[Federal Register Volume 75, Number 214 (Friday, November 5, 2010)]
[Proposed Rules]
[Pages 68224-68245]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-28050]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Parts 5 and 119
[Docket No. FAA-2009-0671; Notice No. 10-15]
RIN 2120-AJ86
Safety Management Systems for Part 121 Certificate Holders
AGENCY: Federal Aviation Administration (FAA), Department of
Transportation (DOT).
ACTION: Notice of proposed rulemaking (NPRM).
-----------------------------------------------------------------------
SUMMARY: The FAA proposes to require each certificate holder operating
under 14 CFR part 121 to develop and implement a safety management
system (SMS) to improve the safety of their aviation related
activities. A safety management system is a comprehensive, process-
oriented approach to managing safety throughout an organization. An SMS
includes an organization-wide safety policy; formal methods for
identifying hazards, controlling, and continually assessing risk; and
promotion of a safety culture. SMS stresses not only compliance with
technical standards but increased emphasis on the overall safety
performance of the organization.
DATES: Send your comments on or before February 3, 2011.
ADDRESSES: You may send comments identified by Docket Number FAA- 2009-
0671 using any of the following methods:
Federal eRulemaking Portal: Go to http://www.regulations.gov and follow the instructions for sending your
comments electronically.
Mail: Send comments to Docket Operations, M-30, U.S
Department of Transportation, 1200 New Jersey Avenue, SE., West
Building Ground Floor, Room W12-140, Washington, DC 20590-0001.
Fax: Fax comments to Docket Operations at (202) 493-2251.
Hand Delivery: Bring comments to Docket Operations in Room
W12-140 of the West Building (Ground Floor) at 1200 New Jersey Avenue,
SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday,
except Federal holidays. For more information on the rulemaking
process, see the SUPPLEMENTARY INFORMATION section of this document.
Privacy: We will post all comments we receive, without change, to
http://www.regulations.gov, including any personal information you
provide. Using the search function of our docket Web site, anyone can
find and read the comments received into any of our dockets, including
the name of the individual sending the comment (or signing the comment
for an association, business, labor union, etc.). You may review DOT's
complete Privacy Act Statement in the Federal Register published on
April 11, 2000 (65 FR 19477-78), or you may visit http://DocketsInfo.dot.gov.
Docket: To read background documents or comments received, go to
http://www.regulations.gov at any time or to Docket Operations in Room
W12- 140 of the West Building Ground Floor at 1200 New Jersey Avenue,
SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday,
except Federal holidays.
FOR FURTHER INFORMATION CONTACT: Scott Van Buren, Chief System Engineer
for Aviation Safety, Office of Accident Investigation and Prevention
(AVP), Federal Aviation Administration, 800 Independence Avenue, SW.,
Washington, DC 20591; telephone: (202) 494-8417; facsimile: (202) 267-
3992; e-mail: [email protected]. For legal questions, contact Anne
Bechdolt, Regulations Division, Office of the Chief Counsel, Federal
Aviation Administration, 800 Independence
[[Page 68225]]
Avenue, SW., Washington, DC 20591; telephone: (202) 267-3073;
facsimile: (202) 267-7971; e-mail: [email protected].
SUPPLEMENTARY INFORMATION: Later in this preamble under the Additional
Information section, we discuss how you can comment on this proposal
and how we will handle your comments. Included in this discussion is
related information about the docket, privacy, and the handling of
proprietary or confidential business information. We also discuss how
you can get a copy of related rulemaking documents.
Authority for This Rulemaking
The FAA's authority to issue rules on aviation safety is found in
Title 49 of the United States Code. This rulemaking is promulgated
under the authority described in 49 U.S.C. 44701(a)(5), which requires
the Administrator to promulgate regulations and minimum standards for
other practices, methods, and procedures necessary for safety in air
commerce and national security.
In addition, the Airline Safety and Federal Aviation Administration
Extension Act of 2010 (the Act), Public Law 111-216, sec. 215 (August
1, 2010), requires the FAA to conduct rulemaking to ``require all part
121 air carriers to implement a safety management system.'' The
rulemaking must consider, at a minimum, including an aviation safety
action program (ASAP), flight operational quality assurance program
(FOQA), a line operations safety audit (LOSA), and an advanced
qualification program (AQP) as part of the SMS. The FAA must issue a
notice of proposed rulemaking within 90 days of the passing of the Act,
and a final rule within 24 months of the passing of the Act, requiring
all part 121 air carriers to implement a safety management system.
Table of Contents
I. Executive Summary
II. Background
A. What is a Safety Management System?
B. Why is an SMS necessary?
C. Congressional Mandate
D. International Harmonization
E. NTSB Recommendations
F. FAA Aviation Safety (AVS) SMS Actions
III. Discussion of the Proposal
A. General Requirements
B. Safety Policy
C. Safety Risk Management
D. Safety Assurance
E. Safety Promotion
F. SMS Documentation and Recordkeeping
IV. Regulatory Notices and Analyses
I. Executive Summary
This proposal would require certificate holders authorized to
conduct operations under 14 Code of Federal Regulations (CFR) part 121
to develop and implement a Safety Management System (SMS) of their
aviation safety-related activities. An SMS includes an organization-
wide safety policy; formal methods for identifying hazards,
controlling, and continually assessing risk; and promotion of a safety
culture. When systematically applied, an SMS provides a set of
decision-making tools that certificate holders can use to improve
safety.
The FAA is proposing this rule as part of its efforts to
continuously improve safety in air transportation. The FAA proposes to
add the SMS rule, a performance-based regulation, to existing
regulations and technical operating standards to deal with gaps best
addressed through improved management practices. SMS's proactive
emphasis on hazard identification and mitigation, and on communication
of safety issues, would provide certificate holders robust tools to
improve safety.
The International Civil Aviation Organization (ICAO), in its March
2006 amendments to Annex 6 part I,\1\ which addresses operation of
airplanes in international commercial air transport, establishes a
standard for member states to mandate that each of these operators
establish an SMS. In addition, the National Transportation Safety Board
(NTSB) has recommended the FAA pursue rulemaking to require all 14 CFR
part 121 operators to implement an SMS.\2\ Congress, in the Airline
Safety and Federal Aviation Administration Extension Act of 2010 (Pub.
L. 111-216, August 1, 2010), directed the FAA to issue a notice of
proposed rulemaking within 90 days of enactment, and a final SMS rule
by July 30, 2012. If this proposal is adopted, U.S. aviation safety
regulations would be in conformance with ICAO standards, would fully
address NTSB recommendations, and would comply with the statutory
requirement.
---------------------------------------------------------------------------
\1\ A copy of Annex 6 has been placed in the docket for this
rulemaking.
\2\ Recommendation A-07-10, dated January 23, 2007. This
recommendation was issued in connection with the NTSB's
investigation of Pinnacle Airlines flight 3701, which occurred on
October 14, 2004.
---------------------------------------------------------------------------
The FAA anticipates a final rule would become effective 60 days
after publication of the final rule in the Federal Register. The agency
proposes to require current certificate holders to submit an SMS
implementation plan for approval within six months of that effective
date. The FAA solicits comments on the 60-day effective date, as well
as the timeframe for submission of an SMS plan. The implementation plan
would have to ensure the certificate holder's SMS would be fully
operational within three years of the effective date. New applicants
for certification to conduct operations under part 121 would be
required to demonstrate prior to certification that they have an SMS
that meets the requirements set forth in this proposal.
Under this proposal, the FAA would require each air carrier to
develop an SMS that includes the four SMS components set forth in Annex
6: Safety Policy, Safety Risk Management, Safety Assurance, and Safety
Promotion. To support each component, the FAA proposes a certificate
holder implement a number of processes and procedures. Together, the
four components and corresponding processes and procedures provide the
general framework for an organization-wide safety management approach
to air carrier operations.
The FAA projects that the compliance cost supporting each component
would come from the initial development and documentation of the SMS,
implementation and continuous operating costs to include the
modification or purchasing of new equipment/software, additional staff
and promotional materials, and training. Because SMS is inherently
scalable, costs depend on the size of the carrier and the type of
operations that it provides. Further, operators may have existing
quality management systems or other voluntary programs, which may lower
the estimated compliance costs. These components would also help air
carriers effectively integrate formal risk control procedures into
normal operational practices thus improving safety for all U.S. part
121 operators. Total benefits are estimated at $1,143.1 million ($500.8
million present value) and total costs are estimated at $710.8 million
($375.5 million present value).
[[Page 68226]]
[GRAPHIC] [TIFF OMITTED] TP05NO10.000
II. Background
The FAA is committed to continuously improving safety in air
transportation. Increased demand for air transportation, the impact of
additional air traffic, changes in business models, advances in new
technology, new routes, and transition of personnel can heighten the
risk in air carrier operations. While the FAA's use of existing
regulations and technical operating standards has been effective, these
regulations may leave gaps best addressed through improved safety
management practices. As the air carrier best understands its own
unique operating environment, it is in the best position to identify
these gaps and institute the proper controls to reduce or eliminate
risk to its operations. The FAA would still set the safety standards,
conduct inspections and maintain oversight. However, SMS's proactive
emphasis on hazard identification and risk control, as well as
communication and training of safety issues, would provide certificate
holders conducting operations under 14 CFR part 121 with the necessary
tools to improve safety within their organizations. SMS processes will
also make the application of regulations more meaningful to achieve
greater safety benefit.
Therefore, the FAA, in continuing to develop a comprehensive and
integrated framework for safety management, is proposing a standardized
set of requirements for the development and implementation of SMS. This
proposal includes the four key components of an SMS as set forth in
ICAO Annex 6.
A. What is a Safety Management System?
An SMS is an organization-wide approach to managing safety risk and
assuring the effectiveness of safety risk controls. It would provide an
air carrier with a set of decision-making processes and procedures that
it would use to plan, organize, direct, and control its business
activities in a manner that enhances safety and ensures compliance with
regulatory standards. It includes an organization-wide safety policy;
formal methods for identifying hazards, controlling, and continually
assessing risk; and promotion of a safety culture. An SMS incorporates
these procedures into normal, day-to-day business processes. SMS
processes seek to identify potential organizational breakdowns and
necessary process improvements allowing management to address a safety
issue before a noncompliant or unsafe condition results. These tools
are similar to those that management already uses to make operational
decisions, such as adding new aircraft to its fleet or adding a new
route. Using an SMS, however, is not a substitute for compliance with
FAA regulations or FAA oversight activities. Rather, an SMS would, at
its foundation, ensure compliance with safety-related statutory and
regulatory requirements and allow certificate holders to address
hazards unique to their operations.
There are four essential components of an SMS. These are based on
the ICAO SMS framework and FAA guidance in Advisory Circular 120-92A,
Safety Management Systems for Aviation Service Providers (August 12,
2010).\3\
---------------------------------------------------------------------------
\3\ Additional information on ICAO's SMS standards and guidance
may be found at http://www.icao.int/anb/safetymanagement. Copies of
the ICAO standards and the ICAO SMS manual have been placed in the
docket for this rulemaking.
---------------------------------------------------------------------------
The safety policy is the foundation of the organization's safety
management system. It clearly states the organization's safety
objectives and sets forth the policies, procedures, and organizational
structures necessary to accomplish the safety objectives. The safety
policy clearly delineates management and employee responsibilities for
safety throughout the organization. It also ensures that management is
actively engaged in the oversight of the company's safety performance
by requiring regular review of the safety policy by a designated
accountable executive.
The second component, safety risk management, requires development
of processes and procedures to provide an understanding of the
carrier's operational systems to allow individuals to identify hazards
associated with those systems. Once hazards are identified, other
procedures must be developed under safety risk management to analyze
and assess the risk resulting from these hazards, as well as to
institute controls to reduce or eliminate the risks from these hazards.
The third component, safety assurance, ensures the performance and
effectiveness of safety risk controls established under safety risk
management. Safety assurance is also designed to ensure that the
organization meets or exceeds its safety objectives through the
collection, analysis, and assessment of data regarding the
organization's performance.
The fourth component of an SMS is safety promotion. Safety
promotion requires a combination of training and communication of
safety information to employees to enhance the organization's safety
performance. How an organization seeks to comply with this component
depends on the size and scope of the organization. It may include
formal safety training for employees, a formal means of communicating
safety information, and a means for employees to raise safety concerns
without fear of retribution.
B. Why is an SMS necessary?
The commercial air carrier accident rate in the United States has
decreased substantially over the past 10 years.\4\
[[Page 68227]]
This has been accomplished through a growing body of regulations, FAA
oversight activities, and voluntary industry safety initiatives.
However, over the past 10 years, the FAA has identified a more recent
trend involving hazards that were revealed during incident and accident
investigations. Many of these hazards could have been mitigated or
eliminated earlier had a structured, organization-wide approach to
managing air carrier's operations been in place. For example, FAA's
Office of Accident Investigation and Prevention identified 172
accidents involving part 121 operators from fiscal year (FY) 2001
through FY 2010 that could have been mitigated if air carriers had
implemented a safety management system to identify hazards in their
daily operations and developed methods to control the risk. The
following two accidents are representative of the 172 accidents
reviewed by the FAA and discussed in the Initial Regulatory Evaluation.
Summaries of these two accidents are included to illustrate the
potential mitigations that could have resulted with SMS.
---------------------------------------------------------------------------
\4\ NTSB Aviation Accident Statistics: http://www.ntsb.gov/aviation/Table5.htm, http://www.ntsb.gov/aviation/Table6.htm, and
http://www.ntsb.gov/aviation/Table7.htm.
---------------------------------------------------------------------------
On January 8, 2003, Air Midwest flight 5481 crashed immediately
after lift-off in Charlotte, North Carolina. The aircraft was destroyed
by impact and post impact fire, resulting in twenty-one fatalities and
one injury to a person on the ground. This accident occurred shortly
after outsourced maintenance was completed on the airplane's elevator
control system. The accident investigation revealed that the elevator
controls were improperly rigged during maintenance. The crew was not
aware of this unsafe condition. The following is an example of how
maintenance hazards could have been identified and their associated
risks mitigated if the carrier had implemented an SMS.
