1 Introduction to SMS

By far the greater number of aeroplane accidents are due to precisely the same
circumstances that have caused previous accidents. A distressing feature of
these accidents is the evidence they afford of the unwillingness, or the inabil-
ity, of many pilots to profit from the experiences and mistakes of others.
- Gustav Hamel and Charles C. Turner
In the past, aviation safety improvement was characterized by a fly-crash-fix-fly
approach. We would fly airplanes, have the occasional unfortunate crash, and inves-
tigate the cause(s) to prevent it from happening again. Sometimes the causes would
be weather-related or a mechanical failure, but more often the cause was determined
to be human error – usually the pilot. Essentially, the prevailing philosophy was that
once the cause was determined to be the pilot, we simply needed to encourage other
pilots not to make the same mistakes.
Today, we realize that it is much more productive to engineer a system in which,
to the extent possible, causes of failure have been designed out. As one might imag-
ine, there are many elements to this engineering effort, and many of these will be
discussed in this book. The modern, well-informed aviation safety practitioner must
have a working understanding of hazard identification, risk management, systems
theory, human factors engineering, organizational culture, quality engineering and
management, quantitative methods, and decision theory.
Safety Management Systems (SMSs), of course, are not just for aviation – they
are found in a wide variety of diverse industries, such as chemical, oil, construction,
occupational health, food, highway, electrical, and fire protection, among others.
SMS is not a new concept in these industries – references to SMS in the literature of
some of these industries can be found as far back as the early 1980s. Many of these
industries had historically poor safety records and have benefited from the philoso-
phy and structure SMS provides.
SMS is not just in the United States. Many people mistakenly think that the
United States always leads when it comes to aviation safety. While the United States
does have an enviable safety record, other countries are considerably further along in
their efforts to develop and implement aviation SMS. Transport Canada committed
to the implementation of SMS in aviation organizations in 2005. Europe and New
Zealand, to name two others, have moved forward with SMS more rapidly than the
United States.

A BRIEF HISTORY OF SMS

SMSs evolved from the combination of system safety concepts that themselves
evolved from the 1960s or so, combined with also evolving concepts of manage-
ment systems, first in the form of Quality Management Systems (QMSs) and then

DOI: 10.1201/9781003286127-2 13
14 Safety Management Systems in Aviation

into occupational health and SMSs, environmental management system, and others.
Current SMS concepts stress a process approach, similar to those in ISO 9000. The
ISO (International Organization for Standardization) standard also evolved, start-
ing in the 1980s as a quality control standard, moving into quality assurance in
the 1990s, and finally into the process approach in the 2000 and 2008 versions of
the 9000 standard. There were other initiatives such as the New Zealand Internal
Quality Assurance program requirements that emanated from a 1988 Review of
Civil Aviation Safety Regulations and the Resources, Structure and Functions of
the New Zealand Ministry of Transport, known as the Swedavia-McGregor report.
This review questioned the continued efficacy of the approach that stressed intensive
inspection of end items, products, and activities and moved toward an emphasis on
the systems that produced them.
The European Joint Aviation Authority (JAA – now replaced by EASA) also
had a requirement for a QMS that could be combined with another requirement for
an accident prevention program – a separate, ICAO (International Civil Aviation
Organization) required program. This moved toward a combined, risk-based assur-
ance system with a lot of the same features of the systems that have become known
as SMS.
In the United States, the Federal Aviation Administration (FAA) began looking
at system safety in oversight systems in the late 1990s, resulting in the development
of the Air Transportation Oversight System (ATOS). No longer in use, ATOS took
a more systemic view of the operator’s processes but is an FAA oversight system.
For system safety to truly work, it must be practiced by the system/process owner –
the operator. This led the FAA to investigate the application of QMS principles and
subsequently to look at what other countries are doing in SMS. This began about
2001–2002 and coalesced into an SMS initiative from 2003 to 2004. The FAA pub-
lished its first air operator SMS guidance in June 2006, in AC 120-92 Introduction
to Safety Management Systems for Air Operators. In parallel, the FAA’s air traffic
organization (ATO), along with air traffic management organizations in a number
of other countries, began developing SMS at about the same time. On January 8,
2015, the FAA published in the federal register (Vol. 80, No. 5) its final SMS rule
for air carriers (Safety Management Systems for Domestic, Flag, and Supplemental
Operations Certificate Holders, 2015).
When did SMS begin and who started it? As you can discern from the above
explanation, SMS did not begin at a specific time with any single event. Rather, it
has been the result of an evolutionary process with a lot of combining of ideas from
other management and scientific domains and a lot of sharing of information within
the air safety community.

ICAO DEFINITION OF SMS

The ICAO,1 a specialized agency of the United Nations, codifies the principles and
techniques of international air navigation and fosters the planning and development
of international air transport to ensure safe and orderly growth.
ICAO’s definition of SMS is “a systematic approach to managing safety, includ-
ing the necessary organizational structures, accountability, policies and procedures”
Introduction to SMS 15

(ICAO, 2018, p. viii). The following paragraphs will decompose the term SMSs to bet-
ter understand it and present a definition that attempts to capture the essence of SMS.

SMS FURTHER DEFINED

Safety
Safety means different things to different people. In the Merriam-Webster Online
Dictionary, the definition for “safety” is given as follows: “the condition of being
safe from undergoing or causing hurt, injury, or loss” (“safety” Merriam-Webster
Online Dictionary, 2022). The application of this definition is, in part, a function of
our circumstances. For instance, if you live near a nuclear power plant, safety means
that whatever happens in such a facility doesn’t adversely affect your health and
well-being. To those constructing the nuclear power plant, it means efficient control
of the nuclear chain reaction, proper cooling of the reactor core, and prevention of
the release of radioactive materials. If you are a downhill skier, you want to reach
the bottom of the slope without a broken ankle, sprained arm, or head injury. In the
context of Webster’s definition of safety, that is, “freedom from danger or injury,” did
the downhill skier embark on a safe activity when she took off down the slopes? Was
she free from danger or injury? In that context, is anything safe? Most of us drive to
work or school every day. However, more people are killed or injured in this country
in automobile accidents (approximately 35,000 to 40,000 deaths per year) than any
other activity. Surely, we’re not all considered “unsafe.”
To the traveling public, the term “safety” means, at its most fundamental level,
that we want to reach our destinations without getting hurt. Since people do get hurt
on occasion, it is logical to conclude that we are willing to accept some risk in trav-
eling. Whether consciously or subconsciously, we know that there is some chance,
albeit a minute one, that we could be hurt or killed while traveling.
Over the last several years, we’ve averaged about 25 accidents in commer-
cial airliners in this country each year, as “accident” is defined by the National
Transportation Safety Board (the vast majority have been classified as “injury” or
“damage” accidents). Despite the horrific images and 24/7 press coverage that major
accidents attract, the traveling public is sophisticated enough to realize that when
the odds of any one flight being your last one are so remote (that is, 1 to 11 million),
“safe” is a reasonable word to apply to commercial aviation.
But of course, as safety professionals, we have to be considerably more sophisti-
cated in the use of that word. Safety is defined by ICAO as “the state in which the risks
associated with aviation activities, related to, or in direct support of the operation of
the aircraft, are reduced and controlled to an acceptable level” (ICAO, 2018, p. 2-1).
(Actually, ICAO’s definition might best be thought of as relating to safety manage-
ment.) This definition recognizes that the risk in the activity is not reduced to zero,
but rather to an acceptable level. It also suggests that safety of the activity is measured
against the acceptable level. And it explains that we maintain safety by a process. That
process involves identifying the hazards that impede safety and managing risks.
So for safety professionals, the very word “safety” implies constant measurement,
evaluation, and feedback into the system. Safety is a verb and an active one at that.
16 Safety Management Systems in Aviation

