Safety Management Systems for Part 121 Certificate Holders

Download PDF
Federal RegisterNov 5, 2010
75 Fed. Reg. 68224 (Nov. 5, 2010)

AGENCY:

Federal Aviation Administration (FAA), Department of Transportation (DOT).

ACTION:

Notice of proposed rulemaking (NPRM).

SUMMARY:

The FAA proposes to require each certificate holder operating under 14 CFR part 121 to develop and implement a safety management system (SMS) to improve the safety of their aviation related activities. A safety management system is a comprehensive, process-oriented approach to managing safety throughout an organization. An SMS includes an organization-wide safety policy; formal methods for identifying hazards, controlling, and continually assessing risk; and promotion of a safety culture. SMS stresses not only compliance with technical standards but increased emphasis on the overall safety performance of the organization.

DATES:

Send your comments on or before February 3, 2011.

ADDRESSES:

You may send comments identified by Docket Number FAA- 2009-0671 using any of the following methods:

  • Federal eRulemaking Portal: Go to http://www.regulations.gov and follow the instructions for sending your comments electronically.
  • Mail: Send comments to Docket Operations, M-30, U.S Department of Transportation, 1200 New Jersey Avenue, SE., West Building Ground Floor, Room W12-140, Washington, DC 20590-0001.
  • Fax: Fax comments to Docket Operations at (202) 493-2251.
  • Hand Delivery: Bring comments to Docket Operations in Room W12-140 of the West Building (Ground Floor) at 1200 New Jersey Avenue, SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. For more information on the rulemaking process, see the SUPPLEMENTARY INFORMATION section of this document.

Privacy: We will post all comments we receive, without change, to http://www.regulations.gov,, including any personal information you provide. Using the search function of our docket Web site, anyone can find and read the comments received into any of our dockets, including the name of the individual sending the comment (or signing the comment for an association, business, labor union, etc.). You may review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477-78), or you may visit http://DocketsInfo.dot.gov.

Docket: To read background documents or comments received, go to http://www.regulations.gov at any time or to Docket Operations in Room W12- 140 of the West Building Ground Floor at 1200 New Jersey Avenue, SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT:

Scott Van Buren, Chief System Engineer for Aviation Safety, Office of Accident Investigation and Prevention (AVP), Federal Aviation Administration, 800 Independence Avenue, SW., Washington, DC 20591; telephone: (202) 494-8417; facsimile: (202) 267-3992; e-mail: scott.vanburen@faa.gov. For legal questions, contact Anne Bechdolt, Regulations Division, Office of the Chief Counsel, Federal Aviation Administration, 800 Independence Avenue, SW., Washington, DC 20591; telephone: (202) 267-3073; facsimile: (202) 267-7971; e-mail: anne.bechdolt@faa.gov.

SUPPLEMENTARY INFORMATION:

Later in this preamble under the Additional Information section, we discuss how you can comment on this proposal and how we will handle your comments. Included in this discussion is related information about the docket, privacy, and the handling of proprietary or confidential business information. We also discuss how you can get a copy of related rulemaking documents.

Authority for This Rulemaking

The FAA's authority to issue rules on aviation safety is found in Title 49 of the United States Code. This rulemaking is promulgated under the authority described in 49 U.S.C. 44701(a)(5), which requires the Administrator to promulgate regulations and minimum standards for other practices, methods, and procedures necessary for safety in air commerce and national security.

In addition, the Airline Safety and Federal Aviation Administration Extension Act of 2010 (the Act), Public Law 111-216, sec. 215 (August 1, 2010), requires the FAA to conduct rulemaking to “require all part 121 air carriers to implement a safety management system.” The rulemaking must consider, at a minimum, including an aviation safety action program (ASAP), flight operational quality assurance program (FOQA), a line operations safety audit (LOSA), and an advanced qualification program (AQP) as part of the SMS. The FAA must issue a notice of proposed rulemaking within 90 days of the passing of the Act, and a final rule within 24 months of the passing of the Act, requiring all part 121 air carriers to implement a safety management system.

Table of Contents

I. Executive Summary

II. Background

A. What is a Safety Management System?

B. Why is an SMS necessary?

C. Congressional Mandate

D. International Harmonization

E. NTSB Recommendations

F. FAA Aviation Safety (AVS) SMS Actions

III. Discussion of the Proposal

A. General Requirements

B. Safety Policy

C. Safety Risk Management

D. Safety Assurance

E. Safety Promotion

F. SMS Documentation and Recordkeeping

IV. Regulatory Notices and Analyses

I. Executive Summary

This proposal would require certificate holders authorized to conduct operations under 14 Code of Federal Regulations (CFR) part 121 to develop and implement a Safety Management System (SMS) of their aviation safety-related activities. An SMS includes an organization-wide safety policy; formal methods for identifying hazards, controlling, and continually assessing risk; and promotion of a safety culture. When systematically applied, an SMS provides a set of decision-making tools that certificate holders can use to improve safety.

The FAA is proposing this rule as part of its efforts to continuously improve safety in air transportation. The FAA proposes to add the SMS rule, a performance-based regulation, to existing regulations and technical operating standards to deal with gaps best addressed through improved management practices. SMS's proactive emphasis on hazard identification and mitigation, and on communication of safety issues, would provide certificate holders robust tools to improve safety.

The International Civil Aviation Organization (ICAO), in its March 2006 amendments to Annex 6 part I, which addresses operation of airplanes in international commercial air transport, establishes a standard for member states to mandate that each of these operators establish an SMS. In addition, the National Transportation Safety Board (NTSB) has recommended the FAA pursue rulemaking to require all 14 CFR part 121 operators to implement an SMS. Congress, in the Airline Safety and Federal Aviation Administration Extension Act of 2010 (Pub. L. 111-216, August 1, 2010), directed the FAA to issue a notice of proposed rulemaking within 90 days of enactment, and a final SMS rule by July 30, 2012. If this proposal is adopted, U.S. aviation safety regulations would be in conformance with ICAO standards, would fully address NTSB recommendations, and would comply with the statutory requirement.

A copy of Annex 6 has been placed in the docket for this rulemaking.

Recommendation A-07-10, dated January 23, 2007. This recommendation was issued in connection with the NTSB's investigation of Pinnacle Airlines flight 3701, which occurred on October 14, 2004.

The FAA anticipates a final rule would become effective 60 days after publication of the final rule in the Federal Register. The agency proposes to require current certificate holders to submit an SMS implementation plan for approval within six months of that effective date. The FAA solicits comments on the 60-day effective date, as well as the timeframe for submission of an SMS plan. The implementation plan would have to ensure the certificate holder's SMS would be fully operational within three years of the effective date. New applicants for certification to conduct operations under part 121 would be required to demonstrate prior to certification that they have an SMS that meets the requirements set forth in this proposal.

Under this proposal, the FAA would require each air carrier to develop an SMS that includes the four SMS components set forth in Annex 6: Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion. To support each component, the FAA proposes a certificate holder implement a number of processes and procedures. Together, the four components and corresponding processes and procedures provide the general framework for an organization-wide safety management approach to air carrier operations.

The FAA projects that the compliance cost supporting each component would come from the initial development and documentation of the SMS, implementation and continuous operating costs to include the modification or purchasing of new equipment/software, additional staff and promotional materials, and training. Because SMS is inherently scalable, costs depend on the size of the carrier and the type of operations that it provides. Further, operators may have existing quality management systems or other voluntary programs, which may lower the estimated compliance costs. These components would also help air carriers effectively integrate formal risk control procedures into normal operational practices thus improving safety for all U.S. part 121 operators. Total benefits are estimated at $1,143.1 million ($500.8 million present value) and total costs are estimated at $710.8 million ($375.5 million present value).

II. Background

The FAA is committed to continuously improving safety in air transportation. Increased demand for air transportation, the impact of additional air traffic, changes in business models, advances in new technology, new routes, and transition of personnel can heighten the risk in air carrier operations. While the FAA's use of existing regulations and technical operating standards has been effective, these regulations may leave gaps best addressed through improved safety management practices. As the air carrier best understands its own unique operating environment, it is in the best position to identify these gaps and institute the proper controls to reduce or eliminate risk to its operations. The FAA would still set the safety standards, conduct inspections and maintain oversight. However, SMS's proactive emphasis on hazard identification and risk control, as well as communication and training of safety issues, would provide certificate holders conducting operations under 14 CFR part 121 with the necessary tools to improve safety within their organizations. SMS processes will also make the application of regulations more meaningful to achieve greater safety benefit.

Therefore, the FAA, in continuing to develop a comprehensive and integrated framework for safety management, is proposing a standardized set of requirements for the development and implementation of SMS. This proposal includes the four key components of an SMS as set forth in ICAO Annex 6.

A. What is a Safety Management System?

An SMS is an organization-wide approach to managing safety risk and assuring the effectiveness of safety risk controls. It would provide an air carrier with a set of decision-making processes and procedures that it would use to plan, organize, direct, and control its business activities in a manner that enhances safety and ensures compliance with regulatory standards. It includes an organization-wide safety policy; formal methods for identifying hazards, controlling, and continually assessing risk; and promotion of a safety culture. An SMS incorporates these procedures into normal, day-to-day business processes. SMS processes seek to identify potential organizational breakdowns and necessary process improvements allowing management to address a safety issue before a noncompliant or unsafe condition results. These tools are similar to those that management already uses to make operational decisions, such as adding new aircraft to its fleet or adding a new route. Using an SMS, however, is not a substitute for compliance with FAA regulations or FAA oversight activities. Rather, an SMS would, at its foundation, ensure compliance with safety-related statutory and regulatory requirements and allow certificate holders to address hazards unique to their operations.

There are four essential components of an SMS. These are based on the ICAO SMS framework and FAA guidance in Advisory Circular 120-92A, Safety Management Systems for Aviation Service Providers (August 12, 2010).

Additional information on ICAO's SMS standards and guidance may be found at http://www.icao.int/anb/safetymanagement. Copies of the ICAO standards and the ICAO SMS manual have been placed in the docket for this rulemaking.

The safety policy is the foundation of the organization's safety management system. It clearly states the organization's safety objectives and sets forth the policies, procedures, and organizational structures necessary to accomplish the safety objectives. The safety policy clearly delineates management and employee responsibilities for safety throughout the organization. It also ensures that management is actively engaged in the oversight of the company's safety performance by requiring regular review of the safety policy by a designated accountable executive.