In this instance, the formal safety risk management analysis would
have been triggered by the air carrier's plan to have aircraft
maintenance performed at uncertificated repair facility using
maintenance technicians provided by a third party sub-contractor.
First, the air carrier's maintenance management would have conducted a
thorough system analysis, reviewing its current maintenance program,
including all relevant policies, processes, and procedures. It would
have identified the personnel, procedures, equipment, and facilities
necessary to perform the work and assessed whether the maintenance
facility, its management, and the third party mechanics met those
requirements. It also would have identified the personnel necessary to
conduct oversight for the air carrier at the maintenance facility.
Following the system analysis, the air carrier's maintenance management
would have identified the following system hazards: (1) The maintenance
facility was not a certificated repair station and therefore lacked the
controls associated with regulatory certification; (2) the facility,
its management and the actual workforce were provided by separate
contractors; (3) the inadequate number of experienced air carrier
maintenance representatives and their lack of authority under the
contract to oversee the performance of the maintenance. The maintenance
management team would have reported these issues to the management
representative and the accountable executive.
The air carrier's maintenance management, in assessing the risk of
these and other hazards, would have considered the worst credible
outcome of the performance of the maintenance at that facility under
those conditions. Those risks may have been determined to be
unacceptable and appropriate risk controls would have been implemented.
Such risk control options may have included contracting with a
certificated part 145 repair station, revising the maintenance
procedures and associated job aids for its maintenance and inspection
programs, having additional experienced maintenance representatives of
the air carrier, with appropriate contract authorities, stationed at
the repair facility to monitor the performance of maintenance tasks and
inspections. Also, through the SMS safety assurance processes, the air
carrier would have evaluated the safety performance of its risk
controls through its continuous analysis and surveillance system (CASS)
to verify that the controls were effective. Errors in specific
maintenance tasks or inspections may have been spotted by the on site
air carrier maintenance representatives or through a confidential
employee reporting system if any of these concerns were raised with
regard to the maintenance activities. These reports would have been
utilized to steer changes in existing policies or in more effective
contracting and execution of maintenance. Using the SMS safety
promotion component, the air carrier could have made these critical
maintenance issues known to its entire maintenance workforce, including
air carrier management. This would have increased awareness of hazards
and enhanced the safety of the overall maintenance program for the air
carrier.
A second example is Comair flight 5191. On August 27, 2006, at
approximately 6 a.m., Comair flight 5191 crashed during takeoff from
Blue Grass Airport, Lexington, Kentucky, en route to Atlanta, Georgia.
The flightcrew received and acknowledged a clearance from the tower to
take off from runway 22 but instead, they positioned the airplane on
runway 26 and commenced the takeoff. The airplane ran off the end of
the runway and impacted the airport perimeter fence, trees, and
terrain. The pilot in command (PIC), flight attendant, and 47
passengers were killed. The second-in-command pilot sustained serious
injuries. The airplane was destroyed by impact forces and a post-crash
fire. The flightcrew believed that they had taxied the airplane to
runway 22 when they had actually taxied onto runway 26 and initiated
the takeoff roll. The flightcrew's noncompliance with standard
operating procedures, including the PIC's abbreviated taxi briefing,
combined with both pilots' non-pertinent conversation most likely
created an atmosphere in the cockpit that enabled the crew's errors.
The following is an example of how hazards relating to the flight
operations of this accident could have been identified and the
associated risks mitigated if the carrier had implemented an SMS.
In this instance, the SMS safety assurance component would have
triggered a formal safety risk management analysis. Under the SMS
safety assurance process, periodic audits of flight crew performance,
such as Line Operations Safety Audits (LOSA), may have revealed
systemic failures of crew coordination concepts and failures to follow
standard procedures. Additionally, reports from a confidential employee
reporting system like Aviation Safety Action Program (ASAP) would have
indicated that deficiencies in flightcrew performance. LOSA audits or
other structured operational checking procedures, combined with reports
from a confidential employee reporting system regarding flight crew
performance, would have indicated that the existing controls, such as
operational procedures and preflight checklists were not effective, or
flightcrew training and evaluation programs were ineffective.
Under a formal SMS safety risk management process, the management
representative would have ensured that the flight operations management
team conducted a system analysis, reviewing its operational control and
flight operations procedures, the operating environment (runway
conditions, airport configuration), as well as the personnel and
equipment required for the safe operation of the airplane. The system
analysis would have led to a
[[Page 68228]]
discovery of hazards and possible errors that could be made at runway
intersections, like the incorrect selection of the appropriate
departure runway. The flight operations management team would have
reported these issues to the management representative and the
accountable executive.
Upon completion of the risk assessment, the flight operations
management team could have developed risk controls, such as revising
the checklists to require the positive verification of the airplane
alignment on the correct runway and additional crew resource management
training to enhance the crewmembers' situational awareness. These
procedures could be incorporated into the company's flight manuals,
checklists, and training curriculum. Once in place, the effectiveness
of the risk controls would have been continuously monitored under the
safety assurance processes.
From the SMS safety promotion component, the information gained
through the safety risk management and safety assurance processes such
as the employee reporting system, could be provided back to crews in
the form of awareness tools such as company newsletters, bulletins to
pilots, and other communications media.
C. Congressional Mandate
In addition to the FAA's accident review indicating a need for SMS,
Congress recognized the need for air carriers to implement safety
management systems. On August 1, 2010, The Airline Safety and Federal
Aviation Administration Extension Act of 2010 (the Act), Public Law
111-216, was signed. The Act requires the FAA to conduct rulemaking to
``require all part 121 air carriers to implement a safety management
system.'' Public Law 111-216, sec. 215.
The Act also requires the FAA to consider mandating as part of the
SMS rulemaking, the following voluntary programs: ASAPs, flight
operational quality assurance systems (FOQAs), LOSAs, and advanced
qualification programs (AQPs). The FAA has reviewed these programs and
finds they would be useful to meet the requirements to regularly review
the safety performance of the organization (Sec. 5.25(b)(5)), to
monitor the effectiveness of safety risk controls (Sec. 5.25(c)(2)),
and to monitor and measure the organization's safety performance (Sec.
5.71). However, based on the following, the FAA has determined that it
would not be appropriate to require all of these programs for all
certificate holders conducting operations under 14 CFR part 121.
Aviation Safety Action Program (ASAP). ASAP is an employee
reporting system that certificate holders may use to gather information
from employees on safety compliance and performance issues. ASAP
programs are intended for air carriers that operate under part 121 and
major domestic repair stations certificated under part 145. The goal of
ASAP is to enhance aviation safety voluntary reporting of safety issues
and events that come to the attention of employees. The program
encourages an employee to voluntarily report safety issues even though
they may involve a potential violation(s) of Title 14 of the Code of
Federal Regulations.
As of September 27, 2010, there are 90 certificate holders
conducting operations under part 121. Approximately two-thirds of these
certificate holders have implemented some type of ASAP program. While
ASAP originally was limited to pilots and flight engineers, some air
carriers have expanded the program to include its flight attendants,
dispatchers, and mechanics. One carrier has an ASAP for ground service
personnel. The program is a valuable way to bring employees into a
proactive safety effort and can be a means of building trust throughout
the organization. Single ASAP reports can generate safety risk
management action if they reveal a hazard of high severity and high
likelihood. Further, analysis of the aggregate ASAP data can also
reveal trends that lead to safety risk management action. ASAP reports
often serve as an indicator that risk controls are effective, or they
may reveal that risk controls are not effective. Reports accepted into
ASAP are protected from disclosure under the provisions of 14 CFR part
193, Protection of Voluntarily Submitted Information.
ASAP programs typically only cover selected employee groups. Even
the largest air carriers do not have ASAPs that encompass all of their
employees. Typically, each employee group ASAP has an event review
committee (ERC) designed to take in data from employees, analyze the
data, and develop corrective actions. The ERC consists of members of
the air carrier's management team, the FAA's certificate management
organization, and if applicable, the employee group's representative.
The ERC considers each ASAP report for acceptance or denial, and if
accepted, analyzes the report to determine the necessary controls to
put into effect. ASAP is a good example of a confidential employee
reporting system that an air carrier may develop to comply with the
provisions of the proposed rule. Small carriers would likely not
require such an expansive and complex system. Rather, a simpler
employee reporting system may meet the needs of the smaller carriers.
Further, the proposed SMS requirement for a confidential employee
reporting system spans all employee groups. Thus, even a medium to
large air carrier may be overly burdened by such a requirement if its
current ASAPs do not cover all of its employees who perform aviation-
safety related activities. In this case, the air carrier could use its
existing ASAPs and develop simpler tools or procedures to allow the
employees who are not currently covered under its ASAPs to report
safety issues or concerns.
If the FAA were to require the use of ASAPs, the information
submitted through ASAP would no longer be considered voluntary. As
such, the protections under part 193 would no longer apply. One major
concern of industry regarding a requirement for SMS is the possible
disclosure of critical safety information. Industry is concerned that
if information submitted through ASAP or any other employee reporting
system is subject to disclosure, this would likely have a negative
impact on the willingness of employees to disclose the data. The loss
of these protections under 14 CFR part 193, therefore, would likely
impede the air carrier's ability to gather this critical information
for analysis. Thus, the FAA has determined that ASAP may be one means
for compliance with certain provisions of the SMS, but would not be
necessary to mandate for all air carriers. FAA seeks comments on how
air carriers that are currently voluntarily implementing ASAP programs
could integrate these programs into an SMS plan, and the incremental
costs and benefits of doing so.
Flight Operational Quality Assurance (FOQA). FOQA provides the air
carrier with accurate operational performance information covering all
flights by multiple aircraft types such that single events can be
analyzed or overall patterns of aircraft performance can be seen and
analyzed. FOQA programs provide actual data that can be analyzed in the
aggregate to determine trends specific to aircraft types, local flight
path locations, and overall flight performance trends for the air
carrier industry. FOQA information has proven effective in showing the
need for changing air carrier operating procedures for specific
aircraft fleets, and for changing air traffic control practices at
certain airports with unique traffic pattern limitations. 41 of 90 part
121 carriers have voluntarily implemented FOQA programs, including 22
of 30 part 121 operators
[[Page 68229]]
with a fleet of more than 50 airplanes. The 22 includes seven of the
top eight largest passenger-carrying airlines, which each operate more
than 200 airplanes. To have an FAA approved FOQA program, an air
carrier must meet the requirements described in AC 120-82, Flight
Operational Quality Assurance.\5\
---------------------------------------------------------------------------
\5\ The FOQA program is described in AC 120-82, Flight
Operational Quality Assurance (http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgAdvisoryCircular.nsf/key/AC%20120-82).
---------------------------------------------------------------------------
Since 2005, ICAO Annex 6 part I has included a provision that
commercial air carriers operating airplanes having a maximum gross
takeoff weight in excess of approximately 59,400 lb. ``* * * should
establish and maintain a flight data analysis programme as part of its
safety management system.'' Flight Data Analysis Program (FDAP) is a
general term encompassing a number of means by which routine flight
operations data may be acquired, recorded, analyzed, and shared. FOQA
is one such program. FOQA requires extensive flight data recording
systems which facilitate rapid transfer of recorded data, de-
identification of that data, and agreements between pilot organizations
and the carriers which define how this information may be used.
Further, FOQA requires comprehensive analysis of the information
provided by technically competent staff using specialized equipment to
derive useful safety enhancement opportunities. Although all operators
meet the current regulatory requirements for flight data recording,
many of the recorders used do not meet all the FOQA specifications. The
part 121 fleet is diverse in terms of size, complexity, and age, as
well as the size of the companies that operate them. Many of the older
aircraft would require extensive modifications to adapt them to the
technical requirements of a FOQA program. The investment and expense of
implementing and maintaining such a system exceeds the financial
capability of many smaller carriers.
Since the FOQA voluntary program requirements were established,
technological advancements in lightweight self-contained flight data
monitoring and recording systems have been developed that may provide
alternative, cost effective means for accomplishing the same purpose as
a FOQA. An air carrier may wish to acquire these tools rather than
those necessary for FOQA and develop its own procedures to collect
flight operational data for analysis. An air carrier may also choose a
combination of tools, such as preflight risk assessment checklists and
existing flight data recorders, to collect information on flight
operational data. There are a number of ways to collect this
information and the FAA does not believe it is appropriate to prescribe
the exact method for collection and analysis of this type of data. The
air carrier should develop and implement the processes and procedures
suitable to the complexity and needs of its organization to identify
hazards and assess risk to its operation. In addition, like ASAP, the
FAA has determined that it is appropriate to protect certain
information collected under FOQA from disclosure. If the FAA were to
require FOQA this protection would be lost. Thus, while FOQA is an
excellent tool for some air carriers and may be used as a process or
procedure in the air carrier's SMS, this proposal would not require it
for all certificate holders conducting operations under part 121. FAA
seeks comments on how air carriers that are currently voluntarily
implementing FOQA programs could integrate these programs into an SMS
plan, and the incremental costs and benefits of doing so.
Line Operations Safety Audit (LOSA). The Line Operations Safety
Audit (LOSA) is a voluntary safety audit focused on the discovery,
mitigation, and management of human error in aviation operations. LOSA
audits are mainly conducted for crewmembers and are performed in actual
in-flight conditions. Thus, they provide a real-time assessment of
system operations. During the flight, trained observers record any
potential threats to safety, how a flightcrew handled the hazard and
any errors the flightcrew committed in managing a threat. They may also
document behaviors known to cause accidents or incidents.
Under LOSA programs, the certificate holder collects the data
concerning the flightcrew's performance. While an air carrier may elect
to share the results of a LOSA with the FAA, there is no requirement to
do so. Data obtained from the LOSA can be used to modify the air
carrier's training or other operational programs or procedures and
shape basic organizational strategies to prevent accidents and
incidents. The certificate holder may use the audit results to create
better safety practices by improving operational processes and
documentation, such as revising checklists, flight operations manuals,
quick reaction handbooks, and developing training curricula for flight,
maintenance, and ramp personnel.
