Guidelines on auditing a Safety Management System. Effective July 2016 Based on GOSM 5 th Ed

Transcription

1 Guidelines on auditing a Safety Management System Effective July 2016 Based on GOSM 5 th Ed

2 NOTICE DISCLAIMER: The information contained in this publication is subject to constant review in the light of changing government requirements and regulations. No subscriber or other reader should act on the basis of any such information without referring to applicable laws and regulations and/or without taking appropriate professional advice. Although every effort has been made to ensure accuracy, the International Air Transport Association shall not be held responsible for any loss or damage caused by errors, omissions, misprints or misinterpretation of the contents hereof. Furthermore, the International Air Transport Association expressly disclaims any and all liability to any person or entity, whether a purchaser of this publication or not, in respect of anything done or omitted, and the consequences of anything done or omitted, by any such person or entity in reliance on the contents of this publication. International Air Transport Association. All Rights Reserved. No part of this publication may be reproduced, recast, reformatted or transmitted in any form by any means, electronic or mechanical, including photocopying, recording or any information storage and retrieval system, without the prior written permission from: Senior Vice President Safety and Flight Operations International Air Transport Association 800 Place Victoria P.O. Box 113 Montreal, Quebec CANADA H4Z 1M1

3 Table of Contents Foreword... ii Use of this Document... iv Section 1 Safety Management in ISAGO Introduction From Quality Programs to SMS SMS Implementation ISAGO Audit Scope... 3 Section 2 SMS Audit Aims, Focus & Planning Audit Aims Audit Focus Audit Planning The Safety Office... 7 Section 3 SMS Audit by GOSARP Introduction Organization & Accountability The Accountable Executive Safety Policy & Objectives SMS (The Safety) Manager Safety Roles & Responsibilities Corporate Safety Policy (Safety Objectives) Safety Reporting Policy Emergency Response Plan (ERP) SMS Documentation (SMS Manual) SMS Implementation Plan Safety Risk Management Hazard Identification Safety Reporting System Safety Risk Assessment & Mitigation Accident/incident Investigation & Reporting Ground Damage Reporting Safety Assurance Safety Assurance Program Safety Performance Metrics Management of Change Continuous Improvement of the SMS Management Safety Decision Making Safety Promotion Safety Awareness Safety Information Safety Training SMS Checklist...21 Section 4 Audit Summary Report - Assessment of the SMS Introduction Audit SMS Summary...23 Appendix A QA Provisions & SMS Training Tables...25

4 Foreword A Safety Management System (SMS) 1 is a framework of policies, processes, procedures and techniques for use by an organization to monitor and continuously improve its safety performance. Improvements are made by making informed decisions on the management of operational safety risks. Annex 19 to the Convention on International Civil Aviation (ICAO Annex 19, Safety Management) details the global regulations for SMS that are applicable to specified air operators, air traffic service providers and certified airports and other operational services. The principle method of safety management prescribed by ICAO is similar for all types of operator and service provider, based on a common framework of processes and procedures contained in 4 discrete components that are further sub-divided into a total of 12 elements, as illustrated in figure 1 below. Figure 1 The 4 Components of the ICAO SMS Framework (Annex 19) Guidance on the ICAO SMS regulations and their implementation is provided in ICAO Doc 9859, Safety Management Manual. The ICAO SMS regulations do not currently apply to ground service providers (Providers) but those applicable to aircraft operations encompasses ground operations where aircraft safety is concerned. Ground handling personnel are mentioned in the regulations in the context of reporting safety events or issues. Providers therefore play an important role in safety management at an airport. Furthermore, by implementing SMS, Providers would gain considerable credibility from air operators, airports and regulatory authorities worldwide by acknowledging the contribution and influence that ground operations has in improving the safety of aircraft operations and the airport environment in general. IATA has already recognized the global regulations and the importance placed on the implementation of SMS by aircraft operators. The IATA Operational Safety Audit (IOSA) program is an internationally 1 A systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures. (ICAO Annex 19) ii

