectives and the achievement of itsorganizational and business goals.iv A sim-ple example is given in the table below.

Non-Punitive Disciplinary Policies

The company should strive to develop anon-punitive, disciplinary policy as part ofits safety management system. Employeesare more likely to report events and cooper-ate in an investigation when some level ofimmunity from disciplinary action isoffered. When considering the applicationof a non-punitive disciplinary policy, thecompany might want to consider whetherthe event involved willful intent on the partof the individual involved and the attendantcircumstances. For example, has the indivi-dual been involved in an event like thisbefore and did the individual participatefully in the investigation.


Objective Safety Performance measuresv

Business Objective: Reduce Costs Reduction in insurance rates

Safety Objective: Decrease number and • Total number of eventseverity of hangar • Number of damage-only eventsincidents • Number of near-miss accidents

• Lessons learned from event analyses• Number of corrective action plans

developed and implemented

14

A typical disciplinary policy might includethe following statements:

• Safe flight operations are ABC airlines most important commitment. To ensure that commitment, it is imperative that we have uninhibited reporting of all incidents and occurrences that compromise thesafety of our operations.

• We ask that each employee accept the responsibility to communicate any infor-mation that may affect the integrity of flight safety. Employees must be assured that this communication will never result in reprisal, thus allowing a timely, unin-hibited flow of information to occur.

• All employees are advised that ABC Air-lines will not initiate disciplinary actions against an employee who discloses an incident or occurrence involving flight safety. This policy cannot apply to criminal, international or regulatory infractions.

• ABC Airlines has developed Safety Reports to be used by all employees for reporting information concerning flight safety. They are designed to protect the identity of the employee who provides information. These forms are readily available in yourwork area.

• We urge all employees to use this program to help ABC Airlines continue its leadership in providing our customers and employees with the highest level offlight safety.vi

A non-punitive approach to discipline doesnot preclude the use of a general progressiveapproach to discipline in cases where an

employee is involved in similar, recurrentevents. This might involve the followingsteps:

• First offense-Verbal warning

• Second offense-Formal written warning

• Third offense-final written warning (may include suspension)

• Fourth offense-Termination.

Written warnings can remain active for oneyear, after which a letter of recognition forpositive change will be written and attachedto the formal written warning in the person-nel file by the individual’s direct supervisor.

Roles And Responsibilities

An organization should document anddefine the roles and responsibilities of allpersonnel in the safety management system.Furthermore, a statement should be madeattesting that everyone has a responsibilityfor safety. This includes a commitment onthe part of top management to be accoun-table for safety within the company. Thededication and involvement of top manage-ment towards safety and safety practicesshould be clearly visible. It is important thatsenior management is seen to provide astrong and active leadership role in the safe-ty management system. This includes acommitment to provide the resources neces-sary to attain the strategic safety objectivesestablished by the organization. The follow-ing is a list of activities that demonstratetop management’s active commitment to


15

SMS, these include:

• Putting safety matters on the agendaof meetings, from the Board leveldownwards

• Being actively involved in safety activi-ties and reviews at both local and remote sites

• Allocating the necessary resources, such as time and money, to safety matters

• Setting personal examples in day-to-day work

• Receiving and acting on safety reports submitted by employees

• Promoting safety topics in company publications.vii

The ideal safety culture embodies a spirit ofopeness and should also demonstrate sup-port for staff and the systems of work.Senior management should be accessibleand dedicated to making the changes neces-sary to enhance safety. They should be avail-able to discuss emerging trends and safetyissues identified through the System. A posi-tive safety culture reinforces the entire safetyachievement of the company and is criticalto its success.

Documentation Of Roles And Responsibilities

The following guidelines highlight some ofthe key areas that should be documented:

• The safety responsibilities for eachposition and task

• The competencies required for each position

• The line of responsibility for ensuring all staff are competent and trained for their duties and for ensuring that training takes place, and

• The responsibilities of the manager responsible for externally suppliedservices. All unapproved contracting companies should meet the company’s own SMS standards or an equivalentto them.


16

This diagram shows where existing organi-zational bodies, such as the safety office, fitinto the safety management system. To putthis in today’s context, in many organiza-tions the safety office is considered to be astand-alone entity equal to any other opera-tional body. The functions specific to thesafety management system are concentratedwithin this silo and are not distributed throughout the organization. Safety man-agement is a business function comparableto any other function in the operation. Inthe same way that financial considerationsare integrated into the organization, so

should safety management considerations.In SMS, safety is considered to be every-one’s responsibility and is not unique to thesafety office.

Individual Roles and Responsibilities

The effective management of safety requiresa clear delineation of all lines of authoritywithin the organization. There should be aclear understanding of the accountability,responsibility and authority of all individu-als involved in the system. An effort shouldbe made to document and distribute theorganogram throughout the company,

Figure I demonstrates one possible organizational scenario that would meet the organiza-tional requirements and reporting relationships, as detailed in the approved notice of pro-posed amendments to the Canadian Aviation Regulations. The solid lines represent reportingrelationships, whilst the broken line represents lines of communication.

Figure I: Sample SMS Organogram


17

thereby promoting a common understan-ding of everyone’s role in the safety manage-ment system. Figure I offers an example ofhow the lines of responsibility might beestablished. In this diagram the safety man-agement system functions are performed bythe quality assurance manager and the flightsafety officer. In other organsiations, thesefunctions might be dispersed throughoutthe technical or operational area, therebyproviding a safety management system thatis fully integrated into all line activities.

Management’s role, responsibilities andaccountabilities for the SMS and organiza-tional deficiencies identified through thesystem should be well defined and the linesof authority clearly understood. As stated inthe proposed regulatory requirements, theserequirements include:

• The accountable executive is responsible for establishing and maintaining the safety management system;

• The functional area, that is the area of direct responsibility, maintenance or flight operations for example, is respon-sible for the safety program;

• Everyone is responsible for safety in the organization. This includes operations and maintenance personnel as well as individuals in other non-technical areas such as marketing and customer service;

• SMS specific functions must be exerci-sed by an individual employed within the operational area in which he/she works. The exception to this rule is in cases where the size of the operation,

reasonably precludes the application of dedicated resources to this activity;

• The person responsible for the affected functional area, the Director of Opera-tions or Maintenance for example, is accountable for determining and implementing appropriate comprehensive corrective actions. The reason for thisis threefold:

> The functional director, that is the person with direct line responsibility forthe affected area, is directly involved inthe decision making process. In mostcases, he/she has the knowledge andexpertise to recommend effective cor-rective and preventative actions and hasthe authority to assign the appropriateresources where required.

