Advisory Circular (AC) No. 107-002

Safety Management System Development Guide for Smaller Aviation Organizations

Issuing Office: Civil Aviation, Standards Document No.: AC 107-002
File Classification No.: Z 5000-34 Issue No.: 02
RDIMS No.: 11200215-V16 Effective Date: 2016-09-02

Table of contents

  1. 1.0 Introduction
    1. 1.1 Purpose
    2. 1.2 Applicability
    3. 1.3 Description of Changes
  2. 2.0 References and Requirements
    1. 2.1 Reference Documents
    2. 2.2 Cancelled Documents
    3. 2.3 Definitions and Abbreviations
  3. 3.0 Background
    1. 3.1 What is this guide for and who should use it?
    2. 3.2 What is a SMS?
    3. 3.3 Organizational Complexity
    4. 3.4 Cost/Benefit
  4. 4.0 Safety Management Plan
    1. 4.1 Safety Policy
    2. 4.2 Safety Reporting Policy
    3. 4.3 Roles and Responsibilities
    4. 4.4 Communication
    5. 4.5 Safety Planning
    6. 4.6 Performance Measurement
    7. 4.7 Management Review of the Safety Management System
  5. 5.0 Documentation
    1. 5.1 Identification and Maintenance of Applicable Regulations
    2. 5.2 SMS Documentation
  6. 6.0 Safety Oversight
    1. 6.1 Reactive/Proactive Safety Reporting
    2. 6.2 Investigation and Analysis
    3. 6.3 Risk Management
  7. 7.0 Training
    1. 7.1 Training Awareness and Competency
  8. 8.0 Quality Assurance
    1. 8.1 Quality Assurance
  9. 9.0 Emergency Preparedness
    1. 9.1 Emergency Preparedness and Response
  10. 10.0 Information Management
  11. 11.0 Document History
  12. 12.0 Contact Office
  13. Appendix A: Step By Step Guide for SMS Implementation in a Small Aviation Organization
  14. Appendix B: SMS Manual Development for a Smaller Moderately-Complex Aviation Organization
  15. Appendix C: Sample Safety Performance Indicators (SPI) Log
  16. Appendix D: Sample SMS Management Review-Template
  17. Appendix E: Sample Safety Report and Investigation Form-Template
  18. Appendix F: Sample Hazard Log-Template
  19. Appendix G: Sample Management of Change-Template
  20. Appendix H: Sample Aviation Safety Risk Profile-Template
  21. Appendix I: Sample Objectives and Goals Log-Template
  22. Appendix J: Sample Risk Management Tool (including 3x3 and 5x5 Risk Matrix)
  23. Appendix K: Useful links for SMS Program Development

1.0 Introduction

  1. This Advisory Circular (AC) contains helpful information and guidance. It does not:
    • change regulatory requirements;
    • allow deviations from regulatory requirements; or
    • set minimum standards.

1.1 Purpose

  1. This document helps a small-sized aviation enterprise implement a Safety Management System (SMS).

1.2 Applicability

  1. This document applies to small-sized aviation enterprises that either:
    • must establish and maintain a SMS as set out in the Canadian Aviation Regulations (CARs);
      or
    • elect to voluntarily implement a SMS.

1.3 Description of Changes

  1. This document has undergone extensive restructuring. Please view this as a new document.

2.0 References and Requirements

2.1 Reference Documents

  1. We encourage you to use the following reference materials in conjunction with this document:
    1. Part I, Subpart 7 of the Canadian Aviation Regulations (CARs) — Safety Management System Requirements;
    2. Part III, Subpart 2 of the Canadian Aviation Regulations (CARs) — Airports;
    3. Part V, Subpart 73 of the Canadian Aviation Regulations (CARs) — Approved Maintenance Organizations;
    4. Part VI, Subpart 4 of the Canadian Aviation Regulations (CARs) — Private Operators;
    5. Part VII, Subpart 5 of the Canadian Aviation Regulations (CARs) — Airline Operations;
    6. Part VIII, Subpart 1 of the Canadian Aviation Regulations (CARs) — Air Traffic Services;
    7. Standard 573 of the CARs — Approved Maintenance Organizations;
    8. Standard 725 of the CARs — Airline Operations — Aeroplanes;
    9. Advisory Circular (AC) 107-001, Issue 01, 2008-01-01 — Guidance on Safety Management Systems Development;
    10. Advisory Circular (AC) SUR-002, Issue 01, 2015-09-15, Root Cause Analysis and Corrective Action for TCCA Findings;
    11. Safety Management International Collaboration Group (SMICG), Version 1.0, April 2012 — Safety Management System Evaluation Tool;
    12. Safety Management International Collaboration Group (SMICG), March 2015 — SMS for Small Organizations.
    13. Safety Management International Collaboration Group (SMICG), July 2013 — Measuring Safety Performance Guidelines for Service Providers.
    14. Safety Management International collaboration Group (SMICG), April 2013 — Hazard Taxonomy Examples.
    15. Safety Management International Collaboration Group (SMICG), May 2016 — Determining the Value of SMS.
    16. International Civil Aviation Organization (ICAO), November 2013 — Annex 19 Safety Management.
    17. International Civil Aviation Organization (ICAO), 2013 — Safety Management Manual (SMM).

2.2 Cancelled Documents

  1. By default, the publishing of a new issue of a document automatically renders any earlier issues null and void.
  2. Transport Canada Publication, TP 14135, 2004-09-01 — Safety Management Systems for Small Aviation Operations—A practical Guide to Implementation.

2.3 Definitions and Abbreviations

  1. We use the following definitions in this document:
    1. Culture: A way of thinking, behaving, or working that exists in a place or organization (such as a business).
    2. Hazard: A condition that could cause or contribute to a safety event.
    3. Key Personnel: People within an organization who have assigned responsibilities as set out in:
      • the CARs. Examples include: Accountable Executive, Director of Flight Operations, Operations Manager, Person Responsible for Maintenance, QA Manager etc.,
      • your organization’s SMS documentation. Examples include: SMS implementation manager, event investigator, safety officer, etc.
    4. Likelihood: The chance of the identified risk occurring, within the defined scenario.
    5. Policy: The set of basic principles and associated guidelines formulated and enforced by the governing body of an organization, to direct and limit its actions in pursuit of long-term goals.
    6. Procedure: A fixed, step-by-step sequence of activities or course of action (with definite start and end points) that must be followed in the same order, to correctly perform a task.
    7. Process: A group of interrelated or interacting activities that convert inputs into outputs.
    8. Risk: The assessed likelihood and severity of a hazard’s consequence(s) or outcome(s).
    9. Risk Assessment: The overall process of risk identification, risk analysis and risk evaluation.
    10. Risk Management: A systematic approach to setting the best course of action under uncertainty, by identifying, understanding, assessing, monitoring, acting on, and communicating risk issues.
    11. Safety Event: An event which has a negative impact on safety. For the purposes of this document, this term includes aviation occurrences, accidents, incidents, and mandatory reportable incidents as defined by the Canadian Transportation Accident Investigation and Safety Board Act, but may also refer to other definitions enterprises use within their SMS.
    12. Safety Management System: A documented system for managing risks that integrates operations and technical processes with financial and human resource management to ensure aviation safety or the safety of the public.
    13. Severity: A measurement of the impact of one or more consequences on the organization.
    14. System: A group of inter-dependent processes and people that work together to achieve a defined result. A system comprises policies, processes and procedures. It is through systems that enterprises should achieve a state of compliance to their regulatory requirements on an on-going basis.
  2. We use the following Abbreviations in this document:
    1. AC: Advisory Circular
    2. AMO: Approved Maintenance Organization
    3. AOM: Airport Operations Manual
    4. CADORS: Civil Aviation Daily Occurrence Reporting System
    5. CARs: Canadian Aviation Regulations
    6. COM: Company Operations Manual
    7. ERP: Emergency Response Plan
    8. MCM: Maintenance Control Manual
    9. MPM: Maintenance Policy Manual
    10. QAP: Quality Assurance Program
    11. SMICG: Safety Management International Collaboration Group
    12. SMS: Safety Management System.
    13. SOP: Standard Operating Procedure(s)
    14. SPI: Safety Performance Indicator
    15. TCCA: Transport Canada Civil Aviation

3.0 Background

3.1 What is this guide for and who should use it?

  1. Introducing the concept of a safety management system (SMS) across the aviation industry brings some specific challenges for smaller organizations. We have written this guidance for any smaller aviation organization that operates or provides services in civil aviation under the Canadian Aviation Regulations (CARs). You can find guidance for larger or more complex organizations in AC 107-001 Guidance on Safety Management Systems Development.
  2. This guide explains the intent and application of SMS regulatory requirements in smaller aviation organizations. It also contains practical examples of how to develop and adopt components that make up a SMS. It is recommended you read this document once from cover to cover, to help you identify the links between SMS components. This being said, this document is meant to be used as a reference, one section at a time, to aid in the development of SMS policies, procedures and processes.
  3. Do not consider this simply as a list of legal requirements or a template to be used verbatim. Your organization must develop policies, processes and procedures that support your unique operating requirements and that fit the size and complexity of your organization.
  4. The tools that make up your SMS depends on your organization’s size and complexity. As such the material contained herein is not intended as a formula for meeting the regulatory requirements, but as a resource to help pave the way to a successful SMS implementation.
  5. As you read through this guidance material you may quickly realize you already have some of the requirements needed for the development of a SMS. For example, maybe you already have;; a safety policy (required by another set of regulations), an established quality assurance system (required by the CARs), a method for recording hazards or safety events (required by clients). Leverage on what already exists within your organization.

    Note: We have included Appendix A: Step by Step Guide for SMS Implementation in a Small Aviation Organization (based on work done by Safety Management International Collaboration Group (SMICG)) to help you develop a plan for SMS implementation.

  6. Whether you chose to develop an overarching SMS manual or incorporate your SMS documentation into existing manuals; such as the Airport Operations Manual (AOM), Maintenance Control Manual (MCM), Maintenance Procedures Manual (MPM), or Company Operations Manual (COM), Transport Canada requires you to have adequate document control. This will help you avoid discrepancies within policies, processes, and procedures, including omissions or conflicts that could result from having more than one manual. The format you use to document the SMS program should allow end users to quickly find the information they need to perform their functions.
  7. You must treat all amendments to SMS manuals/documentation as an amendment to the actual AOM, MCM, MPM or COM. This means you must follow the established TCCA approval process.
  8. As you use this AC, consult the CARs to ensure your SMS meets all regulatory requirements that apply to your operations.

3.2 What is a SMS?

  1. Simply put, a SMS is a business-like (systematic) approach to managing safety risks. Like all management systems, a SMS provides an organized way to set goals, make plans and measure performance. Your organization’s SMS will be at the core of its safety culture and will define how it intends to manage aviation safety as a part of its business management activities. This will eventually become the normal way people do their jobs.
  2. SMS is about an organisation’s safety culture. Indeed, the importance of an appropriate safety culture cannot be downplayed in respect to an effective SMS. As such, you may wish to get a better understanding of your organisation’s safety culture before, during and after you implement your SMS.
  3. Activities that make up your SMS take place throughout the organization, which means all employees contribute to your safety performance.
  4. Managing safety risks is at the heart of any SMS as it allows your organization to establish a structured and systematic way to:
    • Identify the hazards and safety events to which it is exposed;
    • Investigate and analyze them to identify and understand the risks; and
    • Adopt ways to manage and reduce these risks to an acceptable level.
  5. In a fully developed and functioning SMS, an organization’s highest level of management drives the cultural change required within the organization to set the tone and outline what the SMS is to accomplish. Key milestones include:
    • Creating and adopting the safety policy and other official documents that capture all SMS processes and procedures.
    • Communicating all processes and procedures to those individuals with defined roles within the SMS.
    • Recording outputs of processes and procedures to capture what has occurred within the organization.
  6. Organizations must communicate processes and procedures during SMS training to educate people about SMS concepts and their responsibilities within it. Training must also cover how to conduct required activities to ensure competence. Steps in the organization’s training cycle include:
    1. Establish the training needs for each person (or role) within the organization, and determine how to evaluate competence.
    2. Train people to the required competence level for each identified training need.
    3. Establish a feedback loop by evaluating training effectiveness and staff competency.

      Note: This cycle applies to all required training within the organization, not just that related to SMS.