5 recognized and accepted evaluation system designed to assess the operational management and control systems of an airline. All IATA members are IOSA registered and must remain registered to maintain IATA membership. The IOSA standards are published in the IOSA Standards Manual (ISM). The current edition, ISM Edition 9, includes a recommended practice, ORG , that establishes the management of the safety risks associated with aircraft operations. As part of the IOSA SMS implementation strategy, the recommended practice is upgraded to standard status from ISM Edition 10 (effective 1 September 2016) meaning that all IATA member airlines will very soon be required to implement a SMS. Furthermore, Edition 10 incorporates a new standard, ORG , for the management of safety risks associated with outsourced operations, for example those functions conducted by ground service providers. The IATA Safety Audit for Ground Operations (ISAGO) is an industry audit and registration scheme aimed primarily at creating safer ground operations and cost benefits by reducing the risk of aircraft damage, reducing delays, and eliminating redundant audits by airlines. ISAGO audits the ISAGO Standards and Recommended Practices (GOSARPs) contained in the ISAGO Standards Manual (GOSM). The ISAGO Strategy and Audit Concept ( ) established safety management provisions for ground operations, with incident reporting and recording for the purpose of incorporating risk based audits. Edition 5 (March 2016) of the GOSM included a review of the existing SMS provisions, elevating some to Standard level as the first phase of a SMS Strategy (SMS Implementation - Strategic Plan for Upgrading ISAGO SMS Provisions 1 st Edition March 2016). The strategy upgrades all SMS recommended practices to Standard level over a three year period. Auditing the SMS, internally by the Provider and by an external body (such as in the case of ISAGO), is an essential activity as part of assurance that the SMS is, or could be made to be, effective and meets expectations. A specific focus on making safety management the principle component of the Organization and Management Section of the GOSM, as well paving the way for the introduction of the ISAGO new operational audit model in 2017, will require further refinement and amendment of the SMS provisions, to reduce duplication, account for any changes in global regulations and define more clearly the ISAGO audit scope and content. The annual review of the GOSM will therefore include a review of these auditing guidelines. 2 ORG The Operator should have an SMS that is implemented and integrated throughout the organization to ensure management of the safety risks associated with aircraft operations. Note: Conformity with this ORG recommended practice is possible only when the Operator is in conformity with all standards and recommended practices that are identified by the [SMS] symbol. Note: Effective 1 September 2016 [in ISM Edition 10], this recommended practice will be upgraded to a standard. 3 ORG The Operator shall have processes to ensure the management of safety risks in outsourced operational functions conducted by external service providers for the Operator: (i) If the Operator outsources such functions with external service providers that do not have a valid SMS, the Operator shall have a process to: (a) Identify and define specific SMS elements that must be implemented by the provider to ensure the management of safety in operations conducted for the Operator; (b) Ensure the provider's personnel are trained to perform duties as appropriate to each individual's involvement in the defined SMS elements as specified in item a). (ii) If the Operator outsources such functions with external service providers that have a valid SMS, the Operator shall have coordination and monitoring processes that ensure the management of safety in operations conducted for the Operator. The Operator may conform to ORG through Active Implementation as long as the Implementation Action Plan (IAP) projects conformance on or before 1 September iii

6 Use of this Document The GOSARPs are the basis for an ISAGO audit of a Provider. This document provides guidelines on what to look for when auditing the SMS of a Provider, as a whole, against the SMS GOSARPs contained in Section 1, Organization and Management (ORM) of the GOSM. Suggested recommended actions, questions, checklists and audit summary text are also provided. It is not a definitive guide and hopefully not a condescending one. The guidelines do not replace formal auditing procedures and should be considered as an aid to the Auditor Actions described in the GOSM, checklists and incorporated in Q5AIMS. More detailed checklists (and hence more appropriate for a well-established SMS) may be found in the ICAO Doc 9859, Safety Management Manual. The IOSA SMS standards and associated guidance material that is developed would provide useful reference material complementary to the ISAGO provisions. The ORM Section is divided into three, covering audits of the Provider s headquarters only (ORM-H), headquarters and station combined (ORM-HS), and station only (ORM-S). In all but two cases the SMSrelated GOSARPs are repeated and hence in this document only one reference is used for each and is indicated ORM-H/HS/S. The GOSARPs are quoted in full in the two cases where there is a difference. This document will be updated, as necessary, when changes are made to the GOSARPs and audit procedures, or through practical experience. Suggestions for improvements are always welcome. Reference Material (with hyperlinks) IATA Safety Audit for Ground Operations (ISAGO) Homepage ICAO Annex 19, Safety Management (1st Edition) ICAO Doc 9859, Safety Management Manual (3rd Edition) ISAGO Standards Manual (GOSM) 5th Edition SMS Implementation - Strategic Plan for Upgrading ISAGO SMS Provisions 1 st Edition March 2016 IOSA Standards Manual (ISM) 9 th Edition IOSA Standards Manual (ISM) 10 th Edition (effective 1 September 2016) IOSA SMS Strategy iv