In order to implement a LOSA program, significant resources are
required. The air carrier would need to develop and produce the program
and its associated materials. The following elements are part of LOSA:
(1) Training check airmen or other observers on how to conduct the
observations and data collection, (2) developing and maintaining
schedules for LOSA observations, (3) staff time for observer preflight
preparation, (4) in-flight observation, (5) post-flight briefing, (6)
data transfer and entry, (7) information management software costs
(software and staff time for data entry and database management), and
(8) development and administration of data analysis processes. LOSA
programs may be very complex and expensive. Air carriers that have not
implemented a voluntary LOSA may be using audit tools that are more
appropriately scaled to the size of their operation. Because there may
be other, more effective means for conducting these audits, the FAA
does not believe it is necessary to limit an air carrier to conducting
audits and collecting data through a specific program like LOSA.
Rather, the FAA has determined that participating in a LOSA program,
may be one acceptable means to comply with the requirements of this
proposal. FAA seeks comments on how air carriers that are currently
voluntarily implementing LOSA programs could integrate these programs
into an SMS plan, and the incremental costs and benefits of doing so.
Advanced Qualification Program (AQP). AQP is an alternative method
for developing training and testing materials for pilots, flight
attendants, and aircraft dispatchers based on instructional systems
design, advanced simulation equipment, and comprehensive data analysis
to continuously validate curriculums. Although the FAA considers AQP to
be an effective voluntary alternative for compliance with minimum
training and qualification requirements, the FAA does not believe that
it is appropriate to require all air carriers to train under AQP as
part of their SMS processes and procedures. The FAA recognizes that AQP
may not be appropriate for every certificate holder. The AQP is a
voluntary program established to allow a greater degree of regulatory
flexibility in the approval of innovative training programs. Based on a
documented analysis of operational requirements, a certificate holder
under AQP may propose to depart from the traditional practices with
respect to what, how, when, and where training and testing is
conducted. Detailed AQP documentation requirements, data collection,
and analysis provide the FAA and the operator with the tools
[[Page 68230]]
necessary to adequately monitor and administer an AQP. (See 14 CFR Part
121, subpart Y, paragraphs 121.901-121.925).
As mentioned above, AQP may not be appropriate for all certificate
holders. Some air carriers may prefer the structured requirements of a
traditional training program to the analytically-driven AQP program.
Other air carriers that use contract training facilities may not find
AQP to be a suitable alternative to traditional training requirements.
The FAA also acknowledges that to get the most benefit from AQP, a
stable work force and route structure is necessary. Therefore, for
those air carriers that have a higher turnover in their pilot ranks or
conduct supplemental operations where the routes may vary, AQP may not
be appropriate. Thus, this proposal would not require all air carriers
to implement AQP as the method for training its flightcrew members,
flight attendants, aircraft dispatchers, and other operations
personnel. FAA seeks comments on how air carriers that are currently
voluntarily implementing AQP programs could integrate these programs
into an SMS plan, and the incremental costs and benefits of doing so.
D. International Harmonization
In March 2006, ICAO amended Annex 6 part I--which addresses the
operation of airplanes in international commercial air transport.
Member states agreed to establish an SMS requirement for air carriers.
The SMS, as outlined in this Annex, includes processes to identify
safety hazards and ensure the implementation of risk controls and
corrective actions necessary to maintain safety performance. The Annex
also aims for improvement of the overall safety performance of the
organization, with clearly defined lines of safety accountability
throughout the operator's organization. Member states agreed to
initiate compliance with amendments to Annex 6 part I by January 1,
2009.\6\ If adopted, the provisions in this rule would conform to these
ICAO agreements.
---------------------------------------------------------------------------
\6\ On December 15, 2008, the FAA filed a difference to the SMS
standard because the agency had not formally initiated rulemaking.
---------------------------------------------------------------------------
ICAO provides that each ICAO member state is the judge of whether
its national SMS rules provide an acceptable level of safety. The FAA
solicits comments on whether the SMS rules proposed in this NPRM could
serve as a suitable basis for achieving an international harmonized
regime.
E. National Transportation Safety Board (NTSB) Recommendations
The NTSB first recommended safety management systems in 1997,
through recommendations aimed at improving safety in the maritime
industry. Since then, a number of NTSB investigations related to other
modes of transportation, including aviation, have cited organizational
factors contributing to accidents and have recommended SMS as a way to
prevent future accidents and improve safety. The NTSB first offered an
SMS recommendation for part 121 air carriers (A-07-10) to the FAA after
its investigation of the October 14, 2004 accident of Pinnacle Airlines
flight 3701.
Pinnacle Airlines flight 3701 was on a repositioning flight between
Little Rock National Airport and Minneapolis-St. Paul International
Airport when both engines flamed out after a pilot-induced aerodynamic
stall at high altitude. The pilots were unable to regain control, and
the aircraft crashed in a residential area south of Jefferson City,
Missouri. The NTSB's investigation revealed ``the accident was the
result of poorly performing pilots who intentionally deviated from
standard operating procedures and basic airmanship.'' The NTSB further
stated ``operators have the responsibility for a flightcrew's cockpit
discipline and adherence to standard operating procedures'' and offered
an SMS as a means to help air carriers ensure safety. The NTSB formally
recommended the FAA ``require all 14 CFR part 121 operators establish
Safety Management System programs.'' NTSB Safety Recommendation A-07-10
(January 23, 2007). That recommendation recognized that ``air carriers
need to ensure safety through a formalized system safety process. One
such process is a safety management system program, which incorporates
proactive safety methods for air carriers to identify hazards, mitigate
risk, and monitor the extent that the carriers are meeting their
objectives.'' Id. at p. 12. The NTSB recommended the FAA pursue
rulemaking to require commercial operators to implement an SMS. In
discussing this recommendation, the NTSB noted it would evaluate any
rulemaking proposal based on ICAO's minimum requirement: ``(a)
Identifies safety hazards; (b) ensures that remedial action necessary
to maintain an acceptable level of safety is implemented; (c) provides
for continuous monitoring and regular assessment of the safety level
achieved; and (d) aims to make continuous improvement to the overall
level of safety.'' Id. Adoption of this proposal would address this
NTSB recommendation.
F. FAA Aviation Safety (AVS) SMS Actions
Guidance Materials. This rulemaking would also codify existing FAA
SMS guidance material. In June 2006, FAA Flight Standards published
Advisory Circular, AC 120-92, Introduction to Safety Management Systems
for Air Operators based on the Joint Planning and Development Office
(JPDO) SMS Standard.\7\ The FAA also used this work to develop internal
guidance, using SMS principles, and incorporated them in FAA Order
8000.369, Safety Management System Guidance and FAA Order VS 8000.367,
Aviation Safety (AVS) Safety Management System Requirements. AC 120-92
was revised in August 2010 to become AC 120-92A to reflect the ICAO
framework. This proposal is based on the guidance material in AC-120-
92A and FAA Orders, as well as the ICAO SMS framework and guidance in
the ICAO Safety Management Manual.\8\ Copies of these documents are
available in the docket for this rulemaking.
---------------------------------------------------------------------------
\7\ http://www.jpdo.gov/library/InformationPapers/JPDO_SMS_SPC_v1_4.pdf.
\8\ See ICAO, Safety Management Manual, at 6.5.3 ICAO Doc. 9859-
AN/474 (2nd ed. 2009) (http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf).
---------------------------------------------------------------------------
SMS Pilot Project. To assist operators choosing to implement SMS
voluntarily, the FAA initiated an SMS Pilot Project. The program, which
currently includes 26 part 121 air carriers of varying sizes and
complexities, allows these certificate holders and their FAA oversight
organizations to learn the means of applying SMS to their unique
management and environmental conditions and to demonstrate their
commitment to comply with international standards. The SMS pilot
projects have provided experience in implementation and oversight
processes. Lessons the FAA has learned from the pilot projects include
findings in the areas of management involvement, training requirements,
gap analysis and implementation planning, and the development of risk
tools.
Advanced Notice of Proposed Rulemaking (ANPRM). In addition to the
pilot project, the FAA also issued an ANPRM on July 23, 2009 (74 FR
36414), soliciting comments on the appropriate applicability and scope
of a potential SMS rule. The ANPRM requested information from air
carriers, operators conducting charters, maintenance repair stations,
and design and manufacturing organizations on their experiences with
SMS; the costs associated with
[[Page 68231]]
implementing SMS in their organization; and recommendations for
documentation, recordkeeping, data collection and sharing, and training
requirements necessary for implementation of an SMS. The FAA received
89 comments in response to the ANPRM from a variety of commenters,
including air carriers, aircraft design and manufacturing
organizations, service facilities, trade associations, and private
citizens.
Seven part 121 operators and six trade associations representing
the 121 operators or their employees submitted comments in response to
the ANPRM. Each of the seven 121 operators said it has an SMS or a
system with some SMS components. Six of the seven operators reported
positive results after applying SMS to their operations. Operators
reported improving their safety performance and regulatory compliance
by improving their ability to detect possible nonconformities to
policies and regulations before an accident or serious incident occurs.
One commenter stated that by implementing SMS the organization has
``seen some successes in reducing risk, decreasing operating costs, and
managing safety through a structured process.''
An SMS requires that organizations identify hazards and address the
risk associated with the products or services they provide. It also
requires documenting the decisions made to address safety risk.
Commenters expressed concern that this information could be
misinterpreted or mischaracterized and they stressed the need to
protect SMS data.
A majority of the commenters recommended the FAA issue a
performance-based regulation, consistent with the ICAO framework, which
would allow organizations flexibility in how they meet the standards,
and enable them to integrate their existing systems into an SMS rather
than requiring a stand-alone system. Commenters also said the
requirements should be scalable to accommodate organizations that vary
in size, complexity, structure, and focus. Some commenters recognized a
need for SMS for part 135 operators and part 145 repair stations, and
design and manufacturing organizations based on the ICAO requirements
for these sectors of the industry. This rulemaking, however, focuses
only on certificate holders conducting operations under part 121.
Aviation Rulemaking Committee (ARC). On February 12, 2009, the FAA
chartered the SMS ARC to solicit recommendations from industry experts
on the scope of this rulemaking. The ARC is comprised of
representatives from air carriers, maintenance organizations, and
design and manufacturing organizations and associations. On March 31,
2010, the ARC submitted its report to the FAA with the recommendations
summarized in the paragraphs below.
The ARC recommended that the FAA SMS regulations and guidance be
closely aligned and consistent with the ICAO SMS framework to allow for
ease of acceptance of an organization's SMS by a foreign civil aviation
authority. The ARC also recommended that the SMS rule apply to
organizations subject to 14 CFR parts 21, 119, 121, 125, 135, 141, 142,
and 145 as listed in the ANPRM, as well as 14 CFR part 91, subpart K,
to ensure consistency of applicability with ICAO's SMS Framework.
Furthermore, it suggested that an SMS regulation should acknowledge and
permit incorporation of existing voluntary and regulatory (e.g., CASS)
safety management efforts that fit, or that could be adapted to fit,
the SMS construct. For air carriers, such programs include aviation
safety action programs, flight operational quality assurance programs,
line operations safety audits, and quality management systems. To avoid
duplicative practices, the ARC stressed the importance of allowing
organizations to build upon these existing systems and processes rather
than requiring them to build a whole new safety system. For example,
rather than mandate a separate manual outlining the air carrier's SMS,
the air carrier should have the option of either developing a new
manual or including it in the manual required by Sec. 121.133. This
flexibility would allow the certificate holder to document the SMS in
the way that best fits its operations while still providing the FAA
appropriate insight into the organization's SMS for assessment and
oversight. In addition, the ARC asserted that SMS should not be an add-
on to the organization's operational system but rather part of the
operational system.
In acknowledging a potential significant impact of an SMS rule on
small businesses, the ARC stressed the importance of creating a
regulatory framework that is scalable and flexible to accommodate a
broad range of organizations, from small operators and manufacturers to
large organizations holding multiple types of FAA certificates or
approvals. This would ensure that the level of SMS-required complexity
imposed on a small organization would not interfere with the company's
ability to pursue its business, or impose a degree of SMS data analysis
that would result in insufficient time left to develop, implement and
monitor risk mitigation procedures. It also recommended the FAA
consider alternative strategies for SMS implementation, such as
continuing with the voluntary program for operators that engage in
international commercial activity.
The ARC was also concerned with the protection of SMS safety
information and proprietary data. Therefore, it noted that there should
be protection of safety information and proprietary data from
disclosure and use for other purposes. Safety information is vitally
important to an SMS. Without the development, documentation, and
sharing of safety information SMS benefits will not be fully realized.
According to the ARC, protecting safety information from use in
litigation (discovery), Freedom of Information Act (FOIA) requests, and
FAA enforcement action is necessary to ensure the availability of this
information, which is essential to SMS. The ARC recommended either a
new regulation or a revision and strengthening of existing part 193,
Protection of Voluntarily Submitted Information, to include SMS
information. Further, the ARC recommended that the FAA establish policy
or regulation which provides limits on enforcement action applicable to
information that is identified or produced by an SMS.
The ARC recommended that the FAA ensure that sufficient planning,
policy and guidance, and workforce training be in place prior to SMS
implementation to accommodate efficient, timely, objective and
consistent assessment and oversight of SMS. To accomplish this, the ARC
also suggested a phased promulgation of extending the applicability of
a set of general SMS requirements to different populations. For
example, the ARC recommended extending the set of general requirements
to part 121 operators first, followed by part 135 operators and part
145 repair stations conducting maintenance for part 121 and part 135
operators, and extending the requirements to regulated entities under
part 21 as part of the last phase of implementation. The ARC noted that
this phased promulgation would allow earlier deployment of new
regulations in the area of greatest operational exposure and greatest
implementation experience, while allowing the necessary time for the
development of sector-specific guidance and operation of pilot programs
for remaining certificate and approval holders. For example, the design
and manufacturing community has less experience in applying SMS than
many commercial operators that are participating in SMS
[[Page 68232]]
pilot projects with AFS. The ARC has recommended that the FAA sponsor
an SMS pilot program within the design and manufacturing sector to
further develop implementation experience.
In addition to the phased promulgation of the applicability of SMS
requirements, the ARC also recommended a phased implementation of SMS
requirements within individual companies. For example, the first stage
of implementation would require an implementation plan to be completed
six months after the effective date of a final rule, with the next
level focusing on implementing safety risk management processes. The
next level would focus on the proactive and predictive processes in
safety assurance.