  7. Continual improvement of the SMS should be an ongoing objective, but an organization only knows if this is happening when it evaluates its safety performance. To do this, you must establish safety performance indicators, outline what to measure, how to measure it, and what defines satisfactory performance. This serves as a constant feedback loop, which must also include; the setting of goals and objectives and conducting a system review. Together, these aspects will allow you to make a determination of the system’s performance and ultimately the effectiveness of your system.
  8. Your organization must follow a quality assurance process that:
    • Plans and conducts audits and reviews;
    • Reports results to management (and individuals responsible for elements of the system); and
    • Develops and takes corrective actions to address identified deficiencies.
  9. Reporting both safety management performance and quality assurance process results to top level management allows them to exercise accountability for the system and participate in the SMS at the highest level by allocating resources for corrective actions to improve weak areas.
  10. The sections of this Advisory Circular which follow, provide a further breakdown and increased detail about each component and element as defined within the TCCA SMS framework.
  11. TCCA’s SMS framework includes the following components and elements:
    1. Safety Management Plan
      1. 1.1 Safety Policy
      2. 1.2 Non-Punitive Safety Reporting Policy
      3. 1.3 Roles, Responsibilities
      4. 1.4 Communication
      5. 1.5 Safety Planning
      6. 1.6 Performance Measurement
      7. 1.7 Management Review
    2. Documentation
      1. 2.1 Identification and Maintenance of Applicable Regulations
      2. 2.2 SMS Documentation
      3. 2.3 Records Management
    3. Safety Oversight
      1. 3.1 Reactive Processes – Reporting
      2. 3.2 Proactive Processes – Hazard Identification
      3. 3.3 Investigation and Analysis
      4. 3.4 Risk Management
    4. Training
      1. 4.1 Training, Awareness and Competence
    5. Quality Assurance
      1. 5.1 Quality Assurance
    6. Emergency Preparedness
      1. 6.1 Emergency Preparedness and Response

3.3 Organizational Complexity

  1. A SMS does not need to be complicated to be effective. The overall complexity of an organization depends on its organizational structure and the risks and complexity of its activities. The goal of this section is not to prompt you to categorize your size or complexity level. It gives examples relevant to the various civil aviation sectors, which may help you to determine how to design your SMS. What is important is that you develop processes and procedures which allow for an SMS to function effectively under your unique operating conditions. Being small does not necessarily mean your organization is not complex. Some small organizations have complex operations which require complex solutions to effectively implement and maintain a SMS.
  2. Considerations include, but are not limited to:
  3. General:
    1. Number of employees;
    2. Number of certificates in different categories;
  4. Operating Certificate Holders:
    1. Operating environment (mountainous terrain, night operations, arctic operations, offshore operations, international, etc.);
    2. Types of operations (passenger operations, cargo, aerial work, emergency medical services, etc.);
    3. Fleet complexity; number of aircraft, number of different types of aircraft;
    4. Number of bases;
    5. International operations.
  5. Non-Operating Certificate Holders:
    1. Number of domestic bases;
    2. Maintenance organizations; number of ratings, types of product ratings, specialized work, technologies employed, number of customers and sub-contractors;
    3. Types of products and parts designed/manufactured.
  6. Airports:
    1. Number of aircraft movements;
    2. Number and type of approaches;
    3. Airport lighting;
    4. Surrounding terrain, built up areas, and levels of facilities/equipment at aerodromes;
    5. Density and complexity of traffic;
    6. Extent of contracted activities;
    7. Number of runways and taxiways; and
    8. Reason for certification.
  7. When considering how to develop an effective SMS for your organization, you may be tempted to use a commercial “off-the-shelf” system. Since it’s unlikely that this will meet all of your specific requirements, if you choose this route, you will likely need to modify the system to meet your organization’s operational reality. Make sure to include linkages between individual SMS components so the system functions in a cohesive manner.

    Note: A SMS designed for an organization with no employees (e.g. owner/operator) is unique in that there are several features that would typically be present, that add little value when there are no employees. We have identified these details in a box at the end of the guidance for each element.

3.4 Cost/Benefit

  1. It‘s often said that safety makes economic sense. Unless an organization experiences a loss, or critically assesses both the direct and indirect costs of an occurrence, it is often difficult to relate to this statement. The direct costs are usually easy to quantify, they include damage to the aircraft, compensation for injuries and damage to property and are usually settled through an insurance claim.
  2. The indirect costs are a little more difficult to assess, these are often not covered or fully reimbursed by the organization‘s insurance and the impact is often delayed. This includes items such as:
    1. Loss of business and reputation;
    2. Legal fees and damage claims;
    3. Medical costs not covered by worker‘s compensation;
    4. Cost of lost use of equipment (loss of income);
    5. Time lost by injured person(s) and cost of replacement workers;
    6. Increased insurance premiums;
    7. Aircraft recovery and clean-up;
    8. Fines.
  3. The economic argument is even more relevant when one considers the following figures produced by the Boeing Aircraft Corporation. Although these figures obviously represent the commercial airline industry, they may be scaled to give an idea of the relative effects on a smaller operator. Boeing estimated the average cost in U.S. dollars of the following:
    1. In-flight shutdown - $500,000
    2. Flight cancellation - $50,000
    3. Flight delay per hour - $10,000
  4. The following table looks at the profit margins required to cover specific yearly incident costs. Taking into account the following figures, it is clear that the cost of implementing and maintaining a SMS becomes less significant and well worth the investment when contrasted with the cost of doing nothing.
  5. Table 1
    Sales Required to Cover Losses
    Yearly Incident Costs Profit Margin
      1% 2% 3%
    $1,000 $100,000 $50,000 $33,000
    $10,000 $1,000,000 $500,000 $333,000
    $50,000 $5,000,000 $2,500,000 $1,667,000
    $100,000 $10,000,000 $5,000,000 $3,333,000
  6. Many organizations experience some additional costs to develop and maintain (operate) a SMS, accepting that the initial financial returns are mostly intangible and that it will likely take time to see any financial benefits materialize. Over time, when an organization carefully adopts and follows a SMS, adapted for its size and complexity, it will do a better job of addressing risks associated with hazards and safety events. The system also helps your organization to:
    • Better identify and tackle inefficiencies;
    • Improve communication;
    • Foster a better organizational culture; and
    • More effectively control contractors and suppliers.
  7. Cost-benefit analysis for putting a SMS in place is challenging, as it is difficult to follow the traditional approach, which generally focuses on determining costs associated with introducing tangible assets. Cost-benefit analysis for SMS requires assessing intangible benefits such as improved safety culture, effective regulatory compliance, management commitment to safety, shareholder value, and public confidence, which can be difficult to quantify. A good cost-benefit analysis conducted alongside safety and risk management activities will support your decision-making. The analysis provides an adequate assessment of resource allocation priorities and an understanding of the factors needed to maintain a balance between production and protection resources.
  8. You can find help for conducting a cost-benefit assessment in the SMICG document “Safety Management International Collaboration Group (SMICG), May 2016 — Determining the Value of SMS”.

Smaller Aviation Organization's Guide

4.0 Safety Management Plan

4.1 Safety Policy

  1. The highest levels of your organization’s management team must give strong support for an SMS for it to be effective. They must:
    • Be accountable for the SMS;
    • Allocate both time and financial resources;
    • Set the behavioral example to follow;
    • Drive the development of a positive safety culture; and
    • Express their strong and active support of aviation safety in a written safety policy approved and promoted by the Accountable Executive, or the Private Operator in the case of a 604 certificate holder.

      Note: This policy should establish a clear, high-level direction for the organization to follow to manage the safety of technical operations and deliver a safe aviation service/product. A safety policy should apply to, and be implemented at all levels within the organization.

  2. A safety policy should include:
    • Active management support, at the highest level within the organization;
    • A description of the overall objectives the SMS aims to achieve i.e. what does an SMS bring to the table;
    • A high level description of how the SMS will achieve this;
    • Express the expectations management places on all staff to participate and meet their safety obligations.
  3. The safety policy forms the basis for the entire safety management system. This makes it a necessary first step in developing an effective SMS. If your organization does not know what it wants the SMS to specifically accomplish, you will have a hard time improving overall aviation safety.
  4. Management must communicate the safety policy to everyone within the organization and make each individual aware of their safety obligations.

    Note: Since objectives and priorities will change over time, your organization needs to periodically review and update its Safety Policy.

    In a one person organization, a Safety Policy serves to inform clients, third-party subcontractors, TCCA and other stakeholders of your organization’s strong and active support of safety. It establishes an overall sense of direction, states the commitment to safety and sets the principles of action for the organization.

    The safety policy element in a one-person organization need not include elements for:

    • Promotion internally by the Accountable Executive;
    • Communication to all employees; and
    • Implementation at all levels within the organization.

4.2 Safety Reporting Policy

  1. A safety reporting policy gives all stakeholders a clear understanding of your organization’s values related to reporting safety-related information. This encourages a healthy reporting culture.
  2. The safety reporting policy may be included in the Safety Policy. Its purpose is to:
    • Encourage employees to report both hazards and safety events;
    • Define the conditions under which your organization would consider disciplinary action (e.g., illegal activity, negligence, willful misconduct).

    A safety reporting policy in a one-person organization is not necessary, as it adds no value to the process. This is not to be confused with the need to report hazards and safety events; only that promotion of the reporting system and of a non-punitive reporting structure is not necessary.

4.3 Roles and Responsibilities

  1. The Accountable Executive, or Operations Manager (604 operator):
    • Is accountable for ensuring the organization puts an SMS in place and that it performs as required.
    • Is responsible for providing financial and human resources necessary to ensure the organization meets regulatory requirements and can achieve the responsibilities associated with the daily operation of the SMS.
  2. Monitoring of the SMS’s daily operation need not be an onerous task, but it is necessary to ensure the system is active within the organization’s operations. This responsibility may reside with the person accountable for the SMS or may be delegated to a suitable alternate. It is important to document corresponding responsibilities and accountabilities, and ensure people holding these positions understand their role.
  3. In addition to operational responsibilities, some personnel will have additional safety responsibilities associated with their position within the organization, e.g. accountable executive, person responsible for the SMS, operations manager and person responsible for maintenance. You must document the responsibilities of these key personnel within your SMS.
  4. The person responsible for managing the daily operation of the SMS should have knowledge of the core work of your organization and understand the systems that support it. This person should have an understanding of safety management principles.
  5. The person managing the SMS is responsible to:
    • Implement the safety management plan;
    • Implement the safety oversight program;
    • Implement procedures with respect to SMS documents and records;
    • Implement emergency response procedures;
    • Implement the quality assurance program;
    • Ensure that deficiencies identified by the quality assurance program are analyzed to determine their root cause and contributing factors;
    • Investigate, analyze and identify the cause or probable cause of all hazards, incidents and accidents identified under the SMS;
    • Establish and maintain a reporting system to ensure the timely collection of information related to hazards, incidents and accidents that may adversely affect safety;
    • Identify hazards and carry out risk management analyses of those hazards;
    • Monitor and evaluate the results of corrective actions with respect to hazards and safety events;
    • Establish and maintain a safety data system, to monitor and analyze trends in hazards, and safety events;
    • Monitor the concerns of the civil aviation industry in respect of safety and their perceived effect on the organization;
    • Communicate to stakeholders, findings produced by the SMS in respect of a hazard to aviation safety;
    • Analyze any information relating to aviation safety that is received from any person with whom the organization exchanges services and take appropriate action to mitigate any hazard to aviation safety; and
    • Organize, and determine the effectiveness of safety training.

    In a one-person organization, it is likely that the Accountable Executive or Operations Manager (in the case of 604) is also responsible for the day to day management of the SMS.

    Roles and Responsibilities for a one-person organization need not include processes to:

    • Ensure the transmittal of safety authorities, responsibilities and accountabilities to all personnel; and,
    • Ensure all personnel understand their authorities, responsibilities and accountabilities in regards to all safety management processes, decisions and actions.

4.4 Communication

  1. It is important that all stakeholders involved with your organization are aware of the SMS and that you effectively disseminate/communicate safety information by a suitable medium, such as: notices, memos, emails, announcements etc. Effective communication encourages all personnel to participate in the SMS and builds a positive safety culture in which they can openly identify and address issues.
  2. When developing communication strategies to disseminate your SMS information, leverage existing effective communication processes and/or develop strategies appropriate to your organization’s structure and complexity. Communication strategies may vary depending on:
    • Location of employees;
    • Mobile technology employed by the organization;
    • Remoteness of bases or operations;
    • Number of employees, etc.
  3. It is important to periodically monitor the effectiveness of your communication strategies to ensure all stakeholders are receiving and understanding the information they need.
  4. As an organization grows in size and complexity, the processes required for effective communication and recording information will become more involved.