7 Section 1 Safety Management in ISAGO 1.1 Introduction From the start it is important to keep in mind that a SMS is foremost a decision making tool. The SMS provides the organization with information on operational and other safety risks, such that actions to eliminate, mitigate and/or control the safety risks can be determined and, if accepted by the decisionmakers, implemented. A SMS does not normally provide immediate solutions. Although immediate action could (and probably should) be needed to address an unexpected unsafe situation, the SMS is not intended to cater for these situations. Instead, processes and procedures gather safety data and information, and, once there is sufficient or relevant data and information, formal assessments are conducted and, if necessary, measures are implemented to prevent an identified hazardous condition escalating into an accident scenario. Done properly, this takes time and effort. Where significant effort would be needed, such as in terms of people, finance, equipment or change, the SMS provides senior management with the information to make informed decisions on what to do and, if necessary, when. These decisions, when accepted as necessary, are then translated into safety action plans to implement safety risk controls and as safety objectives. The ultimate aim of the audit of the SMS should therefore be (in addition to assessing the organization s implementation and conformity with the SMS GOSARPs) whether the SMS is, or will be, effective in achieving the safety objectives of the Provider. Installing a SMS doesn t happen overnight. Gradual implementation in an easy-to-do manner seems to be the way that many aviation organizations are going about it. The IATA Strategic Plan for Upgrading ISAGO SMS Provisions applies the same principle in a structured schedule of upgrading the SMS GOSARPs over a three year period. The audit guidelines in this document do not differentiate between a standard and a recommended practice as their implementation is essentially the same. Until required and implemented, the audit would therefore have to take appropriate account of a Provider that is not able to demonstrate full conformance with a specific GOSARP and the consequences on other GOSARPs. Until all SMS GOSARPs are at standard level, an important feature of the audit would be an assessment of a Provider s implementation of the SMS (see 4.1). 1.2 From Quality Programs to SMS The establishment of safety practices that closely resemble those associated with a SMS is not new to ground operations or ISAGO. Prior to and in the initial stages of the introduction of SMS in ISAGO. Providers are already required to have a safety program (GOSM Edition 4 ORM-S ) at the station level as part of ISAGO registration. Furthermore, there was a recommended practice to implement risk 4 ORM-S The Provider shall have a station safety program for the purpose of preventing accidents and incidents, which includes processes for: (i) Personnel to report operational hazards, deficiencies and areas of concern; (ii) The investigation of accidents and incidents; (iii) The reporting of accidents and incidents; (iv) The investigation of irregularities or other non-routine operational occurrences that may be precursors of accidents or incidents; (v) The identification and analysis of operational hazards and potentially hazardous conditions; (vi) The production of analytical information, which may include recommendations, for use by operations managers in the prevention of operational accidents and incidents; (vii) Ensuring significant issues arising from the station safety program are subject to regular review by senior management; (viii) The dissemination of safety information to appropriate management and operational personnel; (ix) Compliance with applicable regulations and requirements of the customer airline(s). 1 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

8 management (GOSM Edition 4 ORM-S ), also at the station level. The safety requirements were closely associated with (station) quality control and (headquarters) quality assurance programs to monitor and assess the risk management processes. The current ISAGO SMS provisions (as recommended practices) and the implementation strategy allow amendments to the GOSARPs eliminating duplication and alternative practices. In addition, a clear differentiation can be made between quality and safety. The purpose of quality assurance (or in more broad terms, a quality management system) is generally taken to be a means of assuring that an organization s processes and procedures result in products or services that meet a predetermined standard and hence customers' expectations. The relevance or safety of the standard is rarely questioned as compliance and repeatability are the main objectives. A SMS on the other hand determines whether the products, service or (specifically) operations are safe by actively seeking to identify hazards and safety risks, and address them in the most appropriate way. Regulations and best industry practice form the basis of an operation but there is recognition, especially in a highly complex and technical operational environment, that additional safeguards (or safety risk controls in ICAO language) are necessary. The need for and the form of the additional safeguards are usually determined on a case by case basis, through the assessment of safety data and information directly related to the operation. As the operational environment usually changes over time, the continuing effectiveness of the safeguards is monitored, measured and when necessary modifications are made. This is the essence of safety management. In many areas of aviation, including in ISAGO, safety had been adopted within quality practices. However, in a risk-averse culture, the inevitable impact of an aviation accident means that safety needs to be explicit and, with increased demand and complexity of operations, safety management and the SMS was developed and separated to some degree from quality. Quality assurance is still required in the organization as normal business practice (as in ORM-H/HS/S 3.4.1), and also plays an important role in the SMS (ORM-H/HS/S and 3.3.4). Quality assurance is used internally as part of the SMS safety assurance to determine compliance with requirements, processes and procedures. It is also used specifically to determine whether the safety actions taken or activities provide safety satisfaction or what improvements can be made to the SMS processes and procedures (ORM-H/HS/S 3.3.4/3.3.5). Note that while ORM-H/HS/S is a standard, ORM-H/HS/S is currently a recommended practice. The introduction of safety assurance in SMS has to be considered in the context of the implementation of other SMS activities. It is therefore introduced as a recommended practice until such time that those other SMS processes and procedures can, where currently not, be established (documented/implemented). This means that until the SMS GOSARP for continuous improvement (ORM- H/HS/S 3.3.4) is implemented, the general quality assurance assessment of management processes, procedures and documentation (ORM-H/HS/S 3.4.1) would apply. For reference purposes, the GOSM Edition 5 quality assurance GOSARPs (ORM-H/HS/S ) are detailed in Appendix A to this document. 5 ORM-S The Provider should have a station risk management program that specifies processes that are implemented within the management system and in locations where ground operations are conducted to ensure: (i) Hazards with the potential to affect operational safety or security are identified through an operational risk assessment; (ii) Threats with the potential to affect security are identified; (iii) Hazards are analyzed to determine risks; (iv) Risks are assessed to determine the need for control; (v) Risk control actions are developed and implemented in operations, and are subsequently monitored and measured to ensure validation of their effectiveness and to ensure risks are controlled. 2 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