A copy of the ARC's recommendations is available for review in the
docket for this rulemaking.
III. Discussion of the Proposal
A. General Requirements
Applicability. The FAA proposes to add a new part 5 to title 14 of
the CFR, creating the general framework for an SMS that a part 121 air
carrier may adapt to fit the needs of its operation. The new part 5 is
modeled after the International Civil Aviation Organization (ICAO)
framework in Annex 6, Operation of Aircraft, which was adopted in March
2006 and is designed for broad application. It is also consistent with
the ARC's recommendations to use the ICAO framework and develop SMS
requirements that are scalable and flexible to accommodate all business
models. Therefore, the proposed requirements are meant to be applicable
to organizations of various sizes and complexities, as well as
adaptable to fit the different types of organizations in the air
transportation system and operations within an individual company. The
proposed SMS construct is also consistent with AC-120-92A, Safety
Management Systems for Aviation Service Providers, and FAA Order
8000.367, Aviation Safety (AVS) Safety Management System (SMS)
Requirements.
Although this proposal extends only to part 121 operators, the FAA
has developed these general requirements with the intent that in the
future, they could be applied to other FAA-regulated entities, such as
part 135 operators, part 145 repair stations, and part 21 aircraft
design and manufacturing organizations and approval holders, consistent
with ICAO requirements.\9\ This proposal also acknowledges the SMS
ARC's recommendation for phased promulgation of SMS regulations to
apply SMS requirements to certificate holders under different parts of
title 14 of the CFR in successive phases. The FAA solicits comments on
possible future application of these general requirements.
---------------------------------------------------------------------------
\9\ Amendment 33 to Annex 6 part 1 addresses part 121, 135, and
145 operations. It has a compliance date of November 18, 2010 and
was announced in State Letter AN 11/1.3.19-06/34 24 (March 2006).
Amendment 101 to Annex 8 addresses Design and Manufacturing. It has
a compliance date of November 14, 2013 and was announced in State
Letter AN 3/5.6-09/21 (April 3, 2009).
---------------------------------------------------------------------------
In addition, it is not the FAA's intent that this rule would result
in contractors or subcontractors, or entities not directly regulated by
the FAA, being required to develop an SMS. Current processes require
air carriers to ensure that the employees or businesses with whom they
contract to conduct training or maintenance activities on their behalf
are qualified, capable, and have the necessary equipment and facilities
to perform the work. This proposal would not expand these existing
requirements. However, the FAA seeks specific comment on the potential
impact of a trickle down effect of this proposal to these entities.
Scalable and Flexible. The proposed SMS regulation is designed as a
performance based regulation. It requires a number of processes (for
safety policy, safety risk management, safety assurance, and safety
promotion) which are flexible, and can be tailored to provide relevant,
yet robust management systems for each carrier. The SMS provides a
framework for safety decision making by requiring structured processes
for gathering and using information necessary to make sound management
decisions. Because the part 121 air carrier population is extremely
diverse in complexity related to both aircraft fleet sizes and numbers
of employees, this proposal was designed to accommodate a variety of
business models and sizes.
The components of SMS are scalable relative to the size and
complexity of the operator. For instance, the objective of safety risk
management is the same regardless of the size of the carrier. That
objective is to understand the operations and the tools and processes
used to accomplish the work. While specialists in information
technology and statistical analysis may be necessary in large,
sophisticated carriers' operations, the safety risk management steps
could be accomplished by the management and employees of even the
smallest organization. For smaller operators, this process need not
employ sophisticated techniques or be overly detailed. For example, a
whiteboard, pencil, and paper, may be all that are needed to consider,
analyze, and record the characteristics of the systems. Likewise,
recording and tracking the results of the safety risk management
process need not be extensive or overly sophisticated. They may be
captured with paper records or simple electronic files using common
word processing or spreadsheet applications.
The safety assurance processes can also be scaled to the size and
complexity of the operator. Its purpose is to provide key managers with
only the information that they need to assure that the risk controls
they have implemented remain valid and their processes are on track. An
organization would determine what audit tools are needed to acquire
only the information that it needs to maintain compliance with CFRs and
company policies and procedures, e.g., airplane inspection intervals,
open Minimum Equipment List (MEL) items, pilot training, and checking
intervals, and dates and other key information. Internal evaluation and
management review processes are used to evaluate the performance of
major systems (i.e., flight operations, training, maintenance,
inspection, and engineering, etc.). All part 121 carriers have a
Continuing Analysis and Surveillance system (CASS) required by 14 CFR
121.373. Most companies have Internal Evaluation Programs based on
guidance in AC 120-59A, Air Carrier Internal Evaluation Programs, and
other audit structures. These existing programs would likely satisfy
the safety assurance requirements in this proposal. In very small
companies, these may be performed personally by senior managers,
specialist personnel, the Director of Safety, or the Chief Inspector
required by 14 CFR 119.65. Analysis of audits, evaluations, employee
reports, and internal investigations may be as simple as reading
narratives, simple trend analysis of problems, and discussion among key
management personnel.
The safety management system may be adapted and scalable based on
the complexity of the air carrier's operations. For example, some air
carriers may have multiple certificates, authorizing them to conduct
flight operations and also perform aircraft maintenance for other
organizations. These air carriers may only want to implement one SMS
that encompasses all of these aviation-related safety activities, and
some may want to expand SMS to encompass all activities of the
business. As another example, some certificate holders only have a few
aircraft and service a limited area. These certificate holders may
choose to
[[Page 68233]]
implement a smaller, simpler SMS consistent with requirements, but
sized and designed for their operation. The FAA invites comments on how
air carriers may approach the design and implementation of their SMS.
The previous discussion indicates that certificate holders could
comply with the proposed SMS requirements through a variety of means.
The FAA intends these proposed requirements to be scalable and flexible
to the size and complexity of the certificate holder's organization. In
addition, the FAA also recognizes that certificate holders may already
have systems and processes in place that meet the proposed SMS
requirements. The FAA believes these systems and processes could easily
be incorporated into an SMS and does not intend to create duplicative
burdens. The FAA requests comments specifically identifying how the FAA
could clarify or improve the incorporation of existing systems and
processes into an SMS to improve the efficiency, scalability, and
flexibility of this proposal.
Compliance with other Regulatory and Statutory Requirements. The
SMS requirements, as described in this section, would not be considered
a substitute for compliance with existing technical and performance
standards. Technical and performance standards would still be
considered the baseline for safety performance. These general
requirements for SMS would require air carriers to be able to
demonstrate their capability to assess and control risk in their highly
variable individual operational environments. While several air
carriers currently may be in the process of implementing, or have
implemented an SMS in accordance with FAA guidance material, these air
carriers would need to ensure their system meets the regulatory
requirements set forth in this proposal, and follow the same process
for acceptance as an air carrier who is implementing SMS for the first
time. The SMS may be adapted and scaled based on the complexity of the
airline operations. If the FAA agrees that all regulatory requirements
are met, the implementation plan will be approved. This includes all
air carriers participating in the FAA's SMS Pilot Project.
Under new Sec. 5.1, the FAA would require each air carrier to
develop an SMS to include the four SMS components: Safety policy,
safety risk management, safety assurance, and safety promotion. To
support each component, the FAA proposes a certificate holder implement
a number of processes contained in the proposed subparts for each
component. Together, the four components and their underlying elements
and processes provide the general framework for an organization-wide
safety management approach to air carrier operations. To the extent
possible, air carriers may leverage existing voluntary and required
programs by integrating these activities and existing information
collection streams into their SMS system and plans.
Protection of Data. The ARC, as well as several commenters to the
ANPRM, raised concerns regarding the protection of data submitted
through the SMS. The ARC recommended the FAA revise current
requirements under 14 CFR part 193, Protection of Voluntarily Submitted
Information, to protect any SMS data from disclosure. In this proposal,
the FAA would not require the submission of any SMS data. Rather, the
certificate holder must make its documentation available for inspection
to determine whether the certificate holder has implemented and is
maintaining an SMS that meets the requirements of part 5. Existing
protections for voluntary programs such as Aviation Safety Action
Program (ASAP) and Flight Operational Quality Assurance (FOQA) data
would still apply as the FAA is not mandating these programs. However,
at this time, the FAA would not extend the protections of part 193
beyond those afforded to current voluntary programs. The FAA invites
comment on the protection of safety data and on potential information
architectures which could allow carriers to collect information while
reducing disclosure concerns.
Implementation and Compliance. Under this proposal, current
certificate holders, within six months of the effective date of the
final rule, would be required under Sec. 119.8 to submit an
implementation plan for approval that ensures the certificate holder's
SMS would be fully operational within three years of the effective date
of the final rule. Under the implementation plan, the certificate
holder may decide to gradually phase-in the requirements of this rule
over the three-year period consistent with the current process in the
FAA SMS Pilot Project. A copy of this implementation process is
provided in the draft advisory circular that is available for review in
the docket for this rulemaking. An air carrier is not required to
follow this format for implementation, but rather should develop a plan
for implementation that meets the needs of its organization.
Many air carriers may already be in the process of developing an
SMS in accordance with existing guidance material or otherwise have
some elements of SMS in existence. In developing the implementation
plan, air carriers should review existing programs to identify elements
already in place that comply with provisions of part 5 and plan for
implementation. Experience in the SMS Pilot Projects has found that
this process is necessary to identify gaps in processes and management
controls, documentation that is not up to date or is incomplete, and
vague interfaces between processes or departments. The implementation
planning and SMS documentation have helped to bring improvements in
these areas. Thus, as proposed, the implementation plan should cover
all the proposed part 5 requirements across all of the aviation safety-
related operational processes of the company.
This plan would be submitted to the air carrier's certificate-
holding district office, and approval of the plan would be coordinated
with the SMS Program Office within the Flight Standards Service,
Certification & Surveillance Division (AFS-900). In addition, anyone
who submits a certification application under Sec. 119.35 to conduct
operations under part 121 would be required to demonstrate that it has
incorporated an SMS that meets the requirements of part 5.
Although the implementation plan must be approved, the FAA has
proposed, under Sec. 5.3, that the certificate holder's SMS would have
to be accepted by the FAA. Given the dynamic nature of an air carrier's
operating environment, the air carrier needs to be able to continuously
improve its SMS, rather than wait for approval of the proposed change
before taking necessary action. Acceptance of the SMS would allow the
organization to proceed with implementation of necessary changes while
the FAA reviews SMS documentation to determine whether the air carrier
has met the requirements of this rule. Upon review, if the FAA
determines that changes must be made to the SMS, the air carrier would
be responsible for making those changes. This process for acceptance
would allow the air carrier the flexibility necessary to continuously
monitor and adapt its SMS to address emerging safety concerns in its
operating environment.
B. Safety Policy
Subpart B sets forth the requirements for the certificate holder's
safety policy, the foundation of the SMS. All organizations must define
policies, procedures, and organizational structures to accomplish their
safety objectives and goals. It is important to
[[Page 68234]]
have a documented safety policy to assure all employees of the
organization of management's commitment to achieving the organization's
safety objectives. A documented safety policy also ensures that all
employees are aware of their own role in maintaining the safety
objectives of the company. Thus, proposed Sec. 5.21 would require a
documented safety policy statement that establishes the organization's
safety objectives, provides for a safety reporting policy, defines
unacceptable behavior and conditions for disciplinary action, and
establishes standard operating procedures for transitioning from normal
to emergency operations.
A key aspect of the documented safety policy is the confidential
safety reporting policy requirement proposed in Sec. 5.21(a)(4). This
requirement is distinguishable from the disciplinary action policy
requirement proposed in Sec. 5.21(a)(5) in that the safety reporting
policy must allow employees to report unsafe working conditions or
equipment for correction without fear of reprisal by either management
or labor groups within the organization. As discussed earlier, many air
carriers may already meet part of this safety reporting policy
requirement by having an ASAP in place for selected employee groups.
ASAP, as described in AC 120-66B, Aviation Safety Action Program,
(November 15, 2002), allows certain safety issues to be addressed
through corrective action rather than through disciplinary or
enforcement action. Under ASAP, corrective action may be taken for
inadvertent regulatory violations that do not appear to involve an
intentional disregard for safety and events that do not appear to
involve criminal activity, substance or controlled substance abuse, or
intentional falsification. A corrective action is developed by the air
carrier which may include training or education on an issue or changes
to operational procedures to prevent a future occurrence of the same
safety problem. These same concepts, inherent in ASAP, may be relevant
for consideration by an air carrier who has not implemented an ASAP in
developing a safety reporting policy pursuant to proposed Sec. 5.21.
As discussed previously, the FAA would not mandate that each air
carrier implement an ASAP because the complexity of ASAP may not fit
all air carriers or their FAA oversight organizations. However, if an
air carrier has an ASAP in place or wishes to develop an ASAP, the FAA
would view this program as one means of compliance with the proposed
safety reporting policy requirement for the employee group(s) covered
by the ASAP program(s).
Just as the safety reporting policy must describe those types of
events that can be reported without fear of reprisal, the disciplinary
policy proposed under Sec. 5.21(a)(5) would require the air carrier to
define unacceptable behaviors and conditions for disciplinary action.
Some examples to consider, which are currently included in ASAP
programs as described in AC-120-66B, include an intentional disregard
for safety, suspected criminal activity, and substance abuse, as well
as those instances when employees fail to complete a corrective action
developed by the air carrier to address a safety hazard.
Consistent with the ICAO framework, the FAA is proposing, as part
of the documented safety policy, to include emergency response
planning. Emergency response planning provides the basis for a
systematic approach to managing the organization's operations in the
aftermath of a significant unplanned event or during an ongoing
emergency situation. The overall objective is the safe continuation of
operations and the return to normal operations as soon as possible. It
is an important element of an SMS because in the transition from normal
to emergency operations and back again, additional risk may be
introduced and the organization should be monitoring and taking action
to mitigate those risks. An effective emergency response also provides
an opportunity to develop and apply learned safety lessons.