    Effective communication of safety information is important, even in a one-person organization. In an organization with no employees, your communication focus may be outside the organization i.e. regular communication with aviation system stakeholders, industry associations, clients, Transportation Safety Board, and TCCA.

4.5 Safety Planning

  1. Organizations of all sizes must develop safety objectives. These are statements of desired outcomes that describe what the organization plans to accomplish to improve its aviation safety. Objectives can be broad statements that provide the overall context for what your safety plan is trying to accomplish. You should develop your safety objectives based on the areas of highest safety risk within your organization i.e. they reflect your organization’s safety priorities.
  2. Goals, on the other hand, are specific targets or tasks that help you achieve your stated objectives. An objective should have a minimum of one or two specific goals to support its achievement. Set SMART goals, and evaluate them periodically, at defined intervals to determine whether you are closer to achieving them. When developing goals, consider the following:
    • Specific: Focused on one thing only.
    • Measurable: Can be quantified, compared or evaluated.
    • Achievable: Within the organization’s capabilities.
    • Relevant: Of importance or significance to aviation safety.
    • Timed: Have a deadline for achievement.

    Example:

     

    Safety objective:

    - To be more proactive in the identification of aviation hazards.

     

    Goals or targets:

    - Conduct quarterly hazard identification workshops.

    - Emphasize importance of hazard reporting with each employee during this year’s annual training.

    - Place hazard ID forms in each aircraft by the end of Q1.

    - Increase the number of documented assessments of all new destination airports before departure by 50%.

     

    Safety performance indicators:

    - Number of new hazards identified by pilots this year.

    - Number of destination airport assessments completed this year.

    (See Section 4.6 below for further information on Safety Performance Indicators (SPIs)).

     
  3. Safety objectives and goals help your organization to:
    • identify and prioritize issues;
    • measure safety performance;
    • allocate resources where they are needed the most; and
    • ensure continuous safety improvement.

    In a one-person organization, both financial and time resources can be limited, so focus on where resources will have the greatest safety benefit. This may be achieved by focusing safety goals on the top one, two or three risks from the organization’s safety risk profile.

    Example:

    Hazard

     

    (#1 from safety risk profile):

    - Unstable Approaches continued to landing.

     

    Safety Objective:

    - Reduce the number of unstable approaches continued to landing by 50% for the 2016 calendar year.

     

    Goals:

    - Define operational stable approach criteria and implement standard operating procedures (SOPs) for unstable approaches by the end of the calendar year.

    - Implement SOPs for Stabilized Constant Descent Angle (SCDA) Approaches by the end of the calendar year.

    - Integrate new SOPs into flight crew training and train all flight crew personnel by the end of Q2 of next year.

    - Emphasize non-punitive nature of the safety reporting policy.

    - Encourage flight crews to report all unstable approaches continued to landing.

     

    Safety Performance Indicators

    - Number of safety reports related to unstable approaches continued to landing.

    - Flight Data Monitoring reports, including trend analysis.

    - Flight Crew training and Pilot Proficiency Check reports.

4.6 Performance Measurement

  1. An organization must decide on the safety performance indicators (SPI) to measure. Identifying and measuring safety performance will allow your organization to:
    • Assess the effectiveness of the SMS and verify continuous safety improvement;
    • Facilitate decision making;
    • Evaluate objectives and goals;
    • Determine if training is effective;
    • Determine if system failures are being fixed; and
    • Determine if controls to mitigate risk are actually working.
  2. Focus on developing SPIs for what is important to your organization and to measure achievement of safety goals set out in the safety planning process. SPIs, like priorities, objectives and goals, will change.
  3. It is important to be able to compare SPIs over time as the organization grows and changes. Common definitions and terms related to SPIs may help you to develop a consistency to allow for ongoing comparison and monitoring.
  4. Example SPIs may include:
    1. Number of major risk incidents;
    2. Number of safety reports;
    3. Number of voluntary reports;
    4. Number of safety meetings;
    5. Number of safety audits;
    6. Number of investigations performed;
    7. Number of unstable approaches continued to landing per X # of landings;
    8. Percentage of changes to SOPs subjected to hazard identification and safety risk management;
    9. Percentage of work carried out according to SOPs;
    10. Number of organizational changes for which you followed the management of change procedure.
  5. It is important to inform everyone within your organization what the SPIs are and what targets you have set. This will help strengthen their commitment to aviation safety and make clear what the organization is trying to achieve through its SMS.
  6. Your organization needs a process for conducting trend analysis to look at changes in safety levels over a given time. This will help determine what actions you must take to maintain and/or improve safety. Trend analysis means assessing SPIs, causal relationships between risk factors and outcomes, investigation outcomes, etc. Graphing data over time may be sufficient for evaluating SPIs and showing the development of trends. It may be as simple as plotting SPI measurements by month, year, occurrence type, incident root cause etc. If you recognize negative trends, you may need to look further to determine what is causing or contributing to them.

    Note: Trend analysis is an input to the management review process described in section 4.7.

  7. Assessing SPIs with small sample sizes may amplify results, sometimes in a dramatic way. For example, an increase from one incident to two incidents per year is a 100% increase, but may not be as significant as an increase from 50 to 55 incidents, which is only a 10% change. This is why it can be helpful to look beyond your organization’s activities. To increase sample sizes, or to evaluate the significance of your data, try to get information from external sources such as industry associations, professional organizations, civil aviation authorities, national safety boards, etc.
  8. Appendix C, Sample Safety Performance Indicators (SPI) Log provides an example of how you may record the SPI’s and their targets within your organization.

    In a one-person organization, the reactive data you gather will likely not be statistically significant due to small sample sizes. You can manage this by looking beyond the data within your own organization. Where available, include data from industry organizations and associations, related industries, regulatory bodies and safety boards.

    Note: You must still develop SPIs to monitor the achievement of your safety goals and objectives developed during the safety planning process.

4.7 Management Review of the Safety Management System

  1. The purpose of reviewing the SMS is to evaluate how effective it is, how it is performing and ensures your organization is monitoring for continuous improvements in its aviation safety performance. Your organizational structure will determine who participates in these reviews. As a minimum, it requires the participation of the Accountable Executive or Private Operator (604 certificate holders) and the person responsible for the SMS.

    Note: A review of the SMS will be more effective when it includes everyone who has a defined role within it.

  2. You should conduct this type of review at least once a year, but also for cause, such as safety events that affect aviation safety, or where you recognize a deficiency that reduces the effectiveness of all or any part of your SMS.
  3. Management Review of the SMS should communicate and document at least the following topics:
    • Internal/External audit result review;
    • Safety objective achievement progress;
    • Activities to verify that employees understand the SMS and their role and responsibilities within it;
    • Hazard and occurrence investigation and analysis results (including trend analysis);
    • Internal/external feedback analysis and results;
    • Corrective and preventive action(s) status, including those resulting from management review;
    • Training program effectiveness;
    • Follow up actions from previous management reviews;
    • Changes that could affect the SMS;
    • Recommendations for improvement; and
    • Sharing of best practices across the organization.
  4. A review of these areas should determine how well the SMS is performing and what measures you must take to improve it. It is important to document the results so you can track progress over time. Where you identify deficiencies or weaknesses, you must put corrective actions in place to correct them.
  5. You can find a template to help you record SMS reviews in Appendix D: Sample SMS Management Review-Template.

    An internal review of the SMS is required regardless of the size of you organization. In a one-person organization the scope of the review will vary. For instance, it is not necessary for the scope to include:

    • Activities to verify that employees understand the SMS and their role and responsibilities in it;
      and
    • Sharing of best practices across the organization.

    You must document outputs of the review, including corrective actions, so you can track your organizations progress over time.

5.0 Documentation

5.1 Identification and Maintenance of Applicable Regulations

  1. Identify and monitor any changes to regulations that apply to your organization, within your SMS. This will help you to ensure your organization understands its regulatory responsibilities. This not only includes regulations made under the Aeronautics Act, but may also include other provisions. For example:
    • The Canada Labour Code;
    • Canadian Transportation Accident Investigation and Safety Board Act;
    • Transportation of Dangerous Goods Act;
  2. Your organization must establish and follow a documented process to ensure it identifies any and all regulatory requirements that apply. This includes periodic reviews of regulations, standards and exemptions relevant to the organizations operations. Larger organizations with multiple certificates are likely to require a more complex system for keeping track of applicable regulations.
  3. Document your review so you can show how your organization is meeting its obligations to identify and monitor the regulations that apply, and make changes to maintain regulatory compliance when necessary.
  4. Resources that may help you identify and maintain applicable regulations may include, but are not limited to:
    • Review of bi-annual CARs Amendment Summaries;
    • Monitoring of Canada Gazette publication;
    • Transport Canada distribution lists(s);
    • Participation in industry associations.

    There is no appreciable difference between the expected outcome in a one-person organization vs. a larger organization with respect to the identification and maintenance of appreciable regulations. However the tools or mechanisms used may be less complex.

5.2 SMS Documentation

  1. An SMS must be documented. SMS documentation explains your organization’s SMS processes and procedures to all stakeholders (including staff, contractors, and Transport Canada). Keep your SMS documentation clear and concise. It must reflect the size and complexity of your organization and meet your organization’s specific needs. All personnel should have easy access to your SMS documentation.
  2. Your SMS Manual/documentation should be a living document that reflects the current structure, processes, and procedures of your organization’s SMS. SMS documentation includes clearly written procedures and processes, including organizational charts, job descriptions and other descriptive written material that defines and clearly delineates the system of authority and responsibility within the organization to ensure safe operations. Processes must outline who does what, when, where, and how. This is specific to each organization.
  3. You must review SMS documentation periodically to ensure:
    • It remains suitable, adequate and effective, and
    • It reflects any changes you have made to the SMS.

    Note: Include a process in your review to proactively identify changes that could affect your organization’s documentation.

  4. Appendix B: SMS Manual Development for a Smaller Moderately Complex Aviation Organization, may be used as an aid to assist an organization in developing a SMS manual or documentation for use in a smaller aviation organization.

    Note: We expect all organizations to develop documentation that reflects their organizational and operational reality.

  5. SMS Documentation also includes records, which are outputs from your SMS processes which provide a historical record of compliance and information for monitoring continuous safety improvement. They are also supporting evidence which serve as an auditable trace of your organizations activities. Your organization’s records may include:
    1. Occurrence and hazard reports;
    2. Investigation results;
    3. Risk assessment and root cause analysis;
    4. Training reports;
    5. Corrective and preventative action logs;
    6. Trend monitoring information;
    7. Performance measurement results, and;
    8. Goals and objectives results.
  6. You must develop a process to ensure your organization creates and keeps all records necessary to document and support the SMS. Your system should provide the control processes necessary to ensure appropriate record identification, legibility, storage, protection, archiving, retrieval, retention time, and disposition.

    Controlled SMS documentation must correspond to the size and complexity of your organization.

    For a one-person organization, records may simply be handwritten/typewritten documents, spreadsheets, and forms you keep in hardcopy and physically store in a filing cabinet or binder.

    The Documentation and Records Management elements for a one-person organization need not include processes to:

    • Ensure documents are readily accessible to all personnel; and
    • Ensure there are acceptable means of documentation detailing organizational charts, job descriptions and other descriptive written material that defines and clearly delineates the system of authority and responsibility within the organization for ensuring safe operations.

6.0 Safety Oversight

6.1 Reactive/Proactive Safety Reporting

Safety Reporting System

  1. You can only control the risks associated with hazards and safety events you are aware of. A safety reporting system can help you identify underlying issues that have the potential to negatively affect aviation safety. Safety reporting can be:
    • Reactive (safety event that has happened within your organization); or
    • Proactive (potentially unsafe situation within your organization is identified as a hazard).

    You can then use information from reports to identify safety risks and trends so you can take appropriate action(s).

