U.S. Department of Transportation
Federal Aviation Administration
Subject: Safety Management Systems for |
Date: 1/8/15 |
AC No: 12092B |
Aviation Service Providers |
Initiated by: AFS900 |
Change: |
|
This advisory circular (AC) provides information for Title 14 of the Code of Federal Regulations (14 CFR) part 121 air carriers that are required to implement Safety Management Systems (SMS) based on 14 CFR part 5. Specifically, this document provides a description of regulatory requirements, guidance, and methods of developing and implementing an SMS. This AC may also be used by other aviation service providers interested in voluntarily developing an SMS based on the requirements in part 5.
An SMS is an organizationwide comprehensive and preventive approach to managing safety. An SMS includes a safety policy, formal methods for identifying hazards and mitigating risk, and promotion of a positive safety culture. An SMS also provides assurance of the overall safety performance of your organization. An SMS is intended to be designed and developed by your own people and should be integrated into your existing operations and business decisionmaking processes. The SMS will assist your organization’s leadership, management teams, and employees in making effective and informed safety decisions.
Part 5 specifies a basic set of processes integral to an effective SMS but does not specify particular methods for implementing these processes. In other words, the regulation defines “what” must be accomplished, not “how” it must be accomplished. This AC provides additional guidance on how the SMS may be developed to achieve the safety performance objectives outlined by your organization. As is demonstrated by this AC, there is no onesizefitsall method for complying with the requirements of part 5. This design is intentional, in that the Federal Aviation Administration (FAA) expects each air carrier to develop an SMS that works for its unique operation. Thus, this AC provides guidance regarding designing and implementing acceptable methods of compliance with the requirements of part 5. These methods, however, are not the only means of compliance.