9 1.3 SMS Implementation A new GOSARP was introduced in GOSM Edition 5 (ORM-H/HS/S see 3.3.8) requiring the Provider to have an SMS implementation plan. The SMS implementation plan should detail the way the Provider will structure its entire organization (including all stations), resources and processes to effectively manage safety in operations. Considering that a safety and quality control program, with some risk assessment procedures, may already be in place, certain aspects can be directly transferable to the SMS. It would therefore be prudent of the Provider to follow the ICAO guidance and conduct a gap analysis to identify what changes or new processes would be needed to comply with the ISAGO SMS implementation strategy. The implementation plan should therefore show which SMS elements (or equivalent processes) are already implemented, and those in the process of being or planned to be implemented. The plan should also describe how the SMS will be based at a corporate (headquarters) level and implemented throughout the organization. Recommendation Obtain a copy of the Provider s SMS Implementation Plan prior to the audit to determine the audit scope and expectations for the SMS aspects. It is possible that implementation progress rates may vary within a Provider, especially at stations as part of an international organization and where local regulations may have an impact. If encountered, these factors will have to be taken into consideration when determining the scope of the audit and the assessment of the overall implementation of the SMS in an organization. The SMS implementation plan should, in the way that GOSARP recommended practices are treated, give a good indication of the Provider s commitment and recognition of current safety practices in aviation that are becoming the norm if not a requirement for an organization to conduct business. Credit, in the audit report, should therefore be given when a recommended practice is implemented by the Provider as if it were a standard. Where the SMS is already implemented, and functioning and the Provider is measuring its effectiveness, then ORM-H/HS/S might be assessed as not applicable (N/A). Whilst conformance with each individual GOSARP should be assessed, the SMS functions may be integrated with other management systems and/or distributed throughout the organization. The requirement to have a SMS (ORM-H/HS/S 3.1.1) is not, however, met until all the SMS GOSARPs are implemented. 1.4 ISAGO Audit Scope The extent of the SMS activities to be included in the audit is outlined in the framework (Figure 1) as specified in ICAO Annex 19, Safety Management, and is captured in the GOSARPs. The amount of activity, once implemented (see also 3.3.1), would depend to a large degree upon the size of the organization or the extent of its operations. In many States there are civil aviation regulations that require the establishment of an SMS within aircraft and airport operators. The services provided by Providers can have a direct influence on aircraft and airport operations and hence, even if not explicitly applicable in the regulations 6, the SMS of those operators should acknowledge many of the Provider s operational and management activities. Similarly, the SMS of a Provider should have established links to the SMS of the airport operator and those of customer airlines. This aspect is very important. It makes little sense for the SMSs of all the organizations 6 Or until the implementation of IOSA ORG in September ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

10 that operate on an airport (and there can be many) to be developed or work in isolation or, in the worst case scenario, in conflict. Indeed, there could be additional safety risks created by the actions resulting from the SMS of an individual organization without considering the safety impact on other operators and their operations. For a typical Provider s operation, with multiple customer airlines, this could very likely be the outcome if there were no measures in place for collaboration on safety management. The interface between the SMSs of Providers, aircraft and airport operators, perhaps with the air traffic services too, may sometimes be part of an airport collaborative decision-making initiative. This is particularly relevant to safety reporting (as already a regulatory requirement in some cases) and the development of safety action plans (as a result of a safety risk assessment), and the development of an emergency response plan (ERP). The actions of a Provider may also have a direct impact on safety performance indicators, as may be set for aircraft and airport operators by the regulatory authorities. Some of the SMS GOSARPs (especially ORM-H/HS/S and 3.3.3) include such interactions with other organizations on the airport. It is therefore important during a SMS audit to seek evidence of the existence and effectiveness of external relationship procedures and communications, and to be assured that it is bi-directional. Recommendation Identify the external organizations that may need to be contacted to verify conformance where interaction with the Provider is specified in a process or procedure. A similar relationship, sometimes referred to a bridge, would be in effect between the Provider s headquarters and each station(s). The SMS audit should seek evidence of effective communication, consistent implementation of corporate processes and procedures and clear lines of safety responsibilities between the two. The aim of Edition 5 of the GOSM is to ensure that the Provider has a thorough and robust corporate management of the services it provides at each station. This is why the GOSARPs often refer to implementation throughout the organization. Implementation in a GOSARP sense means that the process, procedure or otherwise required action or activity at a station is directed by headquarters and there is continuous oversight at a headquarters level to ensure correct implementation. A station audit would therefore have to use the most recent and a valid headquarters audit as a baseline reference for the implemented processes and procedures, and the effectiveness of the bridge should be tested for each relevant GOSARP. It is entirely plausible that management and communications between headquarters and the stations can become estranged. The emphasis must be on a top (headquarters)-down approach to SMS implementation, management and oversight - not bottom (station)-up or disconnected. The SMS audit therefore has to verify that implementation and compliance at each station is coordinated by headquarters and checked on a regular basis. 4 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