> The functional director must assumeresponsibility for safety within his/herown area of responsibility. In this wayhe/she is involved in the “safety” processand is accountable for issues that arisein his/her functional area.

> A quality assurance function is pro-vided because event investigations andcorrective actions, are separate activities.This eliminates the potential for con-flict of interest because the person whoidentifies the problem is not the personwho determines what the correctiveaction is. This does not preclude discus-sion of safety findings within a safetycommittee environment; however, thefinal say on any remedial action resideswith the responsible functional director.


18

The development of a positive safety cultureis predicated on the involvement of all facetsof the organization in the safety process.The objective of this requirement, therefore,is to involve all parties in the safety manage-ment system, thereby fostering a companywide commitment to safety management.

Delegation Of Tasks To Effectively Operatethe Safety Management System

To ensure that the SMS operates effectivelyit is essential that the following tasks be dele-gated to company personnel as appropriate.The roles, responsibilities and accountabili-ties of each individual/position should bewell defined and the lines of responsibilityclearly understood. As stated in the pro-posed regulatory requirements, he/she isresponsible for:

• Establishing and maintaining a reporting system to collect safety related data

• Conducting hazard identification and risk management analysis

• Conducting periodic reviews to determine the effectiveness of the program

• Developing and evaluating the results of safety initiatives

• Monitoring industry safety concerns that could affect the organization

• Determining the adequacy of training programs, and

• Advising reporters of the results of event analyses.

Safety Office

There is no regulatory requirement to havea safety office. It is recognized, however,that larger organizations may choose toemploy a safety office as a consultative oradministrative body. In these cases, the safe-ty office may act as a repository for safetyrelated reports and information, occupa-tional health and safety issues, as well asprovide risk assessment and data analysisexpertise to the functional managers. Thesafety office may provide data directly to theaccountable executive regarding major safetyissues identified by the system. It should benoted that the responsibility for informingthe accountable executive of major safetydeficiencies identified within their responsi-ble area remains with the appropriate func-tional director. Furthermore, whilst the safe-ty office may be involved in discussionsregarding possible corrective action, it is theresponsibility of the functional director todetermine what the corrective action will beand to ensure the outcome is monitoredand evaluated. The safety office does nothave the authority to overturn operationaldecisions related to safety issues identifiedby the system or the safety managementsystem itself.

Safety Committee

The use of a safety committee in larger,more complex organizations can providebenefits to the organization. Safety commit-tees provide a forum for discussing safetyrelated issues from a cross-functional per-spective and may lead to the inclusion ofissues that look at safety from a broaderviewpoint. Conventional health and safety


19

at work concerns are a good example ofthis. Frequently, safety issues are not limitedto one specific area and require inputs andexpertise from a variety of different fields.Safety committees provide a forum for thisdialogue and can be utilized to assess the effec-tiveness of the system from a “big picture”perspective. They also provide a means bywhich safety achievements can be reviewedand safety information broadcast.

The safety office may coordinate and pro-vide administrative assistance to the safetycommittee. It can also be a stand-aloneentity; meaning, one can exist without theother. The accountable executive could bethe chair of this committee and all parts ofthe organization must be represented. Thisdoes not preclude the existence of sub-com-mittees with specific areas of responsibility.

Employee Involvement In The DevelopmentAnd Implementation Of The System

A successful safety management systemrequires a focused sense of ownershipthroughout the system. Whilst it is essentialthat top management commit to doingwhatever it takes to improve safety, it isequally important that all employees feelthey have a system that values their inputand is responsive to their contributions andideas. In order to achieve this, all employeesshould have the opportunity to contributeto the development and implementation ofthe safety management system. Employeesare ideally placed to understand the mostefficient and appropriate safety manage-ment mechanisms for their work environ-ment. Their involvement in the decision-

making process not only fosters ownershipof the system, it also promotes a positivesafety culture.

In effect, the organization is striving to cre-ate a shared vision. As such, it is not suffi-cient for the accountable executive to makea safety policy statement outlining what theorganization is committing to, without firstacquiring feedback from all employees. Theproblem with top down vision statements isthat they reflect management’s vision anddo not always build on the individual’s per-sonal vision. The result can be an authori-tarian statement that does not inspire theachievement of a common goal - in thiscase safety. When people truly share a com-mon vision they are united in a commonaspiration, they have a common identityand they have ownership in the system.viii

Description of System Components

The safety management system plan mustinclude a description of each componentof the system and should clearly describethe interrelationships between each ofthese components. This is essential if com-pany personnel, and the regulator, are tounderstand how the whole system is inte-grated. The documentary requirements forthis element are discussed under the docu-mentation section.


2 documentation

21

d o c u m e n t a t i o n

Up to date documentation is essential if the company is to operate in a safe and efficientmanner in accordance with current aviationsafety regulations, standards and exemp-tions. For this reason an operator’s SafetyManagement System must address the fourfollowing documentary requirements.

• The identification of applicable aviation safety regulations

• Consolidated documentation describing the systems for each component of the safety management system.

• The implementation of changes to com-pany documentation required by changes to aviation safety regulations, standards and exemptions.

• The maintenance of current, applicable and effective documentation.

The following paragraphs provide detail asto how this might be accomplished.

Identification of ApplicableAviation Safety Regulations,Standards and Exemptions

The company must have a process for docu-menting the regulations, standards andexemptions by which it is regulated for thevarious activities it conducts. This docu-mentation may reside in the company oper-ations, maintenance policy manual, main-tenance control manual or the companysafety management program documentationas appropriate, but must be available toemployees. The statement could be assimple as:

This company is governed by the followingaviation safety regulations, standards andexemptions…(list as appropriate).

The company must provide employees withaccess to all pertinent technical and regulato-ry information. This can be accomplished byhaving appropriate documentation on site, orby having access to the information throughother appropriate means that provides thesame accessibility as on site documentation.

[ ]


22

Documentation DescribingSystem Components

The requirement for a description of eachcomponent of the safety management sys-tem was discussed as an element of the safe-ty management plan. Consolidated docu-mentation describing each component ofthe system is essential if company person-nel, and the regulator, are to understandhow the whole system is integrated.

For air operators, this documentation mustreside in the company operations manual.Current regulation requires that air opera-tors have a description of their operationalcontrol systems. The requirement for safetymanagement system components could beaddressed in the same fashion.

Implementing Changes ToCompany Documentation

When changes to company documentationare required the company must have a pro-cess in place to ensure these changesare implemented.

It is recommended that the process usedidentify the individual responsible for theactivity and the procedure to be followed.The process should provide for early identi-fication of amendments. This will allow thecompany to be proactive in addressing anyrequired changes to company documentsand procedures.