  2. For a reporting system to be effective, everyone connected to your organization, whether internally or externally, needs to understand it and be an active participant. It needs to be clear how to report, what to report, and who to report to. This is easiest when your reporting process is simple, accessible, gathers relevant information that is appropriate to the size and complexity of the organization.
  3. It is important to encourage reporting “minor” safety events for which the severity could have been greater. This will give a more complete understanding of what is going on within your organization, as well as providing an earlier detection of negative safety trends.
  4. It is important for management to exercise patience with employees during the initial stages of SMS implementation. It is important that when reports are filed that management deals with them effectively and is careful that the system remains non-punitive in nature. When front line employees start recognizing that the system truly is non-punitive and that they don’t have to fear reprimand when mistakes are made, the cultural buy-in will begin and the system will start to mature.
  5. A SMS in its infancy may have a higher incident report rate and lower hazard report rates. As the SMS matures, the training program will begin to shift to a “lessons learned” approach from previous incidents. At this point, you should expect that the hazard report rate will increase and over time, the incident report rate will decrease.
  6. Where employees submit reports, ensure they receive feedback at defined intervals. This shows you take them seriously and act on information they contain. This approach is likely to encourage further reporting.
  7. A safety reporting form is a good way to gather the required information. The person responsible for your SMS is the best person to manage these reports, directing them to the appropriate person for action and ensuring they are reviewed at the appropriate level of management.
  8. Your organization should use safety reports to enhance safety rather than to lay blame. To encourage reporting without fear, it is important that employees understand the open and fair culture you have expressed in your safety reporting policy.
  9. You can find an example template for a safety reporting form in Appendix E, Sample Safety Report and Investigation Form.

    While a reporting system for a one-person organization need not be highly sophisticated to be effective, you must have a documented method to maintain reactive/proactive reports. It may be a digital folder on a computer, hardcopy forms stored in a filing cabinet, or a notebook in an office. The key is to collect the information in a consistent way; review the information and use it to improve safety within your organization.

    Safety Reporting elements for a one-person organization need not include a process to:

    • Provide feedback to notify contributors that their reactive/proactive reports have been received and to share the end result of the analysis.
    • Ensure reports are reviewed at the appropriate level of management.

    Hazard Identification

  10. Identifying hazards is vital in proactively managing risk within your organization. Hazards are anything that could lead to an aviation safety event. Unless you know what aviation safety related hazards your organization is exposed to, it is impossible to develop controls or mitigations to manage them. Do not leave this to chance, develop a simple process to actively look for them.
  11. There are many ways to identify hazards, which may be conducted both internal and external to the organization:
    1. Inspections;
    2. Brainstorming;
    3. Review of safety event investigation reports;
    4. Consultation and interviews;
    5. Trend Analysis;
    6. Employee Safety Reports;
    7. Safety Surveys;
    8. Information gained through industry associations;
    9. Review of Civil Aviation Daily Occurrence Reports (CADORS).
  12. Encourage everyone to report any aviation safety related hazard they see or are aware of. It is better to follow the occasional false trail than to miss a lurking potential problem. Celebrating good reporting within your organization will help motivate people to continue reporting.
  13. Reporters may use a safety report form like the sample we’ve included in Appendix E, Sample Safety Report Form and Investigation Form. Regardless of the reporting tool you use, it is key to ensure it is easily accessible and that reports include all necessary information as described in your SMS documentation.
  14. You must clearly document all identified aviation-safety-related hazards, risk assessments and subsequent follow up actions. One way of doing this is to use an aviation safety related hazard registry form or database. It should include:
    • Each identified hazard and associated risk(s);
    • Results of the risk assessment (discussed in 6.3);
    • Risk control or mitigation strategies if required;
    • A re-assessment of the risk with the risk control or mitigation measures in place;
    • Dates for follow up of corrective/preventative actions; and
    • The closure of reports.

    Note: The register should be an active record and should be reviewed regularly.

  15. Appendix F: Aviation Safety Related Hazard Log, is an example of how to detail required information in a log.
  16. Hazard identification is not a static “one-off” process; Your organization must do it proactively, and often. It is particularly important whenever you are planning a change within your organization.

    Management of Change

  17. Changes within your organization, whether to a procedure, an operation, or key personnel; can bring new hazards and risks. It is important to have a process to proactively analyze these changes to minimize their negative impact on your organization.
  18. Common changes worth assessing proactively include:
    1. Organizational changes (i.e. new management/owner, the departure of experienced or key personnel, organizational restructuring, mergers);
    2. Operational changes (i.e. new aircraft type, new equipment, new contract, new systems, new operating procedures, new services being provided); and
    3. Physical changes (i.e. new facility, new base, new destination, aerodrome layout changes).
  19. A management of change begins with identifying all hazards associated with the proposed change. You can do this systematically by breaking the change down into its components or elements, steps or stages and identifying hazards associated with each. Once you have identified all hazards and their associated risks, you may rate the risk (discussed in more detail in section 6.3). When a change is proposed, start by assessing its overall risk. You may realize early in the process that either the change is simply not worth the risk, or the risk of not making the change is too high. Assess the safety risks as you would your business risks before making an important decision. Consult those people who the changes will affect, as they may raise concerns/hazards that others would not take into account. This may include involving key stakeholders outside the organization.
  20. Conduct an assessment for each identified hazard, so you can put risk controls or mitigation strategies in place to minimize them. For instance, introducing a new aircraft type may require an assessment of: aircraft certification and registration issues, training requirements, schedules and maintenance arrangements, facility and tool requirements, changes to existing SOPs or the development of new ones etc. Develop a plan to manage the identified hazards, including: what must be done, who is responsible for doing it, and when must it be completed.

    Appendix G: Management of Change Template, provides a template that may help you document a planned change.

6.2 Investigation and Analysis

  1. Safety events require investigation to determine root cause(s) and contributing factors. It is counterproductive to develop a corrective action plan only to find that you have not solved the underlying problem. Using a root cause analysis investigation technique will help you identify what caused the problem and allow you to develop specific and effective corrective actions. Every organization needs a documented process for investigating safety events.
  2. While your organization must investigate and analyze all reported hazards and safety events, not all reports require the same level of investigation. For example, it is not logical to spend the same amount of time investigating an event of little consequence, as an event that is both likely to recur and could trigger serious consequences.
  3. Document the criteria to use to determine the level of investigation required, including who should perform the investigation, timelines for its completion, and the need to take corrective action to prevent recurrence.

    Note: An organization should evaluate the benefit of analyzing/investigating hazards and safety events as a group, where they appear to be similar in nature,

  4. Review all safety reports, then assess the level of investigation required. Document the investigation and include applicable findings to the Aviation-Safety-Related Hazard Registry.
  5. Investigation documentation should include procedures to:
    • Identify issues;
    • Report/document issues;
    • Determine cause(s) and contributing factors;
    • Develop and implement corrective or preventive actions; and
    • Evaluate corrective/preventative actions to make sure they are effective in preventing recurrence.
  6. Appendix E: Sample Safety Report and Investigation Form, may help you develop a form to document hazard reports, safety events, investigations, and corrective/preventative actions.
  7. You need a method for documenting the information coming out of your investigations, such as a report outlining the results/findings.
  8. Advisory Circular (AC) SUR-002 Corrective Actions and Root Cause Analysis for TCCA Findings, may help you choose a root cause investigation technique that suits your organization.

    Investigation is a necessary activity within any SMS, regardless of the organization’s size. If, as a one-person organization, you do not have the knowledge or experience to develop a process to conduct investigations, consider using TCCA AC SUR-002 as a starting point or seeking assistance outside your organization either through consultation with industry associations or contracting services from a third party provider.

    As a one-person organization, you know exactly how it operates. With a sound documented process to conduct an investigation, you should be able to come up with relevant conclusions, so long as you remain objective.

    The Investigation and Analysis elements for a one-person organization need not include processes to:

    • Ensure your organization has a staff of competent investigators consistent with its size and complexity; and
    • Have a process to communicate the results of the investigation analysis to the responsible manager for corrective action and to other relevant managers for their information.

6.3 Risk Management

  1. Risk Management is a core process of the SMS. It will allow you to assess, classify, prioritize, and control or mitigate safety risks.
  2. An effective Risk Management process will enable you to anticipate the answers to the following four questions:
    1. What is most likely to be the cause of your next accident or serious incident?
    2. How do you know that?
    3. What are you doing about it?
    4. Is it working?
  3. Since it is not possible to eliminate all sources of risk from your operations, you must accept some level of risk. It is up to the Accountable Executive or Private Operator (604) and Operations Manager (604), to determine where this threshold lies, and what approvals may be necessary to accept each level of risk defined within your organization.
  4. There are five common components to an effective risk management process;
    1. Hazard Identification;
    2. Identification of Risks and Consequences;
    3. Rating of Risks through the evaluation of Severity and Likelihood;
    4. Risk Control strategies, and;
    5. Monitoring and Assessment of risk mitigation effectiveness.

    Identification of Risks and Consequences

  5. Hazard Identification is completed through proactive processes as detailed in section 6.1. After you identify a hazard, you must determine the associated risk(s). It is critical to understand the difference between a hazard and a risk. Generally speaking, a hazard is an identified situation or condition that exists in the present. A risk is the anticipated effect the hazard may have on the operation in the future. A hazard may present more than one associated risk.
  6. Once you have identified the associated risk(s), you must put them into context based on your operation. This step is important, as it frames the scenario and allows you to determine risk controls specific to your operation.

    For Example:

    1. Poor visibility due to adverse weather can be a hazard to aircraft operations. One associated risk is controlled flight into terrain (CFIT).
    2. Foreign Object Debris (FOD) on a runway is a hazard to aircraft operations. One associated risk is FOD being ingested into an aircraft engine. Additional risks may include a punctured aircraft tire on takeoff or landing, or an aircraft engine blowing FOD, which hits another aircraft.
  7. It is only after documenting this process that you can understand the scenario clearly enough to determine the overall risk by assessing the likelihood and severity of consequences.

    Rating Risk

    Evaluating Likelihood

  8. The first step to evaluating the overall risk is determining the likelihood; a measure of the chance of each risk scenario occurring. Determining the likelihood can be difficult, as you cannot always express it quantitatively. You may have to rely on a logical common sense analysis of the risk to arrive at a reasonable answer. It can be difficult to remove subjectivity from the assessment process, so using specific and appropriately defined criteria for likelihood classifications will produce a more consistent evaluation.
  9. Determining the following information may help you to assess the likelihood of a given risk scenario:
    • Is there a history of similar occurrences within your organization, industry, or similar industries?
    • Are there other similar aircraft, equipment or components that might have encountered similar conditions?
    • How often do you complete this activity (i.e. what is the exposure level)?

    Evaluating Severity

  10. You must also assess risks in terms of severity. If it happens, what is the impact on your organization? Always consider the severity in the context of the worst possible outcome (or worst credible scenario) you can reasonably expect within your organization. When rating the severity of a risk scenario, it is important to not only look at the actual outcome of past events, but also consider whether the outcome had the potential to be worse (i.e. the potential outcome). Did the organization just get lucky?
  11. Determining the following information may help you assess the severity of a given risk scenario occurring:
    • What would be the effect on people (employees, passengers, by-standers) i.e. would there be: injuries, critical injuries, loss of life?
    • What is the impact on operations (ex. operating limitations or shutdown, engagement in emergency procedures, operational delay)?
    • What is the potential impact on property (ex. damage, hull loss)?
    • What is the environmental impact (contamination from fuel spillage, physical disruption to the natural habitat, toxic smoke)?
    • What are the commercial or media interest implications (ex. bad press, loss of reputation, Transport Canada Civil Aviation action, litigation)?

    Level of Risk

  12. You determine the level of risk by assessing the combined impact of both likelihood and severity using a risk matrix. Appendix J: Sample Risk Management Tool provides generic examples you can adapt for use within your organization. This creates the framework for how an organization will classify and manage each level of risk.
  13. Appendix J presents sample tools for both a 3X3 and a 5X5 classification system. It is up to you to determine which tool works best for your organization. You should base your decision on the degree of detail you believe you need to define likelihood and severity classifications, and potentially the number of risk acceptance categories you intend to define.
  14. You must customize the risk acceptability matrix and risk acceptance determination tools and use them together to reflect your organizations needs and risk tolerance. The example features three levels of risk, i.e. High, Medium, and Low. This may not be suitable for your organization, so you may wish to define an additional intermediate level.
  15. Make sure you test your newly developed risk matrix before you use it. Test it by using both real historical scenarios and scenarios that could occur within your organization. By working through a number of examples of varying likelihoods and severities you should get a good sense of whether the tools are appropriately designed. For example:
    • Do the results:
      1. Fit into the risk categories you would have expected?
      2. Make sense?
      3. Fit into the appropriate categories of defined risk and appropriate actions?
    • Do the defined actions make sense given the evaluated risk?
    • Determine if you need to modify/fine tune your tools.
  16. It is up to your organization to define its acceptable level of risk. This being said, you should not develop tools to justify accepting higher levels of risk.
  17. A risk matrix should:
    • Fit your organization’s needs (based on size and complexity);
    • Be simple, easy to use and understand;
    • Not require extensive knowledge of quantitative risk analysis to complete;
    • Have consistent and clearly defined likelihood and severity ranges that cover the full spectrum of potential scenarios; and
    • Clearly define acceptable and unacceptable levels of risk.
  18. The risk acceptance scale and required actions definitions should outline:
    • The level of risk the organization finds acceptable;
    • At what risk level mitigations are required;
    • At what risk level an activity should be stopped, or not started (in the case of management of change); and
    • The level of authority required to approve activities involving each defined level of risk, and where necessary, the documentation required to support a given decision.
  19. Where the level of risk is unacceptable, an organization’s Risk Management process provides the structure to adopt and monitor mitigations, and to make informed decisions about rejecting high risk activities.