11 Section 2 SMS Audit Aims, Focus & Planning 2.1 Audit Aims The aim of the headquarters audit would be to determine the extent of implementation of the SMS throughout the organization and the effectiveness of the corporate management aspects. The audit summary would provide a detailed description of the Provider s conformance with the relevant SMS GOSARPs as implemented, see 4.2. Similarly, the aim of the station audit would be, in addition, to determine the effectiveness of the corporate SMS at the station through assessment of the implementation of procedures, oversight and the deployment of SMS safety risk management and safety assurance activities. 2.2 Audit Focus The primary focus of the SMS audit should be, where implemented, to seek evidence of: due diligence and competence in the assigned safety roles; the development, implementation of and conformance with documented processes and procedures; effective safety reporting systems, safety communications and awareness (hopefully, reflecting a positive safety culture); coordination and cooperation with other relevant SMSs at the airport, including customer airline(s); and the monitoring and measurement of SMS outcomes and effectiveness (quality assurance). A headquarters audit would be based predominantly upon an assessment of documentation. For auditing purposes the SMS documentation should provide a complete picture of how the SMS should work and all the SMS activities that have taken place. A fully implemented SMS should be rich with processes and procedures, assessments, reports, and other documentation that can be assessed against corresponding GOSARPs; checking for content, completeness, consistency and currency. It does, however, take time to develop a safety library of safety reports, safety assessments, action plans and documented decisions, which should be taken into consideration. Similarly, smaller organizations or those with limited ground operations may not produce large volumes of documentation. However, this situation should not prevent the organization from taking account of or using safety data and information shared or made available publicly. GOSARPs upgraded to Standards in GOSM Edition 5 relate to administrative processes for which documentation should be available. As a result, there should at least be verifiable evidence of some development and, if in advance of the SMS strategy timeline, possible implementation of an internal safety reporting system in operation. There should be documented evidence of reports and other management oversight records that demonstrate that processes and procedures are implemented and followed. There should also be ample opportunities to talk with the organization's personnel, from the very top level, and test their awareness of and whether or not they actually carry out their SMS duties and responsibilities. A station audit would be based on an assessment of implementation. On-site, Interviews with key people and the observation of a procedure in operation should be undertaken as the opportunity to do so arise 5 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

12 or is requested. It should also be possible to review procedures that have been developed and evidence of being correctly followed or reports produced and acted upon as required. 2.3 Audit Planning The audit of a SMS would normally consist of: A review of documented processes, procedures, reports, assessments and records; An assessment of evidence of implementation of processes and procedures; Interviews with key safety personnel; and Observations of operational procedures (at a station). While the use of computer networks (internet, intranet etc.) should render the physical location of documentation (and its development or management) of little consequence, the verification of use and access to SMS documentation and document management systems might depend upon the location of the Provider s headquarters and station(s). The organization could be spread across several countries, and activities could vary from place to place. The documentation could also be held locally in a different language and translation/interpretation services may need to be considered. Interviews with the nominated key safety personnel are needed to verify conformance with corresponding GOSARPs, that the SMS processes and procedures are implemented and used correctly, and that everyone is aware of their SMS roles and responsibilities. Some of these personnel may be located at a station; hence the headquarters audit should identify these personnel for when the station audit is conducted. Recommendation Establish where, if different, the management and administration of each SMS function is conducted and the location of key safety personnel. There are few, if any, SMS activities that can be observed in the same way as a ground operations procedure. Even if, say, a safety assessment was taking place during the audit, there would be little benefit in observing it. It would be more worthwhile seeking evidence that the safety assessments were recorded properly and have produced tangible outcomes in accordance with the SMS safety risk management and safety assurance GOSARPs. In this respect, there should be a record of the risk assessment activity, discussions that took place and any decisions made by management. The headquarters documentation review could, by way of records of safety events and safety risk management/safety assurance actions, reveal the extent of the SMS activities at each station. Based on reasoned judgment, queries could be raised and explored if one station appears to be less safe than others, or if there is a marked difference in the number of safety reports generated at each station or how safety issues are operationally addressed. This situation could indicate a lack of conformity with processes and procedures at the headquarters or the station, and raised with the Provider for immediate clarification or attention. If the reason for the anomalies is an issue at a station, the next planned audit at that station should verify that corrective action has been successfully completed by the Provider. A finding, however, has to be raised if the Provider s oversight of effective SMS implementation is at fault. Where a Provider has an extensive network of stations, perhaps 20 or more, a pragmatic approach should be taken during the headquarters audit when assessing conformity of implementation and headquarters oversight. A sample of stations may be chosen as a rational indication that GOSARP conformance at the other stations is likely to be at least as good as those in the sample. In this respect, the number and 6 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