This process could be as simple as designa-ting an individual with the appropriate

knowledge as responsible for receiving anyincoming correspondence of a regulatorynature i.e. CBAACs, AIP amendments,Airworthiness Notices, etc. These would bereviewed to identify any changes pertinentto the company operation. If changes werenecessary the process would allow for a trig-ger to commence the amendment process tocompany documentation as necessary.

Maintenance Of Current,Applicable And EffectiveDocumentation

It is the company’s responsibility to main-tain current regulatory and company docu-mentation. This includes regulations, stan-dards and exemptions as well as the COM,the MPM and the MCM. Any changes inSMS documentation, if this is containedin a stand-alone manual, should alsobe included.

Activities that cause company documenta-tion to become outdated are mainly due tochanges within the company itself orchanges to regulatory information. Toaddress these occurrences the companymust have processes in place to:

• Identify any changes within the organi-zation that could affect company docu-mentation.

• Periodically review regulatory informa-tion to ensure the most current infor-mation is available.

• Periodically review documentation such as the Maintenance Policy Manual, Company Operations Manual or Safety


23

Management Program documentation to ensure compliance with currentregulations.

A process to address changes within theorganization could consist of a trigger toreview company documentation at any timea change to the company operations orstructure occurs or is planned to occur.

Specific events or dates could triggerprocesses for periodic reviews of regulatoryinformation and company documentation.These dates could be selected to augmentother company activities.


safetyoversight3

25

S a f e t yO v e r s i g h t

Safety oversight is fundamental to the safetymanagement process. A principal tenet ofsafety management policies, principles andprocedures requires an organization to criti-cally review its existing operations, proposedoperational changes and additions or replace-ments, for their safety significance. This isachieved through two principal means:

• Reactive - Occurrence/hazard reporting, and

• Proactive - Safety assessments.

For the most part these are two distinct ele-ments in the safety management system:one is reactive, the other proactive. Thebasic difference is the method of discovery:the reactive process responds to events that

have already occurred, whilst the proactivemethod actively seeks to identify potentialhazards through an analysis of the everydayactivities of the company. The exception tothis rule occurs when a potential hazard hasbeen reported through the company’s safetyreporting program.

Once an occurrence has been reported, or ahazard identified, the procedures for dealingwith these issues follow the same process, asshown in figure 2. This section will reviewthe specifics involved with the reactive andpro-active processes and will discuss thecommonalities involved.

[ ]


26

Reactive Processes

Occurrence and Hazard Reporting

Every event is an opportunity to learn valu-able safety lessons. The lessons will only beunderstood, however, if the occurrence isanalyzed so that all employees, includingmanagement, understand not only whathappened, but also why it happened. Thisinvolves looking beyond the event andinvestigating the contributing factors, the

organizational and human factors within theorganization, that played a role in the event.

To achieve this, the company should main-tain procedures for the internal reportingand recording of occurrences, hazards andother safety related issues. The collection oftimely, appropriate and accurate data willallow the company to react to informationreceived, and apply the necessary correctiveaction to prevent a recurrence of the event.

Figure 2: Safety Management System Process Flow

Figure 2 shows the process flow involved with the collection of data within a safety manage-ment system.


27

The key to accomplishing this is to have areporting system that meets the needs of thepeople who will be using it - the employees.As such, employee input into the develop-ment of the system is vital. A safety report-ing system is worthless if no one uses it; theimportance of the employee in the wholeprocess, therefore, should not be minimized.An attendant non-punitive discipline policy,and a real and demonstrated commitment bymanagement to achieve the company’s safe-ty goals, will help to foster the developmentof a reporting culture within the company.

An operator’s safety reporting system shouldencompass the following fundamentalelements:

1. Systems for reporting hazards, events or safety concerns;

2. Systems for analyzing data, safety reports and any other safety related information;

3. Methods for the collection, storage and distribution of data;

4. Corrective action and risk reduction strategies;

5. On-going monitoring, and

6. Confirmation of the effectiveness of corrective action.

Systems for Reporting Hazards, Events andSafety Concerns

Employees must have a means of reportingall events and emerging hazards to anappropriate manager, as identified in thecompany manual. The manager will thenforward it to the data bank for processing.

The reporting system should be simple,confidential and convenient to use andshould be complemented with a non-puni-tive disciplinary policy. These attributes,accompanied by efficient follow-up mecha-nisms acknowledging to the reporter that areport has been received, investigated andacted upon, will encourage the developmentof a reporting culture. The results should bedistributed to the individual involved andthe population at large.

There are many reporting programs in placefor all types of operations. It is important toestablish a system that suits the size andtechnology level of the operational environ-ment. In smaller operations, reportingmight be achieved through a simple writtenform deposited in a conveniently situated,secure box. Larger organizations may employa more sophisticated, on-line safety report-ing system. Under certain conditions it maybe more expedient to submit a verbalreport; without exception, however, thisshould be augmented with a written report.

At a minimum, report forms should allowfor a full description of the event and pro-vide space for the reporter to offer sugges-tions as to possible solutions to the problembeing reported. Reports should employ acommon and clearly understood taxonomyfor error classification. Simply put, this isthe division of error types into orderedgroups or categories. It is important thatreporters and investigators share a familiarlanguage to explain and understand thetypes of errors that are contributing toevents. This will facilitate more accuratedata inputs and trend analysis.


28

No matter what reporting system is utilized,its effectiveness will depend on four things:

• Employees clearly understand what they should report;

• All reports are confidential;

• Individuals are provided feedback on their reports in a timely fashion;

• The company as a non-punitive disci-plinary policy in place.

Why report?

All events require appropriate investigationin order to:

• Establish their root cause, that is the underlying initial contributing factor(s) that caused the event, and identify actions to minimize the chance ofrecurrence;

• Satisfy any regulatory requirements for reporting and investigation as per the Canadian Aviation Regulations;

• Provide a factual record of the circum-stances of the event or hazard to allow others to learn from the situation; and

• Categorize the underlying causes and establish the appropriate remedial and continuous improvement action.ix

What should be reported?

Knowing what to report plays a key role inan active reporting program. As a generalrule, any event or hazard with the potentialto cause damage or injury should be report-ed. Examples of these issues are:

• Excessive duty times

• Crews rushing through checks

• Inadequate tool or equipment control

• Unruly passengers

• Emergency exit paths blocked

• Incorrect or inadequate procedures,and a failure to adhere to standardprocedures

• Poor communication between opera-tional areas

• Lack of up to date technical manuals

• Poor shift changeovers

• Runway incursions

• Lack of adequate training and recurrent training.