The second component, safety risk management, requires development of processes and procedures to provide an understanding of the carrier's operational systems to allow individuals to identify hazards associated with those systems. Once hazards are identified, other procedures must be developed under safety risk management to analyze and assess the risk resulting from these hazards, as well as to institute controls to reduce or eliminate the risks from these hazards.

The third component, safety assurance, ensures the performance and effectiveness of safety risk controls established under safety risk management. Safety assurance is also designed to ensure that the organization meets or exceeds its safety objectives through the collection, analysis, and assessment of data regarding the organization's performance.

The fourth component of an SMS is safety promotion. Safety promotion requires a combination of training and communication of safety information to employees to enhance the organization's safety performance. How an organization seeks to comply with this component depends on the size and scope of the organization. It may include formal safety training for employees, a formal means of communicating safety information, and a means for employees to raise safety concerns without fear of retribution.

B. Why is an SMS necessary?

The commercial air carrier accident rate in the United States has decreased substantially over the past 10 years. This has been accomplished through a growing body of regulations, FAA oversight activities, and voluntary industry safety initiatives. However, over the past 10 years, the FAA has identified a more recent trend involving hazards that were revealed during incident and accident investigations. Many of these hazards could have been mitigated or eliminated earlier had a structured, organization-wide approach to managing air carrier's operations been in place. For example, FAA's Office of Accident Investigation and Prevention identified 172 accidents involving part 121 operators from fiscal year (FY) 2001 through FY 2010 that could have been mitigated if air carriers had implemented a safety management system to identify hazards in their daily operations and developed methods to control the risk. The following two accidents are representative of the 172 accidents reviewed by the FAA and discussed in the Initial Regulatory Evaluation. Summaries of these two accidents are included to illustrate the potential mitigations that could have resulted with SMS.

On January 8, 2003, Air Midwest flight 5481 crashed immediately after lift-off in Charlotte, North Carolina. The aircraft was destroyed by impact and post impact fire, resulting in twenty-one fatalities and one injury to a person on the ground. This accident occurred shortly after outsourced maintenance was completed on the airplane's elevator control system. The accident investigation revealed that the elevator controls were improperly rigged during maintenance. The crew was not aware of this unsafe condition. The following is an example of how maintenance hazards could have been identified and their associated risks mitigated if the carrier had implemented an SMS.

In this instance, the formal safety risk management analysis would have been triggered by the air carrier's plan to have aircraft maintenance performed at uncertificated repair facility using maintenance technicians provided by a third party sub-contractor. First, the air carrier's maintenance management would have conducted a thorough system analysis, reviewing its current maintenance program, including all relevant policies, processes, and procedures. It would have identified the personnel, procedures, equipment, and facilities necessary to perform the work and assessed whether the maintenance facility, its management, and the third party mechanics met those requirements. It also would have identified the personnel necessary to conduct oversight for the air carrier at the maintenance facility. Following the system analysis, the air carrier's maintenance management would have identified the following system hazards: (1) The maintenance facility was not a certificated repair station and therefore lacked the controls associated with regulatory certification; (2) the facility, its management and the actual workforce were provided by separate contractors; (3) the inadequate number of experienced air carrier maintenance representatives and their lack of authority under the contract to oversee the performance of the maintenance. The maintenance management team would have reported these issues to the management representative and the accountable executive.

The air carrier's maintenance management, in assessing the risk of these and other hazards, would have considered the worst credible outcome of the performance of the maintenance at that facility under those conditions. Those risks may have been determined to be unacceptable and appropriate risk controls would have been implemented. Such risk control options may have included contracting with a certificated part 145 repair station, revising the maintenance procedures and associated job aids for its maintenance and inspection programs, having additional experienced maintenance representatives of the air carrier, with appropriate contract authorities, stationed at the repair facility to monitor the performance of maintenance tasks and inspections. Also, through the SMS safety assurance processes, the air carrier would have evaluated the safety performance of its risk controls through its continuous analysis and surveillance system (CASS) to verify that the controls were effective. Errors in specific maintenance tasks or inspections may have been spotted by the on site air carrier maintenance representatives or through a confidential employee reporting system if any of these concerns were raised with regard to the maintenance activities. These reports would have been utilized to steer changes in existing policies or in more effective contracting and execution of maintenance. Using the SMS safety promotion component, the air carrier could have made these critical maintenance issues known to its entire maintenance workforce, including air carrier management. This would have increased awareness of hazards and enhanced the safety of the overall maintenance program for the air carrier.

A second example is Comair flight 5191. On August 27, 2006, at approximately 6 a.m., Comair flight 5191 crashed during takeoff from Blue Grass Airport, Lexington, Kentucky, en route to Atlanta, Georgia. The flightcrew received and acknowledged a clearance from the tower to take off from runway 22 but instead, they positioned the airplane on runway 26 and commenced the takeoff. The airplane ran off the end of the runway and impacted the airport perimeter fence, trees, and terrain. The pilot in command (PIC), flight attendant, and 47 passengers were killed. The second-in-command pilot sustained serious injuries. The airplane was destroyed by impact forces and a post-crash fire. The flightcrew believed that they had taxied the airplane to runway 22 when they had actually taxied onto runway 26 and initiated the takeoff roll. The flightcrew's noncompliance with standard operating procedures, including the PIC's abbreviated taxi briefing, combined with both pilots' non-pertinent conversation most likely created an atmosphere in the cockpit that enabled the crew's errors. The following is an example of how hazards relating to the flight operations of this accident could have been identified and the associated risks mitigated if the carrier had implemented an SMS.

In this instance, the SMS safety assurance component would have triggered a formal safety risk management analysis. Under the SMS safety assurance process, periodic audits of flight crew performance, such as Line Operations Safety Audits (LOSA), may have revealed systemic failures of crew coordination concepts and failures to follow standard procedures. Additionally, reports from a confidential employee reporting system like Aviation Safety Action Program (ASAP) would have indicated that deficiencies in flightcrew performance. LOSA audits or other structured operational checking procedures, combined with reports from a confidential employee reporting system regarding flight crew performance, would have indicated that the existing controls, such as operational procedures and preflight checklists were not effective, or flightcrew training and evaluation programs were ineffective.

Under a formal SMS safety risk management process, the management representative would have ensured that the flight operations management team conducted a system analysis, reviewing its operational control and flight operations procedures, the operating environment (runway conditions, airport configuration), as well as the personnel and equipment required for the safe operation of the airplane. The system analysis would have led to a discovery of hazards and possible errors that could be made at runway intersections, like the incorrect selection of the appropriate departure runway. The flight operations management team would have reported these issues to the management representative and the accountable executive.

Upon completion of the risk assessment, the flight operations management team could have developed risk controls, such as revising the checklists to require the positive verification of the airplane alignment on the correct runway and additional crew resource management training to enhance the crewmembers' situational awareness. These procedures could be incorporated into the company's flight manuals, checklists, and training curriculum. Once in place, the effectiveness of the risk controls would have been continuously monitored under the safety assurance processes.

From the SMS safety promotion component, the information gained through the safety risk management and safety assurance processes such as the employee reporting system, could be provided back to crews in the form of awareness tools such as company newsletters, bulletins to pilots, and other communications media.

C. Congressional Mandate

In addition to the FAA's accident review indicating a need for SMS, Congress recognized the need for air carriers to implement safety management systems. On August 1, 2010, The Airline Safety and Federal Aviation Administration Extension Act of 2010 (the Act), Public Law 111-216, was signed. The Act requires the FAA to conduct rulemaking to “require all part 121 air carriers to implement a safety management system.” Public Law 111-216, sec. 215.

The Act also requires the FAA to consider mandating as part of the SMS rulemaking, the following voluntary programs: ASAPs, flight operational quality assurance systems (FOQAs), LOSAs, and advanced qualification programs (AQPs). The FAA has reviewed these programs and finds they would be useful to meet the requirements to regularly review the safety performance of the organization (§ 5.25(b)(5)), to monitor the effectiveness of safety risk controls (§ 5.25(c)(2)), and to monitor and measure the organization's safety performance (§ 5.71). However, based on the following, the FAA has determined that it would not be appropriate to require all of these programs for all certificate holders conducting operations under 14 CFR part 121.

Aviation Safety Action Program (ASAP). ASAP is an employee reporting system that certificate holders may use to gather information from employees on safety compliance and performance issues. ASAP programs are intended for air carriers that operate under part 121 and major domestic repair stations certificated under part 145. The goal of ASAP is to enhance aviation safety voluntary reporting of safety issues and events that come to the attention of employees. The program encourages an employee to voluntarily report safety issues even though they may involve a potential violation(s) of Title 14 of the Code of Federal Regulations.

As of September 27, 2010, there are 90 certificate holders conducting operations under part 121. Approximately two-thirds of these certificate holders have implemented some type of ASAP program. While ASAP originally was limited to pilots and flight engineers, some air carriers have expanded the program to include its flight attendants, dispatchers, and mechanics. One carrier has an ASAP for ground service personnel. The program is a valuable way to bring employees into a proactive safety effort and can be a means of building trust throughout the organization. Single ASAP reports can generate safety risk management action if they reveal a hazard of high severity and high likelihood. Further, analysis of the aggregate ASAP data can also reveal trends that lead to safety risk management action. ASAP reports often serve as an indicator that risk controls are effective, or they may reveal that risk controls are not effective. Reports accepted into ASAP are protected from disclosure under the provisions of 14 CFR part 193, Protection of Voluntarily Submitted Information.

ASAP programs typically only cover selected employee groups. Even the largest air carriers do not have ASAPs that encompass all of their employees. Typically, each employee group ASAP has an event review committee (ERC) designed to take in data from employees, analyze the data, and develop corrective actions. The ERC consists of members of the air carrier's management team, the FAA's certificate management organization, and if applicable, the employee group's representative. The ERC considers each ASAP report for acceptance or denial, and if accepted, analyzes the report to determine the necessary controls to put into effect. ASAP is a good example of a confidential employee reporting system that an air carrier may develop to comply with the provisions of the proposed rule. Small carriers would likely not require such an expansive and complex system. Rather, a simpler employee reporting system may meet the needs of the smaller carriers. Further, the proposed SMS requirement for a confidential employee reporting system spans all employee groups. Thus, even a medium to large air carrier may be overly burdened by such a requirement if its current ASAPs do not cover all of its employees who perform aviation-safety related activities. In this case, the air carrier could use its existing ASAPs and develop simpler tools or procedures to allow the employees who are not currently covered under its ASAPs to report safety issues or concerns.