13 location of stations chosen by the auditor for the sample should consider the Provider s ISAGO history (in terms of results) and if potential weaknesses or failures of management oversight of station activities are apparent. Where station sampling is used, justification, including the methodology and evidence used, must be documented by the auditor in the headquarters audit report. 2.4 The Safety Office Depending upon the size of the organization, the administrative aspects of the SMS (such as safety risk management) may be undertaken by a dedicated team, perhaps a centralized Safety Office, managed by a person normally with the title Safety Manager. This will probably mean that a station will play only a participative role and therefore all the documentation needed for review would be accessible from the Safety Office. The Safety Manager would be a key person in the audit. It would be unusual for more than one Safety Office to exist in an organization but there could be more than one Safety Manager, dependent upon the delegation of responsibilities and possibly one at each station if the operation is large enough. The roles and responsibilities of the Safety Office and Safety Manager(s) have to be clearly defined. The Safety Office may be located anywhere provided that effective lines of communication with operational subject matter experts and responsibility for establishing safety action plans are in place. The Safety Office is also the place where safety issues (safety reports) identified at a station should be forwarded to for processing, including review and recording, and analysis and distribution as necessary. The Safety Office is where the administrative center of the organization and the safety library exist. The Safety Office would normally be responsible for the following: safety reports are received and, with other safety information, are processed according to the procedures safety risk assessment outcomes are handled correctly and efficiently actions to control safety risks are implemented and monitored safety performance is monitored and measured reviews of the SMS performance take place. The Safety Office may also be responsible for the dissemination of safety information and facilitator of safety training. As the SMS becomes more established the Safety Office should increase its presence and its influence over the safety activities throughout the organization. In future, the Safety Office and the Safety Manager might become the focal point for the ISAGO SMS audit. 7 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

14 Section 3 SMS Audit by GOSARP 3.1 Introduction This section aims to provide, where perhaps necessary, some guidance on the audit of each SMS GOSARP. The SMS GOSARPs follow a similar format to that of the ICAO SMS framework illustrated in Figure 1. Of the four ICAO SMS framework components, the safety policy and objectives aspects are mostly administrative and may not change significantly over a period of time. The fourth framework component, safety promotion, is also administrative in nature but will most likely have regular tangible outcomes and outputs that can be audited. The two main SMS functional areas, involving routine activities, are safety risk management and safety assurance. These are two functions expected to be administered by the Safety Office or, in kind, by a person with safety responsibilities at the station. If addressed at the station (or the Safety Office is located at the station) the audit should verify that the associated GOSARPs (ORM-H/HS/S 3.2 and 3.3) are implemented and that there is effective management control by the Provider at a headquarters level. Documentation is needed in nearly all cases to verify conformance with the corresponding GOSARPs but, in general, interviews with the nominated key safety personnel may be useful and, where practicable, observations may take place. 3.2 Organization & Accountability Although only one GOSARP in this part of the ORM is directly linked to SMS, all the GOSARPs have an association and therefore the SMS should be taken into consideration in the context of a management system The Accountable Executive ORM-H/HS The Provider shall identify one senior management official as the Accountable Executive who is accountable for performance of the management system as specified in ORM-H/HS and: (i) Irrespective of other functions, has ultimate responsibility and accountability on behalf of the Provider for the implementation and maintenance of the safety management system (SMS) throughout the organization; (ii) Has the authority to ensure the allocation of resources necessary to manage safety risks to ground operations; (iii) Has overall responsibility and is accountable for ensuring operations are conducted in accordance with applicable regulations and standards of the Provider. [SMS] A SMS is designed to be driven from the highest level of the organization, with clearly defined roles, responsibilities and lines of authority and communication. At the top is the person nominated as the Accountable Executive. An interview with this person, if possible, would be useful to ascertain the management commitment, verify senior management involvement (in decision making) and awareness of the SMS and its outcomes. The interview should establish whether the level of commitment typically 7 ORM-H/HS The Provider shall have a management system that ensures: (i) Policies, systems, programs, processes, procedures and/or plans of the Provider are administered and/or implemented throughout the organization; (ii) Ground operations are supervised and controlled; (iii) Operations are conducted in accordance with applicable regulations and requirements of the customer airline(s). 8 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