    Risk Control

  20. Once an organization has identified a hazard and assessed its risks, it should give a report outlining the assessment results to the appropriate person responsible for the activity, to determine corrective/preventative action(s).
  21. Depending on the level of risk, an organization may take appropriate mitigation measures to either eliminate the risk or reduce the risk to a lower, acceptable level. Mitigation measures should directly reduce the likelihood of the risk occurring, the severity of the consequences should it occur, or both likelihood and severity. Start by focusing resources on mitigating risks classified as high or unacceptable.
  22. The person responsible for the activity should document an action plan with associated timelines outlining how the organization proposes to control the identified risk(s). This may include both short-term and long-term actions, depending on the nature of the risks. You will find an example of the type of documentation which may be used to achieve this in Appendix E: Sample Safety Report and Investigation Form.
  23. An understanding of the costs and benefit of implementing corrective and preventative actions will aid in the decision making process when considering a variety of risk mitigation options. This analysis helps you focus available resources where they are likely to have the greatest benefit in improving aviation safety. To maintain the balance between production and protection resources you need to examine the financial and economic factors of proposed corrective and preventative actions. This being said a cost/benefit analysis based on financial or economic information alone must never be used to justify the acceptance of higher risk(s) without adequate mitigation(s).
  24. While mitigations are designed to reduce risk; some may introduce new hazards that actually increase the overall level of risk. To ensure this does not happen, carefully assess new mitigations before you put them in place. You may find it necessary to mitigate risks introduced by new procedures, tools, controls etc.
  25. Once you have put mitigations in place, it is critical to evaluate their effectiveness. If you find them ineffective, it may be that you did not correctly or fully implement them, or did not clearly understand or identify the hazard and associated risks. Regardless, action must be taken to evaluate and correct any issues.

    Safety Risk Profile

  26. An additional outcome of the risk assessment process is the ability to rank risks from highest to lowest to establish priorities. This forms the basis of the safety risk profile (See Appendix H: Sample Aviation Safety Risk Profile). This will allow your organization to identify where its highest risks exist and where management should focus the greatest resources. Your organization’s safety risk profile should identify your top risks.
  27. Your organization’s objectives and goals should be linked to its aviation safety risk profile. See Appendix I: Sample Objectives and Goals Log for a template that may help you document them.
  28. You should update your safety risk profile as part of your established SMS management review cycle. However, where your organization identifies and assesses the associated risks as unacceptable, management should review the safety risk profile more frequently and adjust it accordingly.

    While there is no appreciable difference between the expected outcomes in a one-person organization vs. a larger organization, how you store, communicate and track aspects associated with risk management may vary based on the size and complexity of your organization. For example it may be accomplished by using worksheets completed manually, computer spreadsheets, or commercial software.

7.0 Training

7.1 Training Awareness and Competency

  1. To meet SMS expectations and/or regulatory requirements, all employees must demonstrate the appropriate levels of competency to perform assigned duties. To effectively accomplish this, your organization must identify and document applicable training requirements as well as a means for measuring competency.
  2. While existing certificate holders should already have a training program set up as required by the relevant CARs; you must also incorporate relevant SMS training needs.
  3. As the organization grows in size and complexity, different employees may receive different types of training, depending on their involvement within the SMS.
  4. All staff needs training to understand how the SMS functions and their responsibilities within it. Persons responsible for managing the SMS should have an understanding of SMS concepts and/or formal SMS training. This will give them the knowledge of staff training needs and may even qualify them to deliver the training.
  5. Training must suit the needs, size and complexity of your organization. Ways to conduct SMS training in a smaller organization may include:
    1. Requiring employees to read and confirm an understanding of the SMS documentation and complete a sign off record to that effect; or
    2. Computer or classroom based sessions, with organizational specific training material.
  6. Your organization must keep training records showing that employees have completed all required training, with a method to evaluate and record that staff are competent to carry out their aviation safety-related functions. SMS training should be done as soon as possible after an individual is hired, ideally as a part of the organization’s training for new employees.
  7. A SMS training program should include:
    • An explanation of the importance of SMS;
    • Training in the concepts and principles of safety management systems;
    • Training in the organization and operation of the SMS (i.e. Policies, Processes and Procedures);
    • Competency-based training for persons with assigned duties within the SMS;
    • Appropriate learning objectives for each person;
    • Training in Human and Organizational Factors;
    • Emergency preparedness and response training for affected personnel; and
    • Means of measuring the level of competency each person attains after receiving the training.
  8. A safety training program includes periodic refresher and update training. This could involve regular briefings or facilitated workshops where employees can discuss hazards, safety issues and established mitigations. It is useful to include lessons based on safety events that come out of internal and external investigations.
  9. There should be a training plan that includes a documented process to identify training requirements for each position, a list of staff requiring training and a record of when refresher and update training took place.
  10. Each person should complete periodic validation of their training to ensure that it is effective and continues to meet the needs of your organization. This applies to both internal training and to any training conducted by a third party provider. Document these reviews and make them a part of your SMS management review.
  11. Safety education is an ongoing process. Try to make safety-related information (magazines, books, pamphlets, posters, videos, DVDs, online resources) readily available.

    The knowledge and experience you gain by developing your organization’s SMS material is likely sufficient to meet training requirements for a one person organization.

    The training awareness and competency element for a one-person organization need not include a process to:

    • Incorporate the organization’s safety management training into its indoctrination training upon employment.

8.0 Quality Assurance

8.1 Quality Assurance

  1. You must monitor the components of your SMS. You may incorporate this activity into an existing Quality Assurance Program (QAP).
  2. A QAP is the internal validation function of the SMS. It is through the QAP that an organization verifies and validates that the controls it has put in place (e.g. policies, processes, procedures) to manage its safety risks are effective in achieving on-going compliance with regulatory requirements.
  3. Do not confuse a QAP with the SMS management review function. The management review evaluates the performance of the SMS as a whole with the aim of improving it. To this end, the outputs of the QAP becomes one of the various inputs to the management review. This provides feedback as to the level of compliance within your organization and identifies where you may need to take corrective/preventative actions.
  4. Further advisory material for developing a QAP, may be found in Advisory Circular (AC) SUR-003, Quality Assurance Programs Overview provides guidance on how to create and administer a Quality Assurance Program that complies with the CARs.

    One-person organizations may find efficiency in adding SMS/operational quality assurance requirements to an existing QAP.

    The Quality Assurance element for a one-person organization need not include a process to:

    • Ensure that competence to perform duties is evaluated.

9.0 Emergency Preparedness

9.1 Emergency Preparedness and Response

  1. No one conducts operations with the intent of having an accident or serious incident. When an accident or serious incident does occur, however, confusion is often a common factor. The Emergency Response Plan (ERP) is a document, customized to meet your organization’s unique operating requirements and designed to help you respond to an accident or serious incident. An ERP is a way for you to proactively manage a possible significant risk and reduce the impact on your organization, should it occur.
  2. It is possible to plan many of the steps that must take place during an aviation emergency. This will eliminate much of the confusion that often occurs in the initial emergency response. Emergency response plans and procedures are living documents and require regular exercising/review to be effective when needed.
  3. While emergency response planning has often focused primarily on aviation operations, you should prepare your maintenance and any other departments within your organization for an emergency event as well.
  4. When developing an emergency response plan (ERP), consider planning, to:
    1. Make it appropriate to your organization’s size, complexity and scope of operations;
    2. Include steps:
      1. For an orderly transition from normal to emergency operations;
      2. To protect/investigate the accident scene
    3. Add a communication plan, including emergency call list;
    4. Designate emergency authority;
    5. Assign emergency responsibilities;
    6. Explain how and where to secure relevant company records;
    7. Consider coordinating efforts to resolve the emergency;
    8. Addresses:
      1. Caring for survivors
      2. Notifying next of kin
      3. Handling public relations
      4. Keeping records
    9. List elements to ensure an orderly return to normal operations.
  5. Your ERP should document the responsibilities, roles and actions for your staff members with assigned duties within the ERP. You should distribute the ERP to all employees and make sure all key personnel with defined roles understand it. These individuals also require training on the processes and procedures associated with the organization’s ERP. Completing drills or desk top exercises by following published step by step procedures will determine if they are sound, or if you need to make changes. This will also help you determine if employees are competent to carry out appropriate actions during an emergency.
  6. When running a drill or a desk top exercise, change the elements of the simulated emergency, and practice as if it were the real thing. Practicing it under these conditions is the best way to identify weaknesses, prepare staff for the real thing and evaluate the overall effectiveness of the plan. Always document the results of drills and include them as a part of the SMS Management Review.
  7. Communicate and coordinate the ERP with organizations you interact with, including emergency services, contractors, and employee assistance plan providers.
  8. It is important to recognize how a change within the organization may impact your ERP. This is why you should include ERP considerations when developing a management of change plan and why it should be discussed during the SMS management review process.

    An ERP should be suitable to the size and scope of the organization and will look different in a one-person organization than in a large national organization. The accountabilities and responsibilities will be appropriated differently, as all actions are likely to be executed by one person, or a combination of external service providers.

    An ERP distribution procedure may not be necessary for the internal distribution of your ERP documentation. This being said, an external distribution procedure may be necessary where external parties carry out defined roles for emergency response, or where clients request it.

10.0 Information Management

  1. Not applicable

11.0 Document History

  1. Advisory Circular. (AC) 107-002 Issue 01, RDIMS 2382587 (E), 2499853 (F), dated 2008-06-15 —Safety Management Systems Development Guide for Small Operators/Organizations

12.0 Contact Office

  1. For more information, please contact:

    Chief, Technical Program Evaluation and Coordination (AARTT)
    E-mail: AARTinfoDoc@tc.gc.ca

  2. If you have suggestions for amending this document, please submit them to the email address above.

Original signed by

Robert Sincennes
Director, Standards
Civil Aviation

Appendix A: Step By Step Guide for SMS Implementation in a Small Aviation Organization

The following summary presents the main considerations when adopting an SMS within a small aviation organization.

Implementation Guide
Step 1 Gap Analysis
  1. 1.1 Review the requirements of an SMS
  2. 1.2 Identify what you have
  3. 1.3 Identify what you need
Step 2 Design and Development
  1. 2.1 Implementation Plan
  2. 2.2 Document your SMS
Step 3 Introduction and Rollout
  1. 3.1 Get your people involved
  2. 3.2 Communicate the changes
  3. 3.3 Set a realistic timeframe
Step 4 Improvement and Measurement
  1. 4.1 Gather feedback
  2. 4.2 Measure performance
  3. 4.3 Continuously improve your SMS

Step 1: Gap Analysis

1.1 Review the Requirements of an SMS

The first step is to know what an ideal SMS looks like, and then consider this in light of your organization. Look at your regulatory requirements and any available guidance material. You may use the SM ICG SMS Evaluation Tool on SKYbrary as a gap analysis tool. The following resources and actions should help.

  1. a) Research existing regulatory guidance material

    Research guidance material thoroughly, such as the resources listed in section 2.1 of this Advisory Circular to help you understand what you need to address in your SMS.

  2. b) Work together

    Work with similar or partner organizations and industry groups to compare and contrast your understanding of what is required. Avoid a cut-and-paste solution, which might not work well and may waste time and effort.

1.2 Identify What You Have

While you are reading through this guide, consider and document what you have in place already. Jot down some notes as you go about what you already do, and what you do well. Use the language your organization understands in your SMS.

1.3 Identify What You Need

Carry out a gap analysis. The results may overwhelm you when looking at the things that may not be in place. But, if you follow these steps, you will end up with a manageable list of actions to focus on.

A gap analysis does not have to take a long time to complete or be overly complex. Here’s an example of a simple table to capture results:

No. Element What we have What we don’t have Actions
1 Safety policy and objectives
  • Quality Policy (with safety mentioned)
  • Safety commitment statement
  • Safety objectives for 2016
  • Accountable Executive to develop and sign commitment statement
  • Conduct workshop to develop safety objectives for the coming year.