At the simplest level, we collect data about events and try to discern trends. We
will get into greater depth later concerning the appropriate use of statistical tools in
SMS, but for now let’s take a look at some statistical charts to help understand the
state of safety in our system today. First, Figure 1.1 depicts the number of fatal acci-
dents for U.S. air carriers from 1987 through 2020 (14 CFR 121, scheduled service2)
(NTSB, 2022a, Table 6). The dashed line is a best-fit logarithmic trendline (selected
due to the variability and the leveling of the data), which comfortingly indicates that
the trend during this period is decreasing. Of course, these are raw numbers and,
consequently, they do not really tell us if we’re becoming more or less safe. To get
that picture, we must normalize the data, as described below.
Figure 1.2 shows the accident rate per 100,000 air carrier departures (14 CFR 121
scheduled service) from 1987 to 2020 (NTSB, 2022a, Table 6); thus, it normalizes the
data by taking into account the increase in air travel. The figure shows two rates – one
for all accidents and the other for accidents with fatalities. Both logarithmic trendlines
show a slight decrease over time. Most people might examine this chart and conclude
that these data support the use of the word “safe,” considering the ICAO definition.
Let’s also take a look at general aviation safety statistics (see Figure 1.3) (NTSB,
2022c, Table 10). As opposed to the airline safety data, which is based on the number
of departures, the general aviation statistics use the number of flight hours. Again,

FIGURE 1.1 U.S. airline accidents with fatalities from 1987 to 2020, 14 CFR 121 scheduled
service.
Introduction to SMS 17

FIGURE 1.2 U.S. airline accident rate per 100,000 departures from 1987 to 2020, “all” and
“with fatalities,” 14 CFR 121 scheduled service.

the (dashed) logarithmic trendlines (all accidents rate is the top line and fatal acci-
dents rate is the bottom line) are on a downward slope, which is good, but that still
doesn’t tell us whether we’re safe.
Finally, it’s worth noting the relative safety among airlines (14 CFR 121, sched-
uled), air taxis (14 CFR 135, scheduled) (National Transportation Safety Board,
2022b, Table 8), and general aviation operations (see Figure 1.4). Clearly, gen-
eral aviation has a significantly higher accident rate (although it had been steadily

FIGURE 1.3 U.S. general aviation accident rates per 100,000 flight hours, “all” and “with
fatalities,” from 1987 to 2020.
18 Safety Management Systems in Aviation

FIGURE 1.4 Comparison of accident rates per 100,000 flight hours among airlines (14 CFR
121, scheduled), air taxis (14 CFR 135, scheduled), and general aviation in the United States
from 1987 to 2020.

decreasing until plateauing in the 1990s) than either CFR FAR 135 commuter air-
lines or CFR FAR 121 air carriers, and air carriers have the lowest of the three.
Probably everyone who views this chart will have a different perception about the
level of safety that exists in each of these operations, the trends associated with each,
and the reasons for the differences.
This discussion underscores the point that, as safety professionals or others inter-
ested in safety as a discipline, we must understand the concept of safety as compli-
cated and only having real meaning when considered in light of processes designed
to control the outcome.

Management
A generally accepted definition for management is that management is the process of
getting activities completed efficiently and effectively with and through other people.
The functions normally associated with management are planning, organizing, staff-
ing, directing, controlling, and (sometimes) budgeting. Management is leading and
directing an organization or an activity through the deployment and manipulation
of resources (something managers do), whether the resources are human, financial,
intellectual, material, or other.

Systems
The dictionary defines “systems” as “a regularly interacting or interdependent group
of items forming a unified whole” (“systems” Merriam-Webster Online Dictionary,
Introduction to SMS 19

2022). A system is more than the sum of its parts. A useful way to think about the
concept of systems is that it is an amalgam of people, procedures and processes,
and equipment that is integrated to perform a specific function or activity within a
particular environment.

Definition of SMS
The following is offered as a comprehensive definition of SMS: A dynamic risk man-
agement system based on Quality Management System (QMS) principles in a structure
scaled appropriately to the operational risk, applied in a safety culture environment.
This definition and its components will be examined in some detail throughout
this book. This section includes only a cursory overview.

Risk Management Systems

An SMS system is, at its core, a dynamic risk management system. A review of
the current guidance in risk management is revealing and is an indication of how
paradigms in the safety community are still in the process of shifting, even among
the proponents of SMS. We will first review current risk management theory as pro-
moted by the FAA and ICAO and then describe an alternate view.
In both FAA and ICAO guidance documents, risk is described as a measure of the
expected losses, which can be caused by an undesired event (severity), factored with
the likelihood of the event occurring; that is, risk equals severity × likelihood, or:

R=S×L

A few decades ago, even the best safety analyses were forensic in nature. Note that
this definition of risk is forensic as well. The two measures on which this tradi-
tional calculation of risk is based both depend upon an analysis of undesired events.
Moreover, the data from which these calculations are drawn are historical. For
example, suppose that a hard landing occurs. A forensic approach to risk analysis
would have the safety department look into the various safety databases maintained
by the airline and review the “hard landing” reports on file. After review of those
reports, subject matter experts would assign a measure of severity to the reports
and then aggregate those assignments into an index that describes the severity of
the hard landing event. Then an attempt would be made to calculate a rate statistic
(the number of hard landings divided by the exposure statistic, in this case the total
number of landings in the system), thus deriving the likelihood of occurrence index.
Using these two indices, a final “risk index” would be obtained by referencing a risk
matrix. ICAO’s risk matrix is shown in Figure 1.5 (ICAO, 2018, p. 2–16).
Most operators have a management guidance document that describes appropri-
ate mitigating action and allowable timelines for corrective and preventive actions
based upon this risk index.
Accomplishing this process on the various types of undesired events experienced
in operations would also give the management team the ability to prioritize actions
based upon the relative value of the risk indices assigned to each event type.
20 Safety Management Systems in Aviation

FIGURE 1.5 Risk matrix.

This analytic approach applied to understanding undesired events is a great

improvement over those utilized in the past. However, this traditional “severity ×
likelihood = risk” calculation is by its very nature backward-looking and does
not by itself capture the essence of SMS. An SMS also accomplishes risk analy-
sis at the constituent element level of a system, where hazards are identified.
In its most sophisticated form, risk analysis is based on model-building, where
estimates of the range of potential severities, possible likelihoods, and measures
of the effectiveness of those controls put in place to mitigate hazards are allowed
to interact with each other over and over in scenario-modeling software, with
the result being a prediction of the most probable outcome of events. Forensic
analysis of undesired events is an important method of identifying hazards, but
it is not the only one.