The type of commitment required by the safety policy mandates the
active engagement of all employees in the safety performance of the
organization and, in particular, specific safety responsibilities of
management officials. Direct, personal involvement on the part of all
levels of management is a bedrock principle of any management system.
However, experience in the SMS Pilot Project has indicated that this is
not universally and commonly understood. To ensure this type of
engagement, Sec. 5.23 would require the air carrier to clearly define
all employees' responsibilities for the safety performance of the
organization, from line staff to executive management. Clearly
delineating safety responsibilities throughout the organization is a
foundational characteristic of any management system. It also allows
for greater communication and integration of practices and procedures
employed throughout the organization, resulting in effective management
of the air carrier's operations.
To ensure that executive management is involved in the oversight of
the organization's safety performance, Sec. 5.25 would require the
certificate holder to designate a single accountable executive who has
the final authority over operations and is ultimately responsible for
the safety performance of the air carrier. The accountable executive
would need to be able to organize, direct, and control the
organization's activities, as well as allocate resources to make safety
controls effective. The accountable executive would be required to
develop the documented safety policy proposed under Sec. 5.21,
communicate the policy throughout the organization, and regularly
review the safety policy and safety performance of the organization.
The accountable executive would review safety information to assess the
overall performance of the organization and make necessary changes.
To assist in the collection and analysis of the data, the
accountable executive also would be required to designate a management
representative to monitor the performance of the SMS, facilitate hazard
identification and safety risk analysis, and report regularly to the
accountable executive on the safety performance of the organization.
The FAA does not believe these requirements would necessarily result in
part 121 air carriers hiring new personnel to serve these functions.
The FAA recognizes that many of the daily oversight activities that are
proposed for the management representative are currently being
performed by the required management personnel under 14 CFR 119.65. Any
one of these individuals could be designated to serve in this role.
C. Safety Risk Management
Safety risk management is a core component in an air carrier's SMS.
A comprehensive SMS using safety risk management would provide
management tools for identifying hazards and assessing risk, as well as
developing risk controls to reduce or eliminate risk associated with
the hazards. As proposed in Sec. 5.5, a hazard would be considered a
condition that can lead to injury, illness or death to people; damage
to or loss of a system, equipment, or property; or damage to the
environment. The intent of this subpart is for the certificate holder
to focus on the areas of greatest risk from a safety perspective,
taking into account system complexity and scope of the operations to
develop and implement appropriate risk controls. While each
[[Page 68235]]
certificate holder's safety risk management processes may be unique to
its organizational structure and operating environment, the FAA would
require it to incorporate safety risk management steps as described in
Sec. Sec. 5.53 and 5.55. These steps provide for system analysis,
identifying hazards associated with the system, analyzing the risk
associated with the hazards, assessing risk associated with the
hazards, and controlling the risks of identified hazards when
necessary. These steps are based on the safety risk management
processes in the ICAO framework, as well as AC 120-92A, Safety
Management Systems for Aviation Service Providers, and FAA Orders
8000.367, Aviation Safety (AVS) Safety Management System Requirements
and 8000.369, Safety Management System Guidance.
Proposed Sec. 5.51 establishes when an air carrier would need to
apply safety risk management processes and procedures to systems to
assess the hazards and risk associated with the systems. An air carrier
may learn of a hazard from a variety of sources, such as voluntary
reporting systems, industry alerts from the FAA or manufacturers, or
from internal assessments and audits. The system in which the hazard
lies may be a small scale system that is easily defined, such as the
development of maintenance (M) and operational (O) items for
consideration to add an individual aircraft system to a Minimum
Equipment List (MEL), or it may be a system large in scope that may
have multiple hazards, like the addition of a new fleet of aircraft.
Whenever a new system is implemented (e.g., new crew scheduling
software), or an existing system is revised (e.g., a change to a
training program), or new operational procedures are developed (e.g.,
changes in cockpit checklists or maintenance work procedures), safety
risk management would be applied to ensure that hazards are identified
and proper controls are put in place to mitigate the risk associated
with them. Safety risk management would also be applied to analyze new
hazards or ineffective risk controls that are identified under the
safety assurance processes in subpart D of the new part 5.
It is not the intent of this proposed rule to require the
application of safety risk management processes and procedures to
activities that are not related to aviation operations. As an example,
safety risk management would not be necessary when changing accounting
practices or administrative computer software. Similarly, the FAA does
not intend for an air carrier to apply safety risk management processes
retroactively to established systems and processes. However, carriers
may need to use the safety risk management process to review processes
for which problems have been found in the past. For example, an air
carrier would initiate safety risk management after learning that
deicing operations at a particular airport are not effective. In that
case, the air carrier would use safety risk management to analyze the
deicing operation. First, it would review the deicing system to
understand how it functions, to include the personnel responsible for
deicing, the air carrier's guidance, processes, and training regarding
deicing, as well as the deicing equipment that is used. Once the air
carrier has an understanding of the system, the air carrier should be
able to identify hazards and assess the risk associated with those
hazards and make the necessary changes to the deicing system to control
those risks. As a result of safety risk management, the air carrier may
determine that controls such as implementing additional training,
requiring inspection of the equipment, or revising operating procedures
would be needed to control the risk in the deicing operation. Contrast
this simple system with an air carrier that is changing its business
model from conducting domestic operations in medium class turbo-prop
aircraft to conducting international flights in turbojet aircraft. In
this case, the systems involved are more numerous and more complex. The
air carrier would apply safety risk management by defining the systems
involved (i.e., flight operations, operational control and dispatch,
maintenance, ground operations and servicing) and would review items
such as the operating requirements for the aircraft as defined in title
14 of the CFR, the crewmember qualification and training requirements
for the new aircraft, the operating limitations of the aircraft, and
the proposed route structure for the international flights. While the
existing regulations that govern these kinds of operations would serve
as the primary risk controls for the proposed operations, the air
carrier would use safety risk management to establish any additional
risk controls to mitigate risks identified as a result of defining and
analyzing the system and to design systems that incorporate the
regulations in a way that best achieves their intent in terms of risk
reduction.
The first step of safety risk management is analyzing the system.
Once an air carrier determines that the processes of safety risk
management have been triggered under proposed Sec. 5.51, it would
conduct a system analysis, as required by Sec. 5.53. The system
analysis, also referred to as the system description in the ICAO Safety
Management Manual, serves as the initial source for hazard
identification when new systems are designed, when systems are revised,
or when operational procedures are developed. The system analysis
processes must ensure that information regarding the function and
purpose of the system, the system's operating environment, and the
personnel, equipment and facilities that the system requires for
operation, is analyzed so that hazards may be appropriately identified.
While the system analysis should be documented, no particular format is
required. The system analysis could provide the basis for the
development of the operator's manual system required by Sec. 121.133,
as well as checklists and other job aids, organizational charts, and
personnel position descriptions. A typical functional breakdown of
operational and support processes for air operators might include:
Flight operations;
Dispatch/flight following;
Maintenance and inspection;
Cabin safety;
Ground handling and servicing;
Cargo handling; and
Training.
Long and excessively detailed system analyses are not necessary,
provided they are sufficiently detailed to perform hazard and risk
analyses.
The second step of safety risk management, set forth in Sec.
5.53(b), would allow a certificate holder to identify hazards in a
systematic way based on the system analyses conducted in the first step
of safety risk management. While identification of every possible
hazard would be unlikely, aviation service providers would be expected
to exercise due diligence in identifying significant and reasonably
foreseeable hazards related to their operations. A certificate holder
should implement hazard identification processes relative to the
complexity of its management structure and operations. The system
analysis should be used to determine if there is a good integration of
equipment, facilities, personnel, procedures, supervision, training,
and the operational environment and if there are any characteristics of
those system components or other conditions that could compromise
safety. Any such conditions would meet the definition of ``hazards.''
The third step of safety risk management would require the analysis
[[Page 68236]]
of risk to determine the severity and likelihood associated with the
hazards identified in step two of safety risk management. A common tool
used in this analysis for risk decision making and acceptance is a risk
matrix similar to those in the ICAO Safety Management Manual (SMM),\10\
and in Appendix 3 of AC 120-92A (August 12, 2010). A certificate holder
may design a matrix similar to these to categorize the potential
severity of the worst credible projected outcome (consequence) of an
event related to the hazard. For example, a tower or terrain in the
takeoff path of an airport presents a hazard to departing aircraft. The
worst credible event related to these obstacles would be for an
aircraft to collide with it, resulting in loss of the aircraft and loss
of life. Risk matrices typically use levels such as: Catastrophic
(meaning outcome results in multiple fatalities and destroyed
equipment), hazardous (would result in serious injury or death, major
equipment damage), major (would result in injury, serious incident),
minor (would result in minor incident, use of emergency procedures),
and negligible (little consequence). Once the severity of the potential
event has been determined, the certificate holder would then determine
the likelihood of the event, for example, to determine whether the
event is likely to occur frequently, occasionally, remotely, or is
improbable or extremely improbable. Based on these categories, a
likelihood and severity of the occurrence is selected for each hazard.
This is just one method for analyzing hazards. Certificate holders
should develop processes that reflect the complexity of their
operations.
---------------------------------------------------------------------------
\10\ See ICAO, Safety Management Manual, at 6.5.3 ICAO Doc.
9859-AN/474 (2nd ed. 2009). (http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf).
---------------------------------------------------------------------------
The fourth step of safety risk management, risk assessment, first
requires the certificate holder to determine acceptability of safety
risk. The starting foundation for each determination of acceptable
safety risk would be the corresponding regulatory requirements and
technical or performance standards. As indicated in Sec. 5.23, the
certificate holder would be required to identify the levels of
management that are authorized to accept risk. The certificate holder
may opt to use a risk matrix similar to that in Appendix 3 of AC 120-
92A. A risk matrix graphically depicts the various levels of severity
and likelihood as they relate to levels of risk (acceptable, acceptable
with controls, or unacceptable). When the likelihood and severity of a
potential outcome are plotted on the risk matrix, the certificate
holder can see whether the hazard's safety risk is acceptable to the
organization. Generally, as the likelihood and severity increase, the
risk increases. For example, an outcome with an assessed likelihood of
frequent and severity of catastrophic would be classified as an
unacceptable risk in the matrix. The certificate holder would use this
information to determine whether it may accept the risk, accept the
risk provided risk controls are instituted, or whether the risk is too
great and must be avoided.
The final step of safety risk management would require the
certificate holder to develop processes and procedures for the
development and implementation of risk controls. The development of
risk controls is dependent upon the risk assessment conducted under
step four of safety risk management. Risk controls may be additional or
changed procedures, new supervisory controls, addition of
organizational hardware, or software aids, changes to training,
additional, or modified equipment, changes to staffing arrangements, or
any of a number of other system changes. After these controls are
developed but before the system is placed into operation, an assessment
must be made of whether the controls are likely to be effective. This
is also necessary to avoid introducing new hazards to the system. When
the controls are acceptable, the system is placed into operation. The
controls would then be continuously monitored under the processes and
procedures developed under subpart D, Safety Assurance, to ensure they
remain effective.
D. Safety Assurance
An organization needs to ensure that risk controls put into place
under safety risk management continue to be effective in maintaining
risk within the acceptable levels and that the organization's safety
performance is meeting or exceeding its safety objectives. This is
accomplished in the safety assurance component of SMS. Safety assurance
has three purposes: (1) To confirm that risk controls established
during safety risk management are effective; (2) to determine what new
risk controls should be developed if new hazards or changes in risk
levels are revealed, and (3) to take steps to assure the effectiveness
of existing risk controls (e.g., completion of required training by
employees, increased supervisory emphasis). To accomplish this, safety
assurance has three elements: (1) Safety performance monitoring and
measurement (Sec. 5.71); (2) safety performance assessment (Sec.
5.73); and (3) continuous improvement (Sec. 5.75).
The first tool, safety performance monitoring and measuring, would
require the development and maintenance of processes or systems that
monitor system operations and collect data on the performance of the
organization. There are already many sources, processes and systems in
place in air carrier operations that collect this type of data. Some of
these sources are based on current regulatory requirements and programs
that have been voluntarily implemented. The following are just a few
examples of existing processes and systems that would satisfy the
requirements of safety assurance.
[cir] Continuing Analysis and Surveillance System (CASS) (Sec.
121.373). CASS is a currently required system that is used to assure
the performance and effectiveness of maintenance and inspection
programs, to identify deficiencies, and to determine and implement
appropriate action. A typical CASS includes internal auditing of the
maintenance and inspection programs, analysis of the resulting data,
and development of corrective actions to those programs. This system
would be an appropriate process required under subpart D and would be
accepted as one means of complying with the provisions of proposed
Sec. 5.71(a)(1), (2), (3), (5), and (7).
[cir] Line Operations Safety Audit (LOSA): LOSA, as described
previously, is a voluntary program that could provide partial
compliance with the internal auditing requirements of the systems.
[cir] Flight Operational Quality Assurance (FOQA): FOQA, as
discussed previously, could provide information useful to monitor
flight operations and maintenance programs. FOQA could provide data
useful to compliance with the monitoring and measurement provisions of
the proposed rule.
[cir] Internal Evaluation Program (IEP): IEP is a comprehensive
program for evaluating an air carrier's operational systems as well as
its assurance programs. It builds on the auditing programs of the
internal audit function and provides management with an additional
level of assurance that is independent of the operational sub-
organizations' audits and reviews. IEPs are required of carriers who
contract with the Department of Defense but are not currently required
by the FAA. However, many of the auditing and evaluation safety
assurance processes of the proposed rule can be addressed by
[[Page 68237]]
established IEP processes at the carriers who have implemented them.
[cir] Aviation Safety Action Program (ASAP): ASAPs, as discussed
previously, could be used to meet the employee reporting requirements
of the proposed rule for those employee groups covered by the ASAP.
[cir] Voluntary Disclosure Reporting Program (VDRP): VDRP is an FAA
program designed for certificate holders to promptly report regulatory
violations and show that corrective actions were taken to address the
violations. As used in safety assurance, the certificate holder could
track the reports submitted through VDRP, analyze the reports to
identify compliance trends, and develop and report corrective actions.