Step 2: Design and Development

In this step, the person responsible for managing the SMS needs to design and develop a plan to put the SMS in place throughout your organization. Consider seeking help or support from a partnering company or industry association.

2.1 Implementation Plan

Using the action item list from the gap analysis, go through and introduce all under-developed or absent elements in an implementation plan. A few things to consider:

  • Think about each action. Does it requirea new policy (e.g. non-punitive reporting policy), procedure (e.g. incident investigation) or process (e.g., risk assessment)? It can help to differentiate these to make sure you develop the policies first.
  • Read through the identified actions, and prioritize them. It is useful to quickly ask yourself, "Do I really need everything I’ve identified to achieve a successful system?" This is a good time to see if your actions sufficiently address the identified gaps and are suitable for your organization.
  • You do not need to have each action up and running right away. Develop an implementation plan that will allow you to phase in different elements over a period of time. Building an SMS overnight will be too challenging. Your goal at this stage is to lay the foundation.
  • Go with what works. Do not try to force a process or activity that clearly has no place in your business. For example, if you are trying to develop a risk assessment methodology, think about how complex you want to make this process; make it practical; and focus on what you’re trying to achieve (e.g., identifying the safety and business risks of a new venture).
2.2 Document Your SMS

You need to document your current processes and procedures, and those you plan to introduce. Where required by the CARs, add your SMS processes and procedures to the TCCA-approved documentation you already have, such as your Operations Manual, Maintenance Policy Manual, or Airport Operations Manual.

Step 3: Introduction and Rollout

3.1 Get Your People Involved

No matter how small your organization (except where you have no employees), failing to get your people involved will make buy-in more challenging. So, be sure your people are on board and understand what you are trying to achieve. A clear safety policy and strong active support from the Accountable Executive is the best place to start. A positive safety culture begins with the Accountable Executive 'walking the talk'. A few one-on-one discussions will go a long way.

3.2 Communicate the Changes

Let your staff know about the changes, why you are making them, the benefits they are designed to bring, and their role within the SMS.

Who else may benefit from knowing that you have an SMS in place? Examples would include your customers and your contractors. If you are a small operator based at an aerodrome, it might be valuable to let the aerodrome operator know - your reporting system may have safety information that’s worthwhile passing on to them and vice versa.

3.3 Set a Realistic Timeframe

Be sure to introduce one or two things at a time, over a reasonable timeframe. Make sure these are in place and working before moving to the next step in your plan. Even for small organizations, it will take time to fully implement your SMS and longer for it to become effective.

Keep checking your progress. For example, if you have implemented a new safety reporting process but have not received (or submitted) any reports, find out why.

Step 4. Improvement and Measurement

An important part of implementation is seeing whether your actions have worked. Consider doing a review six months after your initial development began. You can increase the interval as your SMS matures.

4.1 Gather Feedback

To understand what is working and what is not, consider getting both an internal and external perspective.

Internally:

  • Review any guidance material and compare your thoughts now with what they were when you first read it.
  • Use your initial gap analysis to identify what may need updating. Have things changed?
  • Talk to your people and see what they think.

Externally:

  • Check in with your partner organization(s) or industry association(s).
  • Consider having an independent evaluation done.
4.2 Measure Performance

Establish some performance measures that will help you measure your safety performance. This can be simply measuring the amount of significant safety events you have, the amount of voluntary safety reports you receive or the number of safety meetings you have. Use them to see how far you have come and tell your staff about your progress.

4.3 Continue To Improve Your SMS

The previous steps should give you an idea of what you can improve. Refining and enhancing your SMS never stops. If you think you have done all you can, just remember that continual improvement is fundamental to your SMS. Your SMS is successfully in place when it is embedded in your day-to-day activity (and has been for a while), it works consistently, and it is actually effective. This won’t happen overnight, but with time you’ll see the system maturing and your confidence growing.

(Return to Guidance Material)

Appendix B: SMS Manual Development for a Smaller Moderately-Complex Aviation Organization

This manual aims to be an example of what SMS documentation may look like in a smaller, moderately complex organization. Organizations should view it as a starting point for developing more extensive documentation. This sample does not meet the requirements of any specific organization as it does not detail the Who/When/Where and How which is necessary to describe the specific procedures for your organization. We expect all organizations to develop documentation that reflects their organization and operational reality and includes a description of the organization’s processes; which includes a description of who does what, when, where and how.

Contents

  1. 1. Safety Management Plan
    1. 1.1 Safety Policy
    2. 1.2 Non-Punitive Safety Reporting Policy
    3. 1.3 Roles and Responsibilities
    4. 1.4 Communication
    5. 1.5 Safety Planning
    6. 1.6 Performance Measurement and 1.7 Management Review
  2. 2. Documentation
    1. 2.1 Identification and Maintenance of Applicable Regulations
    2. 2.2 SMS Documentation and 2.3 Records Management
  3. 3. Safety Oversight
    1. 3.1 Reactive Processes-Reporting
    2. 3.2 Proactive Processes-Hazard ID
    3. 3.3 Investigation and Analysis
    4. 3.4 Risk Management
  4. 4. Training
    1. 4.1 Training, Awareness and Competence
  5. 5. Quality Assurance
    1. 5.1 Operational Quality Assurance (QA)
  6. 6. Emergency Preparedness
    1. 6.1 Emergency Preparedness and Response

1. Safety Management Plan

1.1 Safety Policy

Safety is a core value, and a fundamental component of our competitive advantage. Our organization becomes stronger by making continuous safety improvements.

All managers and employees are responsible and accountable for their actions and safety performance, starting with myself as CEO and accountable executive. I endorse all personnel to think and work safely at all times, regardless of any real or perceived pressures to do otherwise.

To prevent accidents and to eliminate damage or injury, we have implemented and maintain an active safety management system (SMS). Our objective is the proactive management of identifiable hazards, the reduction of risk to a level as low as reasonably practicable, and the sharing of safety information with our stakeholders.

Signed:
Date:
Accountable Executive/Private Operator (604)
 
1.2 Non-Punitive Safety Reporting Policy

Our organization fully supports and encourages a culture of openness and trust between all personnel. We cannot achieve this unless employees feel able to report occurrences or hazards without fear. Reporting occurrences or hazards must become a priority for all employees.

Only with full awareness can management correct deficiencies in a timely manner. We encourage employees to identify and report unsafe conditions without fear. The organization’s primary safety goal is to identify and correct any unsafe condition that exists within, or may affect, the organization.

No personnel reporting safety-related issues to the organization will receive punitive discipline, even if they were personally involved in the observation giving rise to the safety concern.

The only grounds for management taking disciplinary action will be for:

  • negligence;
  • willful or intentional disregard of regulations or procedures;
  • criminal intent; and
  • use of illicit substances.
1.3 Roles and Responsibilities

We will identify, communicate, document and periodically evaluate all SMS roles and responsibilities and employee involvement to ensure they are appropriate and functioning within all levels of the organization.

In addition to safety responsibilities in our day-to-day operations, the accountable executive, person responsible for the SMS and employees have additional responsibilities associated with the operation and maintenance of our SMS.

Note: Roles and Responsibilities for 604 certificate holders would include those relevant to the Private Operator, Operations Manager and any other individual with a defined role within the SMS.

The Accountable Executive is responsible for:

  • establishing and implementing the SMS (Operations Manager-604);
  • ensuring the required safety resources are available (Private Operator-604);
  • establishing and following the corporate safety policy (Operations Manager-604);
  • promoting and supporting the SMS (Operations Manager-604); and
  • ensuring the SMS remains effective (Operations Manager-604).

The Person responsible for the SMS is responsible for:

  • managing the operation of the SMS;
  • collecting and analyzing safety information in a timely manner;
  • monitoring and evaluating the results of corrective actions;
  • ensuring that risk assessments take place when applicable;
  • determining the adequacy of training;
  • delegating specific SMS tasks/roles to persons within the organization;
  • ensuring periodic reviews take place to determine the effectiveness of the system;
  • monitoring the industry for safety concerns that could affect the program; and
  • ensuring safety-related information, including organization goals and objectives, are available to all personnel through established communication processes;
  • communicating SMS deficiencies/findings to the Accountable Executive

Employees are responsible for:

  • following established safe working practices;
  • immediately dealing with any unsafe condition, as practical;
  • identifying and reporting all occurrences, hazards, operational irregularities, unsafe conditions or practices in a timely manner; and
  • being familiar with the organization’s SMS.
1.4 Communication

As part of an effective SMS, we communicate, share and review safety-related information through meetings, electronic and written documentation with the following groups:

Internal:

  • hold quarterly (or as required) safety meetings to review reports;
  • conduct individual or group face-to-face meetings;
  • issue organization memos;
  • update safety bulletin board; and
  • share amendments to documentation.

TCCA:

  • participate in relevant and accessible safety-related forums.

Industry:

  • participate in relevant and accessible safety-related forums;
  • other organizations and associations; and
  • manufacturers.

Clients:

  • hold safety briefings;
  • produce safety cards; and
  • request customer feedback.

Your documented process must explain inputs, tasks, and outputs for both dissemination and effectiveness monitoring activities; to adequately ensure process repeatability and auditability.

1.5 Safety Planning

The aim of establishing attainable objectives and goals is to ensure safety and continuous improvement. Each year, we review our safety policy and company objectives and goals and update them in accordance with our performance measurement and management review processes. These reviews will also confirm that our objectives and goals are linked to our safety risk profile. Safety objectives and goals are logged in Appendix I Objectives and Goals Log.

The process for establishing goals includes reviewing:

  • our business plan;
  • internal audit results;
  • all safety events and hazard reports; and
  • our safety risk profile

Our current objectives and goals are:

  • Objective A: Reduce hazards and associated risks.
    • Goal 1: Increase hazard reporting by 5% by the end of the calendar year.
    • Goal 2: Increase Safety Event reports by 5% by the end of the calendar year..
  • Objective B: Continue to enhance trend monitoring and develop effective corrective action plans.
    • Goal 1: Provide additional trend monitoring and root cause analysis training to SMS manager before the end of Q2.
    • Goal 2: Ensure the SMS manager provides additional SMS training to other personnel by the end of the calendar year.
  • Objective C: To reduce losses through a reduction in the number and severity of accidents and incidents.
    • Goal 1: Increase the number of safety event reports received by 5 per cent.
    • Goal 2: Join the local aircraft maintenance engineer (AME) association.
    • Goal 3: Provide St. John’s ambulance and fire extinguisher training to those who do not already have it by the end of Q3.

Your documented process must explain inputs, tasks, and outputs for developing safety goals; to adequately ensure process repeatability and auditability.

1.6 Performance Measurement and 1.7 Management Review

Each year, management reviews data from various sources to measure safety performance, assess SMS effectiveness and verify continuous improvement. Safety performance indicators as well as their achievement goals are recorded in Appendix C Safety Performance Indicators (SPI) Log as well as Section 2 of Appendix D Management Review Template. Results of management reviews are populated in Appendix D Review of the SMS Form.

  • During the process, we:
    • identify trends through data analysis and information sharing;
    • evaluate effectiveness of corrective actions (including from previous management reviews);
    • update safety objectives and goals;
    • monitor and update safety performance measures;
    • allow for risk-based allocation of resources;
    • review quality issues; and
    • review the Emergency Response Plan.
  • Our safety performance measures for this year are:
    • number of hazards identified this year vs. previous years;
    • number of incident and accident reports received this year vs. previous years;
    • # of organizational personnel who receive SMS training;
    • value of damage to organization property this year vs. previous years.

Your documented process must explain inputs, tasks, and outputs to develop and maintain safety performance indicators to adequately ensure process repeatability and auditability.

Your documented procedure must explain Who/When/Where/How to regularly monitor and measure safety performance; to adequately ensure procedure repeatability and auditability.

2. Documentation

2.1 Identification and Maintenance of Applicable Regulations

We identify and keep track of the regulations that apply to our operations to ensure that we understand our legal responsibilities. The person responsible for the SMS will ensure we follow the following process:

  • Conduct a bi-annual review of CARs and Standards (via the summary), including applicable exemptions, and modify existing policy, procedures and processes to ensure continued regulatory compliance;
  • Review Canada Gazette Part II and any additional safety regulations such as the Canada Labour Code and Workplace Safety and Insurance Act, 1997, take action as required; and
  • Make pertinent regulatory and technical information available to all personnel through their departments.
Your documented procedure must explain how you identify applicable regulatory requirements (inputs, tasks, outputs – is the output of the previous review used as an input for the next one, is there a form or checklist, etc.); to adequately ensure procedure repeatability and auditability.
2.2 SMS Documentation and 2.3 Records Management

We document and manage associated records to ensure all personnel remain informed and involved with our SMS. The person responsible for the SMS maintains two types of SMS documentation:

  • description of SMS policies, processes, and procedures; and
  • records or outputs from these processes.