Risk and Reliability

As we have described in the classical view of risk management, the focus is on the
event – the evaluation of its severity and the likelihood of its occurrence. These
considerations remain active in an SMS, but a concept from quality engineering is
added, that is, reliability. Reliability is a measure of a system’s ability to operate
without defects or errors and is consciously designed into a system. A reliability
approach to risk management uses quality engineering techniques to modify sys-
tem design, adding parallel subsystems, redundancy, alerts, barriers, and so forth.
Reliability will be covered in greater depth in Chapter 4.
Introduction to SMS 21

Risk Management
Risk management is the process of measuring risk and developing strategies to
manage it. These strategies usually include reducing the negative effect of the risk.
In the forensic risk analysis equation above, changing the severity (S) or likelihood
(L) would accomplish that task. A quality engineered approach will include a rigor-
ous analysis of the system of interest – identifying hazards, understanding the inter-
actions between these hazards, and engineering detection systems, incorporating
parallel and/or redundant systems when appropriate, and determining clear go/no
go decision points. Finally, as SMS is incorporated into an integrated management
system, strategic risk planning will include transferring the risk (e.g., to insurance
carriers), avoiding the risk, and/or accepting the consequences – in whole or in
part – of the risk (see Figure 1.6).
It is important to note the following regarding risk management strategies:

1. They are not mutually exclusive. Choosing one of them doesn’t mean you
can’t also choose others. In fact, often these strategies will be mixed and
combined to varying degrees.
2. The individual strategies are not an all-or-nothing proposition. Strategies
can be and often are partially deployed.
3. The strategies are somewhat of a balancing act.
4. The decisions regarding risk management must be made by the organiza-
tion’s management.

FIGURE 1.6 Strategic risk management.

22 Safety Management Systems in Aviation

Production versus Protection

Risk is evaluated in the context of the production versus protection concept. Production
refers to the product or service that is the objective of the organization. Production
could be air traffic services, flight training, airport services, maintenance services,
or other activities, depending on the nature of the organization. It is the successful
production of the intended service that enables an organization to remain in business.
Because there are hazards in aviation, a consequence of production is a safety risk.
This risk necessitates the creation of a protection system for users and stakeholders,
which is a responsibility of the aviation service provider (most directly) and the regulat-
ing authorities. This protection system is fundamentally what an SMS should provide.
The production and protection goals must be balanced by the management of an
organization. Often this balance is fragile; too much production may compromise
safety and too much safety may compromise financial performance.
The purpose of a risk management process is to identify hazards and attendant
risks associated with those hazards and to manage and reduce the risks. A widely
used process, and one espoused in the FAA’s AC 120-92B, includes the following
steps (FAA, 2015, pp. 19–27):

1. System Description and Analysis. The first step is fully understanding

the system and subsystems, as appropriate. Systems can be people, hard-
ware, software, information, procedures, and environment related to safety
activities.
2. Hazard Identification. Considering the system described in the previous
step, hazards must be identified and documented and the associated risk
controlled.
3. Risk Analysis. As discussed above, risk is evaluated by its two components:
likelihood of the undesirable event occurring and severity of the occurrence.
4. Risk Assessment. Once the risk is analyzed, a determination is made regard-
ing whether or not the risk is acceptable. A risk matrix is commonly used
to guide this decision-making.
5. Controlling Risk. Risk controls are designed and implemented after the
hazards and risks are fully understood. Residual risk (risk remaining after a
control has been implemented) and substitute risk (new hazards introduced
to the system after a control has been implemented) must be thoroughly
assessed. When the controls are implemented, the system is placed in oper-
ation and monitored to ensure the effectiveness of the controls.

Returning to our definition of SMS – a dynamic risk management system based on

Quality Management System (QMS) principles in a structure scaled appropriately to
the operational risk, applied in a safety culture environment – let’s briefly consider
QMS principles.

Quality Management System (QMS) Principles

QMSs are systems that outline the policies and procedures necessary to improve
and control the various processes that will ultimately lead to improved business
Introduction to SMS 23

performance. SMSs are based on QMS principles. These principles can be found
throughout effective SMSs. One of the primary organizations that promotes qual-
ity is the ISO,3 which is a non-governmental, international standards setting body
composed of 157 member countries. A brief overview of the principles of QMS as
articulated by ISO includes the following (ISO, 2022):

• Principle 1 Customer Focus. Organizations depend on their customers and

must understand current and future customer needs. Organizations should
meet customer requirements and strive to exceed customer expectations.
• Principle 2 Leadership. Leaders establish unity of purpose and direction
of the organization. Effective leaders create and maintain an environment
in which people can become fully involved in helping the organization
achieve its objectives.
• Principle 3 Engagement of People. Competent, empowered, and engaged
people are the essence of an organization, and their full engagement serves
to benefit the organization.
• Principle 4 Process Approach. Consistent results are achieved when activi-
ties are managed as interrelated processes than function as a cohesive
system.
• Principle 5 Improvement. Organizations must have an ongoing focus on
improvement.
• Principle 6 Evidence-Based Decision-Making. Analysis of data and infor-
mation leads to effective decision-making and desired results.
• Principle 7 Relationship Management. An organization manages its rela-
tionships with interested parties to ensure sustained success.

These seven principles should be kept at the forefront of any effort to develop and
manage an SMS.
The astute reader would notice that one major distinction between the FAA and
ICAO definitions, and the one that we presented earlier in this chapter, is that our defini-
tion includes the notion that SMS must be scaled appropriately to the operational risk.

Scaled Appropriately to the Operational Risk

Clearly, one size will not fit all when it comes to SMS. These safety management
programs must take into account the operational risk that exists in the particular
aviation organization. Various factors will influence the operational risk, including
nature of the production activity and size of the organization. The primary objective
of the SMS – safety – should be achieved regardless of where the organization is on
the risk continuum or its size.
Further, many risks must be managed on a scale beyond any one organization’s
boundaries. For example, runway incursions remain consistently near the top of every-
one’s list of scary occurrences. When one looks at the list of stakeholders involved
in this issue and the list of contributing factors, it is clear that a true fix of the runway
incursion problem requires action on the part of many organizations – airlines, char-
ter operators, maintenance organizations, airports, catering services, etc. An SMS
24 Safety Management Systems in Aviation

designed to mitigate this risk must therefore be appropriately scaled to include all
stakeholders as active participants, with common goals and shared accountability.
The challenge of designing a management system that can be effective in such col-
laborations will be discussed in later chapters.
Finally, some safety issues require attention all the way from the bottom to the top
of the food chain. These issues, national or even global in scope, are being addressed
in many creative and promising programs, such as the Commercial Aviation Safety
Team and its component Joint Implementation Measurement and Data Analysis
Team, the General Aviation Joint Steering Committee, and others. These programs
are evolving into central components of SMSs.
Finally, from our definition, an SMS is applied in a safety culture environment.

Safety Culture Environment

Culture is defined as the values, beliefs, and norms shared by a group of people that
influence the way they behave. We are all influenced by cultural issues. Organizational
psychologists tell us that there are several distinct cultural environments that we need
to consider. These various cultures set boundaries for acceptable behavior and provide
a framework for decision-making. It is within the intersection of these environments
that a safety culture evolves, and it is generated from the top down.
Chapter 3 will cover safety cultures in greater depth and describe the inextricable
tie between a strong safety culture and the successful implementation of SMS.

THE FOUR COMPONENTS OF SMS

As described in Advisory Circular (AC) 120-92B, SMS is structured upon four
basic components of safety management: policy, Safety Risk Management, Safety
Assurance, and Safety Promotion. All four structural elements must exist and be
robustly executed in order for an SMS to be effective. The following description of
the four components borrows heavily from AC 120-92B, with some additions and
edits for clarity or expansion of the concept.