Report Investigation and analysis

Every event should be investigated. Theextent of the investigation will depend onthe actual and potential consequences of theoccurrence or hazard. This can be determinedthrough a risk assessment (see figure 2).Reports that demonstrate a high potentialshould be investigated in greater depth thanthose with low potential.

The investigative process should be compre-hensive and should attempt to address thefactors that contributed to the event, ratherthan simply focusing on the event itself -the active failure. Active failures are theactions that took place immediately prior tothe event and have a direct impact on thesafety of the system because of the immedi-acy of their adverse effects. They are not,however, the root cause of the event; assuch, applying corrective actions to theseissues may not address the real cause of theproblem. A more detailed analysis is requiredto establish the organizational factors thatcontributed to the error.


29

The investigator, or team of investigatorsmust be technically competent and eitherpossess or have access to background infor-mation, so the facts and events are inter-preted accurately. The investigator shouldhave the confidence of the staff and theinvestigation process should be a search tounderstand how the mishap happened, nota hunt for someone to blame.

Event Investigation

There are many tools that can be utilized toinvestigate events. An initial risk assessmentmay help determine the type of investiga-

tion that is conducted, or a company mayemploy a predetermined event investigationformat regardless of the event. It is up tothe individual company to determine whichis the most appropriate method for theirorganization.

The Maintenance Error Decision Aid(MEDA) and the Procedural Event AnalysisTool (PEAT) developed by Boeing areexamples of tools designed to investigatemaintenance and operational events. BothMEDA and PEAT apply the followingprocess flow:

Figure 3: MEDA/PEAT Process Flow


30

Boeing developed MEDA and PEAT toaddress the human performance factors thatmust be considered during an event investi-gation. There are slight differences with theinvestigative process employed in MEDAand PEAT. For example, PEAT focuses onthe key event elements and identifies keyunderlying cognitive factors that contribu-ted to the procedural deviation. The objec-tive of the process is to help the investigatorto arrive at valid, effective recommendationsaimed at preventing the occurrence of simi-lar types of procedural deviation. In con-trast, MEDA looks at the organizationalfactors that can contribute to human errorsuch as poor communication, inadequateinformation and poor lighting.

Both MEDA and PEAT are based on thephilosophy that traditional efforts to investi-gate errors are often aimed at identifyingthe employee who made the error. The usualresult is that the employee is defensive andis subjected to a combination of disciplinaryaction and recurrent training. Becauseretraining often adds little or no value towhat the employee already knows, it may beineffective in preventing future errors.

In addition, by the time the employee isidentified, information about the factorsthat contributed to the event has been lost.Because the factors that contributed to theerror remain unchanged, the error is likelyto recur, setting what is called the “blameand train” cycle in motion again. To breakthis cycle, both MEDA and PEAT employinvestigative techniques that look for thefactors that contributed to the error, ratherthan looking for someone to blame.

The MEDA Process

Both MEDA and PEAT employ a basicfive-step process for operators to follow(see figure 3 for the process flow). As pre-viously stated, there are slight differencesin the investigative focus between PEATand MEDA, the process flow, however, isthe same. In the MEDA process there arefive steps:

• Event - An event occurs, such as a gate return or air turn back. It is the respon-sibility of the of the maintenance organisation to select the error-caused events that will be investigated.

• Decision - After fixing the problemand returning the airplane to service, the operator makes a decision: Wasthe event maintenance-related? If yes, the operator performs a MEDAinvestigation.

• Investigation - Using the MEDA results form, the operator carries out an investigation. The trained investigator uses the form to record general informa-tion about the airplane, when the main-tenance and the event occurred, the event that began the investigation, the error that caused the event, the factors that contributed to the error, and a list of possible prevention strategies.

• Prevention Strategies - The operator reviews, prioritizes, implements, and then tracks prevention strategies (process improvements) in order to avoid or reduce the likelihood of similar errors in the future.

• Feedback - The operator provides feed-back to the maintenance workforce so


31

technicians know that changes have been made to the maintenance system as a result of the MEDA process. The operator is responsible for affirming the effectiveness of employees’ participation and validating their contribution to the MEDA process by sharing investigation results with them.x

The PEAT Process

The primary focus of PEAT is to find outwhy a serious event occurred and if a proce-dural deviation is involved. As such, PEATrelies heavily on the investigative philosophythat professional flight crews very rarely failto comply with a procedure intentionally,especially if doing so is a safety risk. ThePEAT methodology comprises threeelements:

• A process - PEAT provides an in-depth, structured analytic process consisting of a sequence of steps that guides the investigator through the identification of key contributing factors and the development of effective recommenda-tions aimed at the elimination of similar errors in the future. This includes col-lecting information about the event, analyzing the event for errors, classifying the error and identifying prelimi-nary recommendations.

• Data storage - to facilitate data analysis PEAT provides a database for the stor-age of procedurally related event data. Although designed as a structured tool, PEAT also provides the flexibility to allow for the capture and analysis of narrative information as needed. This allows airlines to track their progress in

addressing issues revealed by PEAT analyses and to identify emerging trends.

• Analysis - using the PEAT tool in atypical analysis of a procedurally related event, a trained investigator will consi-der the following areas and assess their significance in contributing to flight crew decision errors:

> Flight Phase where error occurred> Equipment factors

" The role of automation" Airplane deck indications" Airplane configuration

> Other stimuli (beyond indications)> Environmental factors> The procedure from which the error

resulted" The status of the procedure" Onboard source of the

procedure" Procedural factors

(e.g. negative transfer, imprac-tical, complexity, etc)

" Crew interpretation of the rele-vant procedure

" Current policies, guidelines/ policies aimed at preventionof event)

> Crew Factors" Crew intention" Crew understanding of situa-

tion at the time of procedure execution

" Situation awareness factors (e.g. Vigilance, attention, etc.)

" Factors affecting individual performance (e.g. fatigue, workload, etc.)


32

" Personal and corporatestressors, management or peer pressure, etc.)

" Crew coordination/communication

" Technical knowledge/skills/experience

> Other factors…

PEAT provides consistency in applicationand results. The PEAT form is designed tofacilitate the investigation of specific typesof events, i.e. those involving non-adher-ence to procedures. As such, it addresses allthe pertinent elements.xi

Pro-Active: Safety Assessment

For a safety management system to transi-tion from a reactive to a proactive, it mustactively seek out potential safety hazardsand evaluate the associated risks. This canbe achieved through a safety assessment. Asafety assessment allows for the identifica-tion of potential hazards and then appliesrisk management techniques to effectivelymanage the hazard.