/s/ John S. Duncan
Director, Flight Standards Service
1/8/15 |
|
AC 12092B |
|
CONTENTS |
|
Paragraph |
Page |
CHAPTER 1. INTRODUCTION |
|
11. |
Purpose |
1 |
12. |
Cancellation |
1 |
13. |
Applicability |
1 |
14. |
Scalability |
2 |
15. |
Contact Information |
2 |
CHAPTER 2. SAFETY MANAGEMENT SYSTEM (SMS) FOUNDATIONS |
|
21. Safety Culture and Safety Management. ..........................................................................3 |
22. SMS Fundamentals |
4 |
23. Conceptual Overview of SRM and SA |
5 |
24. |
Definitions |
7 |
CHAPTER 3. SAFETY MANAGEMENT SYSTEM (SMS) COMPONENTS EXPLAINED |
31. Overview of the Structure of Chapter 3 |
9 |
32. Subpart A: General |
10 |
33. Subpart B: Safety Policy |
12 |
34. Subpart C: Safety Risk Management |
17 |
35. Subpart D: Safety Assurance |
28 |
36. Subpart E: Safety Promotion |
42 |
37. Subpart F: SMS Documentation and Recordkeeping |
44 |
CHAPTER 4: IMPLEMENTATION: BUILDING A SAFETY MANAGEMENT |
|
|
SYSTEM (SMS) |
|
41. Process Overview |
47 |
42. Mapping and Analyzing Your Organization |
48 |
43. Conducting a Gap Analysis |
48 |
44. Preparing an Implementation Plan |
49 |
45. Phased SMS Implementation Strategy |
50 |
CHAPTER 5: INTEGRATING EXISTING SAFETY PROGRAMS INTO THE SAFETY |
|
MANAGEMENT SYSTEM (SMS) |
|
51. Purpose of this Chapter |
55 |
52. |
Discussion of Individual Programs |
55 |
Page iii
1/8/15 |
|
AC 12092B |
Paragraph |
|
|
Page |
APPENDIX 1. SMS CROSSREFERENCE FOR TRANSITIONING SMS PILOT |
|
|
|
PROJECT PARTICIPANTS (2 pages) |
1 |
APPENDIX 2. SAFETY RISK MANAGEMENT (SRM) WORKSHEETS (8 pages) |
1 |
APPENDIX 3. |
SAMPLE SAFETY POLICY STATEMENT (2 pages) |
1 |
APPENDIX 4. |
IDENTIFYING THE ACCOUNTABLE EXECUTIVE (2 pages) |
1 |
APPENDIX 5. |
SAMPLE GAP ANALYSIS AND IMPLEMENTATION PLAN |
|
|
|
EXCERPTS (2 pages) |
1 |
APPENDIX 6. |
REFERENCES AND ADDITIONAL INFORMATION (2 pages) |
1 |
|
|
LIST OF FIGURES |
|
Figure 21. Safety Management Decisionmaking Processes |
6 |
Figure 31. Safety Risk Management Processes and Regulatory Requirements |
18 |
Figure 32. Sample Risk Matrix |
26 |
Figure 33. Safety Assurance Processes and Regulatory Requirements |
29 |
Figure 41. Recommended Safety Management System Implementation Levels |
51 |
Figure 42. |
Safety Management System Development |
52 |
Page iv
CHAPTER 1. INTRODUCTION
11. PURPOSE.
a.General. This advisory circular (AC) provides information to assist Title 14 of the Code of Federal Regulations (14 CFR) part 121 certificate holders in developing a Safety Management System (SMS). It provides guidance material that aligns with the requirements, structure, and format of 14 CFR part 5, Safety Management Systems for Certificate Holders Operating under Part 121. It describes an acceptable means, but not the only means, to implement and maintain an SMS. Because complying with part 5 satisfies the SMS Standards of the International Civil Aviation Organization (ICAO), as published in ICAO Annex 19 for operations covered under Annex 6 Part I, the material in this AC is also consistent with those ICAO standards.1
b.Integration. An SMS is not meant to be a separate system built alongside or on top of your other business systems. An SMS should be integrated into your existing business structure. A properly integrated SMS fosters a fundamental and sustainable change in how you view and analyze data and information, how you make informed decisions, and how you develop new operational and business methods. SMSs are necessary to comply with part 5, but they are not substitutes for compliance with other Federal regulations. However, SMSs can assist service providers in meeting other regulatory requirements.
c.Scalability. The SMS requirements of 14 CFR part 5 are applicable to a wide variety of types and sizes of operators. Therefore, those requirements are designed to be scalable, allowing operators to integrate safety management practices into their unique business models. An SMS should be tailored to each specific operator; therefore, this AC cannot provide a single means of compliance that applies to all certificate holders who are required to develop and implement an SMS.
12. CANCELLATION. AC 12092A, Safety Management Systems for Aviation Service Providers, dated August 12, 2010, is canceled.
13. APPLICABILITY.
a.This AC Applies to Part 121 Certificate Holders. This AC applies to businesses that are considering applying for, have applied for, or hold a part 121 certificate. Part 5, § 5.1 requires a part 121 certificate holder to have an SMS that meets the requirements of part 5 and that is acceptable to the Administrator of the Federal Aviation Administration (FAA). Various methods of compliance may be accepted by the Administrator. The methods offered in this AC are not the only means of compliance with part 5; however, these have been found to be acceptable to
1ICAO Safety Management standards require operators of airplanes over 27,000 kg to have include a Flight Data Analysis (FDA) program as part of their SMS. Part 5 will not require these programs. However, operators desiring to implement a Flight Operational Quality Assurance (FOQA, FAA equivalent to FDA) program on a voluntary basis can obtain FAA approval for these programs. For more information and a link to AC 12082, go to https://www.faa.gov/about/initiatives/atos/air_carrier/foqa/.
the FAA. Your SMS implementation plan is the mechanism used to evaluate your method toward compliance.
b.If You Hold a Certificate Other Than Part 121 or are Not Certificated. This AC may also be helpful if you hold a certificate other than part 121 or are not certificated because this AC can be used to voluntarily develop and implement an SMS.
c.If You are Applying for a Part 121 Certificate. For a discussion of new applicants, refer to Chapter 4, subparagraph 41b.