Component 1 – Safety Policy

Every type of management system must define policies, procedures, and organiza-
tional structures to accomplish its goals. An SMS must have policies and procedures in
place that explicitly describe responsibility, authority, accountability, and expectations.
Most importantly, safety must be a core value for the organization. Notice we said core
value, not that safety should be a priority. Oftentimes in the wake of an accident or
serious incident, a spokesperson for the organization will use the worn-out phrase that
“safety is our top priority.” Priorities come and go, whereas core values are the fabric
of the organization and typically don’t change without a great deal of thought.

Top Management Involvement

A primary characteristic of an SMS is its absolute clarity in defining that the key fac-
tor for success is top management’s personal, material involvement in safety activities.
Introduction to SMS 25

While all members of the organization must know their responsibilities and be both
empowered and involved with respect to safety, the ultimate responsibility for the
safety of the system cannot be delegated down from top management. SMS identifies
key behaviors that demonstrate this involvement, such as inclusion of safety goals
into strategic plans and regular management review of the SMS. Executive manage-
ment involvement is a key requirement in the SMS policy documentation.

Roles, Responsibilities, and Relationships

In today’s complex operational environment, many organizations and agencies are
charged with some aspect of maintaining the highest levels of safety. SMS acknowl-
edges this shared responsibility and specifically describes the roles, responsibilities,
and relationships between all stakeholders involved in maintaining safe operations.
In SMS, each interface between production and operation, on the one hand, and over-
sight, on the other, is clearly identified, and each subsystem is designed to provide the
interfacing agency or organization with everything it needs to perform its role.

Procedures and Controls

SMS policy must include clear requirements for all operational departments to docu-
ment their procedures, controls, training, process measurements, and change man-
agement systems.

Safety and Quality

SMS uses quality management principles, but the requirements to be managed by
the system are based on an objective assessment of safety risk, rather than customer
satisfaction with products or other conventional commercial goals. These require-
ments must be explicitly referenced in SMS policy documentation and must be fully
integrated into the organization’s mission and vision.

Component 2 – Safety Risk Management

We manage risks whenever we modify the way that we do something to increase
the chance of success or minimize the chance of injury, failure, or loss. A formal
system of risk identification and management is fundamental to controlling risk to
acceptable levels. A well-designed risk management system describes operational
processes across departmental and agency boundaries, identifies key performance
indicators and regularly measures them, methodically assesses risk, and exercises
controls to mitigate that risk.

Systems Description and Task Analysis

Risk management requires a detailed understanding of operational systems. The
system consists of the organizational structures, processes, and procedures and the
people, equipment, and facilities used to accomplish the organization’s mission.
Systems analysis is the heart of quality engineering, and a well-done systems engi-
neering analysis will explain the interactions among the hardware, software, people,
and environment that make up the system in sufficient detail to identify hazards and
perform risk analyses.
26 Safety Management Systems in Aviation

One of the authors was invited to participate in the FAA’s Design and
Manufacturing SMS Pilot Project from 2010 to 2012 and was tasked to develop a
process that could be used by organizations for defining their system description. A
brief synopsis of that work is included in Chapter 12.

Hazard Identification
Once processes are well understood, hazards in the system and its operating envi-
ronment can be identified, documented, and controlled. The first step in the pro-
cess, hazard identification, is based on a thorough understanding of the system,
emphasizing the importance of the previous steps concerning system description.
Once the system is well-understood, one can review the written system description
or the process workflow diagram and at each component of the workflow, ask the
question “what if ….” What if this component failed? What if that threat appeared?
What if the other error was made? As with system and task descriptions, judgment
is required to determine the adequate level of detail. While identification of every
conceivable hazard would be impractical, organizations are expected to exercise
due diligence in identifying significant and reasonably foreseeable hazards related
to their operations.

Risk Analysis and Assessment

SMS encourages risk assessment, decision-making, and acceptance through the
use of a consistently applied process, such as that described in the ICAO Safety
Management Manual. Later chapters will cover risk assessment in detail.

Controlling Risk
Once the preceding steps have been completed, measures to reduce or control the
risk must be designed and implemented. These may be additional or revised proce-
dures, new controls, changes to training, additional or modified equipment, changes
to staffing arrangements, or any of a number of other system changes. SMS requires
that clear lines of responsibility and authority be drawn that assign the task of con-
trolling risk.

Residual and Substitute Risk

Typically, numerous controls are evaluated to mitigate a risk, and rarely do these
controls completely eliminate the risk – the risk remaining after mitigation to an
acceptable level is residual risk. Substitute risk is the introduction of hazards into
the system as a result of implementation of risk controls. It should be apparent to the
reader that the risk analysis process may go through several iterations to arrive at
acceptable levels of residual and substitute risk.

System Operation
The risk management component of SMS should be designed to not only continu-
ously monitor, assess, analyze, and control risk, but also provide the next component,
Safety Assurance – an efficient means of auditing, analyzing, and reviewing the
results of its efforts. Risk management works in concert with Safety Assurance to
ensure effective functioning in a changing operational environment.
Introduction to SMS 27

Component 3 – Safety Assurance

Once policies, processes, measures, assessments, and controls are in place, the orga-
nization must incorporate regular management reviews to assure safety goals are
being achieved. Solid change management processes must be in place to assure the
system is able to adapt.

System Operation – Performance Monitoring and Measurement

Beginning with the system description, system operation encompasses the tools and
techniques used to monitor the system to ensure that the controls put in place to miti-
gate risk are performing as intended.

Data Acquisition
Former FAA Associate Administrator for Aviation Safety, Nick Sabatini, stated that
data are the lifeblood of an SMS. Safety Assurance uses information from a variety
of sources: audits, investigations of safety-related events, monitoring of key pro-
cess indicators in routine operations, and information submitted by employees into
employee reporting systems. A key concept in SMS is that these various oversight
systems should feed into a system of management review. As you will read through-
out this book, SMS is about fact-based decision-making, and getting those facts is
a vital component of Safety Assurance. Continuous monitoring of processes par-
ticularly by line managers is a key source of information for Safety Assurance. Line
managers are the process owners and are in the best position to assess the perfor-
mance of those processes through continuous monitoring.
SMS assigns immediate responsibility for the safety of every process within an
organization to the owner of that process. Process owners are the domain technical
experts in any organization and thus the most knowledgeable about the technical pro-
cesses involved. Managers within operational departments are assigned the respon-
sibility for monitoring their own processes through an internal auditing program.
SMS also defines an additional audit function – internal evaluation – at the orga-
nizational level. This level provides a quality assurance function to assure that the
more in-depth and technical reviews accomplished by the departmental internal
audits are accomplishing organizational goals by assessing and mitigating risk. In
U.S. airline operations, this is the Internal Evaluation Program or IEP. These audits
provide executive management with the information for decision-making required
for the evaluation of the overall SMS.
External audits provide yet another level of Safety Assurance. These audits may
be required by regulation or may be third-party audits initiated by the organization
to provide an objective evaluation of its processes. Once again, SMS does not sup-
plant the need for these external oversight systems, but rather considers these audits
as another information source for management review.
Investigations should be focused on discovering why a safety event happened as
opposed to assigning blame for the event. Information gathered during investigations
should be fed back into the Safety Assurance system.
Employee Reporting Systems are truly an essential part of any effective SMS. A
robust, confidential reporting system is one in which all employees feel empowered
28 Safety Management Systems in Aviation

to report any and all safety concerns without fear of reprisal. Data gathered from
employee reporting systems should be monitored to identify hazards and also to
inform Safety Assurance processes.

