Advisory Circular (AC) 107-001
Guidance on Safety Management Systems Development
Occurrence and hazard reporting and safety assessment are two individual functions within the SMS. Once a report has been submitted, however, the process flow is the same. The following represents common aspects that should be considered in these elements when developing a SMS.
The procedure for reporting an event or a hazard should be as simple as possible. Procedures for submitting the report should be clear, well documented and should include details of where and to whom reports should be submitted. This will reduce confusion over where safety reports go and will ensure that all events are brought to the attention of the appropriate person.
When designing a safety report form, it is important to consider that the form may be used to submit information regarding events and hazards. The form should be structured in such a manner that it can accommodate both the reactive and proactive type of reporting. Sufficient space should be allowed for reporters to identify suggested corrective actions related to the issue they are reporting.
- There are many possible ways in which a report can be submitted. The size and complexity of the organization will determine how sophisticated the system is. In some cases this might involve having a locked post-box on the hangar floor, in other cases it might be more effective to submit reports directly to the safety office. It is up to the individual organization to determine the most suitable method.
When producing an occurrence or hazard report every effort should be made to ensure that the form is easy to understand and user friendly. The organization should strive to make all reporting forms compatible for each area of the operation. This will facilitate data sharing, trend analysis and will also make the occurrence or hazard investigation process easier.
Depending on the size of the organization, the most expedient data collection method might be to utilize existing paperwork, such as flight, airport and maintenance reports. The use of hand written reports or the information derived from verbal reports is equally acceptable. As previously stated, however, verbal accounts should always be followed-up with a written report.
- Reporting can also be achieved through the use of a dedicated occurrence and hazard report. A general off-the-shelf software package can be used or a predefined report, generated from integrated systems such as the Aviation Quality Database (AQD) report or the Aviation Events Reports Organiser (AERO). These types of system are all inclusive; they generate reports, collect and store data and can be used to provide trend analysis and safety reports.
AQD and AERO are examples of electronic data collection systems designed for use in a variety of different sized organizations.
- The use of pre-existing electronic data collection and storage is not a SMS requirement. A simple Microsoft ACCESS database or a manual filing system can be utilized. Your choice of data collection should be based on the size and complexity of your organization.
Risk management is a proactive activity that looks at the risks associated with identified hazards and assists in selecting actions to maintain an appropriate level of safety when faced with these hazards.
Once hazards have been identified, through either occurrence/hazard reporting, or a safety assessment the risk management process begins. Risk management is an evaluation of the potential for injury or loss due to a hazard and the management of that probability. This concept includes both the likelihood of a loss and the magnitude. The basic elements of a risk
- Risk Analysis
Risk Analysis is the first element in the risk management process. It encompasses risk identification and risk estimation. Once a hazard has been identified, the risks associated with the hazard must be identified and the amount of risk estimated.
- Risk Assessment takes the work completed during the risk analysis and goes one step further by conducting a risk evaluation. Here the probability and severity of the hazard are assessed to determine the level of risk. Diagram 7 shows one example of a risk assessment matrix. In this diagram, the matrix defines a method to determine the level of risk.
|1 - 6||Minimum Risk||Proceed after considering all elements of risk|
|6 - 14||Moderate Risk||Continue after taking action to manage overall level of risk|
|15 - 25||High Risk||STOP: Do not proceed until sufficient control measures have been implemented to reduce risk to an acceptable level|
To use the risk assessment matrix effectively it is important that everyone has the same understanding of the terminology used for probability and severity. For this reason definitions for each level of these components should be provided. It is up to individual organizations to define when intervention is required, in other words, the organization must decide where its tolerable level of risk is. Figure 5 provides an example of what this risk classification index might look like. The description should indicate the action required and if necessary a timeframe for completion.
There are a number of examples of risk assessment and classification matrixes and their definitions available. Some of these utilize economic indicators such as dollar figures to define the level of acceptable risk.
Risk Control addresses any risks identified during the evaluation process that require an action to be taken to reduce the risks to an acceptable level. It is here that a corrective action plan is developed.
- Monitoring is essential to ensure that once the corrective action plan is in place, it is effective in addressing the stated issues or hazards.
7.6.1 Existing Risk Management Processes
There are a number of existing processes that can assist an organization in meeting the regulatory requirements for a risk assessment component to their SMS. These processes vary considerably in their scope and complexity. It is important that the process selected meets the capabilities and requirements of the organization in question. Following are only a few examples of processes that include the required components:
Canadian Standards Association (CSA) Standard CAN/CSA-CEI/IEC 300-9-97, Dependability management - Part 3 Application Guide - Section 9: Risk Analysis of Technological Systems. This document provides the guidelines for selecting and implementing risk analysis techniques, primarily for risk assessment of technological systems. It contains guidelines regarding:
Risk analysis concepts
Risk analysis processes
Risk analysis methods
- Risk analysis concepts
CSA Standard CAN/CSA-Q850-97 Risk Management: Guideline for Decision Makers. This guideline is intended to assist decision makers in effectively managing all types of risk issues, including injury or damage to health, property, the environment, or something else of value. It describes a process for acquiring, analyzing, evaluating, and communicating information that is necessary for decision-making. The guideline provides a description of the major components of the risk management decision process using a step-by-step process as follows:
- Commercially available Software Programs. A number of software programs which advertise a risk analysis component, are available to operators. Some are directly focused on the safety management aspect within aviation and others are more generic in nature, but may meet individual organization's requirements. Information on these programs is readily available on the internet.