15 indicated in safety policies is in fact put into place. The answers given to simple questions can reveal a lot and prepare the auditor for the rest of the audit. Question Is the Accountable Executive made fully aware of the level of operational safety of the organization, including all the stations? Question What has been done to address safety issues, improve safety and improve the SMS? The Accountable Executive is the only person with accountability for the safety performance of the organization and therefore should be fully aware of the SMS outputs and effectiveness. Recommendation Ask the Accountable Executive what the Provider s top, say, 3 safety risks are and verify that they are represented by safety performance indicators/targets (and possibly safety risk mitigation plans). If it is not possible to arrange an interview, verify through documentation and questioning those persons with SMS responsibilities that the Accountable Executive takes an active role in the SMS and for allocating resources. The Accountable Executive should not be just a signature. 3.3 Safety Policy & Objectives SMS The first component of the SMS framework mainly addresses the administrative aspects of the SMS that would also mainly be within the scope of the headquarters audit. ORM-H/HS/S The Provider should have an SMS that is implemented and integrated throughout the organization to ensure management of the safety risks associated with ground operations. [SMS] Note: Effective 1 January 2019, this recommended practice will be upgraded to a standard. Conformity with ORM- H/HS/S is possible only when the Provider is in conformity with all standards and recommended practices that are identified by the [SMS] symbol. All components and elements of the SMS framework have to be in place for the SMS to function properly. Conformance with this GOSARP would depend upon conformance with all other SMS GOSARPs. In many cases this will not be the case; hence, the reason why this GOSARP has a standard upgrade date of 2019, after all the other GOSARPs have been upgraded too, and the requirement for the SMS implementation plan (ORM-HS/HS/S 3.1.8). Note that it is intended that ORM-HS/HS/S will be removed once the IATA strategic implementation plan is completed (The Safety) Manager ORM-H The Provider should appoint a manager who is responsible for the implementation, maintenance and the day-to-day administration and operation of the SMS at the corporate level and throughout the organization. [SMS] Note: Effective 1 January 2017, this recommended practice will be upgraded to a standard. ORM-HS The Provider should appoint a manager(s) who is responsible for: (i) The implementation, maintenance and the day-to-day administration and operation of the SMS at the corporate level and throughout the organization; (ii) The day-to-day administration and operation of the SMS at the station level. [SMS] Note: Effective 1 January 2017, this recommended practice will be upgraded to a standard. ORM-S The Provider should appoint a manager who is responsible for the day-to-day administration and operation of the SMS at the station level. [SMS] Note: Effective 1 January 2017, this recommended practice will be upgraded to a standard. 9 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

16 Another key safety role is that of the Manager assigned to administer the SMS usually called the Safety Manager. The role and responsibilities of this person (or persons depending upon if the role is spread across several stations) should be clearly defined and there should be documented evidence of the person performing the role. If more than one Safety Manager (or other defined job title) exists then there should be defined lines of authority and communication such that there is no ambiguity or interference with performing the safety responsibilities within the organization. Question Ask the Safety Manager or person responsible at a station the same questions suggested to the Accountable Executive. Question Can the Safety Manager explain the organization s safety hierarchy and the lines of responsibility? The Safety Manager should be able to demonstrate that the SMS policy and objectives, and the associated processes and procedures are implemented at all stations. The Safety Manager should also be able to provide evidence of the way that safety reports and safety information is processed (through the safety risk management process) and that records and other documentation is controlled Safety Roles & Responsibilities Recommendation As time allows, trace a safety report through the safety risk management process (see 3.4). Wherever possible, choose at least one that results in a safety recommendation that required a management decision, and mitigation measures with documented performance indicators and targets. ORM-H/HS/S The Provider should define the safety responsibilities of management and non-management personnel throughout the organization and specify the levels of management with the authority to make decisions that affect the safety of ground operations. [SMS] Note: Effective 1 January 2017, this recommended practice will be upgraded to a standard. Other key safety roles would probably be those of station personnel with direct management or supervisory responsibilities for ground operations. Apart from documented details of the roles and responsibilities of named persons, there should be evidence of their involvement in safety risk management and safety assurance activities, usually as an operational expert. An interview should test the awareness and knowledge of the assigned roles and responsibilities, and confirm recent activity Corporate Safety Policy (Safety Objectives) Recommendation Look for evidence of the named persons responsible for ground operational safety involvement in the implementation and monitoring of safety risk mitigation or control activities. ORM-H/HS/S The Provider shall have a corporate safety policy that: (i) Reflects the organizational commitment regarding safety; (ii) Includes a statement about the provision of the necessary resources for the implementation of the safety policy; (iii) Includes safety reporting procedures as specified in ORM-H/HS/S 3.2.2; (iv) Indicates which types of behaviors are unacceptable and includes the circumstances under which disciplinary action would not apply as specified in ORM-H/HS/S 3.1.5; (v) Is signed by the Accountable Executive of the organization; (vi) Is communicated, with visible endorsement, throughout the organization; (vii) Is periodically reviewed to ensure it remains relevant and appropriate to the Provider. [SMS] Conformance is determined mostly as a straightforward verification exercise. Documentation should be in conformity to all seven items listed in the GOSARP. 10 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