Analysis and Assessment

Perhaps the most important part of any continuous improvement process is the con-
sistent application of management review. If management review is not a routine
part of the organization’s calendar, all of the other components of the SMS system
are useless. In addition, management review must include well-defined change man-
agement processes so that intelligence gained from analysis and assessment can be
applied to decrease operational risk.

Management of Change
Simply put, change management is a structured approach to moving employees
and organizations from a current state to a desired state. Effective change manage-
ment helps ensure this can be done without disaffecting workers or causing other
undesirable or unintended outcomes and, importantly, ensure that the desired state
becomes institutionalized – that is, the change sticks. Management of change pro-
cesses should ensure safety performance throughout the implementation of the
change.

Continuous Improvement
Like quality, a key feature of SMS is continuous improvement. Continuous improve-
ment is a cyclical, data-driven process to ensure that risk controls and SMS effective-
ness are improved through intentional actions of the organization.

Component 4 – Safety Promotion

Finally, the organization must continuously promote safety as a core value with prac-
tices that support a sound safety culture.

Safety Cultures
One of the most challenging elements of SMS is the creation and nurturing of a
safety culture, in which every person, from CEO to a new hire, understands his or
her role in maintaining a safe operation and actively participates in controlling and
minimizing risk.
Creating a safety culture begins at the top of the organization, with the incor-
poration of policies and procedures that cultivate a reporting culture (where struc-
tures are in place that allow safety-related information to flow from all levels of
the organization into a system empowered to correct problems) and a just culture
(in which individuals are both held accountable for their actions and treated fairly
by the organization). Maintaining a safety culture requires constant attention by
every layer of management and every department within the organization. A cen-
tral tenet of SMS is this realization – that the safety department does not own
safety, rather safety is owned by every employee. Safety culture is discussed in
detail in Chapter 3.
Introduction to SMS 29

Competencies and Training

An SMS ensures that every employee is appropriately trained on their safety-related
functions, and it further requires that lessons learned be regularly incorporated into
a continuing qualification program for relevant employees.

Communication and Awareness

An SMS must also have robust mechanisms to disseminate information to its
workforce so that each employee has timely access to safety-related information.
Knowledge management systems support SMS by identifying the type of information
each employee needs and providing targeted means to disseminate that information.

EMERGENCY RESPONSE
In both ICAO and FAA documentation, emergency response is included as an inte-
gral part of SMS. For readers already familiar with existing emergency response
requirements in ICAO and FAA regulations, and with existing emergency response
programs at large air carriers and airports, the inclusion of this topic in SMS plan-
ning and implementation can immediately arouse suspicion. Why, one might ask, do
we once again need to revisit something that is already very highly regulated, which
already requires significant resource assignment within the organization, and which
already works pretty well? A common concern is that any additional requirements
imposed by an SMS system will only be burdensome and increase complexity, with
little return on investment as to the quality of emergency response.
To that criticism we would point the concerned reader to a component of our
own definition of SMS, as “scaled appropriately to the operational risk.” The natural
evolution of safety management in our industry has driven the reactive response to
disasters such that emergency response is already well-developed in areas of poten-
tially high operational risk, such as at Class I airports or major air carriers. Anyone
involved in safety planning at a hub airport or large airline knows that existing ERPs
(emergency response plans, as ICAO designates them) are very well developed and
extensive, and regularly tested as required by regulation.
For those operators, it is very likely that existing ERPs will fulfill all SMS
requirements, so fluster or panic is not necessary. For those existing well-developed
programs, the extent of the burden in incorporating their ERPs into an SMS frame-
work will probably be very low. But we ask the patience of the reader with this
particular orientation because, as mentioned earlier, SMS is intentionally a scalable
system, whose principles apply to both the large and the small service provider.
Therefore, the general outlines for emergency response in SMS are worthy of con-
sideration, with the knowledge that some levels of operation already have robust
systems, while others will benefit from a review.
Appendix 3 to Chapter 5 of the ICAO Safety Management Manual (third edition)
is devoted to emergency response planning and is, in our judgment, an excellent ref-
erence for service providers to use to review the fundamentals of their own programs.
There are of course specific regulations governing levels of emergency planning and
response, dependent upon the location, scale, and type of operations involved, but
the purpose of our review here is to highlight the essences. Exhaustively covering the
30 Safety Management Systems in Aviation

topic of emergency response is far beyond the scope of this book, and for a detailed
review of the essentials, the reader is referred to the ICAO document. But a quick
review is in order so that the SMS practitioner can understand how the ERP fits in to
the larger philosophies and techniques of SMS.
The ICAO Safety Management Manual states that:

The overall objective of the ERP is the safe continuation of operations and the return
to normal operations as soon as possible. This should ensure an orderly and efficient
transition from normal to emergency operations, including assignment of emergency
responsibilities and delegation of authority. It includes the period of time required to
re-establish “normal” operations following an emergency. The ERP identifies actions
to be taken by responsible personnel during an emergency. Most emergencies will
require coordinated action between different organizations, possibly with other service
providers and with other external organizations such as non-aviation-related emer-
gency services. The ERP should be easily accessible to the appropriate key personnel
as well as to the coordinating external organizations.
(ICAO, 2018, 9-8)

The purpose of requiring that an ERP be a part of an SMS is to ensure that a service
provider has thought through each one of the enumerated items above and has estab-
lished a plan of operations prior to the need to use the plan. This purpose is entirely
driven by the same underlying motivation that energizes SMS in the first place – the
control of risk. In this case, the risk being controlled is not specifically aimed at the
circumstances that led to the emergency (though SMS would drive the need to consider
corrective action to prevent the emergency in the future, of course). Rather, the risk that
is mitigated by having the ERP is that associated with handling the emergency itself.
An emergency is an event that is by its very nature high risk, certainly for those
victims at the immediate scene, but also for first responders, for those assisting those
responders, and especially for those other customers who continue to receive ser-
vices from the organization while the emergency is in progress, even if those cus-
tomers are a thousand miles away from the scene. An ERP exists to control the
organizational response to the emergency in such a way as to minimize the risk for
all facets of the operation. An ERP is a control mechanism.
An earlier version of the ICAO document mentioned several constituent elements
of a well-designed ERP.

Governing Policies
An ERP should have explicit references to the regulations governing emergency
response in the organization’s operational environment and should contain the com-
pany policies and procedures that determine how the organization will respond to
the emergency.

Organization
Emergency response is a process and ideally should be created using the same disci-
pline as applies to the creation of any process under SMS. The ERP should describe
Introduction to SMS 31

who has responsibility and authority in various aspects of the response, how that
response is conducted, what resources will be available, and so on.

Notifications
The ERP should contain a very clear notification process so that assistance is avail-
able when needed. Not to be neglected, of course, is the terrible task of notifying
relatives of those involved in the event. Other steps in the ERP will also address the
responsibilities the operator has to the families involved.

Initial Response
The initial response to an emergency is potentially a very high-risk environment.
This section should be especially well considered, keeping first-responders in mind.