If the FAA were to require the use of ASAPs, the information submitted through ASAP would no longer be considered voluntary. As such, the protections under part 193 would no longer apply. One major concern of industry regarding a requirement for SMS is the possible disclosure of critical safety information. Industry is concerned that if information submitted through ASAP or any other employee reporting system is subject to disclosure, this would likely have a negative impact on the willingness of employees to disclose the data. The loss of these protections under 14 CFR part 193, therefore, would likely impede the air carrier's ability to gather this critical information for analysis. Thus, the FAA has determined that ASAP may be one means for compliance with certain provisions of the SMS, but would not be necessary to mandate for all air carriers. FAA seeks comments on how air carriers that are currently voluntarily implementing ASAP programs could integrate these programs into an SMS plan, and the incremental costs and benefits of doing so.

Flight Operational Quality Assurance (FOQA). FOQA provides the air carrier with accurate operational performance information covering all flights by multiple aircraft types such that single events can be analyzed or overall patterns of aircraft performance can be seen and analyzed. FOQA programs provide actual data that can be analyzed in the aggregate to determine trends specific to aircraft types, local flight path locations, and overall flight performance trends for the air carrier industry. FOQA information has proven effective in showing the need for changing air carrier operating procedures for specific aircraft fleets, and for changing air traffic control practices at certain airports with unique traffic pattern limitations. 41 of 90 part 121 carriers have voluntarily implemented FOQA programs, including 22 of 30 part 121 operators with a fleet of more than 50 airplanes. The 22 includes seven of the top eight largest passenger-carrying airlines, which each operate more than 200 airplanes. To have an FAA approved FOQA program, an air carrier must meet the requirements described in AC 120-82, Flight Operational Quality Assurance.

The FOQA program is described in AC 120-82, Flight Operational Quality Assurance ( http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgAdvisoryCircular.nsf/key/AC%20120-82 ).

Since 2005, ICAO Annex 6 part I has included a provision that commercial air carriers operating airplanes having a maximum gross takeoff weight in excess of approximately 59,400 lb. “* * * should establish and maintain a flight data analysis programme as part of its safety management system.” Flight Data Analysis Program (FDAP) is a general term encompassing a number of means by which routine flight operations data may be acquired, recorded, analyzed, and shared. FOQA is one such program. FOQA requires extensive flight data recording systems which facilitate rapid transfer of recorded data, de-identification of that data, and agreements between pilot organizations and the carriers which define how this information may be used. Further, FOQA requires comprehensive analysis of the information provided by technically competent staff using specialized equipment to derive useful safety enhancement opportunities. Although all operators meet the current regulatory requirements for flight data recording, many of the recorders used do not meet all the FOQA specifications. The part 121 fleet is diverse in terms of size, complexity, and age, as well as the size of the companies that operate them. Many of the older aircraft would require extensive modifications to adapt them to the technical requirements of a FOQA program. The investment and expense of implementing and maintaining such a system exceeds the financial capability of many smaller carriers.

Since the FOQA voluntary program requirements were established, technological advancements in lightweight self-contained flight data monitoring and recording systems have been developed that may provide alternative, cost effective means for accomplishing the same purpose as a FOQA. An air carrier may wish to acquire these tools rather than those necessary for FOQA and develop its own procedures to collect flight operational data for analysis. An air carrier may also choose a combination of tools, such as preflight risk assessment checklists and existing flight data recorders, to collect information on flight operational data. There are a number of ways to collect this information and the FAA does not believe it is appropriate to prescribe the exact method for collection and analysis of this type of data. The air carrier should develop and implement the processes and procedures suitable to the complexity and needs of its organization to identify hazards and assess risk to its operation. In addition, like ASAP, the FAA has determined that it is appropriate to protect certain information collected under FOQA from disclosure. If the FAA were to require FOQA this protection would be lost. Thus, while FOQA is an excellent tool for some air carriers and may be used as a process or procedure in the air carrier's SMS, this proposal would not require it for all certificate holders conducting operations under part 121. FAA seeks comments on how air carriers that are currently voluntarily implementing FOQA programs could integrate these programs into an SMS plan, and the incremental costs and benefits of doing so.

Line Operations Safety Audit (LOSA). The Line Operations Safety Audit (LOSA) is a voluntary safety audit focused on the discovery, mitigation, and management of human error in aviation operations. LOSA audits are mainly conducted for crewmembers and are performed in actual in-flight conditions. Thus, they provide a real-time assessment of system operations. During the flight, trained observers record any potential threats to safety, how a flightcrew handled the hazard and any errors the flightcrew committed in managing a threat. They may also document behaviors known to cause accidents or incidents.

Under LOSA programs, the certificate holder collects the data concerning the flightcrew's performance. While an air carrier may elect to share the results of a LOSA with the FAA, there is no requirement to do so. Data obtained from the LOSA can be used to modify the air carrier's training or other operational programs or procedures and shape basic organizational strategies to prevent accidents and incidents. The certificate holder may use the audit results to create better safety practices by improving operational processes and documentation, such as revising checklists, flight operations manuals, quick reaction handbooks, and developing training curricula for flight, maintenance, and ramp personnel.

In order to implement a LOSA program, significant resources are required. The air carrier would need to develop and produce the program and its associated materials. The following elements are part of LOSA: (1) Training check airmen or other observers on how to conduct the observations and data collection, (2) developing and maintaining schedules for LOSA observations, (3) staff time for observer preflight preparation, (4) in-flight observation, (5) post-flight briefing, (6) data transfer and entry, (7) information management software costs (software and staff time for data entry and database management), and (8) development and administration of data analysis processes. LOSA programs may be very complex and expensive. Air carriers that have not implemented a voluntary LOSA may be using audit tools that are more appropriately scaled to the size of their operation. Because there may be other, more effective means for conducting these audits, the FAA does not believe it is necessary to limit an air carrier to conducting audits and collecting data through a specific program like LOSA. Rather, the FAA has determined that participating in a LOSA program, may be one acceptable means to comply with the requirements of this proposal. FAA seeks comments on how air carriers that are currently voluntarily implementing LOSA programs could integrate these programs into an SMS plan, and the incremental costs and benefits of doing so.

Advanced Qualification Program (AQP). AQP is an alternative method for developing training and testing materials for pilots, flight attendants, and aircraft dispatchers based on instructional systems design, advanced simulation equipment, and comprehensive data analysis to continuously validate curriculums. Although the FAA considers AQP to be an effective voluntary alternative for compliance with minimum training and qualification requirements, the FAA does not believe that it is appropriate to require all air carriers to train under AQP as part of their SMS processes and procedures. The FAA recognizes that AQP may not be appropriate for every certificate holder. The AQP is a voluntary program established to allow a greater degree of regulatory flexibility in the approval of innovative training programs. Based on a documented analysis of operational requirements, a certificate holder under AQP may propose to depart from the traditional practices with respect to what, how, when, and where training and testing is conducted. Detailed AQP documentation requirements, data collection, and analysis provide the FAA and the operator with the tools necessary to adequately monitor and administer an AQP. (See 14 CFR Part 121, subpart Y, paragraphs 121.901-121.925).

As mentioned above, AQP may not be appropriate for all certificate holders. Some air carriers may prefer the structured requirements of a traditional training program to the analytically-driven AQP program. Other air carriers that use contract training facilities may not find AQP to be a suitable alternative to traditional training requirements. The FAA also acknowledges that to get the most benefit from AQP, a stable work force and route structure is necessary. Therefore, for those air carriers that have a higher turnover in their pilot ranks or conduct supplemental operations where the routes may vary, AQP may not be appropriate. Thus, this proposal would not require all air carriers to implement AQP as the method for training its flightcrew members, flight attendants, aircraft dispatchers, and other operations personnel. FAA seeks comments on how air carriers that are currently voluntarily implementing AQP programs could integrate these programs into an SMS plan, and the incremental costs and benefits of doing so.

D. International Harmonization

In March 2006, ICAO amended Annex 6 part I—which addresses the operation of airplanes in international commercial air transport. Member states agreed to establish an SMS requirement for air carriers. The SMS, as outlined in this Annex, includes processes to identify safety hazards and ensure the implementation of risk controls and corrective actions necessary to maintain safety performance. The Annex also aims for improvement of the overall safety performance of the organization, with clearly defined lines of safety accountability throughout the operator's organization. Member states agreed to initiate compliance with amendments to Annex 6 part I by January 1, 2009. If adopted, the provisions in this rule would conform to these ICAO agreements.

On December 15, 2008, the FAA filed a difference to the SMS standard because the agency had not formally initiated rulemaking.

ICAO provides that each ICAO member state is the judge of whether its national SMS rules provide an acceptable level of safety. The FAA solicits comments on whether the SMS rules proposed in this NPRM could serve as a suitable basis for achieving an international harmonized regime.

E. National Transportation Safety Board (NTSB) Recommendations

The NTSB first recommended safety management systems in 1997, through recommendations aimed at improving safety in the maritime industry. Since then, a number of NTSB investigations related to other modes of transportation, including aviation, have cited organizational factors contributing to accidents and have recommended SMS as a way to prevent future accidents and improve safety. The NTSB first offered an SMS recommendation for part 121 air carriers (A-07-10) to the FAA after its investigation of the October 14, 2004 accident of Pinnacle Airlines flight 3701.

Pinnacle Airlines flight 3701 was on a repositioning flight between Little Rock National Airport and Minneapolis-St. Paul International Airport when both engines flamed out after a pilot-induced aerodynamic stall at high altitude. The pilots were unable to regain control, and the aircraft crashed in a residential area south of Jefferson City, Missouri. The NTSB's investigation revealed “the accident was the result of poorly performing pilots who intentionally deviated from standard operating procedures and basic airmanship.” The NTSB further stated “operators have the responsibility for a flightcrew's cockpit discipline and adherence to standard operating procedures” and offered an SMS as a means to help air carriers ensure safety. The NTSB formally recommended the FAA “require all 14 CFR part 121 operators establish Safety Management System programs.” NTSB Safety Recommendation A-07-10 (January 23, 2007). That recommendation recognized that “air carriers need to ensure safety through a formalized system safety process. One such process is a safety management system program, which incorporates proactive safety methods for air carriers to identify hazards, mitigate risk, and monitor the extent that the carriers are meeting their objectives.” Id. at p. 12. The NTSB recommended the FAA pursue rulemaking to require commercial operators to implement an SMS. In discussing this recommendation, the NTSB noted it would evaluate any rulemaking proposal based on ICAO's minimum requirement: “(a) Identifies safety hazards; (b) ensures that remedial action necessary to maintain an acceptable level of safety is implemented; (c) provides for continuous monitoring and regular assessment of the safety level achieved; and (d) aims to make continuous improvement to the overall level of safety.” Id. Adoption of this proposal would address this NTSB recommendation.