A certificate holder’s safety assessment sys-tem should encompass the following basicelements:

1. Systems for identifying potential hazards2. Risk management techniques3. On-going monitoring/quality assurance.

Hazard Identification

Hazard identification is the act of identify-ing any condition with the potential ofcausing injury to personnel, damage to

equipment or structures, loss of material, orreduction of the ability to perform a pre-scribed function. In particular, this includesany conditions that could contribute to therelease of an un-airworthy aircraft, or to theoperation of aircraft in an unsafe manner.This can be achieved through internalreporting mechanisms, such as flight datamonitoring programs, or through an assess-ment of the processes used to perform aspecific operation. This involves an on-going assessment of the functions and sys-tems, and any changes to them, and thedevelopment of a safety case to proactivelymanage safety. Safety assessments are a coreprocess in the safety management constructand provide a vital function in evaluatingand maintaining the system’s safety health.

Understanding the hazards and inherentrisks associated with everyday activitiesallows the organization to minimize unsafeacts and respond proactively, by improvingthe processes, conditions and other systemicissues that lead to unsafe acts. These include- training, budgeting, procedures, planning,marketing and other organizational factorsthat are known to play a role in many sys-tems-based accidents.xii In this way, safetymanagement becomes a core-business func-tion and is not just an adjunct managementtask. It is a vital step in the transition froma reactive culture - one in which the organi-zation reacts to an event, to a proactive cul-ture, in which the organization activelyseeks to address systemic safety issues beforethey result in an active failure.


33

Assessment frequency

A safety assessment should be undertaken,at a minimum:

• During implementation of the safety management system and then at regular intervals;

• When major operational changes are planned;

• If the organization is undergoing rapid change, such as growth and expansion, offering new services, cutting back on existing service, or introducing new equipment or procedures; and

• When key personnel change.xiii

Information Sources for DeterminingPotential Risks > Assessing potentialrisk is often perceived as resource intensiveand unduly onerous. It doesn’t have to be.There are numerous sources of readilyaccessible information that can be utilizedto better understand potential risk withinan organization. The following list detailssome of the possible resources:

• Company Experience - Existing safety reports detailing events and near misses. Minutes of safety meetings and comit-tee meetings can also reveal potential areas of concern.

• Line management Judgement - All linemanagers will have perceptions of where the greatest risks are in their areas of accountability.

• Workplace opinions - Actively seekthe input of the workforce. This can be achieved through focus groups, consul-ting employee representatives and con-ducting structured vulnerability analyses with subordinate managers andsupervisors.

• Audit Reports - The company’s internal audit system should contain a struc-tured record of areas of concern in a prioritized format. A review of audit reports and remedial action plans (including an assessment of follow-up action completions) should conducted. Corporate memories are often much shorter than the current incumbents realize and research beyond 5 to 10 yearscould reveal important information.

• Corporate hazard analysis - Records of previously conducted formal hazard analyses may reveal risk exposures, which did not appear very significant at the time, but do now, in light of the changed circumstances.

• Industry generic hazard register - Hazards/risks identified by other orga-nizations might trigger concerns that should be addressed by the company.

• Safety data recording systems - Mandatory occurrence reporting pro-grams such as CADORs and industry safety data exchange programs like BASIS can be consulted.xiv


34

Active Monitoring Techniques >There are several active monitoring methodsthat can be employed in safety assessment,these include:

• Inspections - Determines adherence to requirements, plans and procedures by inspection of premises, plant and equip-ment or activities. Usually achieved through detailed inspection of actual specific target area activities against planned methods of procedures. Tends to be focused at the task level.

• Management safety inspections - Determines the effectiveness of systems and demonstration of line commitment. Usually achieved through examination of managers or teams that focus on peo-ple’s activities and the system they use.

• Audits - Verifies conformance with esta-blished guidelines and standards. Usually achieved through systematic independent review of an organization’s systems personnel, facilities, etcetera using a predetermined targeted scope of coverage. Tends to be focused at the process level.

• Process and practice monitoring - Identifies whether the procedure in use is relevant and actively used and the practices employed are in line with the requirements of the procedures.

• Review - Provides an overview of the processes involved in a work area orsystem for their effectiveness and appro-priateness. Resource allocation is often a target of a review.xv

Checklist Usage > In most qualityassurance systems, audit checklists are usedto collect data related to the system. Thesame type of checklist should be utilized toprovide a safety assessment of the company.This will allow the company to develop asafety case, an analysis of safety issues with-in the organization that adequately portraysthe safety level of the company.

Safety Risk Profiling > Once potentialrisks have been identified it is useful to fullyunderstand the impact that they might haveif they remain unchecked. In order to deter-mine this, a full risk assessment should beconducted. This process is described inCommon Elements below and should beapplied to both the reactive investigationsand pro-active safety assessments an organi-zation conducts.

Safety risk profiling should look at theentire organization and identify levels ofrisk within the company. Examples of areasthat should be considered are:

• Operational factors, such as weather information and approach aids

• Technical factors, such as parts inter-changeability and aircraft type

• Human factors, such as availability of equipment, working environment and human resources.

Common Elements

Occurrence and hazard reporting and safetyassessment are two individual functionswithin the safety management system.


35

Once a report has been submitted, however,the process flow is the same. The followingrepresent common element in both ele-ments that should be considered whendeveloping a safety management system.

Reporting Procedures

The process for reporting an event or a haz-ard should be as simple as possible. Reportsubmission procedures should be well docu-mented and should include details of whereand to whom reports should be submitted.This will reduce confusion over where safetyreports go and will ensure that all events arebrought to the attention of the appropriateperson.

When designing a safety report form it isimportant to consider that the form may beused to submit information regarding eventsand hazards. The form should be structuredin such a manner that it can accommodateboth the reactive and proactive type ofreporting. Sufficient space should beallowed for reporters to identify suggestedcorrective actions related to the issue theyare reporting.

There are many possible ways in which areport can be submitted. The size and com-plexity of the organization will determinehow sophisticated the system is. In somecases this might involve having a lockedpostbox on the hangar floor, in other casesit might be more effective to submit reportsdirectly to the safety office. It is up to theindividual organization to determine themost suitable method.

Data Collection

When producing an occurrence or hazardreport every effort should be made to ensurethat the form is easy to understand and userfriendly. The company should strive tomake all reporting forms compatible foreach area of the operation. This will facili-tate data sharing, trend analysis and willalso make the occurrence or hazard investi-gation process easier.