Additional Assistance
The ERP should be designed such that backup is immediately available when
needed. All available resources should be considered. This step feeds back into the
notifications step.

Emergency Management Center

A well-managed emergency requires special infrastructure – communications,
methods of coordination, quick command, and control decision-making. Planning
for a crisis management center is essential.

Records
There are both regulatory and practical requirements for good record-keeping dur-
ing an emergency. The ERP planning team should assure that all record-keeping
requirements are identified and that someone is assigned the responsibility for main-
taining these records.

Accident Site
The accident site itself is an extremely high-risk environment, and the operator must
assure that no further harm is done in responding to the event. That means access
control must be a part of the plan, and protective equipment must be available for
first responders. There are regulatory responsibilities the operator has concerning
the protection of the site, and those responsibilities must be assigned.

News Media
It is inevitable that an operator involved in a serious emergency will have contact
with the media. Having a plan to control that contact might not immediately seem
32 Safety Management Systems in Aviation

like risk management, but it is. The media interfaces with other groups the operator
clearly has responsibilities to, such as the families of victims and employees. Not
the least of the reasons to have a media plan in an ERP is to assure that those actu-
ally managing the crisis are isolated from a barrage of questions and requests by the
media so that they can do their jobs.

Formal Investigations
The operator needs to plan on how to support the formal investigations that are an
inevitable part of post-incident operations. The time required to support such inves-
tigations can be quite significant, and good planning beforehand can help assure that
company interests are represented without removing critical personnel from routine
operations.

Family Assistance
The operator clearly has a responsibility to the families of victims – not only a moral
one, but also a legal one. Those responsibilities include setting up family assistance
services, travel accommodations for family members, financial assistance in some
circumstances, and especially satisfying the need for accurate and up-to-date infor-
mation concerning the event.

Post-Occurrence Review
The essence of SMS is continuous improvement. As such, an ERP should include
plans to debrief everyone involved in the event and should require a post-incident
review of activity.
Readers familiar with ERPs existing at major air carriers or airports will recog-
nize these elements as already existing in the emergency planning documentation
required by regulation. Smaller operators would be well served to review their own
procedures in light of these ICAO suggestions. An ERP that covers these issues will
satisfy all the requirements in SMS – as long as one other step is included.
Management review is one of the most important steps in any quality process,
and since SMS is exactly that – a quality process – it is essential that an ERP con-
tain within it the requirement for regular management review of the plan. And with
something as serious as the ERP, that review cannot be only a document review. It
is necessary to exercise the plan on a regular basis. Large operators and airports
already have such a requirement mandated by regulation. For smaller operators
embracing SMS, it is very important that the ERP is actually taken off the shelf at
regular intervals and run in a simulated environment.
For those in the United States, the Department of Homeland Security has created
outstanding resources for operators to use to create a schedule for emergency
response exercises. There is no need to reinvent the wheel – a smart management
team will take advantage of this excellent work and appoint someone in the organi-
zation to become fully certified in the HSEEPS program (Homeland Security
Exercise and Evaluation Program). This training is designed to support emergency
Introduction to SMS 33

management, and a well-designed toolkit exists to assist in the creation of all levels
of emergency response practice – from tabletop drills, to functional practice, and to
full-scale exercises.

SMS IN PRACTICE
Jill Wilson, Head of Safety at Joby Aviation, writes about the Importance of
Practiced Emergency Response:
I began my career as a safety professional and aircraft accident investigator,
working for established aircraft manufacturers and operations. During this
time, I was made acutely aware of the value of having a well-documented,
rehearsed, and reviewed emergency response plan (ERP), which is no surprise
as this is standard practice for experienced aviation organizations. Additionally,
the development and use of an ERP is a key element of a successful SMS.
My traditional experience paid off when I joined a startup leveraging
cutting-edge technology to revolutionize the aviation industry. This organiza-
tion had a wide variety of operations including Part 91, Flight Test, and even
a burgeoning Part 135. However, being a new entrant to the aviation industry,
their flight operations emergency plan was rudimentary and needed improve-
ment. Knowing the importance of a strong response plan, I made it one of my
first objectives to building a more robust ERP for each of our operation types.
Because we were in the process of becoming a Part 135 operator, we began
with writing a response plan for this type of operation.
Another lesson learned from my past is that having a plan is just the first
step. To be effective, an ERP must be practiced, critiqued, and improved regu-
larly. Those responsible for executing the plan need experience in performing
it BEFORE it’s truly needed. Practice began with the Part 135 operations team
and enabled us to identify and strengthen weak points. From there, we adapted
the ERP for use by the Flight Test Team, responsible for test-flying our proto-
type vehicles.
Approximately one week into working with the Flight Test Team on their
ERP, we had a significant emergency. Although it was just a draft, the Flight
Test ERP was used to guide our activation and response. Even though we had
only practiced the plan once, the ERP helped the company respond to a crisis
in a fashion much more organized that if it hadn’t existed. Immediate actions
which were taken as a result of the (draft) ERP put the company in a much
better position to support the official investigation and ultimately allowed for
smoother business continuity and an organized response.
Takeaways:

Have a plan
Practice the plan
Improve the plan
34 Safety Management Systems in Aviation

BRIEF HISTORY OF FAA INITIATIVES TO ESTABLISH SMS

In its March 2006 amendments to Annex 6 part I, Commercial Air Transport
Aeroplanes, ICAO established a standard for its member States to require that opera-
tors develop and implement SMSs to achieve an acceptable level of safety in aviation
operations. The FAA began issuing guidance on SMS (e.g., AC 120-92) to U.S. oper-
ators in 2006. The FAA’s focus for regulatory action has been on certificate holders,
such as air carriers, repair stations, design and manufacturing firms, and airports.
The FAA has launched numerous initiatives in support of SMS, including forming
an aviation rulemaking committee (ARC), developing guidance material, notices of
rulemaking, voluntary pilot projects, and, finally, a rule (see below).
The Safety Management System ARC was chartered by FAA Order 1110.152
on February 12, 2009. According to the Order, “An ARC will enable the FAA to
respond effectively in developing SMS rulemaking and implementation require-
ments, as well as compliance guidance applicable to FAA certificate holders, certain
product manufacturers, applicants, and employers.” The ARC was asked to evaluate
pilot comments provided to the FAA in response to the advanced notice of proposed
rulemaking (ANPRM) and the NPRM regarding the FAA’s SMS, and provide rec-
ommendations for the FAA, including suggested processes, policies, guidance, and
other actions. These products were intended to assist the FAA’s development of SMS
requirements. The ARC issued its final report on March 31, 2010, and made numer-
ous recommendations in areas such as protection of SMS safety information; align-
ment with the ICAO SMS framework; phased implementation of SMS requirements;
recognition of existing systems and processes; scalability and flexibility; and FAA
oversight of SMS.
The FAA has developed an array of guidance documents for SMS. These include
read me first documents, advisory circulars, FAA orders, FAA notices, information
for operators, assurance guides, and preliminary and detailed gap analysis tools.
The FAA issued an advanced notice of proposed rulemaking (ANPRM) on July
23, 2009, but it was subsequently withdrawn on March 17, 2011.4 The agency stated
that it was considering an SMS regulatory framework for service providers under 14
CFR 21, 119, 121, 125, 141, 142, and 145. The ANPRM consisted of a series of ques-
tions designed to obtain comments from respondents.
Public Law 111-216, Airline Safety and Federal Aviation Administration
Extension Act of 2010, was passed on August 1, 2010, resulting in a Congressional
requirement for the FAA to issue an NPRM within 90 days of enactment of the Act,
and within 24 months to establish a final rule on SMS. Specifically, the rulemaking
is to require CFR 14 Part 121 air carriers to implement an SMS. The FAA published
an NPRM titled Safety Management Systems for Part 121 Certificate Holders on
November 5, 2010.
There have been numerous SMS pilot projects in the past few years. For example,
the FAA’s Flight Standards office launched a pilot project in 2007 and had well over
100 participants in the project. Aircraft Certification Service (AIR) launched a pilot
project for design and manufacturing (D&M) firms in 2010; a final report was issued
in 2012. The FAA conducted two rounds of pilot studies for airports beginning in
2008; a final report was issued in May 2011. The purpose of these pilot projects
Introduction to SMS 35