In addition to these tools that could be used in safety performance
monitoring and measurement, external audits conducted by outside
organizations such as the FAA, the Department of Defense, code-share
partners, industry organizations, or other third parties selected by
the operator provide an excellent source of information regarding the
safety performance of the organization. FAA oversight processes provide
an external source of safety assurance of the carrier's operational
processes and their SMS. Current practices of the Air Transportation
Oversight System (ATOS) are designed to evaluate the design of air
carrier processes and programs prior to certification, approval, or
acceptance. Once systems or programs are in place, FAA inspectors
conduct assessments of the programs' performance based upon FAA's
assessment of risk as well as randomly sampled inspection activities.
Information from these inspections could be used by air carriers to
provide independent assessments of their processes and information on
areas needing improvement. The air carrier's processes (as described in
proposed Sec. Sec. 5.71, 5.73, and 5.75) would be used to process FAA
inspection data, as well as other external audit data. These processes
can also be used to demonstrate the carrier's actions in correcting
problems that are subjects of self disclosures or other regulatory
issues.
If an organization uses an external audit as described above, the
organization should use the audit data to augment the data that the
organization gained with its own tools. The proposed SMS requirements
do not require, however, that operators, especially small scale
operators, hire external auditors to evaluate the safety performance of
their organization. This is just one option that an air carrier of any
size may choose to employ to evaluate its safety performance.
Safety assurance processes would also include investigations as
noted under Sec. 5.71(a)(5). Investigations are a reactive tool aimed
at specific problems or occurrences in an organization and are a good
source of performance data. In an SMS, the objective of investigating
is to identify systemic safety deficiencies rather than to assign
blame. A company's safety performance is enhanced by removing systemic
deficiencies rather than by disciplining individuals who may only have
made an error. Errors are not intentional actions and they are common;
however, they can have negative outcomes. In an SMS, the point is to
prevent the errors from happening or arrange company processes so that
mistakes do not have unfortunate effects. Investigations should be done
with the understanding of the difference between making an error,
committing purposeful harm, or displaying a lack of competence or
qualification.
Employee reporting systems provide another excellent source of
information regarding the performance of the organization. ASAP is just
one example of an employee reporting system that provides specific
types of employees to report safety issues or concerns.
Once the air carrier collects the data through the processes under
proposed Sec. 5.71(a), it must have processes in place to analyze the
data to determine the overall safety performance of the organization.
This step is used to transform raw data into usable information that
can support informed decision making.
The next step in safety assurance, the safety performance
assessment under proposed Sec. 5.73, analyzes the data collected
against the safety objectives established by the air carrier in its
safety policy. This function includes reviews by the accountable
executive, who would review the information and analysis on a regular
basis to ensure the organization's compliance with applicable
regulatory requirements and safety controls established by the air
carrier, to evaluate the performance of the SMS and the effectiveness
of the safety controls, to identify changes in the operational
environments, and to identify potential new hazards or safety issues.
If the assessment reveals new hazards or safety issues, the certificate
holder must initiate the processes under safety risk management to
evaluate and, if necessary, control the risk to its operation.
The last component of safety assurance is continuous improvement
under proposed Sec. 5.75. This step is designed to ensure that the air
carrier is correcting substandard safety performance identified during
the safety performance assessment to continuously improve the
organization's safety performance. The analysis and assessment
functions of safety assurance are essential in alerting the
organization to significant changes in the operating environment,
possibly indicating a need for system change to maintain effective risk
controls. The certificate holder should use safety and quality
practices, audit and evaluation results, analysis of data, corrective
actions, and management reviews developed under this subpart. For
example, the certificate holder would take steps to correct
noncompliance with existing regulatory requirements or safety controls
initiated by the certificate holder.
E. Safety Promotion
An organizational safety effort cannot succeed purely by mandate or
strict implementation of policy. The organizational culture and
individual attitudes set the tone for the organization's safety
performance. An organization's culture consists of the values, beliefs,
mission, goals, and sense of responsibility held by the organization's
members. The culture ties together the organization's policies,
procedures, and processes and provides a sense of purpose to safety
efforts. The fourth component of SMS, safety promotion, seeks to
enhance the safety culture in an organization through increased
employee communication and training.
The safety promotion component requires organizations to ensure
employees throughout the organization are trained and competent to
perform their safety-related job functions. This training may vary
somewhat depending on where in the organization an employee works.
Additionally, it is important for all employees to know how to report
safety concerns and understand that it is their responsibility to do
so. It is not the intent of this rule to establish mandatory training
hours or a prescriptive training program. Rather, the training required
under proposed Sec. 5.91 may be incorporated into the air carrier's
existing training programs, or may be provided separately, as changes
are made to the operating system for which the individual is
responsible. Training may range from formal classroom training to
simple notice alerts when changes are made to update a system. For
these reasons the FAA has determined that it is appropriate for the air
carrier to develop training that meets the needs of the organization,
including
[[Page 68238]]
the content, methods of delivery, and frequency of training.
In addition to training, communication of critical safety
information is essential to building a positive safety culture. The
organization must put in place processes that allow for open
communication among employees and the organization's management. The
organization must make every effort to communicate its goals and
objectives, as well as the current status of its activities and
significant events. Likewise, the organization must supply a means of
communication that fosters an environment of collaboration, trust, and
respect. Thus, proposed Sec. 5.93 would require the certificate holder
to develop and maintain a means for communicating safety information.
F. SMS Documentation and Recordkeeping
Documentation of SMS requirements, processes and procedures, and
outputs is necessary in order for certificate holders to conduct a
meaningful analysis under safety risk management, to review safety
assurance activities, and for the FAA to review for compliance during
inspections. Documentation and recordkeeping also ensure that safety-
related decisions are consistent with safety policies and goals and
provide historical information that can be used to make future safety-
related decisions.
The FAA, therefore, is proposing a set of documentation and
recordkeeping requirements under subpart F of part 5. As proposed in
Sec. 5.91, the air carrier would be required to document its safety
policy and SMS processes and procedures. The safety policy requirements
are described in more detail in proposed Sec. 5.21. Documentation of
the certificate holder's SMS processes and procedures include the steps
involved, methods to be used and associated criteria, objectives,
expected outputs, and outcomes necessary to meet the regulatory
requirements. For instance, proposed Sec. 5.71(a)(3) requires internal
audits. Proposed Sec. 5.95(b) requires that the audit processes and
procedures be documented. This would also include the criteria, scope,
and frequency of the audits.
As proposed in Sec. 5.97, the air carrier would maintain records
of the outputs (risk assessments, implemented risk controls) of safety
risk management and safety assurance processes. Outputs of safety risk
management processes would be retained for as long as they remain
relevant to the operation. For risk assessments, this may mean for as
long as the air carrier engages in that activity. For risk controls, it
may mean for as long as the risk control remains in effect. These
records can be kept either electronically or in paper format. In
addition, the certificate holder would be required to retain outputs of
safety assurance processes for a minimum of five years, and training
and communication records for a minimum of 24 months. The timelines
associated with the retention of these documents ensure that they are
kept for a time period that provides the air carrier with sufficient
historical data to conduct the required analyses and assessments. The
retention requirements are consistent with other retention requirements
in part 121. Furthermore, these are minimum retention requirements. A
certificate holder may retain its documents for longer time periods if
necessary.
IV. Regulatory Notices and Analyses
Paperwork Reduction Act
The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires
that the FAA consider the impact of paperwork and other information
collection burdens imposed on the public. According to the 1995
amendments to the Paperwork Reduction Act (5 CFR 1320.8(b)(2)(vi)), an
agency may not collect or sponsor the collection of information, nor
may it impose an information collection requirement unless it displays
a currently valid Office of Management and Budget (OMB) control number.
This action contains the following proposed new information
collection requirements. As required by the Paperwork Reduction Act of
1995 (44 U.S.C. 3507(d)), the FAA will be submitting these proposed
information collection amendments to OMB for its review and approval
before the information collection related provisions go into effect.
FAA specifically requests comments regarding the cost and staff hours
necessary for information collection and record keeping required under
proposed part 5.
Summary: The new 14 CFR part 5 would require certificate holders
authorized to conduct operations under part 121 to develop and
implement a Safety Management System (SMS) for all of their aviation
safety-related activities. An SMS is a formalized approach to managing
safety by developing an organization-wide safety policy, developing
formal methods of identifying hazards, analyzing, and mitigating risk,
developing methods for ensuring continuous safety improvement, and
creating organization-wide safety promotion strategies. When
systematically applied in an SMS, these activities provide a set of
decision-making tools that certificate holders can use to improve
safety.
Use: Each certificate holder operating under a part 121 certificate
would develop its SMS based on its own unique operating environment.
The FAA expects an SMS comprised of four key components: Safety Policy,
Safety Risk Management, Safety Assurance, and Safety Promotion.
Collection and analysis of safety data is an essential part of an SMS.
In addition, a primary component of an SMS is the publication of safety
policy, which establishes the foundation for the SMS. Two other
essential components of SMS are safety risk management and safety
assurance. The certificate holder is required to maintain records of
the outputs of these processes. Safety promotion is the other component
of SMS. Within it, the certificate holder is required to maintain
training records and records of communications used to promote safety.
However, it is important to note that some part 121 certificate holders
already have and maintain some of these documents and records as a
result of other voluntary or required programs. Finally, because of the
complexity involved in the development and implementation of an SMS, a
phased approach to implementation within the certificate holder's
organization will be used. Part of the initial phase is the development
of an implementation plan, which will guide the certificate holder's
implementation, as well as provide the basis for the FAA's oversight
during the development and implementation phases. The implementation
plan is the only new document or data the certificate holder will
submit to the FAA due to the new rule.
Respondents: 90.
Frequency: Initial and Annual Burden (ongoing collection and record
keeping)
Sec. 119.8/5.95 Implementation Plan/SMS Documentation
The FAA estimates that there are approximately 90 operators who
would be respondents that would be in compliance with these proposed
requirements. All certificate holders are required to develop and
submit an implementation plan to establish and document a safety policy
that outlines the policy and objectives of the company. Although much
of the information would depend on a carrier's specific operation and
size, all carriers would need to document the following: implementation
plan, commitment to
[[Page 68239]]
safety management and objectives, responsibilities of an accountable
executive and management representatives, and a coordinated emergency
response plan. Costs for SMS documentation come from both the necessary
man hours to research and document the safety policy, processes, and
procedures, as well as the actual documentation. Carriers also reported
recurring costs for updates to the document. The FAA assumes that the
majority of document updates are minor at minimal.
Implementation Plan and SMS Documentation (Initial Hourly Burden):
2 full time employees per carrier; 3000 hours per year.
90 certificated carriers x 3000 hours annually = 270,000 hours
annually.
270,000 hours annually * 3 years = 810,000 total hours.
$38,880,000 Total Initial Labor Costs for 3 years.
+ 25,733,400 Material Costs of Documentation for 3 years.
$64,613,400 Total Estimated Initial Cost Burden for 3 years.
Estimated Recurring Annual Cost for SMS Documentation:
2 full time employees per carrier; 350 hours per year.
90 certificated carriers * 350 hours = 31,000 hours
annually.
$1,125,000 Total Labor Cost per Year.
+$252,000 Material Costs of Documentation per Year.
$1,377,000 Total Estimated Annual Recurring SMS Documentation.
Sec. 5.97 SMS records
This proposed rule would require carriers to record output from
their safety risk management (SRM) process, safety assurance (SA)
process, safety communications, and SMS training. All of these records
depend on a carrier's operations. The FAA does not specify how, or in
what media, documents and records must be maintained relative to the
requirements in this proposed rule. However, it encourages certificates
holders to use existing mechanisms and systems to minimize the burden.
The FAA also believes that there would be minimal additional costs for
the maintenance of training records since part 121 certificate holders
already maintain training records.
Estimated Implementation Costs:
2 full time employees per carrier; 2000 hours per year.
90 certificated carriers * 2000 hours = 180,000 hours
annually.
180,000 hours annually * 3 years = 540,000 total hours.
$25,920,000 Total Labor Cost for 3 Years.
+ $26,356,200 Equipment/Software Implementation Costs for 3 Years.
$52,276,200 Total Estimated Implementation Cost Burden for 3 Years.
Estimated Annual Operating Costs:
2 full time employees per carrier; 3500 hours per year.
The agency is soliciting comments to--
(1) Evaluate whether the proposed information collection
requirements (including recordkeeping, record retention, and auditing)
are necessary for the proper performance of the functions of the
agency, including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to
be collected; and
(4) Minimize the burden of collecting information on those who are
to respond, including by using appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology.
Individuals and organizations may send comments on the information
collection requirement by February 3, 2011, and should direct them to
the address listed in the ADDRESSES section at the beginning of this
preamble. Comments also should be submitted to the Office of Management
and Budget, Office of Information and Regulatory Affairs, Attention:
Desk Officer for FAA, New Executive Office Building, Room 10202, 725
17th Street, NW., Washington, DC 20053.
International Compatibility
In keeping with U.S. obligations under the Convention on
International Civil Aviation, it is FAA policy to conform to
International Civil Aviation Organization (ICAO) Standards and
Recommended Practices to the maximum extent practicable. The FAA has
reviewed the corresponding ICAO Standards and Recommended Practices and
has identified the following differences with these proposed
regulations. Amendment 30 to Annex 6 part I Section 3.2 Safety
Management, Paragraph 3.3.6 effective 1 January, 2009 requires that a
Flight Data Analysis Program be in the SMS standard. If this proposal
is adopted, the FAA intends to file a difference with ICAO.
ICAO Annex 6 part I includes a provision that part 121 air carriers
operating airplanes having a maximum gross takeoff weight in excess of
27,000 kg (approximately 59,400 lb). ``* * * shall establish and
maintain a flight data analysis programme as part of its safety
management system.'' Flight Data Analysis Program (FDAP) is a general
term encompassing a number of means by which routine flight operations
data may be acquired, recorded, analyzed, and shared. Flight
Operational Quality Assurance (FOQA) is one such program. FOQA is a
formal voluntary program which has been implemented by 41 certificate
holders conducting operations under part 121. FOQA specifications
include installation of extensive flight data recording systems which
facilitate rapid transfer of recorded data, de-identification of that
data, and agreements between pilot organizations and the carriers which
define how this information may be used.