We keep the following policy, process and procedure documents in a location easily accessible by all personnel. We update them as required.

  • SMS manual/documentation;
  • maintenance control manual; and
  • company operations manual.

We store records and output (information gathered through the SMS) in a secure filing cabinet and keep them for at least two audit cycles.

We keep SMS manual/documentation with our other required manuals and update them as required.

We seek TCCA approval when we make changes to approved content.

We identify documentation requiring modification as a result of organizational or operational changes as part of the management of change process.

We review information in the SMS manual/documentation during the annual internal quality assurance audit. We also review information in the SMS manual/documentation on an as-required basis, i.e. to identify issues and trends between audit intervals. We maintain SMS documentation and records for a period of two audit cycles.

Your documented process must explain inputs, tasks and outputs to ensure that changes to documentation have been implemented adequately to ensure process repeatability and auditability.

Your documented process must explain the record control process tasks, outputs, and who performs the process; adequately to ensure process repeatability and auditability.

3. Safety Oversight

3.1 Reactive Processes-Reporting

As part of our continuous safety improvement process, we maintain a safety event/hazard reporting system (reactive/proactive) to collect and analyze data and carry out investigations. We will deal with all reports in confidence. Self-identified reporters will receive a response acknowledging their submission within 5 days, and an update within 30 days or when the process described below is complete.

Note: When a safety event occurs, our organization must complete the Safety Report and Investigation Form (Appendix E).

The process is as follows:

  • Complete Parts A, B, C and D as soon as practicable.
    • The reporter completes Part A and submits it to the person responsible for the daily operations of the SMS. Part A consists of tombstone data and a narrative of the event, including; what happened, how widespread it is, where it occurred within your operations, and what type of problem it is (may be completed with the help of the person responsible for the SMS).
    • The person responsible for the daily operation of the SMS:
      • reviews the report form; and
      • submits the form to the person responsible for the related activity and together they investigate the safety event to determine the root cause and any contributing causes.
    • Approval of the implementation plan must be sought from the Responsible Manager/Accountable Executive/Private Operator and Operations Manager (604).
    • The person responsible for the daily operation of the SMS will verify that corrective actions for safety events have been implemented as planned, and assess for effectiveness.
    • When Parts A, B and C have been completed, the individual who holds the accountability for the SMS will sign-off verifying the closure of the activity.
    • We will file and keep relevant documentation for at least two audit cycles.
    • We will use this information as part of our performance measurement and management review process.

The following must be reported:

  • Any safety event involving injury or damage to personnel, equipment or facilities;
  • Any safety event involving injury or damage to non-organization personnel, equipment or facilities, resulting from organization operations.

Your documented processes must explain inputs, tasks, and outputs to notify contributors and monitor & analyze trends in safety events; adequately to ensure process repeatability and auditability.

3.2 Proactive Processes-Hazard ID

Any identified hazard must be documented by completing the Safety Report and Investigation Form (Appendix E).

The process is as follows:

  • Complete Parts A, B, C and D as soon as practicable.
    • Reporter completes Part A and submits it to the person responsible for the daily operation of the SMS. Part A consists of tombstone data, hazard narrative and an initial risk assessment is (may be completed with the help of the person responsible for the SMS).
    • The person responsible for the daily operation of the SMS, together with the person responsible for the related activity will:
      • Develop preventative actions in accordance with Part B.
      • Develop mitigations to lower the risk to below the defined tolerable level and develop a plan to implement mitigations.

        Note: The Accountable Executive may also decide to accept Medium level risks (initial or after mitigation) in accordance with the Risk Management process (example in Appendix J) only after he or she has been briefed, and is familiar with the nature of the Hazard.

      • Re-evaluate and document a revised risk rating, assuming successful implementation of the mitigations.
    • Approval of the implementation plan must be sought from the Responsible Manager/Accountable Executive/Private Operator and Operations Manager (604).
    • The person responsible for the SMS will verify that mitigations have been implemented as planned and have them assessed for effectiveness.
    • When Parts A, B and C have been completed, the individual who holds the accountability for the SMS will sign-off verifying the closure of the activity (Part D).
    • We file and save the relevant documentation for at least two audit cycles.
    • We use this information as part of our performance measurement and management review process.

The following must be reported:

  • Any identified hazards that may contribute to a safety event involving injury or damage to organization personnel, equipment or facilities; and
  • Any identified hazards that may contribute to a safety event involving injury or damage to non-organization personnel, equipment or facilities resulting from organization operations.

Note: Reactive and Proactive Processes

Even though the reactive process deals with events that have already happened and the proactive process looks for potential problems, the methods for managing both are similar. While these processes are separate issues, many organizations will choose to combine them as much as practicable due to their similarities.

Your documented processes must explain inputs, tasks, and outputs to notify contributors, monitor & analyze trends in hazards, and conduct self-evaluations to identify hazards adequately to ensure process repeatability and auditability.

Your documentation must explain who and how the organization develops a hazard register (log of identified hazards), safety cases (management of risks associated with proposed change) as well as their safety risk profile (prioritizing the risks associated with hazards), and define the interval between hazard analyses (how often you review, analyze & update your hazard register data e.g. for new hazards identified or trends from hazard reports submitted since last review, are controls still effective in maintaining risk within tolerable levels, etc.).

3.3 Investigation and Analysis

The ability to investigate, analyze and identify the cause or probable cause of hazards and occurrences documented through the SMS is an important component of our continuous safety improvement process. Investigation and analysis are components of the reactive, proactive and risk-management processes. Details can be found in those sections.

The person responsible for the daily operation of the SMS and the person responsible for the related activity will analyze/investigate safety events and hazards to:

  • determine the root, and contributing cause(s);
  • develop and implement corrective or preventive actions; and
  • evaluate corrective actions to make sure they are effective in preventing recurrence.

Your documented procedure must explain Who/What/When/Where/How to conduct investigations; adequately to ensure procedure repeatability and auditability.

Your documented processes must explain inputs, tasks, and outputs to analyze events, identify contributing and root causes of events (including the methodology), and monitor & analyze trends in issues identified during investigation; adequately to ensure process repeatability and auditability.

3.4 Risk Management

The ability to assess risks associated with hazards is an important component of our continuous safety improvement process. We require a risk assessment be completed for every hazard report submitted. To maintain a consistent approach to risk management we use a 3X3 risk matrix as defined in Appendix J Risk Management Tool. Additionally the results of risk assessments are used to populate the tables found in Appendix F Aviation Safety Related Hazard Log and in turn Appendix I Aviation Safety Risk Profile.

The risk-management process is as follows:

  1. Identify the hazard;
  2. Determine the associated risks;
  3. Define Risk Scenarios;
  4. Determine the likelihood and severity risk rating;
  5. Develop risk control strategies, including timelines, and determine a revised risk rating;
  6. Put risk control strategies in place;
  7. Assess risk controls for effectiveness;
  8. Update the SMS form when the process has been completed, with a narrative of the results;
  9. Store the completed forms/reports in a secure location.

Your documented process must explain inputs, tasks, and outputs for evaluating the effectiveness of risk mitigations; adequately to ensure process repeatability and auditability.

Your documentation must explain the organization’s tolerable level of risk.

4. Training

4.1 Training, Awareness and Competence

Operational and technical training requirements are documented in the appropriate sections of the AOM/MPM/COM in accordance with the appropriate CAR’s subpart. To meet additional SMS training requirements we:

  • Offer initial SMS training:
    • The person responsible for the SMS will receive additional trend monitoring and root cause analysis training; and
    • The person responsible for the SMS will provide all organization personnel with an initial training session on the SMS.
  • Offer SMS training updates:
    • We will review regulatory changes and incorporate them, if applicable, and update the SMS program as required;
    • Once each year, or as required, all personnel will receive update training to include:
      • information on changes to the SMS; and
      • a review of all reported occurrences and hazards, including recommended mitigations and corrective or preventative actions.
  • Conduct SMS training validation/performance measurement:
    • The overall effectiveness of training must be assessed/determined by:
      • the person responsible for the SMS evaluating the level of learning through verbal or written quizzes;
      • any internal audit finding that identifies additional training in the corrective action plan.
  • Offer additional SMS training:
    • Where it is shown to be necessary during the internal quality assurance audit, we will conduct additional training; and
      • When any new requirement arises, for example new or modified equipment.
  • Require emergency preparedness and response training:
    • The person responsible for the SMS will ensure that all personnel are trained in, and aware of, their duties and responsibilities within the organization’s emergency response plan; and
    • The organization has briefed local emergency service providers on its operation, and participates in emergency response exercises.
  • Keep training records:
    • We will keep a record of all training completed in personnel files.

Your documented process must explain inputs, tasks, and outputs for identifying training requirements to achieve competence to perform all duties required by the CARs and approved manuals (not just SMS duties), including who performs the identification process and what forms are used; adequately to ensure process repeatability and auditability.

Your documented process must explain inputs, tasks, and outputs for measuring the effectiveness of training to perform all duties required by the CARs and approved manuals (not just SMS duties); adequately to ensure process repeatability and auditability.

5. Quality Assurance

5.1 Operational Quality Assurance (QA)

To meet SMS QA requirements, we:

  • Follow an independent audit procedure;
  • Measure applicable organizational processes including:
    • Safety policy;
    • Non-punitive reporting policy;
    • Roles, responsibilities and employee involvement;
    • Communications;
    • Safety planning objectives and goals;
    • Performance measurement and management review;
    • Identification and maintenance of applicable regulations;
    • SMS documentation and records management;
    • Reactive and proactive processes, investigation and analysis;
    • Risk management;
    • Training, and competence evaluation of personnel performing duties gove3red by the CARs;
    • Emergency preparedness and response; and
    • Review of safety critical functions.
  • Provide additional SMS audit component training as required.

Your documentation must state who manages the QAP.

Your documentation must explain the audit scope, criteria, frequency and methods (including reference to checklists) for internal audits of all processes, procedures, analyses, inspections and training within the scope of the certified operation, not just for SMS requirements.

Your documented process must explain inputs, tasks, and outputs to ensure auditor objectivity and impartiality; adequately to ensure process repeatability and auditability.

Your documented procedures must explain Who/What/When/Where/How to report audit results to management and to the appropriate persons for corrective action, to develop and take corrective action in response to audit findings, to monitor for timely completion and effectiveness of corrective action, to record and retain audit records (including what was verified, findings, corrective actions, and follow-ups); adequately to ensure procedure repeatability and auditability.

Your documentation must explain How/Who/How Often the QAP itself is audited, including reference to checklists.

6. Emergency Preparedness

6.1 Emergency Preparedness and Response

Our organization recognizes that even the safest organizations can suffer loss. To reduce human suffering and property damage after a safety event has occurred, we have developed an Emergency Response Plan (ERP). We:

  • examine the ERP as part of the annual SMS management review and after key personnel and organizational change;
  • communicate and distribute the ERP to all organization and flight watch personnel and local emergency response authorities;
  • conduct ERP exercises in co-operation with local authorities on an annual basis;
  • update the ERP as required based on exercises and review outputs; and
  • make ERP awareness a required training item for all personnel who may be affected or involved in the event of an emergency.

Company ABC’s Emergency Preparedness and Response plan is detailed within a separate document entitled: “ABC Emergency Preparedness and Response Plan” and is distributed in accordance with the distribution list within that document.

Your documentation must state who the responsible manager is for the ERP (including who performs the required communication and distribution process.

(Return to Guidance Material)

Appendix C: Sample Safety Performance Indicators (SPI) Log

Company X Safety Performance Indicators
Year 20XX
Performance Indicator Target Performance
Qtr1 Qtr2 Qtr3 Qtr4
Voluntary Reports per employee per year More than 10        
Overdue safety report closures per year 2 or less        
Safety meetings per year 4        
Safety briefings per year 2        
Safety audits per year 2        
Organization-specific SPIs
Operator: Flights flown with operational MEL restrictions per 100 flights Less than 5%        
Aerodrome: Runway incursions per year Less than 5        
Maintenance: Maintenance errors per year Less than 5        
ATS: Airspace infringements per 100 movements Less than 2        
Major Risk IncidentsFootnote * per 100 flights 0        
Mandatory Reports per 100 flights 3 or less        

Notes:

  • These are only suggestions to give organizations some ideas for safety performance indicators. You must customize performance indicators and targets to the nature and size your operation.
  • Review Objectives and SPIs as part of the SMS Management Review, and amend or update when necessary.