Depending on the size of the organization,the most expedient data collection methodmight be to utilize existing paperwork, suchas flight and maintenance reports. The useof hand written reports or the informationderived from verbal reports is equallyacceptable. As previously stated, however,verbal accounts should always be followed-up with a written report.

Reporting can also be achieved through theuse of a dedicated occurrence and hazardreport. A general off-the-shelf softwarepackage can be used or a predefined report,generated from integrated systems such asthe British Airways Safety InformationSystem (BASIS), the Aviation QualityDatabase (AQD) report or the AviationEvents Reports Organiser (AERO). Thesetypes of system are all inclusive; they gener-ate reports, collect and store data and canbe used to provide trend analysis and safetyreports.

Data Collection Systems

BASIS, AQD and AERO are examples ofelectronic data collection systems designed


36

for use in a variety of different sized organi-zations. The use of pre-existing electronicdata collection and storage is not a safetymanagement system requirement. A simpleMicrosoft ACCESS database or a manualfiling system can be utilized.

Risk Management

Risk management is a proactive activity thatlooks at the risks associated with identifiedhazards and assists in selecting actions tomaintain an appropriate level of safety whenfaced with these hazards.

Once hazards have been identified, eitherthrough occurrence/hazard reporting, or asafety assessment the risk management pro-cess begins. Risk management is an evalua-tion of the potential for injury or loss dueto a hazard and the management of thatprobability. This concept includes both thelikelihood of a loss and the magnitude. Thebasic elements of a risk managementprocess are:

• Risk Analysis• Risk Assessment• Risk Control• Monitoring

Risk Analysis is the first element in the riskmanagement process. It encompasses riskidentification and risk estimation. Once ahazard has been identified the risks associa-ted with the hazard must be identified andthe amount of risk estimated.

Risk Assessment takes the work completedduring the risk analysis and goes one step

further by conducting a risk evaluation.Here the probability and severity of the hazard are assessed to determine the levelof risk. Figure 4 shows one example of arisk assessment matrix. In this diagram thematrix defines a method to determine thelevel of risk.

To use the risk assessment matrix effectivelyit is important that everyone has the sameunderstanding of the terminology used forprobability and severity. For this reason de-finitions for each level of these componentsshould be provided.

It is up to individual company to definewhen intervention is required, in otherwords, the company must decide where itstolerable level of risk is. Figure 5 providesan example of what this risk classificationindex might look like. The description

Figure 4: Risk Analysis Matrix


37

should indicate the action required and ifnecessary a timeframe for completion.

There are a number of examples of riskassessment and classification matrixes andtheir definitions available. Some of theseutilize economic indicators such as dollarfigures to define the level of acceptable risk.

Risk Control addresses any risks identifiedduring the evaluation process that requirean action to be taken to reduce the risks toan acceptable level. It is here that a correc-tive action plan is developed.

Monitoring is essential to ensure that oncethe corrective action plan is in place, it iseffective in addressing the stated issues orhazards.

Existing Risk Management Processes.There are a number of existing processesthat can assist a company in meeting theregulatory requirements for a risk assess-ment component to their safety manage-ment system. These processes vary consider-

ably in their scope and complexity. It isimportant that the process selected meets

the capabilities and requirements of thecompany in question. Following are only afew examples of processes that include therequired components:

Canadian Standards Association (CSA)Standard CAN/CSA-CEI/IEC 300-9-97,Dependability management - Part 3Application Guide - Section 9: Risk Analysisof Technological Systems. This document pro-vides the guidelines for selecting and imple-menting risk analysis techniques, primarilyfor risk assessment of technological systems.It contains guidelines regarding:

> Risk analysis concepts> Risk analysis processes> Risk analysis methods

CSA Standard CAN/CSA-Q850-97 RiskManagement: Guideline for Decision Makers.This guideline is intended to assist decisionmakers in effectively managing all types of

Values Risk Levels Action

1 - 6 Minimum Risk Proceed after considering all elements of risk.

6 - 14 Moderate Risk Continue after taking action to manage overall level of risk.

15 - 25 High Risk STOP: Do not proceed until sufficient control measures have been implemented to reduce risk to an acceptable level.

Figure 5: Risk Analysis Matrix


38

risk issues, including injury or damage tohealth, property, the environment, or some-thing else of value. It describes a process foracquiring, analyzing, evaluating, and com-municating information that is necessary fordecision-making. The guideline provides adescription of the major components of therisk management decision process using astep-by-step process as follows:

> Initiation> Preliminary Analysis> Risk Estimation> Risk Evaluation> Risk Control> Action/Monitoring

Tripod Delta. > This program is a proac-tive error management tool that encompass-es risk analysis within its overall scope. Thisprogram was originally designed for the oiland gas exploration and production opera-tions of Shell Internationale PetroleumMattschappij, however, it has beenemployed in a wide variety of operations.Tripod Delta looks at the whole system andidentifies potential hazards. This programtakes its name from the three areas or ‘feet’on which it focuses. Each foot of the tripodhas an effect on the other. The feet are rela-ted as follows:

• The first foot represents hazards and unsafe acts.

• The second foot follows and focuses on accidents, incidents and losses that result when the performance of unsafe acts penetrate the defenses and produce bad outcomes.

• The third foot is concerned with what has been termed General Failure Types (GFTs) and addresses system failures, in part, through the identification of latent conditions that are associated with past occurrences (the second foot).

In the past most remedial measures wereaimed at the first two feet, however, theseare programmatic fixes and do not necessa-rily address system failures. By including thethird foot, and minimizing the impact ofGFTs, exposure in the first area or foot ofhazards and unsafe acts is reduced.xvi

Commercially available Software Programs. >There are a number of software programs,which advertise a risk analysis component,available to operators. Some are directlyfocused on the safety management aspectwithin aviation and others are more genericin nature, but may meet individual compa-ny requirements. Information on these pro-grams is readily available on the internet.

Corrective Action Plan

Once a safety event report has been investi-gated and analysed, or a hazard identified, asafety report outlining the occurrence, andif available, the results of a hazard assess-ment, should be given to the appropriatedirector for determination of corrective orpreventative action. The functional directorshould develop a corrective action plan(CAP), a plan submitted in response tofindings, outlining how the company pro-poses to correct the deficiencies documen-ted in the findings. Depending on the find-ings the CAP might include short-term andlong-term corrective actions. As an example,Transport Canada’s Inspection and Audit


39

Manual defines these in the followingmanner:

" Short-Term Corrective Action - This action corrects the specific issuespecified in the audit finding and is preliminary to the long-term action that prevents recurrence of the prob-lem. Short-term corrective action should be completed by the date/ time specified in the correctiveaction plan.

o Long-Term Corrective Action - Long-term corrective action has two components. The first element involves identifying the root cause of the problem and indicating the measures the auditee will take to pre-vent a recurrence. These measures should focus on a system change. The second component is a timetable for implementation of the long-term corrective action. Long-term correc-tive action should include a proposed completion date.