F. FAA Aviation Safety (AVS) SMS Actions

Guidance Materials. This rulemaking would also codify existing FAA SMS guidance material. In June 2006, FAA Flight Standards published Advisory Circular, AC 120-92, Introduction to Safety Management Systems for Air Operators based on the Joint Planning and Development Office (JPDO) SMS Standard. The FAA also used this work to develop internal guidance, using SMS principles, and incorporated them in FAA Order 8000.369, Safety Management System Guidance and FAA Order VS 8000.367, Aviation Safety (AVS) Safety Management System Requirements. AC 120-92 was revised in August 2010 to become AC 120-92A to reflect the ICAO framework. This proposal is based on the guidance material in AC-120-92A and FAA Orders, as well as the ICAO SMS framework and guidance in the ICAO Safety Management Manual. Copies of these documents are available in the docket for this rulemaking.

See ICAO, Safety Management Manual, at 6.5.3 ICAO Doc. 9859-AN/474 (2nd ed. 2009) ( http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf ).

SMS Pilot Project. To assist operators choosing to implement SMS voluntarily, the FAA initiated an SMS Pilot Project. The program, which currently includes 26 part 121 air carriers of varying sizes and complexities, allows these certificate holders and their FAA oversight organizations to learn the means of applying SMS to their unique management and environmental conditions and to demonstrate their commitment to comply with international standards. The SMS pilot projects have provided experience in implementation and oversight processes. Lessons the FAA has learned from the pilot projects include findings in the areas of management involvement, training requirements, gap analysis and implementation planning, and the development of risk tools.

Advanced Notice of Proposed Rulemaking (ANPRM). In addition to the pilot project, the FAA also issued an ANPRM on July 23, 2009 (74 FR 36414), soliciting comments on the appropriate applicability and scope of a potential SMS rule. The ANPRM requested information from air carriers, operators conducting charters, maintenance repair stations, and design and manufacturing organizations on their experiences with SMS; the costs associated with implementing SMS in their organization; and recommendations for documentation, recordkeeping, data collection and sharing, and training requirements necessary for implementation of an SMS. The FAA received 89 comments in response to the ANPRM from a variety of commenters, including air carriers, aircraft design and manufacturing organizations, service facilities, trade associations, and private citizens.

Seven part 121 operators and six trade associations representing the 121 operators or their employees submitted comments in response to the ANPRM. Each of the seven 121 operators said it has an SMS or a system with some SMS components. Six of the seven operators reported positive results after applying SMS to their operations. Operators reported improving their safety performance and regulatory compliance by improving their ability to detect possible nonconformities to policies and regulations before an accident or serious incident occurs. One commenter stated that by implementing SMS the organization has “seen some successes in reducing risk, decreasing operating costs, and managing safety through a structured process.”

An SMS requires that organizations identify hazards and address the risk associated with the products or services they provide. It also requires documenting the decisions made to address safety risk. Commenters expressed concern that this information could be misinterpreted or mischaracterized and they stressed the need to protect SMS data.

A majority of the commenters recommended the FAA issue a performance-based regulation, consistent with the ICAO framework, which would allow organizations flexibility in how they meet the standards, and enable them to integrate their existing systems into an SMS rather than requiring a stand-alone system. Commenters also said the requirements should be scalable to accommodate organizations that vary in size, complexity, structure, and focus. Some commenters recognized a need for SMS for part 135 operators and part 145 repair stations, and design and manufacturing organizations based on the ICAO requirements for these sectors of the industry. This rulemaking, however, focuses only on certificate holders conducting operations under part 121.

Aviation Rulemaking Committee (ARC). On February 12, 2009, the FAA chartered the SMS ARC to solicit recommendations from industry experts on the scope of this rulemaking. The ARC is comprised of representatives from air carriers, maintenance organizations, and design and manufacturing organizations and associations. On March 31, 2010, the ARC submitted its report to the FAA with the recommendations summarized in the paragraphs below.

The ARC recommended that the FAA SMS regulations and guidance be closely aligned and consistent with the ICAO SMS framework to allow for ease of acceptance of an organization's SMS by a foreign civil aviation authority. The ARC also recommended that the SMS rule apply to organizations subject to 14 CFR parts 21, 119, 121, 125, 135, 141, 142, and 145 as listed in the ANPRM, as well as 14 CFR part 91, subpart K, to ensure consistency of applicability with ICAO's SMS Framework. Furthermore, it suggested that an SMS regulation should acknowledge and permit incorporation of existing voluntary and regulatory (e.g., CASS) safety management efforts that fit, or that could be adapted to fit, the SMS construct. For air carriers, such programs include aviation safety action programs, flight operational quality assurance programs, line operations safety audits, and quality management systems. To avoid duplicative practices, the ARC stressed the importance of allowing organizations to build upon these existing systems and processes rather than requiring them to build a whole new safety system. For example, rather than mandate a separate manual outlining the air carrier's SMS, the air carrier should have the option of either developing a new manual or including it in the manual required by § 121.133. This flexibility would allow the certificate holder to document the SMS in the way that best fits its operations while still providing the FAA appropriate insight into the organization's SMS for assessment and oversight. In addition, the ARC asserted that SMS should not be an add-on to the organization's operational system but rather part of the operational system.

In acknowledging a potential significant impact of an SMS rule on small businesses, the ARC stressed the importance of creating a regulatory framework that is scalable and flexible to accommodate a broad range of organizations, from small operators and manufacturers to large organizations holding multiple types of FAA certificates or approvals. This would ensure that the level of SMS-required complexity imposed on a small organization would not interfere with the company's ability to pursue its business, or impose a degree of SMS data analysis that would result in insufficient time left to develop, implement and monitor risk mitigation procedures. It also recommended the FAA consider alternative strategies for SMS implementation, such as continuing with the voluntary program for operators that engage in international commercial activity.

The ARC was also concerned with the protection of SMS safety information and proprietary data. Therefore, it noted that there should be protection of safety information and proprietary data from disclosure and use for other purposes. Safety information is vitally important to an SMS. Without the development, documentation, and sharing of safety information SMS benefits will not be fully realized. According to the ARC, protecting safety information from use in litigation (discovery), Freedom of Information Act (FOIA) requests, and FAA enforcement action is necessary to ensure the availability of this information, which is essential to SMS. The ARC recommended either a new regulation or a revision and strengthening of existing part 193, Protection of Voluntarily Submitted Information, to include SMS information. Further, the ARC recommended that the FAA establish policy or regulation which provides limits on enforcement action applicable to information that is identified or produced by an SMS.

The ARC recommended that the FAA ensure that sufficient planning, policy and guidance, and workforce training be in place prior to SMS implementation to accommodate efficient, timely, objective and consistent assessment and oversight of SMS. To accomplish this, the ARC also suggested a phased promulgation of extending the applicability of a set of general SMS requirements to different populations. For example, the ARC recommended extending the set of general requirements to part 121 operators first, followed by part 135 operators and part 145 repair stations conducting maintenance for part 121 and part 135 operators, and extending the requirements to regulated entities under part 21 as part of the last phase of implementation. The ARC noted that this phased promulgation would allow earlier deployment of new regulations in the area of greatest operational exposure and greatest implementation experience, while allowing the necessary time for the development of sector-specific guidance and operation of pilot programs for remaining certificate and approval holders. For example, the design and manufacturing community has less experience in applying SMS than many commercial operators that are participating in SMS pilot projects with AFS. The ARC has recommended that the FAA sponsor an SMS pilot program within the design and manufacturing sector to further develop implementation experience.

In addition to the phased promulgation of the applicability of SMS requirements, the ARC also recommended a phased implementation of SMS requirements within individual companies. For example, the first stage of implementation would require an implementation plan to be completed six months after the effective date of a final rule, with the next level focusing on implementing safety risk management processes. The next level would focus on the proactive and predictive processes in safety assurance.

A copy of the ARC's recommendations is available for review in the docket for this rulemaking.

III. Discussion of the Proposal

A. General Requirements

Applicability. The FAA proposes to add a new part 5 to title 14 of the CFR, creating the general framework for an SMS that a part 121 air carrier may adapt to fit the needs of its operation. The new part 5 is modeled after the International Civil Aviation Organization (ICAO) framework in Annex 6, Operation of Aircraft, which was adopted in March 2006 and is designed for broad application. It is also consistent with the ARC's recommendations to use the ICAO framework and develop SMS requirements that are scalable and flexible to accommodate all business models. Therefore, the proposed requirements are meant to be applicable to organizations of various sizes and complexities, as well as adaptable to fit the different types of organizations in the air transportation system and operations within an individual company. The proposed SMS construct is also consistent with AC-120-92A, Safety Management Systems for Aviation Service Providers, and FAA Order 8000.367, Aviation Safety (AVS) Safety Management System (SMS) Requirements.

Although this proposal extends only to part 121 operators, the FAA has developed these general requirements with the intent that in the future, they could be applied to other FAA-regulated entities, such as part 135 operators, part 145 repair stations, and part 21 aircraft design and manufacturing organizations and approval holders, consistent with ICAO requirements. This proposal also acknowledges the SMS ARC's recommendation for phased promulgation of SMS regulations to apply SMS requirements to certificate holders under different parts of title 14 of the CFR in successive phases. The FAA solicits comments on possible future application of these general requirements.

Amendment 33 to Annex 6 part 1 addresses part 121, 135, and 145 operations. It has a compliance date of November 18, 2010 and was announced in State Letter AN 11/1.3.19-06/34 24 (March 2006). Amendment 101 to Annex 8 addresses Design and Manufacturing. It has a compliance date of November 14, 2013 and was announced in State Letter AN 3/5.6-09/21 (April 3, 2009).

In addition, it is not the FAA's intent that this rule would result in contractors or subcontractors, or entities not directly regulated by the FAA, being required to develop an SMS. Current processes require air carriers to ensure that the employees or businesses with whom they contract to conduct training or maintenance activities on their behalf are qualified, capable, and have the necessary equipment and facilities to perform the work. This proposal would not expand these existing requirements. However, the FAA seeks specific comment on the potential impact of a trickle down effect of this proposal to these entities.

Scalable and Flexible. The proposed SMS regulation is designed as a performance based regulation. It requires a number of processes (for safety policy, safety risk management, safety assurance, and safety promotion) which are flexible, and can be tailored to provide relevant, yet robust management systems for each carrier. The SMS provides a framework for safety decision making by requiring structured processes for gathering and using information necessary to make sound management decisions. Because the part 121 air carrier population is extremely diverse in complexity related to both aircraft fleet sizes and numbers of employees, this proposal was designed to accommodate a variety of business models and sizes.

The components of SMS are scalable relative to the size and complexity of the operator. For instance, the objective of safety risk management is the same regardless of the size of the carrier. That objective is to understand the operations and the tools and processes used to accomplish the work. While specialists in information technology and statistical analysis may be necessary in large, sophisticated carriers' operations, the safety risk management steps could be accomplished by the management and employees of even the smallest organization. For smaller operators, this process need not employ sophisticated techniques or be overly detailed. For example, a whiteboard, pencil, and paper, may be all that are needed to consider, analyze, and record the characteristics of the systems. Likewise, recording and tracking the results of the safety risk management process need not be extensive or overly sophisticated. They may be captured with paper records or simple electronic files using common word processing or spreadsheet applications.

The safety assurance processes can also be scaled to the size and complexity of the operator. Its purpose is to provide key managers with only the information that they need to assure that the risk controls they have implemented remain valid and their processes are on track. An organization would determine what audit tools are needed to acquire only the information that it needs to maintain compliance with CFRs and company policies and procedures, e.g., airplane inspection intervals, open Minimum Equipment List (MEL) items, pilot training, and checking intervals, and dates and other key information. Internal evaluation and management review processes are used to evaluate the performance of major systems (i.e., flight operations, training, maintenance, inspection, and engineering, etc.). All part 121 carriers have a Continuing Analysis and Surveillance system (CASS) required by 14 CFR 121.373. Most companies have Internal Evaluation Programs based on guidance in AC 120-59A, Air Carrier Internal Evaluation Programs, and other audit structures. These existing programs would likely satisfy the safety assurance requirements in this proposal. In very small companies, these may be performed personally by senior managers, specialist personnel, the Director of Safety, or the Chief Inspector required by 14 CFR 119.65. Analysis of audits, evaluations, employee reports, and internal investigations may be as simple as reading narratives, simple trend analysis of problems, and discussion among key management personnel.

The safety management system may be adapted and scalable based on the complexity of the air carrier's operations. For example, some air carriers may have multiple certificates, authorizing them to conduct flight operations and also perform aircraft maintenance for other organizations. These air carriers may only want to implement one SMS that encompasses all of these aviation-related safety activities, and some may want to expand SMS to encompass all activities of the business. As another example, some certificate holders only have a few aircraft and service a limited area. These certificate holders may choose to implement a smaller, simpler SMS consistent with requirements, but sized and designed for their operation. The FAA invites comments on how air carriers may approach the design and implementation of their SMS.

The previous discussion indicates that certificate holders could comply with the proposed SMS requirements through a variety of means. The FAA intends these proposed requirements to be scalable and flexible to the size and complexity of the certificate holder's organization. In addition, the FAA also recognizes that certificate holders may already have systems and processes in place that meet the proposed SMS requirements. The FAA believes these systems and processes could easily be incorporated into an SMS and does not intend to create duplicative burdens. The FAA requests comments specifically identifying how the FAA could clarify or improve the incorporation of existing systems and processes into an SMS to improve the efficiency, scalability, and flexibility of this proposal.

Compliance with other Regulatory and Statutory Requirements. The SMS requirements, as described in this section, would not be considered a substitute for compliance with existing technical and performance standards. Technical and performance standards would still be considered the baseline for safety performance. These general requirements for SMS would require air carriers to be able to demonstrate their capability to assess and control risk in their highly variable individual operational environments. While several air carriers currently may be in the process of implementing, or have implemented an SMS in accordance with FAA guidance material, these air carriers would need to ensure their system meets the regulatory requirements set forth in this proposal, and follow the same process for acceptance as an air carrier who is implementing SMS for the first time. The SMS may be adapted and scaled based on the complexity of the airline operations. If the FAA agrees that all regulatory requirements are met, the implementation plan will be approved. This includes all air carriers participating in the FAA's SMS Pilot Project.

Under new § 5.1, the FAA would require each air carrier to develop an SMS to include the four SMS components: Safety policy, safety risk management, safety assurance, and safety promotion. To support each component, the FAA proposes a certificate holder implement a number of processes contained in the proposed subparts for each component. Together, the four components and their underlying elements and processes provide the general framework for an organization-wide safety management approach to air carrier operations. To the extent possible, air carriers may leverage existing voluntary and required programs by integrating these activities and existing information collection streams into their SMS system and plans.

Protection of Data. The ARC, as well as several commenters to the ANPRM, raised concerns regarding the protection of data submitted through the SMS. The ARC recommended the FAA revise current requirements under 14 CFR part 193, Protection of Voluntarily Submitted Information, to protect any SMS data from disclosure. In this proposal, the FAA would not require the submission of any SMS data. Rather, the certificate holder must make its documentation available for inspection to determine whether the certificate holder has implemented and is maintaining an SMS that meets the requirements of part 5. Existing protections for voluntary programs such as Aviation Safety Action Program (ASAP) and Flight Operational Quality Assurance (FOQA) data would still apply as the FAA is not mandating these programs. However, at this time, the FAA would not extend the protections of part 193 beyond those afforded to current voluntary programs. The FAA invites comment on the protection of safety data and on potential information architectures which could allow carriers to collect information while reducing disclosure concerns.

Implementation and Compliance. Under this proposal, current certificate holders, within six months of the effective date of the final rule, would be required under § 119.8 to submit an implementation plan for approval that ensures the certificate holder's SMS would be fully operational within three years of the effective date of the final rule. Under the implementation plan, the certificate holder may decide to gradually phase-in the requirements of this rule over the three-year period consistent with the current process in the FAA SMS Pilot Project. A copy of this implementation process is provided in the draft advisory circular that is available for review in the docket for this rulemaking. An air carrier is not required to follow this format for implementation, but rather should develop a plan for implementation that meets the needs of its organization.

Many air carriers may already be in the process of developing an SMS in accordance with existing guidance material or otherwise have some elements of SMS in existence. In developing the implementation plan, air carriers should review existing programs to identify elements already in place that comply with provisions of part 5 and plan for implementation. Experience in the SMS Pilot Projects has found that this process is necessary to identify gaps in processes and management controls, documentation that is not up to date or is incomplete, and vague interfaces between processes or departments. The implementation planning and SMS documentation have helped to bring improvements in these areas. Thus, as proposed, the implementation plan should cover all the proposed part 5 requirements across all of the aviation safety-related operational processes of the company.

This plan would be submitted to the air carrier's certificate-holding district office, and approval of the plan would be coordinated with the SMS Program Office within the Flight Standards Service, Certification & Surveillance Division (AFS-900). In addition, anyone who submits a certification application under § 119.35 to conduct operations under part 121 would be required to demonstrate that it has incorporated an SMS that meets the requirements of part 5.

Although the implementation plan must be approved, the FAA has proposed, under § 5.3, that the certificate holder's SMS would have to be accepted by the FAA. Given the dynamic nature of an air carrier's operating environment, the air carrier needs to be able to continuously improve its SMS, rather than wait for approval of the proposed change before taking necessary action. Acceptance of the SMS would allow the organization to proceed with implementation of necessary changes while the FAA reviews SMS documentation to determine whether the air carrier has met the requirements of this rule. Upon review, if the FAA determines that changes must be made to the SMS, the air carrier would be responsible for making those changes. This process for acceptance would allow the air carrier the flexibility necessary to continuously monitor and adapt its SMS to address emerging safety concerns in its operating environment.

B. Safety Policy

Subpart B sets forth the requirements for the certificate holder's safety policy, the foundation of the SMS. All organizations must define policies, procedures, and organizational structures to accomplish their safety objectives and goals. It is important to have a documented safety policy to assure all employees of the organization of management's commitment to achieving the organization's safety objectives. A documented safety policy also ensures that all employees are aware of their own role in maintaining the safety objectives of the company. Thus, proposed § 5.21 would require a documented safety policy statement that establishes the organization's safety objectives, provides for a safety reporting policy, defines unacceptable behavior and conditions for disciplinary action, and establishes standard operating procedures for transitioning from normal to emergency operations.

A key aspect of the documented safety policy is the confidential safety reporting policy requirement proposed in § 5.21(a)(4). This requirement is distinguishable from the disciplinary action policy requirement proposed in § 5.21(a)(5) in that the safety reporting policy must allow employees to report unsafe working conditions or equipment for correction without fear of reprisal by either management or labor groups within the organization. As discussed earlier, many air carriers may already meet part of this safety reporting policy requirement by having an ASAP in place for selected employee groups. ASAP, as described in AC 120-66B, Aviation Safety Action Program, (November 15, 2002), allows certain safety issues to be addressed through corrective action rather than through disciplinary or enforcement action. Under ASAP, corrective action may be taken for inadvertent regulatory violations that do not appear to involve an intentional disregard for safety and events that do not appear to involve criminal activity, substance or controlled substance abuse, or intentional falsification. A corrective action is developed by the air carrier which may include training or education on an issue or changes to operational procedures to prevent a future occurrence of the same safety problem. These same concepts, inherent in ASAP, may be relevant for consideration by an air carrier who has not implemented an ASAP in developing a safety reporting policy pursuant to proposed § 5.21. As discussed previously, the FAA would not mandate that each air carrier implement an ASAP because the complexity of ASAP may not fit all air carriers or their FAA oversight organizations. However, if an air carrier has an ASAP in place or wishes to develop an ASAP, the FAA would view this program as one means of compliance with the proposed safety reporting policy requirement for the employee group(s) covered by the ASAP program(s).

Just as the safety reporting policy must describe those types of events that can be reported without fear of reprisal, the disciplinary policy proposed under § 5.21(a)(5) would require the air carrier to define unacceptable behaviors and conditions for disciplinary action. Some examples to consider, which are currently included in ASAP programs as described in AC-120-66B, include an intentional disregard for safety, suspected criminal activity, and substance abuse, as well as those instances when employees fail to complete a corrective action developed by the air carrier to address a safety hazard.

Consistent with the ICAO framework, the FAA is proposing, as part of the documented safety policy, to include emergency response planning. Emergency response planning provides the basis for a systematic approach to managing the organization's operations in the aftermath of a significant unplanned event or during an ongoing emergency situation. The overall objective is the safe continuation of operations and the return to normal operations as soon as possible. It is an important element of an SMS because in the transition from normal to emergency operations and back again, additional risk may be introduced and the organization should be monitoring and taking action to mitigate those risks. An effective emergency response also provides an opportunity to develop and apply learned safety lessons.

The type of commitment required by the safety policy mandates the active engagement of all employees in the safety performance of the organization and, in particular, specific safety responsibilities of management officials. Direct, personal involvement on the part of all levels of management is a bedrock principle of any management system. However, experience in the SMS Pilot Project has indicated that this is not universally and commonly understood. To ensure this type of engagement, § 5.23 would require the air carrier to clearly define all employees' responsibilities for the safety performance of the organization, from line staff to executive management. Clearly delineating safety responsibilities throughout the organization is a foundational characteristic of any management system. It also allows for greater communication and integration of practices and procedures employed throughout the organization, resulting in effective management of the air carrier's operations.

To ensure that executive management is involved in the oversight of the organization's safety performance, § 5.25 would require the certificate holder to designate a single accountable executive who has the final authority over operations and is ultimately responsible for the safety performance of the air carrier. The accountable executive would need to be able to organize, direct, and control the organization's activities, as well as allocate resources to make safety controls effective. The accountable executive would be required to develop the documented safety policy proposed under § 5.21, communicate the policy throughout the organization, and regularly review the safety policy and safety performance of the organization. The accountable executive would review safety information to assess the overall performance of the organization and make necessary changes.

To assist in the collection and analysis of the data, the accountable executive also would be required to designate a management representative to monitor the performance of the SMS, facilitate hazard identification and safety risk analysis, and report regularly to the accountable executive on the safety performance of the organization. The FAA does not believe these requirements would necessarily result in part 121 air carriers hiring new personnel to serve these functions. The FAA recognizes that many of the daily oversight activities that are proposed for the management representative are currently being performed by the required management personnel under 14 CFR 119.65. Any one of these individuals could be designated to serve in this role.

C. Safety Risk Management

Safety risk management is a core component in an air carrier's SMS. A comprehensive SMS using safety risk management would provide management tools for identifying hazards and assessing risk, as well as developing risk controls to reduce or eliminate risk associated with the hazards. As proposed in § 5.5, a hazard would be considered a condition that can lead to injury, illness or death to people; damage to or loss of a system, equipment, or property; or damage to the environment. The intent of this subpart is for the certificate holder to focus on the areas of greatest risk from a safety perspective, taking into account system complexity and scope of the operations to develop and implement appropriate risk controls. While each certificate holder's safety risk management processes may be unique to its organizational structure and operating environment, the FAA would require it to incorporate safety risk management steps as described in §§ 5.53 and 5.55. These steps provide for system analysis, identifying hazards associated with the system, analyzing the risk associated with the hazards, assessing risk associated with the hazards, and controlling the risks of identified hazards when necessary. These steps are based on the safety risk management processes in the ICAO framework, as well as AC 120-92A, Safety Management Systems for Aviation Service Providers, and FAA Orders 8000.367, Aviation Safety (AVS) Safety Management System Requirements and 8000.369, Safety Management System Guidance.

Proposed § 5.51 establishes when an air carrier would need to apply safety risk management processes and procedures to systems to assess the hazards and risk associated with the systems. An air carrier may learn of a hazard from a variety of sources, such as voluntary reporting systems, industry alerts from the FAA or manufacturers, or from internal assessments and audits. The system in which the hazard lies may be a small scale system that is easily defined, such as the development of maintenance (M) and operational (O) items for consideration to add an individual aircraft system to a Minimum Equipment List (MEL), or it may be a system large in scope that may have multiple hazards, like the addition of a new fleet of aircraft. Whenever a new system is implemented (e.g., new crew scheduling software), or an existing system is revised (e.g., a change to a training program), or new operational procedures are developed (e.g., changes in cockpit checklists or maintenance work procedures), safety risk management would be applied to ensure that hazards are identified and proper controls are put in place to mitigate the risk associated with them. Safety risk management would also be applied to analyze new hazards or ineffective risk controls that are identified under the safety assurance processes in subpart D of the new part 5.

It is not the intent of this proposed rule to require the application of safety risk management processes and procedures to activities that are not related to aviation operations. As an example, safety risk management would not be necessary when changing accounting practices or administrative computer software. Similarly, the FAA does not intend for an air carrier to apply safety risk management processes retroactively to established systems and processes. However, carriers may need to use the safety risk management process to review processes for which problems have been found in the past. For example, an air carrier would initiate safety risk management after learning that deicing operations at a particular airport are not effective. In that case, the air carrier would use safety risk management to analyze the deicing operation. First, it would review the deicing system to understand how it functions, to include the personnel responsible for deicing, the air carrier's guidance, processes, and training regarding deicing, as well as the deicing equipment that is used. Once the air carrier has an understanding of the system, the air carrier should be able to identify hazards and assess the risk associated with those hazards and make the necessary changes to the deicing system to control those risks. As a result of safety risk management, the air carrier may determine that controls such as implementing additional training, requiring inspection of the equipment, or revising operating procedures would be needed to control the risk in the deicing operation. Contrast this simple system with an air carrier that is changing its business model from conducting domestic operations in medium class turbo-prop aircraft to conducting international flights in turbojet aircraft. In this case, the systems involved are more numerous and more complex. The air carrier would apply safety risk management by defining the systems involved (i.e., flight operations, operational control and dispatch, maintenance, ground operations and servicing) and would review items such as the operating requirements for the aircraft as defined in title 14 of the CFR, the crewmember qualification and training requirements for the new aircraft, the operating limitations of the aircraft, and the proposed route structure for the international flights. While the existing regulations that govern these kinds of operations would serve as the primary risk controls for the proposed operations, the air carrier would use safety risk management to establish any additional risk controls to mitigate risks identified as a result of defining and analyzing the system and to design systems that incorporate the regulations in a way that best achieves their intent in terms of risk reduction.

The first step of safety risk management is analyzing the system. Once an air carrier determines that the processes of safety risk management have been triggered under proposed § 5.51, it would conduct a system analysis, as required by § 5.53. The system analysis, also referred to as the system description in the ICAO Safety Management Manual, serves as the initial source for hazard identification when new systems are designed, when systems are revised, or when operational procedures are developed. The system analysis processes must ensure that information regarding the function and purpose of the system, the system's operating environment, and the personnel, equipment and facilities that the system requires for operation, is analyzed so that hazards may be appropriately identified. While the system analysis should be documented, no particular format is required. The system analysis could provide the basis for the development of the operator's manual system required by § 121.133, as well as checklists and other job aids, organizational charts, and personnel position descriptions. A typical functional breakdown of operational and support processes for air operators might include:

  • Flight operations;
  • Dispatch/flight following;
  • Maintenance and inspection;
  • Cabin safety;
  • Ground handling and servicing;
  • Cargo handling; and
  • Training.

Long and excessively detailed system analyses are not necessary, provided they are sufficiently detailed to perform hazard and risk analyses.

The second step of safety risk management, set forth in § 5.53(b), would allow a certificate holder to identify hazards in a systematic way based on the system analyses conducted in the first step of safety risk management. While identification of every possible hazard would be unlikely, aviation service providers would be expected to exercise due diligence in identifying significant and reasonably foreseeable hazards related to their operations. A certificate holder should implement hazard identification processes relative to the complexity of its management structure and operations. The system analysis should be used to determine if there is a good integration of equipment, facilities, personnel, procedures, supervision, training, and the operational environment and if there are any characteristics of those system components or other conditions that could compromise safety. Any such conditions would meet the definition of “hazards.”

The third step of safety risk management would require the analysis of risk to determine the severity and likelihood associated with the hazards identified in step two of safety risk management. A common tool used in this analysis for risk decision making and acceptance is a risk matrix similar to those in the ICAO Safety Management Manual (SMM), and in Appendix 3 of AC 120-92A (August 12, 2010). A certificate holder may design a matrix similar to these to categorize the potential severity of the worst credible projected outcome (consequence) of an event related to the hazard. For example, a tower or terrain in the takeoff path of an airport presents a hazard to departing aircraft. The worst credible event related to these obstacles would be for an aircraft to collide with it, resulting in loss of the aircraft and loss of life. Risk matrices typically use levels such as: Catastrophic (meaning outcome results in multiple fatalities and destroyed equipment), hazardous (would result in serious injury or death, major equipment damage), major (would result in injury, serious incident), minor (would result in minor incident, use of emergency procedures), and negligible (little consequence). Once the severity of the potential event has been determined, the certificate holder would then determine the likelihood of the event, for example, to determine whether the event is likely to occur frequently, occasionally, remotely, or is improbable or extremely improbable. Based on these categories, a likelihood and severity of the occurrence is selected for each hazard. This is just one method for analyzing hazards. Certificate holders should develop processes that reflect the complexity of their operations.

See ICAO, Safety Management Manual, at 6.5.3 ICAO Doc. 9859-AN/474 (2nd ed. 2009). ( http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf ).

The fourth step of safety risk management, risk assessment, first requires the certificate holder to determine acceptability of safety risk. The starting foundation for each determination of acceptable safety risk would be the corresponding regulatory requirements and technical or performance standards. As indicated in § 5.23, the certificate holder would be required to identify the levels of management that are authorized to accept risk. The certificate holder may opt to use a risk matrix similar to that in Appendix 3 of AC 120-92A. A risk matrix graphically depicts the various levels of severity and likelihood as they relate to levels of risk (acceptable, acceptable with controls, or unacceptable). When the likelihood and severity of a potential outcome are plotted on the risk matrix, the certificate holder can see whether the hazard's safety risk is acceptable to the organization. Generally, as the likelihood and severity increase, the risk increases. For example, an outcome with an assessed likelihood of frequent and severity of catastrophic would be classified as an unacceptable risk in the matrix. The certificate holder would use this information to determine whether it may accept the risk, accept the risk provided risk controls are instituted, or whether the risk is too great and must be avoided.

The final step of safety risk management would require the certificate holder to develop processes and procedures for the development and implementation of risk controls. The development of risk controls is dependent upon the risk assessment conducted under step four of safety risk management. Risk controls may be additional or changed procedures, new supervisory controls, addition of organizational hardware, or software aids, changes to training, additional, or modified equipment, changes to staffing arrangements, or any of a number of other system changes. After these controls are developed but before the system is placed into operation, an assessment must be made of whether the controls are likely to be effective. This is also necessary to avoid introducing new hazards to the system. When the controls are acceptable, the system is placed into operation. The controls would then be continuously monitored under the processes and procedures developed under subpart D, Safety Assurance, to ensure they remain effective.

D. Safety Assurance

An organization needs to ensure that risk controls put into place under safety risk management continue to be effective in maintaining risk within the acceptable levels and that the organization's safety performance is meeting or exceeding its safety objectives. This is accomplished in the safety assurance component of SMS. Safety assurance has three purposes: (1) To confirm that risk controls established during safety risk management are effective; (2) to determine what new risk controls should be developed if new hazards or changes in risk levels are revealed, and (3) to take steps to assure the effectiveness of existing risk controls (e.g., completion of required training by employees, increased supervisory emphasis). To accomplish this, safety assurance has three elements: (1) Safety performance monitoring and measurement (§ 5.71); (2) safety performance assessment (§ 5.73); and (3) continuous improvement (§ 5.75).

The first tool, safety performance monitoring and measuring, would require the development and maintenance of processes or systems that monitor system operations and collect data on the performance of the organization. There are already many sources, processes and systems in place in air carrier operations that collect this type of data. Some of these sources are based on current regulatory requirements and programs that have been voluntarily implemented. The following are just a few examples of existing processes and systems that would satisfy the requirements of safety assurance.

○ Continuing Analysis and Surveillance System (CASS) (§ 121.373). CASS is a currently required system that is used to assure the performance and effectiveness of maintenance and inspection programs, to identify deficiencies, and to determine and implement appropriate action. A typical CASS includes internal auditing of the maintenance and inspection programs, analysis of the resulting data, and development of corrective actions to those programs. This system would be an appropriate process required under subpart D and would be accepted as one means of complying with the provisions of proposed § 5.71(a)(1), (2), (3), (5), and (7).

○ Line Operations Safety Audit (LOSA): LOSA, as described previously, is a voluntary program that could provide partial compliance with the internal auditing requirements of the systems.

○ Flight Operational Quality Assurance (FOQA): FOQA, as discussed previously, could provide information useful to monitor flight operations and maintenance programs. FOQA could provide data useful to compliance with the monitoring and measurement provisions of the proposed rule.

○ Internal Evaluation Program (IEP): IEP is a comprehensive program for evaluating an air carrier's operational systems as well as its assurance programs. It builds on the auditing programs of the internal audit function and provides management with an additional level of assurance that is independent of the operational sub-organizations' audits and reviews. IEPs are required of carriers who contract with the Department of Defense but are not currently required by the FAA. However, many of the auditing and evaluation safety assurance processes of the proposed rule can be addressed by established IEP processes at the carriers who have implemented them.

○ Aviation Safety Action Program (ASAP): ASAPs, as discussed previously, could be used to meet the employee reporting requirements of the proposed rule for those employee groups covered by the ASAP.

○ Voluntary Disclosure Reporting Program (VDRP): VDRP is an FAA program designed for certificate holders to promptly report regulatory violations and show that corrective actions were taken to address the violations. As used in safety assurance, the certificate holder could track the reports submitted through VDRP, analyze the reports to identify compliance trends, and develop and report corrective actions.

In addition to these tools that could be used in safety performance monitoring and measurement, external audits conducted by outside organizations such as the FAA, the Department of Defense, code-share partners, industry organizations, or other third parties selected by the operator provide an excellent source of information regarding the safety performance of the organization. FAA oversight processes provide an external source of safety assurance of the carrier's operational processes and their SMS. Current practices of the Air Transportation Oversight System (ATOS) are designed to evaluate the design of air carrier processes and programs prior to certification, approval, or acceptance. Once systems or programs are in place, FAA inspectors conduct assessments of the programs' performance based upon FAA's assessment of risk as well as randomly sampled inspection activities. Information from these inspections could be used by air carriers to provide independent assessments of their processes and information on areas needing improvement. The air carrier's processes (as described in proposed §§ 5.71, 5.73, and 5.75) would be used to process FAA inspection data, as well as other external audit data. These processes can also be used to demonstrate the carrier's actions in correcting problems that are subjects of self disclosures or other regulatory issues.

If an organization uses an external audit as described above, the organization should use the audit data to augment the data that the organization gained with its own tools. The proposed SMS requirements do not require, however, that operators, especially small scale operators, hire external auditors to evaluate the safety performance of their organization. This is just one option that an air carrier of any size may choose to employ to evaluate its safety performance.

Safety assurance processes would also include investigations as noted under § 5.71(a)(5). Investigations are a reactive tool aimed at specific problems or occurrences in an organization and are a good source of performance data. In an SMS, the objective of investigating is to identify systemic safety deficiencies rather than to assign blame. A company's safety performance is enhanced by removing systemic deficiencies rather than by disciplining individuals who may only have made an error. Errors are not intentional actions and they are common; however, they can have negative outcomes. In an SMS, the point is to prevent the errors from happening or arrange company processes so that mistakes do not have unfortunate effects. Investigations should be done with the understanding of the difference between making an error, committing purposeful harm, or displaying a lack of competence or qualification.

Employee reporting systems provide another excellent source of information regarding the performance of the organization. ASAP is just one example of an employee reporting system that provides specific types of employees to report safety issues or concerns.

Once the air carrier collects the data through the processes under proposed § 5.71(a), it must have processes in place to analyze the data to determine the overall safety performance of the organization. This step is used to transform raw data into usable information that can support informed decision making.

The next step in safety assurance, the safety performance assessment under proposed § 5.73, analyzes the data collected against the safety objectives established by the air carrier in its safety policy. This function includes reviews by the accountable executive, who would review the information and analysis on a regular basis to ensure the organization's compliance with applicable regulatory requirements and safety controls established by the air carrier, to evaluate the performance of the SMS and the effectiveness of the safety controls, to identify changes in the operational environments, and to identify potential new hazards or safety issues. If the assessment reveals new hazards or safety issues, the certificate holder must initiate the processes under safety risk management to evaluate and, if necessary, control the risk to its operation.

The last component of safety assurance is continuous improvement under proposed § 5.75. This step is designed to ensure that the air carrier is correcting substandard safety performance identified during the safety performance assessment to continuously improve the organization's safety performance. The analysis and assessment functions of safety assurance are essential in alerting the organization to significant changes in the operating environment, possibly indicating a need for system change to maintain effective risk controls. The certificate holder should use safety and quality practices, audit and evaluation results, analysis of data, corrective actions, and management reviews developed under this subpart. For example, the certificate holder would take steps to correct noncompliance with existing regulatory requirements or safety controls initiated by the certificate holder.

E. Safety Promotion

An organizational safety effort cannot succeed purely by mandate or strict implementation of policy. The organizational culture and individual attitudes set the tone for the organization's safety performance. An organization's culture consists of the values, beliefs, mission, goals, and sense of responsibility held by the organization's members. The culture ties together the organization's policies, procedures, and processes and provides a sense of purpose to safety efforts. The fourth component of SMS, safety promotion, seeks to enhance the safety culture in an organization through increased employee communication and training.

The safety promotion component requires organizations to ensure employees throughout the organization are trained and competent to perform their safety-related job functions. This training may vary somewhat depending on where in the organization an employee works. Additionally, it is important for all employees to know how to report safety concerns and understand that it is their responsibility to do so. It is not the intent of this rule to establish mandatory training hours or a prescriptive training program. Rather, the training required under proposed § 5.91 may be incorporated into the air carrier's existing training programs, or may be provided separately, as changes are made to the operating system for which the individual is responsible. Training may range from formal classroom training to simple notice alerts when changes are made to update a system. For these reasons the FAA has determined that it is appropriate for the air carrier to develop training that meets the needs of the organization, including the content, methods of delivery, and frequency of training.

In addition to training, communication of critical safety information is essential to building a positive safety culture. The organization must put in place processes that allow for open communication among employees and the organization's management. The organization must make every effort to communicate its goals and objectives, as well as the current status of its activities and significant events. Likewise, the organization must supply a means of communication that fosters an environment of collaboration, trust, and respect. Thus, proposed § 5.93 would require the certificate holder to develop and maintain a means for communicating safety information.

F. SMS Documentation and Recordkeeping

Documentation of SMS requirements, processes and procedures, and outputs is necessary in order for certificate holders to conduct a meaningful analysis under safety risk management, to review safety assurance activities, and for the FAA to review for compliance during inspections. Documentation and recordkeeping also ensure that safety-related decisions are consistent with safety policies and goals and provide historical information that can be used to make future safety-related decisions.

The FAA, therefore, is proposing a set of documentation and recordkeeping requirements under subpart F of part 5. As proposed in § 5.91, the air carrier would be required to document its safety policy and SMS processes and procedures. The safety policy requirements are described in more detail in proposed § 5.21. Documentation of the certificate holder's SMS processes and procedures include the steps involved, methods to be used and associated criteria, objectives, expected outputs, and outcomes necessary to meet the regulatory requirements. For instance, proposed § 5.71(a)(3) requires internal audits. Proposed § 5.95(b) requires that the audit processes and procedures be documented. This would also include the criteria, scope, and frequency of the audits.