The part 121 fleet is diverse in terms of size, complexity, and
age, as well as the size of the companies that operate them. Many of
the older aircraft would require extensive modifications to adapt them
to the technical requirements of a FOQA program. The investment and
expense of implementing and maintaining such a system exceeds the
financial capability of many smaller carriers. There are a number of
ways to meet the requirements of an FDAP. Therefore, the FAA will not
require FOQA in this rule. This issue is discussed further in the
Congressional Mandate section of this NPRM.
Regulatory Evaluation, Regulatory Flexibility Determination,
International Trade Impact Assessment, and Unfunded Mandates Assessment
Changes to Federal regulations must undergo several economic
analyses. First, Executive Order 12866 directs that each Federal agency
shall propose or adopt a regulation only upon a reasoned determination
that the benefits of the intended regulation justify its costs. Second,
the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) requires
agencies to analyze the economic impact of regulatory changes on small
entities. Third, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires agencies to prepare a written assessment of the costs,
benefits, and other effects of proposed or final rules that include a
Federal mandate likely to result in the expenditure by State, local, or
tribal governments, in the aggregate, or by the private sector, of $100
million or more annually (adjusted for inflation with base year of
1995). This portion of the preamble summarizes the FAA's analysis of
the economic impacts of this proposed rule. Readers seeking greater
detail should read the full regulatory evaluation, a copy of which we
have placed in the docket for this rulemaking.
In conducting these analyses, the FAA has determined that this
proposed rule has benefits that justify its costs, is not
[[Page 68240]]
an economically ``significant regulatory action'' as defined in section
3(f) of Executive Order 12866, (3) is ``significant'' as defined in
DOT's Regulatory Policies and Procedures; (4) would have a significant
economic impact on a substantial number of small entities; and (5)
would not impose an unfunded mandate on state, local, or tribal
governments, or on the private sector by exceeding the threshold
identified above. These analyses are summarized below.
Total Benefits and Costs of This Rule
Who is Potentially Affected by this Rule?
All Part 121 Operators
Assumptions
All costs and benefits are presented in 2010 dollars.
All costs and benefits are estimated over a 20-year period
from 2012 through 2031.
Benefits of SMS implementation would begin to accrue in
2015.
Costs to airlines and air carriers would begin to accrue
in 2012.
The present value discount rate of 7 percent
The estimated cost of this proposed rule is $710.8 million ($375.5
million in present value terms). The estimated potential benefits from
avoided casualties, aircraft damage and accident investigation costs
are $1,143.1 million ($500.8 million in present value terms).
Benefits of This Rule
The benefits of this proposed rule consist of the value of averted
casualties, aircraft damage, and accident investigation costs by
identifying safety issues and spotting trends before they result in a
near-miss, incident, or accident. Although, an SMS would help carriers
detect problems early, the FAA also recognizes that both the severity
of the problem and possible mitigations impact the rate at which future
accidents would be prevented. Over the 20-year period of analysis, the
FAA estimates potential benefits of $1,143.1 million ($500.8 million in
present value terms).
Costs of This Rule
Each air carrier would be required to develop an SMS that includes
the four SMS components: Safety Policy, Safety Risk Management, Safety
Assurance, and Safety Promotion. To support each component, the FAA
projects that the compliance cost of this proposed rule would come from
the initial development and documentation of their SMS, implementation
and continuous operating costs to include the modification or
purchasing of new equipment/software, additional staff and promotional
materials, and training. Costs range depending on the size of the
carrier and the type of operations that they provide. Further,
operators have existing quality management systems which may lower the
estimated compliance costs. In total this proposed rule is estimated to
cost carriers $710.8 million dollars over 20 years ($375.5 million
present value).
Regulatory Flexibility Determination
The Regulatory Flexibility Act of 1980 (Pub L. 96-354) (RFA)
establishes ``as a principle of regulatory issuance that agencies shall
endeavor, consistent with the objectives of the rule and of applicable
statutes, to fit regulatory and informational requirements to the scale
of the businesses, organizations, and governmental jurisdictions
subject to regulation. To achieve this principle, agencies are required
to solicit and consider flexible regulatory proposals and to explain
the rationale for their actions to assure that such proposals are given
serious consideration.'' The RFA covers a wide-range of small entities,
including small businesses, not-for-profit organizations, and small
governmental jurisdictions.
Agencies must perform a review to determine whether a rule will
have a significant economic impact on a substantial number of small
entities. If the agency determines that it will, the agency must
prepare a regulatory flexibility analysis as described in the RFA.
Each initial regulatory flexibility analysis required under this
section shall contain--
1. A description of the reasons why action by the agency is being
considered:
The objective of SMS is to proactively manage safety, to identify
potential hazards, to determine risk, and to implement measures that
mitigate the risk. The FAA envisions operators being able to use all of
the components of SMS to enhance a carrier's ability to identify safety
issues and spot trends before they result in a near-miss, incident, or
accident. For this reason, the FAA seeks to require carriers to develop
and implement an SMS. Lastly, the proposed rule meets a congressional
mandate.
2. A succinct statement of the objectives of and legal basis for,
the proposed rule:
The authority for this rulemaking is derived from Title 49 of the
United States Code in addition to the Airline Safety and Federal
Aviation Administration Extension Act of 2010 (the Act), Public Law
111-216, Sec. 215 (August 1, 2010). The Act requires the FAA to
conduct rulemaking ``requiring all part 121 air carriers to implement a
safety management system.''
3. A description of and, where feasible, an estimate of the number
of small entities to which the proposed rule will apply:
Under NAICS codes 481111 and 481112, for scheduled air
transportation, small entities would be all part 121 carriers with less
than 1,500 employees. The FAA estimates that there are approximately 90
part 121 operators and 64 of these operators meet the definition of a
small entity; therefore the FAA believes that there are a substantial
number of small entities impacted by this rule.
4. A description of the projected reporting, recordkeeping and
other compliance requirements of the proposed rule, including an
estimate of the classes of small entities which will be subject to the
requirement and the type of professional skills necessary for
preparation of the report or record:
An SMS is a formalized approach to managing safety by developing an
organization-wide safety policy, developing formal methods of
identifying hazards, analyzing and mitigating risk, developing methods
for ensuring continuous safety improvement, and creating organization-
wide safety promotion strategies. Each air carrier would be required to
develop an SMS that includes the four SMS components: Safety Policy,
Safety Risk Management, Safety Assurance, and Safety Promotion. To
support each component, the FAA projects that the compliance cost of
this proposed rule would come from the initial development and
documentation of their SMS, implementation and continuous operating
costs to include the modification or purchasing of new equipment/
software, additional staff and promotional materials, and training.
Costs range depending on the size of the carrier and the type of
operations that they provide. The FAA estimates that for a small
carrier, with less than 9 aircraft, compliance would cost $253,500 per
year for the first three years and then roughly $233,000 per year for
subsequent years. For medium sized carriers, that have 10 to 49
aircraft, but still have less than 1,500 employees the compliance cost
would be $342,450 per carrier per year for the first 3 years and then
$222,500 every years after. Although, the compliance costs are more
than 3% of a small to medium carriers operating costs, there is a lot
of variability surrounding these estimates. Carriers could spend more
or less given
[[Page 68241]]
the flexibility of this proposed rule, and the FAA believes that
carriers would choose an option where they can maximize their benefits
and minimize their costs. The FAA has determined that this proposed
rule has a significant economic impact on small carriers.
5. An identification, to the extent practicable, of all relevant
Federal rules which may duplicate, overlap or conflict with the
proposed rule:
The FAA is not aware of any Federal rules that would duplicate,
overlap or conflict with this proposed rule.
Each initial regulatory flexibility analysis shall also contain a
description of any significant alternatives to the proposed rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the proposed rule on small
entities. Consistent with the stated objectives of applicable statutes,
the analysis shall discuss significant alternatives such as:
1. The establishment of differing compliance or reporting
requirements or timetables that take into account the resources
available to small entities;
2. Clarification, consolidation, or simplification of compliance
and reporting requirements under the rule for such small entities;
3. The use of performance rather than design standards; and
4. An exemption from coverage of the rule, or any part thereof, for
such small entities.
This proposed rule is congressionally mandated leaving little room
for alternatives in terms of adopting a safety management system. All
Part 121 operators would be required to establish an SMS with no
exemptions for small entities. However, to accommodate small businesses
the FAA intends to make the implementation of SMS flexible and
scalable. Carriers can adapt SMS to their existing programs therein
reducing the cost. There are already many sources, processes and
systems in place in air carrier operations that collect this type of
data that could be utilized to meet this requirement for an SMS. As
described throughout this document, Flight Operational Quality
Assurance (FOQA) and Aviation Safety Action Program (ASAP) are good
examples of a source that is already in place for a large number of
carriers. Following congressional direction the FAA is not considering
other alternatives and requests comments on potential alternatives that
would minimize the impact on small businesses.
The FAA believes that this proposed rule would have a significant
impact on a substantial number of small entities for the following
reasons: We estimate that 64 operators are small entities and the
compliance costs could be higher than three percent of their operating
costs. Even though the proposed rule responds to the PL 111-216
Congressional requirement, we structured the requirement such that
small entities could meet the requirements with lower costs than a
larger firm.
Unfunded Mandates Assessment
Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires each Federal agency to prepare a written statement
assessing the effects of any Federal mandate in a proposed or final
agency rule that may result in an expenditure of $100 million or more
(in 1995 dollars) in any one year by State, local, and tribal
governments, in the aggregate, or by the private sector; such a mandate
is deemed to be a ``significant regulatory action.'' The FAA currently
uses an inflation-adjusted value of $143.1 million in lieu of $100
million. This proposed rule does not contain such a mandate; therefore,
the requirements of Title II of the Act do not apply.
Executive Order 13132, Federalism
The FAA has analyzed this proposed rule under the principles and
criteria of Executive Order 13132, Federalism. We determined that this
action would not have a substantial direct effect on the States, on the
relationship between the national Government and the States, or on the
distribution of power and responsibilities among the various levels of
government, and, therefore, would not have federalism implications.
Environmental Analysis
FAA Order 1050.1E identifies FAA actions that are categorically
excluded from preparation of an environmental assessment or
environmental impact statement under the National Environmental Policy
Act in the absence of extraordinary circumstances. The FAA has
determined this proposed rulemaking action qualifies for the
categorical exclusion identified in paragraph Chapter 3, paragraph 312d
and involves no extraordinary circumstances.
Regulations That Significantly Affect Energy Supply, Distribution, or
Use
The FAA has analyzed this NPRM under Executive Order 13211, Actions
Concerning Regulations that Significantly Affect Energy Supply,
Distribution, or Use (May 18, 2001). We have determined that it is not
a ``significant energy action'' under the executive order, and it is
not likely to have a significant adverse effect on the supply,
distribution, or use of energy.
Additional Information
Comments Invited:
The FAA invites interested persons to participate in this
rulemaking by submitting written comments, data, or views. We also
invite comments relating to the economic, environmental, energy, or
federalism impacts that might result from adopting the proposals in
this document. FAA also intends to propose separate SMS rulemakings in
other sectors of the aviation industry. When the FAA does propose any
such rulemaking, the FAA will take into account the unique qualities of
the industry to which they will apply, and will use lessons learned
from this rulemaking, to include: Scalability, flow-through,
flexibility, performance standards, and status of existing SMS
programs. The most helpful comments reference a specific portion of the
proposal, explain the reason for any recommended change, and include
supporting data. To ensure the docket does not contain duplicate
comments, please send only one copy of written comments, or if you are
filing comments electronically, please submit your comments only one
time.
We will file in the docket all comments we receive, as well as a
report summarizing each substantive public contact with FAA personnel
concerning this proposed rulemaking. Before acting on this proposal, we
will consider all comments we receive on or before the closing date for
comments. We will consider comments filed after the comment period has
closed if it is possible to do so without incurring expense or delay.
We may change this proposal in light of the comments we receive.
Proprietary or Confidential Business Information
Do not file in the docket information that you consider to be
proprietary or confidential business information. Send or deliver this
information directly to the person identified in the FOR FURTHER
INFORMATION CONTACT section of this document. You must mark the
information that you consider proprietary or confidential. If you send
the information on a disk or CD-ROM, mark the outside of the disk or
CD-ROM and also identify electronically within the disk or CD-ROM the
specific information that is proprietary or confidential.
Under 14 CFR 11.35(b), when we are aware of proprietary information
filed with a comment, we do not place it in
[[Page 68242]]
the docket. We hold it in a separate file to which the public does not
have access, and we place a note in the docket that we have received
it. If we receive a request to examine or copy this information, we
treat it as any other request under the Freedom of Information Act (5
U.S.C. 552). We process such a request under the DOT procedures found
in 49 CFR part 7.
Availability of Rulemaking Documents
You can get an electronic copy of rulemaking documents using the
Internet by--
1. Searching the Federal eRulemaking Portal (http://www.regulations.gov);
2. Visiting the FAA's Regulations and Policies web page at http://www.faa.gov/regulations_policies or
3. Accessing the Government Printing Office's web page at http://www.gpoaccess.gov/fr/index.html.
You can also get a copy by sending a request to the Federal
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence
Avenue, SW., Washington, DC 20591, or by calling (202) 267-9680. Make
sure to identify the docket or notice number of this rulemaking.
You may access all documents the FAA considered in developing this
proposed rule, including economic analyses and technical reports, from
the internet through the Federal eRulemaking Portal referenced in
paragraph (1).
List of Subjects
14 CFR Part 5
Air carriers, Aircraft, Airmen, Aviation safety, Reporting and
recordkeeping requirements, Safety, Transportation.
14 CFR Part 119
Administrative practice and procedure, Air carriers, Aircraft,
Aviation safety, Charter flights, Reporting and recordkeeping
requirements.
The Proposed Amendment
For the reasons stated in the preamble, the Federal Aviation
Administration proposes to amend 14 CFR Chapter I as follows:
1. The heading for subchapter A is revised to read as follows:
Subchapter A--Definitions and General Requirements
2. Add part 5 to read as follows:
PART 5--SAFETY MANAGEMENT SYSTEMS
Subpart A--General
Sec.