7.6.2 Corrective Action Plan
Once a safety event report has been investigated and analysed, or a hazard identified, a safety report outlining the occurrence, and if available, the results of a hazard assessment, should be given to the appropriate director for determination of corrective or preventative action. The functional director should develop a corrective action plan (CAP), a plan submitted in response to findings, outlining how the organization proposes to correct the deficiencies documented in the findings. Depending on the findings the CAP might include short-term and long-term corrective actions. As an example, TC's oversight documentation defines these in the following manner
Short-Term Corrective Action - This action corrects the specific issue specified in the audit finding and is preliminary to the long-term action that prevents recurrence of the problem. Short-term corrective action should be completed by the date/time specified in the corrective action plan.
Long-Term Corrective Action - Long-term corrective action has two components. The first component involves identifying the contributing factors of the problem and indicating the measures the responsible manager will take to prevent a recurrence. These measures should focus on a system change. The second component is a timetable for implementation of the long-term corrective action. Long-term corrective action should include a proposed completion date.
- Short-Term Corrective Action - This action corrects the specific issue specified in the audit finding and is preliminary to the long-term action that prevents recurrence of the problem. Short-term corrective action should be completed by the date/time specified in the corrective action plan.
- Some long-term corrective actions may require periods in excess of the organization's established acceptable timeframe, for example, where major equipment purchases are involved. Where applicable, the organization should include milestones or progress review points not exceeding the established timeframe leading up to the proposed completion date. Where the short-term corrective action taken meets the requirements for long-term corrective action, this should be stated in the long-term corrective action section on the corrective action form.
7.6.3 On-Going Monitoring
In order to ensure the effectiveness of the remedial measures, the corrective actions should be monitored and evaluated on a regular basis. Follow-up activity should be conducted through the internal audit process. This should include comprehensive documentation of audit findings, corrective actions and follow-up procedures.
7.6.4 Information Dissemination
All safety related information should be disseminated throughout the organization. Keeping current on safety provides better background for understanding aspects of the organization's safety condition and developing novel solutions to difficult problems. This can be accomplished by subscribing to safety related programs, making relevant Transportation Safety Board (TSB) reports available, and encouraging staff to participate in safety related training, seminars and workshops. Manufacturers can also provide important safety information and reliability data related to the organization's specific needs.
- Another aspect of information dissemination is feedback on safety reports submissions. Employees should be notified when a safety report is received or when a potential safety threat is discovered. Further information should be provided pursuant to investigation, analysis and corrective action. Information dissemination can also be achieved through the publication of a corporate magazine or through the organization's website. The organization should endeavour to inform all employees as to where safety related information can be found. In this way, the entire organization becomes aware of safety issues and understands that the organization is actively seeking to address these issues.
|Component 3 - Safety Oversight||Yes/No|
|Element 3.1 - Reactive Process - Reporting|
|The organization has a process or system that provides for the capture of internal information including incidents, accidents and other data relevant to SMS|
|The reactive reporting system is simple, accessible and commensurate with the size of the organization|
|Reactive reports are reviewed at the appropriate level of management|
|There is a feedback process to notify contributors that their reports have been received and to share the results of the analysis|
|There is a process in place to monitor and analyze trends documented|
|Corrective and preventive actions to respond to event analysis|
|Element 3.2 - Proactive Process - Hazard ID|
|The organization has a proactive process or system that provides for the capture of internal information identified as hazards and other data relevant to SMS|
|The proactive reporting process is simple, accessible and commensurate with the size of the organization (Part V &VII only)|
|Proactive reports are reviewed at the appropriate level of management|
|There is a feedback process to notify contributors that their proactive reports have been received and to share the results of the analysis|
|There is a process in place to monitor and analyze trends|
|The organization has planned self-evaluation processes, such as regularly scheduled reviews, evaluations, surveys, operational audits, assessments, etc.|
|Corrective and preventive actions are generated in response to hazard analysis|
|Element 3.3 - Investigation and Analysis|
|There are procedures in place for the conduct of investigations|
|Measures exist that ensure all reported occurrences and deficiencies reported are analyzed to identify contributing and root causes|
|Corrective and preventative actions are generated in response to event investigation and analysis|
|Element 3.4 - Risk Management|
|There is a structured process for the assessment of risk associated with identified hazards, expressed in terms of severity, level of exposure and probability of occurrence|
|There are criteria for evaluating risk and the tolerance level of risk the organization is willing to accept|
|The organization has risk control strategies that include corrective/preventive action plans to prevent recurrence of reported occurrences and deficiencies|
|The organization has a process for evaluating the effectiveness of the corrective/preventive measures that have been developed|
|Corrective/preventive actions, including timelines, are documented|
- Date modified: