Foreword
Use of this Document
Section 1 – Safety Management in ISAGO
1.1 Introduction
1.2 SMS Implementation
1.3 ISAGO Audit Scope
Section 2 – SMS Audit Aims, Focus & Planning
2.1 Audit Aims
2.2 Audit Focus
2.3 Audit Planning
2.4 The Safety Office
Section 3 – SMS Audit by GOSARP
3.1 Introduction
3.2 Organization & Accountability
3.2.1 The Accountable Executive
3.3 Safety Policy & Objectives
3.3.1 SMS
3.3.2 (The Safety) Manager
3.3.3 Safety Roles & Responsibilities
3.3.4 Corporate Safety Policy (Safety Objectives)
3.3.5 Safety Reporting Policy
3.3.6 Emergency Response Plan (ERP)
3.3.7 SMS Documentation (SMS Manual)
3.3.8 SMS Implementation Plan
3.4 Safety Risk Management
3.4.1 Hazard Identification
3.4.2 Safety Reporting System
3.4.3 Safety Risk Assessment & Mitigation
3.4.4 Accident/incident Investigation & Reporting
3.4.5 Ground Damage Reporting
3.5 Safety Assurance
3.5.1 Safety Assurance Program
3.5.2 Safety Performance Metrics
3.5.3 Management of Change
3.5.4 Continuous Improvement of the SMS
3.5.5 Management Safety Decision Making
3.6 Safety Promotion
3.6.1 Safety Awareness
3.6.2 Safety Information
3.6.3 Safety Training
3.7 SMS Checklist
Section 4 – Audit Summary Report - Assessment of the SMS
4.1 Introduction
4.2 Audit SMS Summary
Appendix A – QA Provisions & SMS Training Tables
Foreword
A Safety Management System (SMS) [1] is a framework of policies, processes, procedures and techniques
for use by an organization to monitor and continuously improve its safety performance. Improvements
are made by making informed decisions on the management of operational safety risks. Annex 19 to the
Convention on International Civil Aviation (ICAO Annex 19, Safety Management) details the global
regulations for SMS that are applicable to specified air operators, air traffic service providers and certified
airports and other operational services.
The principal method of safety management prescribed by ICAO is similar for all types of operator and
service provider, based on a common framework of processes and procedures contained in 4 discrete
components that are further sub-divided into a total of 12 elements, as illustrated in Figure 1 below.
Guidance on the ICAO SMS regulations and their implementation is provided in ICAO Doc 9859, Safety
Management Manual.
The ICAO SMS regulations do not currently apply to ground service providers (Providers) but those
applicable to aircraft operations encompass ground operations where aircraft safety is concerned.
Ground handling personnel are mentioned in the regulations in the context of reporting safety events or
issues. Providers therefore play an important role in safety management at an airport. Furthermore, by
implementing SMS, Providers would gain considerable credibility from air operators, airports and
regulatory authorities worldwide by acknowledging the contribution and influence that ground operations
have in improving the safety of aircraft operations and the airport environment in general.
IATA has already recognized the global regulations and the importance placed on the implementation of
SMS by aircraft operators. The IATA Operational Safety Audit (IOSA) program is an internationally
recognized and accepted evaluation system designed to assess the operational management and control
systems of an airline. All IATA members are IOSA registered and must remain registered to maintain
IATA membership. The IOSA standards are published in the IOSA Standards Manual (ISM). The current
edition, ISM Edition 10, includes a standard, ORG 1.1.10 [2], that establishes the management of the safety
risks associated with aircraft operations.
[1] A systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures.
(ICAO Annex 19)
The IATA Safety Audit for Ground Operations (ISAGO) is an industry audit and registration scheme aimed
primarily at creating safer ground operations and cost benefits by reducing the risk of aircraft damage,
reducing delays, and eliminating redundant audits by airlines. The GOSM Ed 5 and Ed 6 included a
review of the existing SMS provisions, elevating some to Standard level as the first and second phase of
a SMS Strategy (SMS Implementation - Strategic Plan for Upgrading ISAGO SMS Provisions 2nd Edition
September 2017). The strategy upgrades all SMS recommended practices to Standard level over a three-year
period.
Auditing the SMS, internally by the Provider and by an external body (such as in the case of ISAGO), is
an essential activity as part of assurance that the SMS is, or could be made to be, effective and meets
expectations.
A specific focus on making safety management the principal component of the Organization and
Management Section of the GOSM, as well as paving the way for the introduction of the ISAGO new
operational audit model in 2017, will require further refinement and amendment of the SMS provisions,
to reduce duplication, account for any changes in global regulations and define more clearly the ISAGO
audit scope and content. The annual review of the GOSM will therefore include a review of these auditing
guidelines.
[2] ORG 1.1.10 The Operator shall have an SMS that is implemented and integrated throughout the organization to ensure management of the
safety risks associated with aircraft operations.
Note: Conformity with this ORG standard is possible only when the Operator is in conformity with all standards that are identified by the [SMS]
symbol.
Use of this Document
The GOSARPs are the basis for an ISAGO audit of a Provider. This document provides guidelines on
what to look for when auditing the SMS of a Provider, as a whole, against the SMS GOSARPs contained
in Section 1, Organization and Management (ORM) of the GOSM. Suggested recommended actions,
questions, checklists and audit summary text are also provided. It is not a definitive guide and hopefully
not a condescending one.
The guidelines do not replace formal auditing procedures and should be considered as an aid to the
Auditor Actions described in the GOSM, checklists and incorporated in Q5AIMS. More detailed
checklists (and hence more appropriate for a well-established SMS) may be found in the ICAO Doc
9859, Safety Management Manual. Refer also to ACI SMS Handbook Step A.
The IOSA SMS standards and associated guidance material that is developed would provide useful
reference material complementary to the ISAGO provisions.
The ORM is now a section including the previous three sections (ORM-H, ORM-HS and ORM-S). The
SMS related GOSARPs have also been included in the new ORM. This document will be updated, as
necessary, when changes are made to the GOSARPs and audit procedures, or through practical
experience. Suggestions for improvements are always welcome.
Section 1 – Safety Management in ISAGO
1.1 Introduction
From the start it is important to keep in mind that a SMS is foremost a decision-making tool. The SMS
provides the organization with information on operational and other safety risks, such that actions to
eliminate, mitigate and/or control the safety risks can be determined and, if accepted by the
decision-makers, implemented. A SMS does not normally provide immediate solutions. Although immediate action
could (and probably should) be needed to address an unexpected unsafe situation, the SMS is not
intended to cater for these situations.
Instead, processes and procedures gather safety data and information, and, once there is sufficient or
relevant data and information, formal assessments are conducted and, if necessary, measures are
implemented to prevent an identified hazardous condition escalating into an accident scenario. Done
properly, this takes time and effort. Where significant effort would be needed, such as in terms of people,
finance, equipment or change, the SMS provides senior management with the information to make
informed decisions on what to do and, if necessary, when. These decisions, when accepted as necessary,
are then translated into safety action plans to implement safety risk controls and as safety objectives. The
ultimate aim of the audit of the SMS should therefore be (in addition to assessing the organization’s
implementation and conformity with the SMS GOSARPs) to determine whether the SMS is, or will be, effective in
achieving the safety objectives of the Provider.
Installing a SMS doesn’t happen overnight. Gradual implementation in an easy-to-do manner seems to
be the way that many aviation organizations are going about it. The IATA Strategic Plan for Upgrading
ISAGO SMS Provisions applies the same principle in a structured schedule of upgrading the SMS
GOSARPs over a three-year period. The audit guidelines in this document do not differentiate between
a standard and a recommended practice as their implementation is essentially the same. Until required
and implemented, the audit would therefore have to take appropriate account of a Provider that is not
able to demonstrate full conformance with a specific GOSARP and the consequences on other
GOSARPs. Until all SMS GOSARPs are at standard level, an important feature of the audit would be an
assessment of a Provider’s implementation of the SMS (see 4.1).
Recommendation – Obtain a copy of the Provider’s SMS Implementation Plan
prior to the audit to determine the audit scope and expectations for the SMS
aspects.
It is possible that implementation progress rates may vary within a Provider, especially at stations as part
of an international organization and where local regulations may have an impact. If encountered, these
factors will have to be taken into consideration when determining the scope of the audit and the
assessment of the overall implementation of the SMS in an organization.
The SMS implementation plan should, in the way that GOSARP recommended practices are treated, give
a good indication of the Provider’s commitment and recognition of current safety practices in aviation that
are becoming the norm if not a requirement for an organization to conduct business. Credit, in the audit
report, should therefore be given when a recommended practice is implemented by the Provider as if it
were a standard. Where the SMS is already implemented and functioning, and the Provider is measuring
its effectiveness, then ORM 3.1.8 might be assessed as not applicable (N/A).
Whilst conformance with each individual GOSARP should be assessed, the SMS functions may be
integrated with other management systems and/or distributed throughout the organization. The
requirement to have a SMS (ORM 1.1.3) is not, however, met until all the SMS GOSARPs are
implemented.
Recommendation – Identify the external organizations that may need to be
contacted to verify conformance where interaction with the Provider is specified
in a process or procedure.
A similar relationship, sometimes referred to as a “bridge”, would be in effect between the Provider’s
headquarters and each station(s). The SMS audit should seek evidence of effective communication,
consistent implementation of corporate processes and procedures and clear lines of safety
responsibilities between the two. The aim of the GOSM is to ensure that the Provider has a thorough and
robust corporate management of the services it provides at each station. This is why the GOSARPs often
refer to implementation throughout the organization. Implementation in a GOSARP sense means that the
process, procedure or otherwise required action or activity at a station is directed by headquarters and
there is continuous oversight at a headquarters level to ensure correct implementation. A station audit
would therefore have to use the most recent and a valid headquarters audit as a baseline reference for
the implemented processes and procedures, and the effectiveness of the bridge should be tested for
each relevant GOSARP.
It is entirely plausible that management and communications between headquarters and the stations can
become estranged. The emphasis must be on a top (headquarters)-down approach to SMS
implementation, management and oversight - not bottom (station)-up or disconnected. The SMS audit
therefore has to verify that implementation and compliance at each station is coordinated by headquarters
and checked on a regular basis.
Section 2 – SMS Audit Aims, Focus & Planning
2.1 Audit Aims
The aim of the headquarters audit would be to determine the extent of implementation of the SMS
throughout the organization and the effectiveness of the corporate management aspects. The audit
summary would provide a detailed description of the Provider’s conformance with the relevant SMS
GOSARPs as implemented, see 4.2.
Similarly, the aim of the station audit would be, in addition, to determine the effectiveness of the corporate
SMS at the station through assessment of the implementation of procedures, oversight and the
deployment of SMS safety risk management and safety assurance activities.
or is requested. It should also be possible to review procedures that have been developed and evidence
of being correctly followed or reports produced and acted upon as required.
While the use of computer networks (internet, intranet etc.) should render the physical location of
documentation (and its development or management) of little consequence, the verification of use and
access to SMS documentation and document management systems might depend upon the location of
the Provider’s headquarters and station(s). The organization could be spread across several countries,
and activities could vary from place to place. The documentation could also be held locally in a different
language and translation/interpretation services may need to be considered.
Interviews with the nominated key safety personnel are needed to verify conformance with corresponding
GOSARPs, that the SMS processes and procedures are implemented and used correctly, and that
everyone is aware of their SMS roles and responsibilities. Some of these personnel may be located at a
station; hence the headquarters audit should identify these personnel for when the station audit is
conducted.
Recommendation – Establish where, if different, the management and
administration of each SMS function is conducted and the location of key safety
personnel.
There are few, if any, SMS activities that can be observed in the same way as a ground operations
procedure. Even if, say, a safety assessment was taking place during the audit, there would be little
benefit in observing it. It would be more worthwhile seeking evidence that the safety assessments were
recorded properly and have produced tangible outcomes in accordance with the SMS safety risk
management and safety assurance GOSARPs. In this respect, there should be a record of the risk
assessment activity, discussions that took place and any decisions made by management.
The headquarters documentation review could, by way of records of safety events and safety risk
management/safety assurance actions, reveal the extent of the SMS activities at each station. Based on
reasoned judgment, queries could be raised and explored if one station appears to be less safe than
others, or if there is a marked difference in the number of safety reports generated at each station or how
safety issues are operationally addressed. This situation could indicate a lack of conformity with
processes and procedures at the headquarters or the station, and should be raised with the Provider for immediate
clarification or attention. If the reason for the anomalies is an issue at a station, the next planned audit at
that station should verify that corrective action has been successfully completed by the Provider. A
finding, however, has to be raised if the Provider’s oversight of effective SMS implementation is at fault.
Where a Provider has an extensive network of stations, perhaps 20 or more, a pragmatic approach should
be taken during the headquarters audit when assessing conformity of implementation and headquarters
oversight. A sample of stations may be chosen as a rational indication that GOSARP conformance at the
other stations is likely to be at least as good as those in the sample. In this respect, the number and
location of stations chosen by the auditor for the sample should consider the Provider’s ISAGO history
(in terms of results) and if potential weaknesses or failures of management oversight of station activities
are apparent. Where station sampling is used, justification, including the methodology and evidence used,
must be documented by the auditor in the headquarters audit report.
- safety reports are received and, with other safety information, are processed according to the procedures
- safety risk assessment outcomes are handled correctly and efficiently
- actions to control safety risks are implemented and monitored
- safety performance is monitored and measured
- reviews of the SMS performance take place.
The Safety Office may also be responsible for the dissemination of safety information and act as facilitator of
safety training.
As the SMS becomes more established the Safety Office should increase its presence and its influence
over the safety activities throughout the organization. In future, the Safety Office and the Safety Manager
might become the focal point for the ISAGO SMS audit.
Section 3 – SMS Audit by GOSARP
3.1 Introduction
This section aims to provide, where perhaps necessary, some guidance on the audit of each SMS
GOSARP.
The SMS GOSARPs follow a similar format to that of the ICAO SMS framework illustrated in Figure 1. Of
the four ICAO SMS framework components, the safety policy and objectives aspects are mostly
administrative and may not change significantly over a period of time. The fourth framework component,
safety promotion, is also administrative in nature but will most likely have regular tangible outcomes and
outputs that can be audited.
The two main SMS functional areas, involving routine activities, are safety risk management and safety
assurance. These are two functions expected to be administered by the Safety Office or, in kind, by a
person with safety responsibilities at the station. If addressed at the station (or the Safety Office is located
at the station) the audit should verify that the associated GOSARPs (ORM 3.2 and 3.3) are implemented
and that there is effective management control by the Provider at a headquarters level.
Documentation is needed in nearly all cases to verify conformance with the corresponding GOSARPs but,
in general, interviews with the nominated key safety personnel may be useful and, where practicable,
observations may take place.
ORM 1.1.2 The Provider shall identify one senior management official as the Accountable Executive who is
accountable for performance of the management system as specified in ORM 1.1.1 [3] and:
(i) Irrespective of other functions, has ultimate responsibility and accountability on behalf of the Provider for the
implementation and maintenance of the safety management system (SMS) throughout the organization;
(ii) Has the authority to ensure the allocation of resources necessary to manage safety risks to ground operations;
(iii) Has overall responsibility and is accountable for ensuring operations are conducted in accordance with
applicable regulations and standards of the Provider. [SMS]
[3] ORM 1.1.1 The Provider shall have a management system that ensures:
i. Management key policies, systems, programs, processes, procedures and/or plans are determined and implemented throughout the
organization;
ii. Lines of accountability for operational safety and security are defined throughout the organization;
iii. Resources necessary to conduct Operations in accordance with standards of the Provider, applicable regulations and requirements
of the customer airline(s) are granted at all times (GM)
A SMS is designed to be driven from the highest level of the organization, with clearly defined roles,
responsibilities and lines of authority and communication. At the top is the person nominated as the
Accountable Executive. An interview with this person, if possible, would be useful to ascertain the
management commitment, verify senior management involvement (in decision making) and awareness of
the SMS and its outcomes. The interview should establish whether the level of commitment typically
indicated in safety policies is in fact put into place. The answers given to simple questions can reveal a lot
and prepare the auditor for the rest of the audit.
Question – Is the Accountable Executive made fully aware of the level
of operational safety of the organization, including all the stations?
Question – What has been done to address safety issues, improve
safety and improve the SMS?
The Accountable Executive is the only person with accountability for the safety performance of the
organization and therefore should be fully aware of the SMS outputs and effectiveness.
Recommendation – Ask the Accountable Executive what the Provider’s top, say,
3 safety risks are and verify that they are represented by safety performance
indicators/targets (and possibly safety risk mitigation plans).
If it is not possible to arrange an interview, verify through documentation and questioning those persons
with SMS responsibilities that the Accountable Executive takes an active role in the SMS and for allocating
resources. The Accountable Executive should not be just a signature.
3.3.1 SMS
ORM 1.1.3 The Provider should have an SMS that is implemented and integrated throughout the organization to ensure
management of the safety risks associated with ground operations. [SMS]
Note: Within 2019, this recommended practice will be upgraded to a standard. Conformity with ORM 1.1.3 is
possible only when the Provider is in conformity with all standards and recommended practices that are identified
by the [SMS] symbol.
All components and elements of the SMS framework have to be in place for the SMS to function properly.
Conformance with this GOSARP would depend upon conformance with all other SMS GOSARPs. In many
cases this will not be the case, which is why this GOSARP has a standard upgrade date of 2019,
after all the other GOSARPs have been upgraded too, and why the SMS implementation
plan (ORM 3.1.8) is required. Note that it is intended that ORM 3.1.8 will be removed once the IATA strategic
implementation plan is completed.
3.3.2 (The Safety) Manager
ORM 1.1.4 The Provider shall appoint a manager who is responsible for the implementation, maintenance and the
day-to-day administration and operation of the SMS at the corporate level and throughout the organization on
behalf of the AE. [SMS]
Another key safety role is that of the Manager assigned to administer the SMS – usually called the Safety
Manager. The role and responsibilities of this person (or persons, depending upon whether the role is spread
across several stations) should be clearly defined and there should be documented evidence of the person
performing the role. If more than one Safety Manager (or other defined job title) exists then there should be
defined lines of authority and communication such that there is no ambiguity or interference with performing
the safety responsibilities within the organization.
Question – Ask the Safety Manager or person responsible at a station
the same questions suggested to the Accountable Executive.
Question – Can the Safety Manager explain the organization’s safety
hierarchy and the lines of responsibility?
The Safety Manager should be able to demonstrate that the SMS policy and objectives, and the associated
processes and procedures are implemented at all stations. The Safety Manager should also be able to
provide evidence of the way that safety reports and safety information are processed (through the safety risk
management process) and that records and other documentation are controlled.
Recommendation – As time allows, trace a safety report through the safety risk
management process (see 3.4). Wherever possible, choose at least one that
results in a safety recommendation that required a management decision, and
mitigation measures with documented performance indicators and targets.
3.3.3 Safety Roles & Responsibilities
ORM 1.6.1 The Provider shall define the safety responsibilities of management and non-management personnel
throughout the organization and specify the levels of management with the authority to make decisions that affect
the safety of ground operations. [SMS]
Other key safety roles would probably be those of station personnel with direct management or supervisory
responsibilities for ground operations. Apart from documented details of the roles and responsibilities of
named persons, there should be evidence of their involvement in safety risk management and safety
assurance activities, usually as an operational expert. An interview should test the awareness and
knowledge of the assigned roles and responsibilities, and confirm recent activity.
Recommendation – Look for evidence of the involvement of the named persons responsible for
ground operational safety in the implementation and monitoring of
safety risk mitigation or control activities.
3.3.4 Corporate Safety Policy (Safety Objectives)
ORM 1.2.2 The Provider shall have a corporate safety policy that:
(i) Reflects the organizational commitment regarding safety;
(ii) Includes a statement about the provision of the necessary resources for the implementation of the safety
policy;
(iii) Includes safety reporting procedures as specified in ORM 3.2.2;
(iv) Indicates which types of behaviors are unacceptable and includes the circumstances under which disciplinary
action would not apply as specified in ORM 3.1.5;
(v) Is signed by the Accountable Executive of the organization;
(vi) Is communicated, with visible endorsement, throughout the organization;
(vii) Is periodically reviewed to ensure it remains relevant and appropriate to the Provider. [SMS]
It should be clear from the safety policy that it is relevant to the Provider and there should be evidence of
implementation. Implementation in this sense means that it is clear that safety activities exist or actions are
taken directly as a result of the policy.
Question – Is the safety policy generic (indicating a possible lack of
detail/sincerity) or does it contain policies specific to the organization, or to a
station?
Resources (ORM 1.2.2(ii)) would usually be in the form of funding, people and equipment. Time allocated
to undertake SMS activities could also be included. A typical indication of inadequate resourcing is where
SMS activities are delayed or if safety recommendations are postponed. Another indicator of inadequate
resourcing is where key safety personnel posts remain vacant for a prolonged period of time or are assigned
to people with inadequate credentials and time to undertake the extra responsibilities.
Recommendation – Examine the CVs and SMS training records of key
personnel.
For ORM 1.2.2(iii) see ORM 3.1.5 and ORM 3.2.2.
A behavior policy (ORM 1.2.2(vii)) should be clear, comprehensive and communicated to all employees.
There could be evidence provided of an example where the policy was invoked and action was taken but
be careful to respect sensitive information. Note that a non-punitive behavior policy may require approval
from a regulatory body. For example, in aviation there are instances where a mandatory report is required
but the organization may be authorized to investigate and, subject to the outcome, address the issue without
recourse to the regulatory authority.
Periodic review of the safety policy (ORM 1.2.2(vii)) would normally be covered by ORM 3.4.1 (the Quality
Assurance program – see Appendix A) but may also depend upon the implementation of ORM 3.3.4. It is
typical for a two-year review period to apply.
Although not explicitly required as a GOSARP at this time, the Provider’s safety objectives should be
documented with the safety policy. There is, however, an implied requirement for safety objectives in
ORM 2.1.3 and 3.1.8, in the documentation and the implementation plan respectively. In any case, safety
objectives should be linked to the safety policy and the safety assurance component.
Question – Are safety objectives relevant to the organization stated (or
related to safety mitigation activities)?
Safety objectives should be derived as a consequence of ORM 3.3.2. The safety objectives should reflect
any high level safety performance indicators and targets that the Provider sets and, once the safety
assurance component is fully functional, may include significant safety objectives, i.e. set as a direct result
of the Provider’s safety risk management and related to an assessment or, perhaps, set by a regulatory
authority as part of a national issue or safety campaign.
Recommendation – Look for evidence of the safety objectives incorporating an
objective that reflects an established safety performance indicator(s) associated
with a significant safety risk mitigation or control activity.
3.3.5 Safety Reporting Policy
ORM 3.1.5 The Provider shall have a corporate safety reporting policy that encourages personnel to report
hazards to ground operations and, in addition, defines the Provider's policy regarding disciplinary action, to
include:
(i) Types of operational behaviors that are unacceptable;
(ii) Conditions under which disciplinary action would not be taken by the Provider. [SMS]
The safety reporting policy supports the policy outlined in ORM 1.2.2(iii) and the behavior policy in ORM
1.2.2(iv) but has to specifically address safety reporting. In this respect, the policy should outline clearly
what should be reported, by whom and when. The behavior policy should reflect the “non-punitive”
requirement in ORM 3.2.2.
The safety reporting policy should also address the data protection aspects of ORM 3.2.2(iv), which may
be subject to applicable national regulations or guidelines.
Question – Is the Provider aware of the data protection regulatory
guidance provided by ICAO in Annex 19?
The Provider's ERP should describe in a suitable document who does what, when and how for all perceived
emergency situations. The ERP should address the emergency procedures that maintain operational safety
from the time that an emergency is declared until normal operations are resumed. The ERP should also address
security events.
The ERP should be made available and be known to all relevant personnel. Named persons or those in
named posts should be interviewed to test their knowledge and understanding of the ERP and their roles
and responsibilities. Personnel should also be trained and equipped to deal with their roles and
responsibilities.
While the Provider should develop its own ERP, specifying what its staff should do, it is highly likely that
the Provider’s station personnel will play a participative or perhaps a coordination role in the ERP of the
airport with some supervisory roles and functions (particularly for passenger handling). Look for the
association of the Provider with the ERP or other such contingency plans of the customer airline(s) and,
importantly, that of the airport authority. There should be evidence of collaboration in the ERP development
as required in ORM 3.1.6(ii).
Recommendation – Confirm that the Provider actively participates in the
development, maintenance and testing of the ERP of the airport.
3.3.7 SMS Documentation (SMS Manual)
ORM 2.1.3 The Provider shall have SMS documentation that includes a description of:
(i) The safety policy and objectives, SMS requirements, SMS processes and procedures, the accountabilities,
authorities and responsibilities for processes and procedures, and the SMS outputs;
(ii) Its approach to the management of safety, which is contained in a manual as a means of communication
throughout the organization. [SMS]
A SMS Manual is the recommended method of collating and documenting all the administrative SMS
policies, processes and procedures when developed. ICAO and regulatory authorities produce guidelines on
the typical content of the manual. There should be a full description of the Provider’s SMS that details what
it entails, its objectives, and the roles and safety responsibilities throughout the organization. There should
also be a description of how safety management activities are coordinated between the organization’s
corporate and station entities. A diagram (organizational chart) of the roles and reporting lines would be
useful. There should also be details of the corporate safety policies (management commitment to provide
resources and conformance with regulations and standards); the safety reporting system; staff behavior
and punitive actions; personnel training and safety communications.
The SMS Manual may have referenced sub-parts or other documents. It is possible that the SMS Manual
and other documents are not paper-based, but are digital files or recorded and visible only on an
internet/intranet based application. This should not make any difference but obviously the way in which a
document review is conducted could differ, perhaps in a positive way as digital media is more efficiently
transferable or transportable.
Other SMS documentation would include safety reports, safety risk management records of assessments
and decisions, safety assurance reports, internal reviews, training material and records, safety
notices/communications and other SMS products and outcomes.
In reviewing the documentation, the auditor should look not only for conformance with the GOSARP but
also for completeness and continuity of the content/information. Whatever the format, the documentation
must show evidence of document/version control or being part of a document/record management system
(as per ORM 2.1.1)⁴ and distribution (as per ORM 1.4.1)⁵.
The distance between the corporate and station locations should not result in the organization’s failure to
comply with its own processes and procedures, and this is an important aspect to test when conducting a
station audit.
See 1.2.
⁴ ORM 2.1.1 The Provider shall have a system for the management and control of the internal and external documentation and/or data used
directly in the conduct or support of operations. Such system shall comprise the elements specified in Table 1.1 and shall include
documentation provided to external entities, if applicable.
⁵ ORM 1.4.1 The Provider shall have a communication system that:
(i) Enables and ensures an exchange of information that is relevant to the conduct of ground operations;
(ii) Ensures changes that affect operational responsibilities or performance are communicated as soon as feasible to applicable management
and front line personnel.
accessible within the Provider’s document control system. Operational personnel may be enlisted to assist
in conducting assessments and therefore should be familiar with the processes or procedures involved.
Continuity is a key aspect of the safety risk management function. An audit may take an example safety
report and “follow” it through the process of hazard identification, safety risk assessment and, as necessary,
the development of recommended risk reduction actions. There should be a record and description of each
step taken, the decisions made and their rationales. If a significant action is recommended (i.e. one that
involves budgeting, resources and planning) and is referred to senior management, the audit of the process
could be extended to the concluding events covered by the SMS safety assurance function, whereby the
action is implemented, monitored and measured. The documentation for these activities may only be
available on request, at the Safety Office or at the relevant station; however, the documentation should be
consistent.
An effective safety reporting system is arguably the most important element of the SMS. Without it, there
would be little or no safety data directly relevant to the Provider’s ground operations to base safety risk
management on. Even so, the type and amount of safety reports that are received would be dependent
upon many factors - operational, logistical and cultural - and meaningful data (such that might show trends
or latent conditions) may take some time to accumulate. Nevertheless, the safety reporting system
documentation should describe what it is, its purpose and method of operation. There should be records of
each safety report submitted and, in other processes, what happened to it. Ideally, there would be evidence
of the safety report using a taxonomy that was consistent with that of the safety reporting systems of the
other organizations on the airport or the regulatory authority.
The safety reporting policy (as outlined in 3.3.5) should encourage the reporting of reactive (has happened),
proactive (may happen) and, possibly, predictive (looks likely with an estimated degree of certainty to
happen) events or situations. Conformance with ORM 3.2.2(i) would include evidence of the processing of
mandatory safety reports through the appropriate internal channels.
Question – Is there a means of submitting voluntary or confidential
reports?
Internal mandatory safety reports may also be mandatory in a legal or regulatory sense. Verification that
the Provider’s safety reporting system complies with local requirements would show conformance with ORM
3.2.2(ii).
ORM 3.2.2(iii) is also related to and may be addressed by ORM 3.2.3.
Verification of a process and/or procedure to implement the safety data protection policy (see 3.3.5), to
protect the reporter or dissemination of the safety data, would demonstrate conformance with ORM
3.2.2(iv).
A selection of safety reports should be examined to verify compliance with the safety reporting policy and
procedures.
3.4.4 Accident/incident Investigation & Reporting
ORM 3.2.4 The Provider should have a process:
(i) To conduct and/or participate in an investigation of an incident/accident where its services were involved, to
include reporting of events, in accordance with requirements of the customer airline(s), the Airport Authority, and/or
State, as applicable;
(ii) For identifying and investigating irregularities and other non-routine operational occurrences that might be
precursors to an accident or incident. [SMS]
Note: Within 2018, this recommended practice will be upgraded to a standard.
Conformance with ORM 3.2.4(i) requires the Provider to specify what it does, when required, in the event
of an investigation. The process or procedure(s) should outline the roles and responsibilities of key
personnel, including for coordination with other organizations that may be involved or leading the
investigation. The audit should verify not only the relevance and implementation of the procedure(s) but
also that these personnel are identified and fully aware of what they will have to do (or not have to do if that
is the case). There may be differences in the procedures according to State or airport, and with respect to
an airline if relevant.
Conformance with ORM 3.2.4(ii) should be verified by evaluation of the procedure(s) and any recorded
instance of where the outcome of an investigation may have had safety implications (perhaps safety
recommendations or lessons learnt) for the Provider.
Although the functional aspects of safety assurance might be performed by the Safety Office or other
administrative personnel, the data or information provided would normally be provided by operational
personnel or specific operational monitoring activities.
3.5.1 Safety Assurance Program
ORM 3.3.1 The Provider should have a safety assurance program, including a detailed audit planning process
and sufficient resources that provides for the auditing and evaluation of the effectiveness of the management
system and ground operations at all stations to ensure the Provider is:
(i) Complying with applicable safety regulations and requirements of the customer airline(s);
(ii) Identifying hazards to operations;
(iii) Monitoring effectiveness of safety risk controls;
(iv) Verifying safety performance in reference to the safety performance indicators and safety performance
targets. [SMS]
Note: Within 2019, this recommended practice will be upgraded to a standard.
In a similar manner to that of existing quality assurance GOSARPs, the SMS safety assurance program
comprises internal processes and procedures for the evaluation of the safety risk management function
and monitoring an implemented safety risk management recommendation.
Conformance with ORM 3.3.1(i) would be demonstrated by records of periodic or on-demand assessments
of internal procedures against external requirements, which may have changed during the course of ISAGO
certification or since the last audit. This aspect should also confirm the interaction that the Provider has with
all external parties at the airport.
Conformance with ORM 3.3.1(ii) would be demonstrated by records of periodic assessments of the
effectiveness of the hazard identification process in ORM 3.2.1.
Conformance with ORM 3.3.1(iii) would be demonstrated by records of periodic assessments of the
appropriateness of the in-progress or completed safety action plans for the implementation of safety risk
controls developed in ORM 3.2.3(iii).
Conformance with ORM 3.3.1(iv) would be demonstrated by an examination of the process or procedure
for the development of the safety performance metrics (safety indicators, targets etc.) and the periodic
measurement of the metrics with respect to the in-progress or completed safety action plans for the
implementation of safety risk controls developed in ORM 3.2.3(iii). A procedure should also be in place in
the event of loss of safety performance or failure to meet a specified safety performance target, which might
be to re-initiate the safety risk management process.
3.5.2 Safety Performance Metrics
ORM 3.3.2 The Provider should have processes for setting performance objectives and measures as a means to
monitor the operational safety performance of the organization and to validate the effectiveness of safety risk
controls. [SMS]
Note: Within 2019, this recommended practice will be upgraded to a standard.
The development of safety performance metrics is a consequence of the implementation of safety risk
controls, which in the case of ground operations, where interaction with other operations is likely, could be
developed in collaboration with the airport or the airline. If such collaboration exists, and hopefully it does,
the safety performance metrics may not be developed specifically or only by the Provider. However, the
contribution made by the Provider in monitoring and assessing safety performance is a useful indicator for
assessing the effectiveness of the SMS.
Question – Has an external organization (airport, airline or regulatory
body) requested an input or information relating to the safety performance
metrics?
Question – Are the safety performance metrics realistic? Has there been
any change made as a result of a review?
Established safety performance metrics should be translated into safety objectives for the organization, see
3.3.4.
3.5.5 Management Safety Decision Making
ORM 3.3.5 The Provider should have a process for management consideration of and decision-making to ensure
significant issues arising from:
(i) The safety risk assessment and mitigation program, and;
(ii) The safety assurance program are subject to management review in accordance with ORM 3.3.4 and ORM
1.5.1, as applicable. [SMS]
Note: Within 2019, this recommended practice will be upgraded to a standard.
As stated, the SMS is foremost a management decision making tool. It follows that there should be a
GOSARP that requires the Provider to have in place a process or procedure for management review of the
SMS outcomes, specifically the safety risk management and safety assurance functions. GOSARP ORM 1.5.1⁶
is the requirement for a periodic review of the effectiveness of a management system, which would
include the SMS, and is complementary to ORM 3.3.4 if implemented in full.
Conformance would be demonstrated by examination of the processes and records of meetings, decisions
taken etc. The decision making aspect should clearly indicate who made the decision and why.
The SMS communication aspects are covered specifically in ORM 3.5 (as opposed to organization
communications in general); however, the means of communication may be the same. Whatever the
communication means, conformance is demonstrated by evidence of the intended audience receiving and
understanding or complying with the message or required action. Random samples should be requested;
alternatively, interviews with selected personnel could reveal whether messages are being received and complied with,
and indicate the effectiveness of the safety communication process overall within the organization.
3.6.2 Safety Information
ORM 3.5.2 The Provider should have a means for disseminating information from:
(i) The safety risk assessment and mitigation program, and;
(ii) The safety assurance program to management and non-management operational personnel as appropriate to
ensure an organizational awareness of compliance with applicable regulatory and other safety requirements.
[SMS]
Note: Within 2019, this recommended practice will be upgraded to a standard.
Similar to ORM 1.4.2, the Provider should be able to demonstrate the processes in place to disseminate
safety information. The outputs of the safety risk management and safety assurance functions may be of a
specialist nature, sensitive or for a specific purpose. The communication process should detail precisely
how the various types of SMS information are handled, and examples of each should be demonstrated by the Provider.
⁶ ORM 1.5.1 The Provider shall have a process to review the management system at intervals not exceeding one year to ensure its continuing
suitability, adequacy and effectiveness in the management and control of ground operations. A review shall include assessing opportunities for
improvement and the need for changes to the system, including, but not limited to, organizational structure, reporting lines, authorities,
responsibilities, policies, processes, procedures and the allocation of resources.
Question – How often are safety communiqués transmitted?
Question – Does the organization promulgate safety performance
information to its personnel?
3.6.3 Safety Training
ORM 5.7.2 The Provider should have a program that ensures personnel throughout the organization are trained
and competent to perform SMS duties. The scope of such training should be appropriate to each individual's
involvement in the SMS as detailed:
(i) In Table 1.2 for all personnel, and
(ii) In Table 1.16 for personnel with specific assigned duties in the safety management system. [SMS]
Note: Within 2018, this recommended practice will be upgraded to a standard.
Tables 1.2 and 1.16 are detailed at Appendix A to this document.
Personnel safety training is covered on two separate levels. All personnel within the organization should
receive basic safety awareness training and familiarization with the SMS and their safety roles and
responsibilities.
Conformance with ORM 5.7.2(i) could be demonstrated by training course records and schedules (the
content of which should cover the subjects listed in Table 1.2) and the training records of personnel with a
range of duties.
ORM 5.7.2(ii) refers to training for personnel needing specific SMS skill-sets as listed in Table 1.16.
Conformance could also be demonstrated by training records/schedules.
While generic safety training could be handled in-house, the more specific training would most likely be
delivered by expert training service providers.
3.7 SMS Checklist
The following checklist may help summarize the main aspects of the SMS audit. The checklist could be
used as a summary of the organization as a whole, or for a corporate/station pair where there are multiple
stations. The GOSM (6th Edition) ORM Section is used as a reference.
More detailed checklists (and hence more appropriate for a well-established SMS) may be found in the
ICAO Doc 9859, Safety Management Manual and ACI SMS Handbook Step A.
GOSARP                  Subject
ORM 3.1.8               There is a SMS implementation plan
ORM 1.1.3               An effective SMS is in place
ORM 1.1.2               There is a nominated Accountable Executive that has final authority over all the aviation activities of the organization
ORM 1.1.4               There is a person/Safety Manager who performs the role of administering the SMS
ORM 1.6.1               The SMS roles and responsibilities of all personnel are clearly defined
ORM 1.2.2               There is a safety policy statement relevant to the scope and complexity of the organization’s operations, and there is evidence of the policies resulting in safety activities or actions
ORM 3.1.5, ORM 3.2.2    There is an effective safety reporting system
ORM 3.1.6               Procedures are in place for an emergency response plan
ORM 2.1.3               All SMS information is recorded in an organization-wide document control management system
ORM 3.2.1               Procedures are in place for the assessment of safety reports
ORM 3.2.3               Procedures are in place for the identification of hazards, evaluation of safety risks, and development of recommendations for safety action plans to control unacceptable safety risks
ORM 3.2.4               Procedures are in place for the participation in incident/accident investigations
ORM 3.2.10              Procedures are in place for the reporting of ground damage to the IATA GDDB
ORM 3.3.1               Procedures are in place for the monitoring of safety risk controls
ORM 3.3.2               Procedures are in place for setting safety performance metrics
ORM 3.3.3               Procedures are in place for the assessment of safety issues related to change management
ORM 3.3.4               Procedures are in place for the review of SMS processes and procedures
ORM 3.3.5               Procedures are in place for the management review of SMS outputs and the effectiveness of the SMS
ORM 1.4.2, ORM 3.5.2    Safety information is promulgated throughout the organization
ORM 5.7.2               All personnel receive relevant safety training
Section 4 – Audit Summary Report - Assessment of the SMS
4.1 Introduction
An assessment should be produced that provides a “snap-shot” of the SMS within the organization. While
the checklists provide a high-level overview of the SMS functions that correspond to the GOSARPs,
consider again the audit focus and the 4 qualities that sum up the main objectives of a SMS:
If evidence was produced at the audit that proved that all 4 qualities were fully embedded within the
organization then it could be said that the SMS was fully functional. However, it is unlikely at this time that
an organization will have implemented all the SMS processes and procedures in full, throughout the
organization, and producing results. It is more likely that some functions of the SMS were in place and
working but, perhaps in a multi-station organization, not all in the same way or to the same extent.
The assessment should therefore also consider, and evaluate, the level of implementation of the SMS. An
indication of the level of implementation should be provided in the audit report, in terms of the extent to
which each applicable GOSARP is in conformity. A measure of conformity could be the number of
framework elements implemented in full or partially per station and whether they are effective, or some
other form of gap analysis.
local operation. Full implementation of the SMS at station C and integration with the corporate
SMS is expected in Q3/20XX.
The SMS documentation provided was assessed as [satisfactory/unsatisfactory and details of the
identified deficiencies were notified to the Provider]. The SMS documentation [provided/did not provide]
a clear description of the:
SMS functionality
For example: The description of SMS functionality in the corporate SMS Manual had not been
updated to include the new Safety Office that had been established in the corporate headquarters.
As a consequence virtually all of the processes and procedures for the safety risk management
and safety assurance functions were invalid and the effectiveness of the SMS could be brought
into question.
Roles and responsibilities
For example: Evidence of job descriptions and lines of responsibility was provided to verify that all
roles and responsibilities for the SMS were identified and described in full.
------------------------------------
Appendix A – QA Provisions & SMS Training Tables
ORM
ORM 3.4.1 The Provider shall have a quality assurance program, including a detailed audit planning process and sufficient
resources that provides for the auditing and evaluation of the management system and ground operations at all stations to
ensure the Provider is:
ORM 3.4.5 The Provider shall have a means for disseminating information from the quality assurance program and station quality control
program, as specified in ORM 3.4.1 and ORM 3.4.2, to management and non-management operational personnel as appropriate to ensure an
organizational awareness of compliance with applicable regulatory and other requirements.
ORM 3.4.6 The Provider shall ensure the quality assurance program utilizes auditors that:
(i) Have been trained and are qualified;
(ii) Are impartial and functionally independent from operational areas to be audited.
Table 1.2 Safety Training Specifications
Functional Groups
For the purpose of determining the applicability of airside safety training subject areas, ground handling personnel are grouped according to
operational function as follows. Note 1
Function 1: Personnel whose duties require access to airside areas.
Function 2: Personnel whose duties require operation of basic GSE (e.g., tractors, belt loaders).
Function 3: Personnel whose duties require: (1) operation of specialized equipment (e.g., aircraft movement units, container/pallet loaders,
de-icing vehicles, catering vehicles), (2) exercise of control during aircraft movement operations, or (3) performance of lead
responsibility over other personnel.
Function 4: Personnel in first level management, to include supervisors having responsibility for: (1) directing staff and/or equipment
resources, or (2) controlling an operational activity.
Function 5: Personnel in station management having responsibility for resource issues, health and safety, incident management and
budgetary control.
Function 6: Personnel with duties in ticketing, check-in and boarding activities.
Function 7: Personnel operating within Cargo warehouse.
Note 1: Functional definitions may be varied as determined by local requirements or considerations
Training Subject Areas
Safety training shall address, according to assigned operational function(s).
1.1.1 Safety Philosophy
a) Company safety policy and program [SMS] All Functions
b) Employer/employee responsibilities [SMS] All Functions
1.1.2 Safety Regulations
a) International aviation regulations [SMS] All Functions
b) State aviation regulations [SMS] All Functions
c) Airport airside regulations [SMS] All Functions
d) Safe working and operating practices [SMS] All Functions
1.1.3 Hazards Note 2
a) Vehicle movements All Functions
b) Pedestrian movements All Functions
c) Aircraft movements All Functions
d) Jet engines All Functions
e) Propeller-driven aircraft and helicopters All Functions
f) Aircraft antennae and other protrusions All Functions
g) GSE Functions 2-5
h) Aircraft fuelling and fuel spills All Functions
i) Adverse and seasonal weather conditions All Functions
j) Night operations All Functions
k) Working at height All Functions
l) Slips, trips and falls All Functions
m) Noise All Functions
n) Manual handling All Functions
o) Confined Spaces All Functions
p) Office Equipment All Functions
q) Display Screen Equipment (DSE) All Functions
r) Violence (physical & verbal attack and public disorder) All Functions
s) Lone working All Functions
Note 2: Subject areas a) through s) are applicable to personnel as appropriate to specific function and types of operations conducted.
1.1.4 Human Factors
a) Motivation and attitude All Functions
b) Human behavior Functions 4, 5
c) Communication skills All Functions
d) Stress All Functions
e) Ergonomics All Functions
f) Effects of psychoactive substances (drugs and alcohol) All Functions
g) Fatigue All Functions
h) Time pressure All Functions
i) Peer management pressure All Functions
j) Situational awareness All Functions
k) Teamwork All Functions
1.1.5 Airside Markings and Signage Functions 1 to 5
1.1.6 Emergency Situations Note 3
a) Reporting [SMS] All Functions
b) Injuries All Functions
c) Security threats All Functions
d) Spillage Functions 1 to 5
e) Alarms and emergency stops Functions 1 to 5
f) Fuel shut-offs Functions 1 to 5
g) Ground-to-flight deck emergency hand signals Functions 1 to 5
h) Fire All Functions
i) Severe weather Functions 1 to 5
j) Aircraft stand emergency procedures Functions 1 to 5
Note 3: Subject areas a) through j) are applicable to personnel as appropriate to specific function and types of operations conducted.
1.1.7 FOD prevention Functions 1 to 5
1.1.8 Personal protection Note 4
a) Personal protective equipment All Functions
b) Occupational health and safety All Functions
c) Musculoskeletal injury prevention All Functions
d) Weather exposure Functions 1 to 5
Note 4: Subject areas a) through d) are applicable to personnel as appropriate to specific function and types of operations conducted.
1.1.9 Accidents, Incidents, Near Misses Note 5
a) Personnel injuries [SMS] All Functions
b) Damage to aircraft, GSE, facilities Functions 1 to 5
c) Reporting [SMS] All Functions
d) Investigation Functions 4, 5
e) Prevention [SMS] All Functions
f) Cost of accidents, incidents [SMS] All Functions
g) Risk assessment All Functions
Note 5: Subject areas a) through g) are applicable to personnel as appropriate to specific function and types of operations conducted.
1.1.10 Airside Safety Supervision
a) Creating an open reporting culture [SMS] Functions 4, 5
b) Performance monitoring Functions 4, 5
c) Coordination of airside activities Functions 4, 5
d) Workload management Functions 4, 5
e) Decision making Functions 4, 5
f) Planning Functions 4, 5
b) hazard identification;
c) hazard analysis;
End