Some long-term corrective actions may require time periods in excess of the company’s established acceptable timeframe, for example where major equipment purchases are involved. Where applicable, the company shouldinclude milestones or progress review points not exceeding the established timeframe leading up to the proposed completion date. Where the short-term corrective action taken meets the requirements for long-term cor-rective action, this should be stated in the long-term corrective action section on the corrective action form.xvii

On-Going Monitoring

In order to ensure the effectiveness of theremedial measures, the corrective actionsshould be monitored and evaluated on aregular basis. Follow-up activity should beconducted through the internal auditprocess. This should include comprehensivedocumentation of audit findings, correctiveactions and follow-up procedures.

Information Dissemination

All safety related information should be dis-seminated throughout the organization.Keeping current on safety provides betterbackground for understanding aspects ofthe organization’s safety condition anddeveloping novel solutions to difficult pro-blems. This can be accomplished by sub-scribing to safety related programs, makingrelevant Transportation Safety Board (TSB)reports available, and encouraging staff toparticipate in safety related training, semi-nars and workshops. Manufacturers can alsoprovide important safety information andreliability data related to the company’sspecific needs.

Another aspect of information dissemina-tion is feedback on safety reports submis-sions. Employees should be notified when asafety report is received or when a potentialsafety threat is discovered. Further informa-tion should be provided pursuant to investi-gation, analysis and corrective action. Infor-mation dissemination can also be achievedthrough the publication of a company mag-azine or through the company website. Thecompany should endeavor to inform allemployees as to where safety related infor-mation can be found. In this way the entirecompany becomes aware of safety issues andunderstands that the company is activelyseeking to address these issues.


training4

41

Tr a i n i n g

In order for employees to comply with allsafety requirements, they need the appropri-ate information, skills and training. To effec-tively accomplish this, the company shoulddocument the training requirements foreach area of work within the company.

The type of training to be offered is alreadymandated via regulation for certain posi-tions in the company. This includes initial,recurrent and update training requirementsand, where required, training specific to theoperation of the safety management system.These regulations will provide a good start-ing point to identify what training is required.

It is recommended that a training file bedeveloped for each employee, includingmanagement, to assist in identifying andtracking employee training requirements.


[ ]

qualityassurance5

43

Q u a l i t yA s s u r a n c e

A quality assurance system (QAS) definesand establishes an organization’s quality po-licy and objectives. It also allows an organi-zation to document and implement the pro-cedures needed to attain these goals. A pro-perly implemented QAS ensures that proce-dures are carried out consistently, that pro-blems can be identified and resolved, andthat the organization can continuouslyreview and improve its procedures, productsand services. It is a mechanism for maintain-ing and improving the quality of productsor services so that they consistently meet orexceed the organization’s implied or statedneeds and fulfill their quality objectives.xviii

In a safety management system, these ele-ments are applied to an understanding ofthe human and organizational issues thatcan impact safety. In the same way that aQAS measures quality and monitors com-pliance, the same methods are used to mea-sure safety within the organization. In theSMS context, this means quality assuranceof the safety management system, which ineffect includes the entire operation.

An effective quality assurance system shouldencompass the following elements:

1. Well designed and documented proce-dures for product and process control

2. Inspection and testing methods

3. Monitoring of equipment includingcalibration and measurement

4. Internal and external audits

5. Monitoring of corrective and preventive action(s), and

6. The use of appropriate statisticalanalysis, when required.xix

Quality assurance is based on the principleof the continuous improvement cycle. Inmuch the same way that SMS facilitatescontinuous improvements in safety, qualityassurance ensures process control and regu-latory compliance through constant verifica-tion and upgrading of the system. Theseobjectives are achieved through the applica-tion of similar tools: internal and indepen-dent audits, strict document controls andon-going monitoring of corrective actions.


[ ]

44

Audits >The use of audit functions, to verify com-pliance and standardization, is an integralpart of the quality assurance system. An ini-tial audit, covering all technical activities,should be conducted, followed by a recur-ring cycle of further internal audits. Detailedrecords of audit findings, including issues ofcompliance and non-compliance, correctiveactions and follow-up inspections should bekept. The results of the audit should becommunicated throughout the company.

Depending on the size of the organization,these functions may be performed by indi-viduals within the company or assigned toexternal agents. Wherever practical, havingregard to the size of the organization, thesefunctions should be undertaken by personswho are not responsible for, and have notbeen involved in, the certification or per-formance of the tasks and functions beingaudited. In this way, the quality assurancefunction remains neutral and is indepen-dent from the operational aspects of theorganization.

Checklists >Audit checklists should be employed toidentify all of the technical functions con-trolled by the MPM, the MCM or theCOM. These should be sufficiently detailedto ensure that all of the technical functionsperformed by the organization are covered.Accordingly, the extent and complexity ofthese checklists will vary from companyto company.

In the case of a quality audit on a compa-ny’s safety management system, the check-list, should provide a detailed account ofthe following areas:

• Safety policy• Safety standards• Safety culture• Contractor’s safety organization• Structure of safety accountabilities• Hazard management arrangements• Safety assessment, and• Safety monitoringxx

(Examples of detailed audit checklists areprovided in Transport Canada’s Inspectionand Audit Manual.)

On-going monitoring >The on-going monitoring of all systems andthe application of corrective actions arefunctions of the quality assurance system.Continuous improvement can only occurwhen the organization displays constantvigilance regarding the effectiveness of itstechnical operations and its corrective actions.Indeed, without on-going monitoring ofcorrective actions, there is no way of tellingwhether the problem has been correctedand the safety objective met. Similarly, thereis no way of measuring if a system is fulfil-ling its purpose with maximum efficiency.

Existing Systems >There are many existing quality assurancestandards. The most appropriate systemdepends on the size and complexity of theorganization and will be tailored to meetthese requirements. ISO 9000, a series ofinternational standards developed by quality


45

experts from around the world, is oneexample. ISO 9000 is for use by companiesthat either want to implement their own in-house quality systems or to ensure that sup-pliers have appropriate quality systems inplace. The standards were developed underthe auspices of the International Organi-zation for Standardization (ISO).

The current series, ISO 9000:2000, was deve-loped to assist all types and size of organiza-tion, to implement and operate effective qua-lity management systems. ISO standards areintended to be generic and not specific toany product or industry. They are intendedto document the elements required for aneffective quality system, however, they donot specify the technology requirements tobe utilized.xxi ISO 9000:2000 works on theprincipal that, to successfully operate anorganization, it is necessary to direct andcontrol it in a systematic and transparentmanner. The objective is to continuallyimprove performance whilst addressing theneeds of all interested parties.xxii

The ISO 9000:2000 standards are com-posed of a set of eight quality managementprinciples that contribute to improvedperformance:

• Customer Focus - Understanding what the customer wants and needs. In avia-tion some of these requirements are a safe, reasonably priced flight, that departson time.

• Leadership - Leaders set the goals and purpose of the organization. They shouldestablish and maintain the internal envi-ronment in which the individual becomesfully involved in attaining the organiza-tion’s objectives.

• Involvement of people - Safety is everyone’s responsibility. It is incumbent on all employees therefore to involve themselves and utilize their abilities for the organization’s benefit.

• Process Approach - A managed approach is applied to activities and related resources.

• System Approach to Management - Identifying, understanding and mana-ging interconnected processes as a sys-tem contributes to the organization’s effectiveness and efficiency in achieving its objectives.

• Continual Improvement - Continual improvement of the organization’s over-all performance should be a fixed objec-tive of the organization.

• Factual Approach to Decision Making - Decisions are made utilizing available information and current data.

• Mutually Beneficial Supplier Relations - Given that an organization and its sup-pliers are interdependent, a mutually beneficial relationship enhances the ability of both to create value.xxiii

There are several steps and organizationmust take to ensure a successful implemen-tation of ISO standards. The organizationmust clearly understand what it hopes toachieve and what the expectations of thestakeholders are. Furthermore, it mustidentify the gap between where it is nowand where it hopes to be in the future. Aplan must be developed to close these gapsand it must be monitored to ensure effec-tiveness. This consists of both internal andexternal audits.xxiv


emergencyresponse plan6

47

E m e r g e n c yR e s p o n s e P l a n

An Air operator emergency response plan isan integral part of the SMS. It must containthe following items:

• Air Operator Policy

• Air Operator Mobilization And Agencies Notification

• Passenger and Crew Welfare

• Casualty and Next Of Kin Coordination

• Accident Investigation On Behalf Of The Air Operator

• Air Operator Team’s Response To TheAccident Site

• Preservation Of Evidence

• Media Relations

• Claims And Insurance Procedures

• Aeroplane Wreckage Removal

• Emergency Response Training


[ ]

48

Conclusion

The implementation of safety management systems represents afundamental shift in the way we all do business. Safety managementsystems require organizations’ to adopt the elements detailed in this

document and to incorporate them into their everyday businesspractices. In effect, safety becomes an integral part of the every-

day operations of the organization and is no longer considered anadjunct function belonging to the safety office.

If SMS is to be a success, however, Transport Canada, like theindustry we regulate, must establish a disciplinary/enforcement

policy that promotes and rewards the behaviors we are striving toachieve. SMS involves a transferal of some of the responsibility foraviation safety issues, from the regulator to the individual organiza-tion. A role shift, in which the regulator oversees the effectiveness

of the safety management system and withdraws from a day-to-dayinvolvement in the companies’ it regulates. The day-to-day issuesare discovered, analysed and corrected internally, with minimal

intervention from Transport Canada. From the company perspec-tive the success of the system will hinge on the development of a

safety culture that promotes open reporting, through non-punitivedisciplinary policies and continual improvement through, proactive

safety assessments and quality assurance.

The safety management system philosophy requires that responsibi-lity and accountability for safety be retained within the manage-

ment structure of the organization. The directors and senior man-agement are ultimately responsible for safety, as they are for other

aspects of the enterprise. The responsibility for safety, however,resides with every member of the organization; in safety manage-

ment everyone has a role to play.

49

References

i In Approved Maintenance Organizations the requirement for safety management programs is limited to AMOs holding ratings in respectof aircraft types eligible for commuter or airline operations. In Air Operator Certificate holders, safety management programs are required in the following types of operations:

(a) Subpart 702 – date and applicability to be determined;(b) Subpart 703 – date and applicability to be determined;(c) Subpart 704 – date and applicability to be determined;(d) Subpart 705 – by 28 March 2004.

ii Alan Waring, Safety Management Systems,(UK: Chapman & Hall, 1996)

iii See James Reason, Managing the Risks of Organizational Accidents, (UK: Ashgate, 1987) and

Alan Waring, Safety Management Systems,(UK: Chapman & Hall, 1996) for a more detaileddiscussion of this subject.

iv Alan Waring, Safety Management Systems,(UK: Chapman & Hall, 1996)

v For additional examples of performance measurement seeAlan Waring, Safety Management Systems,

(UK: Chapman & Hall, 1996).vi Reproduced by permission of Air Canada.vii Shell Aircraft Aviation Safety Management Guidelines, Part 2, p.8.viii Peter M. Senge, The Fifth Discipline,

(New York: Doubleday, 1990).ix Shell Aircraft Aviation Safety Management Guidelines, Part 2: Safety

Management System Guidelines, January 2000.

x Reproduced By permission of the Boeing Company,AERO no.3, 1998.

xi R. Curtis Graeber and Mike Moodi, Understanding Flight Crew Adherence to Procedures: The Procedural Event Analysis Tool (PEAT).

Flight Safety Foundation, IFA/IASS, South Africa 1998.

50

xii James Reason, Managing the Risks of Organizational Accident,(UK: Ashgate, 1997)

xiii Transport Canada, Introduction to Safety Management Systems.TP 13739 E (04/2001)

xiv Shell Aircraft Aviation Safety Management Guidelines, part 4, page 21.xv Shell Aircraft Aviation Safety Management Guidelines, part 2,

appendix 1, page 2.xvi James Reason, Managing the Risks of Organizational Accident,

(UK: Ashgate, 1997)

xvii Inspection and Audit Manual, Transport Canada website:www.tc.gc.ca/civilaviation/maintenance/aarpf/menu.htm

xviii The Standards Council of Canada

xix James R. Evans and William M. Lindsay, The Management and Control of Quality,

(USA: South-Western College Publishing, 1999)

xx Shell Aircraft Aviation Safety Management Guidelines, part 2,appendix 1, page 3.

xxi Quality Assurance Planning, Course Manual, P.213,University of Manitoba.

xxii National Standard of Canada CAN/CSA-ISO 9000-00, Quality Management Systems-Fundamentals and Vocabulary.

xxiii Ibid.xxiv International Organization for Standardization.

References

tp 13881sms doc

Documents