14. SCALABILITY. The difference between a large, medium, and small organization’s SMS is primarily one of size and complexity of the operations to be covered, volume of data available, the size of the employee workforce, and the resources needed to manage the organization. The SMS requirements (safety policy, Safety Risk Management (SRM), Safety Assurance (SA), and safety promotion) are the same regardless of the size of your organization. However, part 5 allows organizations of different sizes to meet those requirements in different ways. The SMS functions do not need to be extensive or complex to be effective. All businesses, regardless of size, may use existing systems, programs and resources to document and track safety issues to resolution.
15. CONTACT INFORMATION. For additional information or suggestions, please contact the Flight Standards Service National Field Office (AFS900) at 9NATLSMSProgramOffice@faa.gov .
CHAPTER 2. SAFETY MANAGEMENT SYSTEM (SMS) FOUNDATIONS
21. SAFETY CULTURE AND SAFETY MANAGEMENT. One key aspect that is essential to safety performance is the culture of the organization. “Safety culture” is the term that we apply to those aspects of the organization’s culture that relate to safety performance. The concept of safety culture underlies safety management and is the basis for the SMS requirements of Title 14 of the Code of Federal Regulations (14 CFR) part 5.2
a.Interdependence. Because the culture of an organization includes the deeply ingrained and automatic psychological and behavioral aspect of human performance, there is a strong correlation between safety culture and accident prevention. Therefore, safety culture and SMS are interdependent. Management’s constant attention, commitment, and visible leadership are essential to guiding an organization toward a positive safety performance.
b.Safety Culture. Cultures are the product of the values and actions of the organization’s leadership as well as the results of organizational learning. Cultures are not really “created” or “implemented;” they emerge over time and as a result of experience. Organizations cannot simply purchase a software program, produce a set of posters filled with buzzwords, require their people to attend an hour of slide presentations, and instantly install an effective SMS. As with the development of any skill, it takes time, practice and repetition, the appropriate attitude,
a cohesive approach, and constant coaching from involved mentors.
c.Management Framework. It is for this reason that a management framework that facilitates decisionmaking and shapes the environment in which employees work is crucial to organizational performance in all aspects of the organization’s business, including safety.
A safety culture matures as safety management skills are learned and practiced and become second nature across the entire organization. The following have been found to be characteristics of organizations that consistently achieve safe results.
(1)Open Reporting. Policies and processes that foster open reporting while, at the same time, stressing the need for continuous diligence and professionalism. The organization should encourage disclosure of error without fear of reprisal, yet it should also demand accountability on the part of employees and management alike.
(2)Just Culture. The organization should engage in identification of systemic errors, implement preventative corrective action, and exhibit intolerance of undesirable behaviors such as recklessness or willful disregard for established procedures. This is often referred to as
a “just culture.”
2While the concepts discussed in this section underlie the requirements of part 5, they are included solely for background purposes. The actual regulatory requirements of part 5 are discussed in Chapter 3.
(3)Personnel Involvement. Involvement of line personnel and all levels of management in functions dealing with aviation safety, including the accountable executive, is critical to effective safety management throughout an organization.
(4)Use of Information. Effective use of all safety information assures informed management decisionmaking.
(5)Commitment to Risk Reduction. The organization expects direct management involvement in identifying hazards and managing risk.
(6)Vigilance. Processes that provide vigilance of ongoing operations and the environment to ensure effectiveness of risk controls and awareness of emerging hazards.
(7)Flexibility. Using information effectively to adjust and change to reduce risk, and a willingness to commit resources to making changes necessary to reduce risk.
(8)Learning. The organization learns from its own failures and from those of allied and similar businesses. The organization actually uses acquired data to feed analysis processes, the results of which yield information that can be acted upon to improve safety.
d.Management Involvement. Management leadership should demonstrate their visible commitment to and involvement in safe operation performing their daily work. SMS processes do not have to be expensive or sophisticated; however, active personal involvement of operational leaders is essential. Safety management must be accomplished by those managers who “own” the processes in which risk resides. Safety cultures also cannot be “created” or “implemented” by management decree, no matter how sincere their intentions. Every organization has a safety culture. It is embodied in the way the organization and its members approach safety in their jobs. If positive aspects of culture are to emerge, the organization’s management must set up the policies and processes that create a working environment that fosters safe behavior. That is the purpose of the SMS processes.