5.1 Applicability.
5.3 General requirements.
5.5 Definitions.
Subpart B--Safety Policy
5.21 Safety policy.
5.23 Safety accountability and authority.
5.25 Designation and responsibilities of required safety management
personnel.
5.27 Coordination of emergency response planning.
Subpart C--Safety Risk Management
5.51 Applicability.
5.53 System analysis and hazard identification.
5.55 Safety risk assessment and control.
Subpart D--Safety Assurance
5.71 Safety performance monitoring and measurement.
5.73 Safety performance assessment.
5.75 Continuous improvement.
Subpart E--Safety Promotion
5.91 Competencies and training.
5.93 Safety communication.
Subpart F--SMS Documentation and Recordkeeping
5.95 SMS documentation.
5.97 SMS records.
Authority: Public Law 111-216, sec. 215 (Aug. 1, 2010); 49
U.S.C. 106(g), 40101, 40113, 40119, 41706, 44101, 44701-44702,
44705, 44709-44711, 44713, 44716-44717, 44722, 46105.
Subpart A--General
Sec. 5.1 Applicability.
(a) A certificate holder under part 119 of this chapter authorized
to conduct operations in accordance with the requirements of part 121
of this chapter must have a Safety Management System that meets the
requirements of this part and is acceptable to the Administrator by
[date 3 years after the effective date of final rule].
(b) A certificate holder must submit an implementation plan to the
FAA Administrator for approval no later than [date 6 months after the
effective date of the final rule].
(c) The implementation plan may include any of the certificate
holder's existing programs, policies, or procedures that it intends to
use to meet the requirements of this part, including components of an
existing SMS.
Sec. 5.3 General requirements.
(a) Any certificate holder required to have a Safety Management
System under this part must submit the Safety Management System to the
Administrator for acceptance. The Safety Management System must include
at least the following components:
(1) Safety policy in accordance with the requirements of subpart B
of this part;
(2) Safety risk management in accordance with the requirements of
subpart C of this part;
(3) Safety assurance in accordance with the requirements of subpart
D of this part; and
(4) Safety promotion in accordance with the requirements of subpart
E of this part.
(b) The Safety Management System must be maintained in accordance
with the recordkeeping requirements in subpart F of this part.
(c) The Safety Management System must ensure compliance with the
relevant regulatory standards in chapter I of Title 14 of the Code of
Federal Regulations.
Sec. 5.5 Definitions.
Hazard means a condition that can lead to injury, illness or death
to people; damage to or loss of a system, equipment, or property; or
damage to the environment.
Risk means the composite of predicted severity and likelihood of
the potential effect of a hazard.
Risk control means a means to reduce or eliminate the effects of
hazards.
Safety assurance means processes within the SMS that function
systematically to ensure the performance and effectiveness of safety
risk controls and that the organization meets or exceeds its safety
objectives through the collection, analysis, and assessment of
information.
Safety Management System (SMS) means the formal, top-down,
organization-wide approach to managing safety risk and assuring the
effectiveness of safety risk controls. It includes systematic
procedures, practices, and policies for the management of safety risk.
Safety objective means a measurable goal or desirable outcome
related to safety.
Safety performance means realized or actual safety accomplishment
relative to the organization's safety objectives.
Safety policy means the certificate holder's documented commitment
to safety, which defines its safety objectives and the accountabilities
and responsibilities of its employees in regards to safety.
Safety promotion means a combination of training and communication
of safety information to support the implementation and operation of an
SMS in an organization.
[[Page 68243]]
Safety Risk Management means a process within the SMS composed of
describing the system, identifying the hazards, and analyzing,
assessing and controlling risk.
Subpart B--Safety Policy
Sec. 5.21 Safety policy.
(a) The certificate holder must have a safety policy that includes
at least the following:
(1) The safety objectives of the certificate holder.
(2) A commitment of the certificate holder to fulfill the
organization's safety objectives.
(3) A clear statement about the provision of the necessary
resources for the implementation of the SMS.
(4) A safety reporting policy that defines requirements for
employee reporting of safety hazards or issues.
(5) A policy that defines unacceptable behavior and conditions for
disciplinary action.
(6) An emergency response plan that provides for the safe
transition from normal to emergency operations in accordance with the
requirements of Sec. 5.27.
(b) The safety policy must be in accordance with all applicable
regulatory requirements in Chapter I of Title 14 of the Code of Federal
Regulations and must reflect the certificate holder's commitment to
safety.
(c) The safety policy must be signed by the accountable executive
described in Sec. 5.25.
(d) The safety policy must be documented and communicated
throughout the certificate holder organization.
(e) The safety policy must be regularly reviewed by the accountable
executive to ensure it remains relevant and appropriate to the
certificate holder.
Sec. 5.23 Safety accountability and authority.
(a) The certificate holder must define accountability for safety
within the organization's safety policy for the following individuals:
(1) Accountable executive, as described in Sec. 5.25.
(2) All members of management in regard to developing,
implementing, and maintaining SMS processes within their area of
responsibility, including, but not limited to:
(i) Hazard identification and safety risk assessment.
(ii) Assuring the effectiveness of safety risk controls.
(iii) Promoting safety as required in subpart E of this part.
(iv) Advising the accountable executive on the performance of the
SMS and on any need for improvement.
(3) Employees relative to the certificate holder's safety
performance.
(b) The certificate holder must identify the levels of management
with the authority to make decisions regarding safety risk acceptance.
Sec. 5.25 Designation and responsibilities of required safety
management personnel.
(a) Designation of the accountable executive. The certificate
holder must identify an accountable executive who, irrespective of
other functions, satisfies the following:
(1) Is the final authority over operations authorized to be
conducted under the certificate holder's certificate(s).
(2) Controls the financial resources required for the operations to
be conducted under the certificate holder's certificate(s).
(3) Controls the human resources required for the operations
authorized to be conducted under the certificate holder's
certificate(s).
(4) Retains ultimate responsibility for the safety performance of
the operations conducted under the certificate holder's certificate.
(b) Responsibilities of the accountable executive. The accountable
executive must accomplish the following:
(1) Ensure that the SMS is properly implemented and performing in
all areas of the certificate holder's organization.
(2) Develop and sign the safety policy of the certificate holder.
(3) Communicate the safety policy throughout the certificate
holder's organization.
(4) Regularly review the certificate holder's safety policy to
ensure it remains relevant and appropriate to the certificate holder.
(5) Regularly review the safety performance of the certificate
holder's organization and direct actions necessary to address
substandard safety performance in accordance with Sec. 5.75.
(c) Designation of a management representative. The accountable
executive must designate a management representative who, on behalf of
the accountable executive, must be responsible for the following:
(1) Facilitating hazard identification and safety risk analysis.
(2) Monitoring the effectiveness of safety risk controls.
(3) Ensuring safety promotion throughout the certificate holder's
organization as required in subpart E of this part.
(4) Regularly reporting to the accountable executive on the
performance of the SMS and on any need for improvement.
Sec. 5.27 Coordination of emergency response planning.
Where emergency response procedures are necessary, the accountable
executive and management representative must develop, as part of the
safety policy of the certificate holder, an emergency response plan
that addresses at least the following:
(a) Delegation of emergency authority throughout the certificate
holder's organization;
(b) Assignment of employee responsibilities during the emergency;
and
(c) Coordination of the certificate holder's emergency response
plans with the emergency response plans of other organizations it must
interface with during the provision of its services.
Subpart C--Safety Risk Management
Sec. 5.51 Applicability.
A certificate holder must apply safety risk management to a system
under any of the following conditions:
(a) Implementation of new systems.
(b) Revision of existing systems.
(c) Development of operational procedures.
(d) Identification of hazards or ineffective risk controls through
the safety assurance processes in subpart D of this part.
Sec. 5.53 System analysis and hazard identification.
(a) When applying safety risk management, the certificate holder
must have a process to describe and analyze the system for use in
identifying hazards under paragraph (c) of this section, and developing
and implementing risk controls related to the system under Sec.
5.55(c).
(b) In conducting the system analysis, the following information
must be considered:
(1) Function and purpose of the system.
(2) The system's operating environment.
(3) An outline of the system's processes and procedures.
(4) The personnel, equipment, and facilities necessary for
operation of the system.
(c) The certificate holder must develop and maintain processes to
identify hazards within the context of the system analysis.
Sec. 5.55 Safety risk assessment and control.
(a) The certificate holder must develop and maintain processes to
analyze safety risk associated with the hazards identified in Sec.
5.53(c).
[[Page 68244]]
(b) The certificate holder must define a process for conducting
risk assessment that allows for the determination of acceptable safety
risk. Acceptable safety risk must, at a minimum, comply with the
applicable regulatory requirements set forth in Chapter I of title 14
of the Code of Federal Regulations.
(c) The certificate holder must develop and maintain processes to
develop safety risk controls that are necessary as a result of the
safety risk assessment process under paragraph (b) of this section.
(1) The certificate holder must evaluate whether the risk will be
acceptable with the proposed safety risk control applied, before the
safety risk control is implemented.
(2) The safety risk controls must, at a minimum, comply with the
applicable regulatory requirements set forth in Chapter I of title 14
of the Code of Federal Regulations.
Subpart D--Safety Assurance
Sec. 5.71 Safety performance monitoring and measurement.
(a) The certificate holder must develop and maintain processes and
systems to acquire data with respect to its operations, products, and
services to monitor the safety performance of the organization. These
processes and systems must include, at a minimum, processes, and
systems for the following:
(1) Continuous monitoring of operational processes.
(2) Periodic monitoring of the operational environment to detect
changes.
(3) Auditing of operational processes and systems.
(4) Evaluations of the SMS and operational processes and systems.
(5) Investigations of incidents and accidents.
(6) Investigations of reports regarding potential non-compliance
with regulatory standards or other safety risk controls established by
the certificate holder through the safety risk management process
established in subpart B of this part.
(7) A confidential employee reporting system in which employees can
report, including, but not limited to: Hazards, issues, concerns,
occurrences, incidents, as well as propose solutions and safety
improvements.
(b) The certificate holder must develop and maintain processes that
analyze the data acquired through the processes and systems identified
under paragraph (a) of this section and any other relevant data with
respect to its operations, products, and services.
Sec. 5.73 Safety performance assessment.
(a) The certificate holder must conduct assessments of its safety
performance against its safety objectives, which include reviews by the
accountable executive, to:
(1) Ensure the certificate holder's compliance with the applicable
regulatory requirements in Chapter I of title 14 of the Code of Federal
Regulations and additional safety risk controls established by the
certificate holder.
(2) Evaluate the performance of the SMS.
(3) Evaluate the effectiveness of the safety risk controls
established under Sec. 5.55(c) and identify any ineffective controls.
(4) Identify changes in the operational environment that may
introduce new hazards.
(5) Identify potential new hazards or safety issues and concerns.
(b) Upon completion of the assessment, if ineffective controls, new
hazards, or potential hazards are identified under paragraph (a)(2)
through (a)(4) of this section, the certificate holder must use the
safety risk management process described in subpart C of this part.
Sec. 5.75 Continuous improvement.
The certificate holder must establish and implement processes to
correct substandard safety performance identified in the assessments
conducted under Sec. 5.73.
Subpart E--Safety Promotion
Sec. 5.91 Competencies and training.
The certificate holder must provide training to each individual
identified in Sec. 5.23 to ensure the individuals attain and maintain
the qualifications necessary to perform their duties relevant to the
operation and performance of the SMS.
Sec. 5.93 Safety communication.
(a) The certificate holder must develop and maintain means for
communicating safety information that, at a minimum:
(b) Ensures that all personnel are aware of the SMS.
(c) Conveys safety critical information.
(d) Explains why particular safety actions are taken.
(e) Explains why safety procedures are introduced or changed.
Subpart F--SMS Documentation and Recordkeeping
Sec. 5.95 SMS documentation.
The certificate holder must develop and maintain SMS documentation
that describes the certificate holder's:
(a) Safety policy.
(b) SMS processes and procedures.
Sec. 5.97 SMS records.
(a) The certificate holder must maintain records of outputs of
safety risk management processes as described in subpart C of this
part. Such records must be retained for as long as the control remains
relevant to the operation.
(b) The certificate holder must maintain records of outputs of
safety assurance processes as described in subpart D of this part. Such
records must be retained for a minimum of 5 years.
(c) The certificate holder must maintain a record of all training
provided under Sec. 5.91 for each individual. Such records must be
retained for a minimum of 24 consecutive calendar months after
completion of the training.
(d) The certificate holder must retain records of all
communications provided under Sec. 5.93 for a minimum of 24
consecutive calendar months.
PART 119--CERTIFICATION: AIR CARRIERS AND COMMERCIAL OPERATORS
3. The authority citation for part 119 is revised to read as
follows:
Authority: Public Law 111-216, sec. 215 (August 1, 2010); 49
U.S.C. 106(g), 1153, 40101, 40102, 40103, 40113, 44105, 44106,
44111, 44701-44717, 44722, 44901, 44903, 44904, 44906, 44912, 44914,
44936, 44938, 46103, 46105.
4. Add Sec. 119.8 to read as follows:
Sec. 119.8 Safety Management Systems.
(a) Certificate holders authorized to conduct operations under part
121 of this chapter must have a safety management system that meets the
requirements of part 5 of this chapter and is acceptable to the
Administrator by [date 3 years after effective date of final rule].
(b) Certificate holders required to have an SMS under this section
must submit an SMS implementation plan in a form and manner prescribed
by the Administrator to the certificate-holding district office for
approval by [date 6 months after effective date of final rule].
(c) A person applying to the Administrator for an air carrier
certificate or operating certificate to conduct operations under part
121 of
[[Page 68245]]
this chapter after [effective date of final rule] must demonstrate, as
part of the application process under Sec. 119.35, that it has an SMS
that meets the standards set forth in part 5 of this chapter and is
acceptable to the Administrator.
Issued in Washington, DC, on October 29, 2010.
Margaret Gilligan,
Associate Administrator, Office of Aviation Safety.
[FR Doc. 2010-28050 Filed 11-4-10; 8:45 am]
BILLING CODE 4910-13-P