17 It should be clear from the safety policy that it is relevant to the Provider and there should be evidence of implementation. Implementation in this sense means that it is clear that safety activities exist or actions are taken directly as a result of the policy. Question Is the safety policy generic (indicating a possible lack of detail/sincerity) or contains policies specific to the organization, or to a station? Resources (ORM-H/HS/S 3.1.4(ii)) would usually be in the form of funding, people and equipment. Time, allocated to undertake SMS activities could also be included. A typical indication of inadequate resourcing is where SMS activities are delayed or if safety recommendations are postponed. Another indicator of inadequate resourcing is where key safety personnel posts remain vacant for a prolonged period of time or are assigned to people with inadequate credentials and time to undertake the extra responsibilities. Recommendation Examine the CVs and SMS training records of key personnel. For ORM-H/HS/S 3.1.4(iii) see ORM-H/HS/S and ORM-H/HS/S A behavior policy (ORM-H/HS/S 3.1.4(vii)) should be clear, comprehensive and communicated to all employees. There could be evidence provided of an example where the policy was invoked and action was taken but be careful to respect sensitive information. Note that a non-punitive behavior policy may require approval from a regulatory body. For example, in aviation there are instances where a mandatory report is required but the organization may be authorized to investigate and, subject to the outcome, address the issue without recourse to the regulatory authority. Periodic review of the safety policy (ORM-H/HS/S 3.1.4(vii)) would normally be covered by ORM-H/HS/S (the Quality Assurance program see Appendix A) but may also depend upon the implementation of ORM-H/HS/S It is typical for a two-year review period to apply. Although not explicitly required as a GOSARP at this time, the Provider s safety objectives should be documented with the safety policy. There is, however, inference of the requirement for safety objectives in ORM-H/HS/S and in documentation and the implementation plan respectively. In any case, safety objectives should be linked to the safety policy and the safety assurance component. Question Are safety objectives relevant to the organization stated (or related to safety mitigation activities)? Safety objectives should be derived as a consequence of ORM-H/HS/S The safety objectives should reflect any high level safety performance indicators and targets that the Provider sets and, once the safety assurance component is fully functional, may include significant safety objectives, i.e. set as a direct result of the Provider s safety risk management and related to an assessment or, perhaps, set by a regulatory authority as part of a national issue or safety campaign. Recommendation Look for evidence of the safety objectives incorporating an objective that reflects an established safety performance indicator(s) associated with a significant safety risk mitigation or control activity. 11 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5

18 3.3.5 Safety Reporting Policy ORM-H/HS/S The Provider shall have a corporate safety reporting policy that encourages personnel to report hazards to ground operations and, in addition, defines the Provider's policy regarding disciplinary action, to include: (i) Types of operational behaviors that are unacceptable; (ii) Conditions under which disciplinary action would not be taken by the Provider. [SMS] The safety reporting policy supports the policy outlined in ORM-H/HS/S 3.1.4(iii) and the behavior policy in ORM-H/HS/S 3.1.4(iv) but has to specifically address safety reporting. In this respect, the policy should outline clearly what should be reported, by whom and when. The behavior policy should reflect the nonpunitive requirement in ORM-H/HS/S The safety reporting policy should also address the data protection aspects of ORM-H/HS/S 3.2.2(iv), which may be subject to applicable national regulations or guidelines. Question Is the Provider aware of the data protection regulatory guidance provided by ICAO in Annex 19? Emergency Response Plan (ERP) ORM-H/HS/S The Provider should have a corporate emergency response plan (ERP) that includes provisions for: (i) The central management and coordination of all the Provider's activities should it be involved in or it is necessary to respond or react to an aircraft accident or other type of adverse event that could result in fatalities, serious injuries, considerable damage and/or a significant disruption to operations; (ii) The appropriate coordination or be compatible with the ERPs of other applicable organizations relevant to the event. [SMS] Note: Effective 1 January 2018, this recommended practice will be upgraded to a standard. The Provider's ERP should describe in a suitable document who does what, when and how for all perceived emergency situations. The ERP should address the emergency procedures that maintain operational safety from the time that an emergency is declared until normal operations are resumed. ERP should also address security events. The ERP should be made available and be known to all relevant personnel. Named persons or those in named posts should be interviewed to test their knowledge and understanding of the ERP and their roles and responsibilities. Personnel should also be trained and equipped to deal with their roles and responsibilities. While the Provider should develop its own ERP, specifying what its staff should do, it is highly likely that the Provider s station personnel will play a participative or perhaps a coordination role in the ERP of the airport with some supervisory roles and functions (particularly for passenger handling). Look for the association of the Provider with the ERP or other such contingency plans of the customer airline(s) and, importantly, that of the airport authority. There should be evidence of collaboration in the ERP development as required in ORM-H/HS/S 3.1.6(ii). Recommendation Confirm that the Provider actively participates in the development, maintenance and testing of the ERP of the airport. 12 ISAGO SMS Audit Guidelines July 2016, based on GOSM ED. 5