22. SMS FUNDAMENTALS.
a.What Is an SMS? SMSs can be a complex topic with many aspects to consider, but the defining characteristic of an SMS is that it is a decisionmaking system. An SMS does not have to be an extensive, expensive, or sophisticated array of techniques to do what it is supposed to do.
Rather, an SMS is built by structuring your safety management around four components: safety policy, safety risk management (SRM), safety assurance (SA), and safety promotion. A brief description of these components is provided below.
b.Safety Policy. Safety policy is where you set objectives, assign responsibilities, and set standards. It is also where management conveys its commitment to the safety performance of the organization to its employees. As SRM and SA processes are developed, you will come back to the safety policy to ensure that the commitments in the policy are being realized and the standards are being upheld.
c.Safety Risk Management (SRM). The SRM component provides a decisionmaking process for identifying hazards and mitigating risk based on a thorough understanding of the
organization’s systems and their operating environment. SRM includes decisionmaking regarding management acceptance of risk to operations. The SRM component is the organization’s way of fulfilling its commitment to consider risk in their operations and to reduce it to an acceptable level. In that sense, SRM is a design process, a way to incorporate risk controls into processes, products, and services or to redesign controls where existing ones are not meeting the organization’s needs.
d.Safety Assurance (SA). SA provides you with the necessary processes to give you confidence that your system is meeting your organization’s safety objectives and that your mitigations, or risk controls, developed under SRM are working. In SA, your goal is to watch what is going on and review what has happened to ensure that your objectives are being met. Thus, SA requires monitoring and measuring safety performance of operational processes and continuously improving the level of safety performance. Strong SA processes will yield information used to maintain the integrity of risk controls. SA processes are thus a means of assuring the safety performance of the organization, keeping it on track, correcting it where necessary, and identifying needs for rethinking existing processes.
e.Safety Promotion. The last component, safety promotion, is designed to ensure that your employees have a solid foundation regarding their safety responsibilities, the organization’s safety policies and expectations, reporting procedures, and a familiarity with risk controls. Thus, training and communication are the two key areas of safety promotion.
f.Summary. An SMS does not have to be large, complex, or expensive in order to add value. If you have active involvement of the operational leaders, maintain open lines of communication up and down the organization and among peers, stay vigilant in looking for new operations, and ensure that your employees know that safety is an essential part of their job performance, you will have an effective SMS that helps you make better safety management decisions.
23. CONCEPTUAL OVERVIEW OF SRM AND SA.
a.Graphical Overview of SRM and SA Processes. Figure 21, Safety Management Decisionmaking Processes, provides an expanded view of the principal two sets of processes of the SMS: SRM and SA. In the discussion that follows, we’ll introduce some key terms and concepts related to SMS processes. A more detailed discussion of the SRM and SA processes is set out in Chapter 3, Safety Management System (SMS) Components Explained. Because safety management is a decisionmaking process, the SRM and SA processes follow a set of processes outlined in Figure 21. These processes work as follows. The Description and Context step requires the user of the process to gain an overall understanding and context of the operation that either is being or will be performed. The Specific Information step requires the user of the process to obtain information about aspects of the systems and environments involved that may present risk. Under the Analysis step, the user analyzes or makes sense of that information. The Assessment step requires the user to make decisions regarding the acceptability or risk of system performance. Finally, under the Resolution step, the user takes necessary action.
FIGURE 21. SAFETY MANAGEMENT DECISIONMAKING PROCESSES.
b.SRM.
(1)In SRM, the first step, System Description (Analysis), is used to understand the aspects of the operation that might cause harm. In most cases, Hazard Identification flows from this system analysis. Hazard identification requires you to ask: What hazards exist in the operational environment? What are the human factors issues of the operation (e.g., workload, distraction, fatigue, or system complexity)? What are the limitations of the hardware, software, procedures, etc.?
(2)While the diagram above depicts that processes as distinctly defined components, in practice they flow from one to the other. For example, in a careful discussion of how a system currently works (System Description (Analysis)), hazards will often become evident. Thus, the hazard identification step has also been at least partially accomplished.