included determining the adequacy of development and implementation guidance,

refining implementation strategies, determining the pros and cons of implementing
SMSs in certain operational departments first, and others.
The final SMS rule for air carriers was published on January 8, 2015 – nearly two
and a half years beyond the date mandated by Congress. The rule stated that air car-
riers must have an SMS in place that is acceptable to the FAA by January 8, 2018.

HOW TO RECOGNIZE AN SMS WHEN YOU SEE ONE

This chapter exposed the reader to what (in the United States at least) might be
considered the orthodox disquisition of SMS through the four components. While
conceptually sound, the SMS practitioner needs an in-depth understanding of the
fundamentals, a comprehension deep enough to be able to enter any organization,
at any level, and recognize the elements of a successful SMS as they might exist in
many different forms.
Throughout this book, we will use every opportunity we can to take apart SMS
and lay the components out on the table in front of us – examining those pieces in
detail, and then putting it all back together only to take it apart in a different way. It’s
important for the reader to understand that in doing this we are not suggesting that
the conceptual structure the FAA has created in the four components, or the outline
used by ICAO, is the wrong way to describe SMS. Just as any complex system can be
viewed from a variety of perspectives, each contributing to our understanding of the
whole, deconstruction of the components of SMS can help us assure that we have a
solid grasp of the discipline. It is incumbent upon the SMS student or practitioner to
comprehend not just the large components, but also the details.

Recognizing an SMS by Looking at the Organization’s

Documentation and Records
Suppose you walk into an organization’s office and have three hours to find evidence
that the organization has an SMS. What would you look for?

Policy
This is the same word as is used in the first component, but with a distinction. A care-
ful reading of the four components of guidance reveals that other important concepts
are included under the heading of policy. In addition to references to the importance
of clear policy guidelines in SMS, there is also a discussion of the process definition.
Policies and processes are two different concepts. And while there is an acknowledg-
ment of the necessity of record-keeping in the advisory circular, we will elevate this
topic to equal that of policy.
Policies are the shalls and shall-nots of the organization and tend to be more fixed
than process descriptions. Policies reflect the strategic vision and commitment to the
values of the organization. Policies also provide guidance for the creation of new
processes, and standards against which processes or process measures can be evalu-
ated. For example, an organization might (should!) have a policy stating, “All process
36 Safety Management Systems in Aviation

descriptions will identify one or more Key Process Indicators (KPIs) through which
the performance of the process can be evaluated.” Or perhaps a policy might specify
that “All processes will clearly define the roles of responsibility for and authority
over that process.”
Policy documentation is extremely important to SMS. Just as a quality manage-
ment system must have a quality policy manual, an SMS must have the equivalent of
a Safety Policy Manual. You can recognize an SMS by its documentation.

Process Descriptions
An organization with an SMS will understand what you mean when you ask to see
examples of its process descriptions. Process descriptions can be as simple as a set
of instructions for an employee to use to do his/her job, or as complex as a multi-
departmental process workflow diagram. The best process descriptions will follow
a standardized format so that no matter which one of the organization’s many pro-
cesses you examine, you can readily tell who is responsible, or how they measure the
success of the process, or which records must be kept. We assert that quality-based
process descriptions are the distinguishing feature of a mature SMS.

Process Measurements
Just as a quality organization knows that it must establish measures within its pro-
cesses to enable continuous monitoring of performance, an SMS must have measures
within processes to determine whether those processes are meeting their safety tar-
gets. In an SMS, measures are directed at those points within the process that are
most revealing of risk. An SMS does not collect data simply to collect data. The
SMS practitioner in that organization can readily answer why a particular process
measure has been established.

Record-Keeping
An organization with an SMS is good at keeping records and can readily answer
why it does so; keeping records to be prepared for audits is not the right answer! Of
course, there are regulatory reasons for keeping many records but, from an SMS
perspective, records are kept to facilitate management review. Those records include
the process measurements described above, but also include narratives submitted in
an employee self-reporting system, results of internal and external audits, and even
those parameters not directly associated with safety issues, such as routine opera-
tional performance numbers (flights per day, fuel logs, maintenance schedules, and
so on).
But perhaps most importantly, an SMS carefully records, and frequently refer-
ences, the decision-making processes involved in management review. For incidents
and events (reactive safety), this kind of record includes categories such as what
happened, why did it happen, what was the effect, how are we going to decrease the
risk of such an event, who is responsible for the action, and, critically, did it work?
For proactive and predictive safety efforts, the record includes what might happen,
why it might happen, etc., down to “how will we tell if our intervention is working?”
Management review requires the availability of good records, and a mature SMS
will allow those documents to be readily produced when needed.
Introduction to SMS 37

Risk Assessment
An organization’s SMS practitioners will be able to immediately answer when asked
the question “How do you assess risk?” Their answer will reveal that they have a
process for that assessment, not just a guess. That is not to say that every SMS must
have software to run complex problems, such as Monte Carlo simulations, or use
probabilistic risk assessment, or stochastic modeling. Not every organization’s meth-
odology needs to be the same, though guidance is available upon which to build a
risk assessment process. What all SMSs will have in common is a considered, ratio-
nal, and thoughtful way to assess and prioritize risk.

Recognizing an SMS by Asking the Most Fundamental

Question of All – How Do You Manage Change?
Even though this is only Chapter 1 of this book, we have already made the following
suggestion, and you can count on seeing it frequently from this point forward: none of
the preceding characteristics, methods, or techniques has value in an SMS unless there
is an effective safety change management process in place. A safety change manage-
ment process is one that takes the results of all the work described thus far and acts
on it. A mature SMS change management process will be established and governed
by policy, defined in a clear process description, and itself monitored in a management
review tasked with assuring that successful action is an inherent part of the SMS. An
organization with an SMS can not only describe its safety change management process
but can also point to success stories that resulted from its application.

Recognizing an SMS by Observing the Organization’s Safety Programs

Another characteristic of an organization with an SMS is that if you say to one of
its SMS practitioners, “Tell me about your safety programs …,” you might as well
find a seat and settle in for a long presentation. It is the nature of an SMS to be pro-
active, and the SMS practitioner has a natural proclivity to actively seek sources of
new information and new methods of risk control. Chapter 2 of this book will cover
a brief history of proactive safety programs in the United States (focused on airline
operations for reasons we outlined in the Preface) – and SMS will likely have most,
if not all, of them.
The characteristic of a safety program within an SMS is its proactiveness. The
SMS practitioner in charge of such a program does not wait for events to happen, but
rather uses every technique available to discover the information necessary to antici-
pate areas of increased risk before they happen. A safety program manager within an
SMS is proud of this fact and will relate success story after success story if you have
the time. It’s worth the investment to listen.