(Return to Guidance Material)

Appendix D: Sample SMS Management Review-Template

Company X Annual Review of SMS Effectiveness

Date

 

Time

 

Present

 

 

 

 

 

 

Absent

 

 

 

 

 

AGENDA

1. Review of actions arising from previous meetings

Action Item # Status Completion Date Further Action Required
       
       
       
       

2. Safety Objective Performance Review

Performance Indicator Target Performance
Qtr1 Qtr2 Qtr3 Qtr4
Voluntary Reports per employee per year More than 10        
Overdue safety report closures per year 2 or less        
Safety meetings per year 4        
Safety briefings per year 2        
Safety audits per year 2        
Organization-specific SPIs
Operator: Flights flown with operational MEL restrictions per 100 flights Less than 5 %        
Aerodrome: Runway incursions per year Less than 5        
Maintenance: Maintenance errors per year Less than 5        
ATS: Airspace infringements per 100 movements Less than 2        
Major Risk IncidentsFootnote * per 100 flights 0        
Mandatory Reports per 100 flights 3 or less        

Are Safety Objectives and Goals being met?

Comments:

3. Safety Events Review (reported since last Management Review)

Safety Report # Report Status Corrective/Preventive Action Effectiveness Further Action Required/Follow Up Date
       
       
       
       

4. Hazard Log/Occurrence Investigation/Management of Change (MoC) Review

Hazard/ MoC # Mitigation Status Mitigation Effectiveness Further Action Required/Follow Up Date
       
       
       
       

5. Training and Safety Promotion Review

Area Training and Promotion Effectiveness Action Required/Follow Up Date
Operational    
Management    
     

6. Internal and External Audit / Review Findings and Feedback

Finding # Corrective/ Preventive Action Status Corrective/Preventive Action Effectiveness Further Action Required/Follow Up Date
       
       

7. Changes Required to SMS/Recommendations for Improvement and Sharing of Best Practices

Type of Change Change Required Person Responsible Completion Date
Safety Policy and Objectives      
SPIs      
Documentation      

8. Other Business

Issue Follow up Action Person Responsible Completion Date
       
       

9. Date of next meeting

 

 

(Return to Guidance Material)

Appendix E: Sample Safety Report and Investigation Form-Template

Part A: To be completed by the person identifying the safety event or hazard

Date:

 

Local time:

 

Location:

 

Name of Reporter:

 

Operational Area:

 
 
Description of safety event or identified hazard (Identify what happened, how widespread it is, where it occurred within your operations, and what type of problem it is.)

 

 
For Hazards: Initial Risk Rating (based on risk assessment tool)

Likelihood

Severity

Risk Rating

 

 

 

 

Part B: To be completed by person responsible for the daily operation of the SMS, and the person responsible for the related activity

For Safety Events: Root Cause Analysis (Identify Root and Contributing Causes)

Name of Investigator

 

 

 

* The Accountable Executive/Private Operator (604) and Operations Manager (604) may accept risks classified as Moderate (initial or after mitigation), as set out in the Risk Management process. If Moderate risk is accepted, they must document and sign the decision.

For Hazards: Justification to Accept Moderate Level Risk

 

 

Name:

Title:

Signature:

Date:

 
Mitigations (Corrective/Preventative Actions-Short/Long Term [including an assessment of any induced hazards or risks associated with the implementation of the corrective actions(s)])

 

 
For Hazards: Revised Risk Rating-with mitigations implemented (based on risk assessment tool)

Likelihood

Severity

Risk Rating

 

 

 

 
Implementation Plan for Corrective/Preventative Actions

Who?

 

What?

 

When?

 

Agreed and Accepted by:

(insert title of responsible person)

Date

Responsible Manager

Date

Accountable Executive/Private Operator (604)

Date

Operations Manager (604)

Date

 

 

Part C: To be completed by the person responsible for the daily operation of the SMS

Verification of Corrective/Preventative Actions

Who?

 

What?

 

When?

 
 

Part D: To be signed off by the person who holds the accountability for the SMS

Managerial Approval

Name:

Title:

Signature:

Date:

 

(Return to Guidance Material)

Appendix F: Sample Hazard Log-Template

Date Hazard # and Description Risk(s) Description/Scenario Risk Rating Before Control Measures Control Measures and Person Responsible Risk Rating After Control Measures Control Review Date Close out Date

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

(Return to Guidance Material)

Appendix G: Sample Management Of Change-Template

Management of Change

1. What is the proposed change?

Describe the change.

 

 

2. Who is responsible?

Describe who is responsible to implement the change.

 

 

3. Describe the major components of the change

This will help you identify the main risks of each component you address in section 7.

 

 

4. Who does the change affect?

Consider who it affects: individuals, departments and organizations?

 

 

5. What is the impact of the change?

Consider why the change is taking place and the impact on the organization and its processes and procedures.

 

 

6. What follow up action is needed? (assurance)

Consider how you will communicate the change and whether you will need additional activities such as audits during the change and after it has taken place.

 

 

7. Safety Issues and Risk Assessment

What is the issue? (hazard)
 
What could happen as a result?
(associated risk(s) and risk scenario(s))
How likely is it to occur? (likelihood)
 
How Bad will it be? (severity)
 
Risk rating
 
What action(s) are being taken? (mitigations)
 
Action by whom and when
1            
2            
3            
4            
5            

The Change is acceptable to implement

Final Acceptance Signature (Accountable Executive)

Name:

Date:

 

(Return to Guidance Material)

Appendix H: Sample Aviation Safety Risk Profile-Template

Hazard # and Description Risk(s) Description/Scenario Risk Rating Priority

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

(Return to Guidance Material)

Appendix I: Sample Objectives And Goals Log-Template

Risk Priority #1

 

Objective 1

 

Goal 1

 

Goal 2

 

Control

 

Measurement

 

(Return to Guidance Material)

Appendix J: Sample Risk Management Tool (Including 3x3 And 5x5 Risk Matrix)

Company X Risk Management Procedures

Use the following definitions and risk acceptability matrices when assessing all hazards. The person responsible for the SMS (insert title) will carry out the initial risk assessment. An independent validation is also carried out, by one of the following personnel:

  • Accountable Executive
  • Quality Manger (or identify alternate position)
  • Identify another position if appropriate

Sample Likelihood Classifications for use with a 3X3 Risk Matrix

Likelihood of Occurrence
Descriptor Definition Value
Unlikely Is very unlikely to reoccur or occur 1
Possible Is possible to reoccur or to occur at least once a year 2
Likely Is likely to reoccur or to occur several times in a year 3

Sample Severity Classifications for use with a 3X3 Risk Matrix

Severity of Consequences
Descriptor Definition Value
Negligible Results in minor incident that would not be reportable to the TSB 1
Incident Results in a Mandatory Reportable Incident, reportable to the TSB 3
Accident Results in an accident with fatality(s) 5

Risk Acceptability Matrix (3X3)

Severity Accident
(5)
MODERATE
(5)
HIGH
(10)
HIGH
(15)
Incident
(3)
MODERATE
(3)
MODERATE
(6)
HIGH
(9)
Negligible
(1)
MINIMUM
(1)
MINIMUM
(2)
MODERATE
(3)

 

 

Unlikely
(1)
Possible
(2)
Likely
(3)

 

 

Likelihood

Sample Likelihood Definitions for use with a 5X5 Risk Matrix

Likelihood of Occurrence
Descriptor Definition Value

Improbable-Rare

  • Almost inconceivable that the event will occur within the defined risk scenario
  • Statistically impossible [10-9 and below]
  • Event would almost never be expected to occur
1

Remote-Unlikely

  • Unlikely, but possible to occur within the defined risk scenario
  • Statistically 10-7-10-9
  • Event would not be expected to occur very often
2

Occasional

  • Likely to occur sometimes within the defined risk scenario
  • Statistically 10-3-10-7
  • Event would be expected to occur in some circumstances
3

Probable-Likely

  • Will occur several times within the defined risk scenario
  • Statistically 10-3-10-5
  • Event is likely to occur in most circumstances
4

Frequent-Almost Certain

  • Likely to occur often during the defined risk scenario
  • Statistically 10-1-10-3
  • Event is likely to occur in almost all circumstances
5

Note:

  • - You may use qualitative or quantitative measures as deemed appropriate.
  • - The numerical values for the statistics above are from engineering certification standards and serve as an example only. These quantitative values may not apply to your organization, or in cases where there is no available data. The values may have to be adjusted appropriately to the activity.
  • - The descriptors above do not all have to be met to identify the level of likelihood. They are meant to help differentiate between the different levels.

Sample Severity Definitions for use with a 5X5 Risk Matrix

Severity of Consequences
Descriptor Definition Value

Negligible

  • Little to no impact on safety/business/operational or production objectives
  • Less than minor injury and/or less than minor system damage
1

Minor

  • Personnel—first aid injury; no disability or lost time
  • Public—minor impact
  • Environment—contained release
  • Equipment—minor damage; potential organizational slowdown or potential downtime
2

Moderate

  • Personnel—lost time injury; no disability
  • Public—greater than minor impact, loss of confidence; some injury potential
  • Environment—small uncontained release
  • Equipment—minor damage; leads to organizational slowdown or minor downtime
3

Major-Critical

  • Personnel disability or severe injury
  • Public—exposed to a hazard that could or will produce injuries
  • Environment—moderate uncontained release
  • Equipment—major damage; results in major slowdown or downtime
4

Catastrophic- Extreme

  • Personnel—fatal, life-threatening injury
  • Public—exposed to life-threatening hazard
  • Environment—large uncontained release
  • Equipment—loss of critical equipment, or shutdown of organization
5

Sample Risk Acceptability Matrix (5X5)

Severity 5 5 10 15 20 25
4 4 8 12 16 20
3 3 6 9 12 15
2 2 4 6 8 10
1 1 2 3 4 5
    1 2 3 4 5
   

Likelihood

Risk Acceptance

Prioritize your actions based on the score from the Risk Acceptability Matrix. Use the table below to help determine the appropriate action to take.

Minimum
(Acceptable)
  • Risk is considered acceptable, to be reviewed if reoccurrence takes place. Unless already reduced to as low as reasonably practical (ALARP), consider reducing the risk further, as long as this does not divert resources from mitigating higher risk activities.
Moderate
(Review)
  • Consider mitigations to lower the risk. Where mitigations are not practical or viable, you may accept the risk, the Accountable Executive must understand and sign off on this approach
High
(Unacceptable)
  • Risk Intolerable Immediately inform the Accountable Executive/ Operations Manager (604), stop activity, take action to reduce the risk to an acceptable level.

(Return to Guidance Material)

Appendix K: Useful Links For SMS Program Development

  1. Advisory Circular (AC) 107-001, Issue 01, 2008-01-01 — Guidance on Safety Management Systems Development
  2. Advisory Circular (AC) SUR-002, Issue 01, 2015-09-15, Root Cause Analysis and Corrective Action for TCCA Findings
  3. Safety Management International Collaboration Group (SMICG), Version 1.0, April 2012 — Safety Management System Evaluation Tool
  4. Safety Management International Collaboration Group (SMICG), March 2015 — SMS for Small Organizations
  5. Safety Management International Collaboration Group (SMICG), July 2013 — Measureing Safety Performance Guidelines for Service Providers
  6. Safety Management International Collaboration Group (SMICG), May 2016 — Determining the Value of SMS
  7. Safety Management International Collaboration Group SMICG), April 20130 — Hazard Taxonomy Examples
  8. SKY-brary-Safety Management Systems
  9. ICAO-Annex 19-Safety Management, First Edition 2013
  10. ICAO-Safety Management Manual, Third Edition-2013
  11. ICAO Integrated Safety Management website
  12. Federal Aviation Administration (FAA) SMS
  13. European Aviation Safety Agency (EASA) SMS
  14. Transport Canada Civil Aviation (TCCA) SMS
  15. Civil Aviation Safety Authority (CASA) of Australia SMS
  16. Civil Aviation Authority of New Zealand (CAA NZ) SMS
  17. Flight Safety Foundation — Global Aviation Safety Network
  18. TSB Canada-Aviation Occurrence Data
  19. Aviation Safety Reporting System-Occurrence Data
  20. Canadian Council for Aviation and Aerospace
  21. Canadian Aviation Regulations