Recognizing an SMS by Talking to the Organization’s Employees

Picture yourself in the break room of an organization, such as an aviation service
provider, in the middle of a group of its employees taking a short respite from their
labors. These people are not executives, nor members of the organization’s safety
38 Safety Management Systems in Aviation

department, but they could be any other work group employed by the organization.
Ask a few of them three questions, and from their answers you will begin to know
whether the organization has a mature and well-functioning SMS. Those questions are:

1. What are the three greatest areas of risk in your work, and what do you do
to mitigate that risk?
2. When was the last time that you or one of your fellow workers were asked
to help figure out how to make the job and the company’s products safer?
3. What happens to you when you make a mistake?

Everyone complains about their job now and then. Overlooking this fact of life, the
employees of an organization with a mature SMS will be able to point out where the
risk is in their work, because the organization has invested in ways to communicate
that information to each employee. And the organization is not communicating just
generic safety information, but also information relevant to that specific employee’s
work. Those in charge also know that the most accurate and informed sources of
risk information for every process within that organization are the employee groups
performing that process. Therefore, there will be mechanisms in place to tap this
vital source of intelligence.
This is one of the most important features of an SMS. In an SMS, safety must
begin at the top and permeate throughout the organization, including to those on the
“shop floor.”
Finally, employees of an organization with a mature SMS understand that they
are fully accountable for their actions, but not punished for unfortunate but natu-
ral human errors. To the question of what happens when they make a mistake, the
employees would answer that they would probably feel bad, maybe even ashamed
that they did it, but not enough to keep them from participating in the self-reporting
systems the company has created. They understand that they are not responsible for
being perfect but are responsible for striving for continuous improvement, and one
of the best ways to reach that goal is to submit a report.
The remainder of this book will immerse the reader into significantly more detail
about the history and components of, and the theory underlying, SMS. But once one
is familiar with the concepts, recognizing a vibrant SMS is similar to distinguishing
great art – you know it when you see it. Verification of the existence of an SMS is not
presently accomplished (nor probably should it ever be) by merely the achievement
of having 8 out of 10 boxes checked on the “Is There an SMS Here?” form. SMS is
far more organic and integral to the fabric of an organization, and there is no one-
size-fits-all SMS. But once you are an SMS practitioner yourself, spend a short time
visiting an organization with a mature program, and you’ll know, because safety
management is everywhere you look.
In closing this chapter, we remind the reader of something that the late Dr. Don
Arendt said. Don was a driver in promoting SMS during his work as a Senior
Technical Specialist with the FAA. Somewhat facetiously, Don argued that the term
safety management system should be changed to simply Safety Management. His
rationale was that SMS isn’t something that you have; it’s not a program that sits on a
shelf collecting dust. Instead, it’s something that you are actively doing – something
that his proposed wording implies – you are managing safety.
Introduction to SMS 39

REVIEW QUESTIONS
1. Explain the relative nature of the term “safe.” Is commercial aviation get-
ting more or less safe?
2. What is meant by the term forensic aviation safety management?
3. Why is it important that an SMS is “scalable”? What are the possible con-
sequences of SMS not being scalable?
4. What are the four components of SMS?
5. Why is it important that SMS be supported by top management?
6. How does management ensure all parts of an organization embrace and
practice SMS?
7. Explain what is meant by the term “dynamic risk management system.”
8. Who is responsible and accountable for safety in an organization?
9. What are some of the ways you can recognize SMS in an organization?
10. What is safety culture and why is it important?

NOTES
1. The International Civil Aviation Organization (ICAO) is a specialized agency of the
United Nations that was created with the signing in Chicago, on December 7, 1944, of
the Convention on International Civil Aviation. ICAO is the permanent body charged
with the administration of the principles laid out in the Convention. It sets the standards
for aviation safety, security, efficiency, and regularity, as well as aviation environmental
protection, and encourages their implementation. ICAO’s membership comprises 193
Signatory States. Its headquarters are in Montréal and it has regional offices in Bang-
kok, Cairo, Dakar, Lima, Mexico City, Nairobi, and Paris.
2. 14 CFR 121 refers to Title 14 of the United States Code of Regulations, Part 121, which
covers the FAA’s regulations for scheduled air carriers. Likewise, 14 CFR 135 covers
and refers to the FAA’s regulations for Part 135 operators (charter operators). From this
part forward, we will simply refer to these types of operations as “Part 121 operators”
or “Part 135 operators” instead of calling out 14 CFR each time.
3. Founded on February 23, 1947, the International Organization for Standardization
(ISO) is a non-governmental, international standard-setting body composed of repre-
sentatives from national standards bodies. ISO sets worldwide industrial and commer-
cial standards which often become law through treaties or national standards.
4. The U.S. government requires that before a regulatory action is taken, such as issuing
a new regulation, the government agency proposing the new rule must first issue a pub-
lic Notice of Proposed Rulemaking (NPRM). The purpose of the NPRM is to solicit
public input before enacting a new regulation. In some cases, the agency may issue an
Advance Notice of Proposed Rulemaking (ANPRM) to seek input for what the NPRM
should consider.

REFERENCES
Federal Aviation Administration [FAA]. (2015). Safety Management Systems for Aviation
Service Providers. Advisory Circular 120-92B. Retrieved January 6, 2015, from http://
www.faa.gov/documentLibrary/media/Advisory_Circular/AC_120-92B.pdf
International Civil Aviation Organization [ICAO]. (2018). Safety Management Manual
(SMM), 4th ed. (Doc 9859). Montréal, Canada: ICAO. ISBN 978-92-9258-552-5.
International Organization for Standardization [ISO]. (2022). Quality Management
Principles. Retrieved March 10, 2022, from https://www.iso.org/files/live/sites/isoorg/
files/store/en/PUB100080.pdf
40 Safety Management Systems in Aviation

National Transportation Safety Board [NTSB]. (2022a). Table 6. Accidents, Fatalities,

and Rates, 1987 through 2020, for U.S. Air Carriers Operating under 14 CFR 121,
Scheduled Service (Airlines). Retrieved March 10, 2022, from https://www.ntsb.gov/
safety/Pages/research.aspx
National Transportation Safety Board [NTSB]. (2022b). Table 8. Accidents, Fatalities,
and Rates, 1987 through 2020, for U.S. Air Carriers Operating under 14 CFR 135,
Scheduled Service. Retrieved March 10, 2022, from https://www.ntsb.gov/safety/Pages/
research.aspx
National Transportation Safety Board [NTSB]. (2022c). Table 10. Accidents, Fatalities, and
Rates, 1987 through 2020, for U.S. General Aviation. Retrieved March 10, 2022, from
https://www.ntsb.gov/safety/Pages/research.aspx
Merriam-Webster Online Dictionary. (2022). “safety.” Retrieved March 19, 2022, from http://
www.merriam-webster.com/dictionary/safety
Merriam-Webster Online Dictionary. (2022). “systems”. Retrieved March 19, 2022, from
http://www.merriam-webster.com/dictionary/system
Safety Management Systems for Domestic, Flag, and Supplemental Operations Certificate
Holders, 80 Fed. Reg. 5 (January 8, 2015).