As proposed in § 5.97, the air carrier would maintain records of the outputs (risk assessments, implemented risk controls) of safety risk management and safety assurance processes. Outputs of safety risk management processes would be retained for as long as they remain relevant to the operation. For risk assessments, this may mean for as long as the air carrier engages in that activity. For risk controls, it may mean for as long as the risk control remains in effect. These records can be kept either electronically or in paper format. In addition, the certificate holder would be required to retain outputs of safety assurance processes for a minimum of five years, and training and communication records for a minimum of 24 months. The timelines associated with the retention of these documents ensure that they are kept for a time period that provides the air carrier with sufficient historical data to conduct the required analyses and assessments. The retention requirements are consistent with other retention requirements in part 121. Furthermore, these are minimum retention requirements. A certificate holder may retain its documents for longer time periods if necessary.

IV. Regulatory Notices and Analyses

Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires that the FAA consider the impact of paperwork and other information collection burdens imposed on the public. According to the 1995 amendments to the Paperwork Reduction Act (5 CFR 1320.8(b)(2)(vi)), an agency may not collect or sponsor the collection of information, nor may it impose an information collection requirement unless it displays a currently valid Office of Management and Budget (OMB) control number.

This action contains the following proposed new information collection requirements. As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), the FAA will be submitting these proposed information collection amendments to OMB for its review and approval before the information collection related provisions go into effect. FAA specifically requests comments regarding the cost and staff hours necessary for information collection and record keeping required under proposed part 5.

Summary: The new 14 CFR part 5 would require certificate holders authorized to conduct operations under part 121 to develop and implement a Safety Management System (SMS) for all of their aviation safety-related activities. An SMS is a formalized approach to managing safety by developing an organization-wide safety policy, developing formal methods of identifying hazards, analyzing, and mitigating risk, developing methods for ensuring continuous safety improvement, and creating organization-wide safety promotion strategies. When systematically applied in an SMS, these activities provide a set of decision-making tools that certificate holders can use to improve safety.

Use: Each certificate holder operating under a part 121 certificate would develop its SMS based on its own unique operating environment. The FAA expects an SMS comprised of four key components: Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion. Collection and analysis of safety data is an essential part of an SMS. In addition, a primary component of an SMS is the publication of safety policy, which establishes the foundation for the SMS. Two other essential components of SMS are safety risk management and safety assurance. The certificate holder is required to maintain records of the outputs of these processes. Safety promotion is the other component of SMS. Within it, the certificate holder is required to maintain training records and records of communications used to promote safety. However, it is important to note that some part 121 certificate holders already have and maintain some of these documents and records as a result of other voluntary or required programs. Finally, because of the complexity involved in the development and implementation of an SMS, a phased approach to implementation within the certificate holder's organization will be used. Part of the initial phase is the development of an implementation plan, which will guide the certificate holder's implementation, as well as provide the basis for the FAA's oversight during the development and implementation phases. The implementation plan is the only new document or data the certificate holder will submit to the FAA due to the new rule.

Respondents: 90.

Frequency: Initial and Annual Burden (ongoing collection and record keeping)

Sec. 119.8/5.95 Implementation Plan/SMS Documentation

The FAA estimates that there are approximately 90 operators who would be respondents that would be in compliance with these proposed requirements. All certificate holders are required to develop and submit an implementation plan to establish and document a safety policy that outlines the policy and objectives of the company. Although much of the information would depend on a carrier's specific operation and size, all carriers would need to document the following: implementation plan, commitment to safety management and objectives, responsibilities of an accountable executive and management representatives, and a coordinated emergency response plan. Costs for SMS documentation come from both the necessary man hours to research and document the safety policy, processes, and procedures, as well as the actual documentation. Carriers also reported recurring costs for updates to the document. The FAA assumes that the majority of document updates are minor at minimal.

Implementation Plan and SMS Documentation (Initial Hourly Burden):

2 full time employees per carrier; 3000 hours per year.

90 certificated carriers × 3000 hours annually = 270,000 hours annually.

270,000 hours annually * 3 years = 810,000 total hours.

$38,880,000 Total Initial Labor Costs for 3 years.

+ 25,733,400 Material Costs of Documentation for 3 years.

$64,613,400 Total Estimated Initial Cost Burden for 3 years.

Estimated Recurring Annual Cost for SMS Documentation:

  • 2 full time employees per carrier; 350 hours per year.
  • 90 certificated carriers * 350 hours = 31,000 hours annually.

$1,125,000 Total Labor Cost per Year.

+$252,000 Material Costs of Documentation per Year.

$1,377,000 Total Estimated Annual Recurring SMS Documentation.

Sec. 5.97 SMS records

This proposed rule would require carriers to record output from their safety risk management (SRM) process, safety assurance (SA) process, safety communications, and SMS training. All of these records depend on a carrier's operations. The FAA does not specify how, or in what media, documents and records must be maintained relative to the requirements in this proposed rule. However, it encourages certificates holders to use existing mechanisms and systems to minimize the burden. The FAA also believes that there would be minimal additional costs for the maintenance of training records since part 121 certificate holders already maintain training records.

Estimated Implementation Costs:

  • 2 full time employees per carrier; 2000 hours per year.
  • 90 certificated carriers * 2000 hours = 180,000 hours annually.
  • 180,000 hours annually * 3 years = 540,000 total hours.

$25,920,000 Total Labor Cost for 3 Years.

+ $26,356,200 Equipment/Software Implementation Costs for 3 Years.

$52,276,200 Total Estimated Implementation Cost Burden for 3 Years.

Estimated Annual Operating Costs:

  • 2 full time employees per carrier; 3500 hours per year. The agency is soliciting comments to—

(1) Evaluate whether the proposed information collection requirements (including recordkeeping, record retention, and auditing) are necessary for the proper performance of the functions of the agency, including whether the information will have practical utility;

(2) Evaluate the accuracy of the agency's estimate of the burden;

(3) Enhance the quality, utility, and clarity of the information to be collected; and

(4) Minimize the burden of collecting information on those who are to respond, including by using appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.

Individuals and organizations may send comments on the information collection requirement by February 3, 2011, and should direct them to the address listed in the ADDRESSES section at the beginning of this preamble. Comments also should be submitted to the Office of Management and Budget, Office of Information and Regulatory Affairs, Attention: Desk Officer for FAA, New Executive Office Building, Room 10202, 725 17th Street, NW., Washington, DC 20053.

International Compatibility

In keeping with U.S. obligations under the Convention on International Civil Aviation, it is FAA policy to conform to International Civil Aviation Organization (ICAO) Standards and Recommended Practices to the maximum extent practicable. The FAA has reviewed the corresponding ICAO Standards and Recommended Practices and has identified the following differences with these proposed regulations. Amendment 30 to Annex 6 part I Section 3.2 Safety Management, Paragraph 3.3.6 effective 1 January, 2009 requires that a Flight Data Analysis Program be in the SMS standard. If this proposal is adopted, the FAA intends to file a difference with ICAO.

ICAO Annex 6 part I includes a provision that part 121 air carriers operating airplanes having a maximum gross takeoff weight in excess of 27,000 kg (approximately 59,400 lb). “* * * shall establish and maintain a flight data analysis programme as part of its safety management system.” Flight Data Analysis Program (FDAP) is a general term encompassing a number of means by which routine flight operations data may be acquired, recorded, analyzed, and shared. Flight Operational Quality Assurance (FOQA) is one such program. FOQA is a formal voluntary program which has been implemented by 41 certificate holders conducting operations under part 121. FOQA specifications include installation of extensive flight data recording systems which facilitate rapid transfer of recorded data, de-identification of that data, and agreements between pilot organizations and the carriers which define how this information may be used.

The part 121 fleet is diverse in terms of size, complexity, and age, as well as the size of the companies that operate them. Many of the older aircraft would require extensive modifications to adapt them to the technical requirements of a FOQA program. The investment and expense of implementing and maintaining such a system exceeds the financial capability of many smaller carriers. There are a number of ways to meet the requirements of an FDAP. Therefore, the FAA will not require FOQA in this rule. This issue is discussed further in the Congressional Mandate section of this NPRM.

Regulatory Evaluation, Regulatory Flexibility Determination, International Trade Impact Assessment, and Unfunded Mandates Assessment

Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866 directs that each Federal agency shall propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation with base year of 1995). This portion of the preamble summarizes the FAA's analysis of the economic impacts of this proposed rule. Readers seeking greater detail should read the full regulatory evaluation, a copy of which we have placed in the docket for this rulemaking.

In conducting these analyses, the FAA has determined that this proposed rule has benefits that justify its costs, is not an economically “significant regulatory action” as defined in section 3(f) of Executive Order 12866, (3) is “significant” as defined in DOT's Regulatory Policies and Procedures; (4) would have a significant economic impact on a substantial number of small entities; and (5) would not impose an unfunded mandate on state, local, or tribal governments, or on the private sector by exceeding the threshold identified above. These analyses are summarized below.

Total Benefits and Costs of This Rule

Who is Potentially Affected by this Rule?

All Part 121 Operators

Assumptions

  • All costs and benefits are presented in 2010 dollars.
  • All costs and benefits are estimated over a 20-year period from 2012 through 2031.
  • Benefits of SMS implementation would begin to accrue in 2015.
  • Costs to airlines and air carriers would begin to accrue in 2012.
  • The present value discount rate of 7 percent

The estimated cost of this proposed rule is $710.8 million ($375.5 million in present value terms). The estimated potential benefits from avoided casualties, aircraft damage and accident investigation costs are $1,143.1 million ($500.8 million in present value terms).

Benefits of This Rule

The benefits of this proposed rule consist of the value of averted casualties, aircraft damage, and accident investigation costs by identifying safety issues and spotting trends before they result in a near-miss, incident, or accident. Although, an SMS would help carriers detect problems early, the FAA also recognizes that both the severity of the problem and possible mitigations impact the rate at which future accidents would be prevented. Over the 20-year period of analysis, the FAA estimates potential benefits of $1,143.1 million ($500.8 million in present value terms).

Costs of This Rule

Each air carrier would be required to develop an SMS that includes the four SMS components: Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion. To support each component, the FAA projects that the compliance cost of this proposed rule would come from the initial development and documentation of their SMS, implementation and continuous operating costs to include the modification or purchasing of new equipment/software, additional staff and promotional materials, and training. Costs range depending on the size of the carrier and the type of operations that they provide. Further, operators have existing quality management systems which may lower the estimated compliance costs. In total this proposed rule is estimated to cost carriers $710.8 million dollars over 20 years ($375.5 million present value).

Regulatory Flexibility Determination

The Regulatory Flexibility Act of 1980 (Pub L. 96-354) (RFA) establishes “as a principle of regulatory issuance that agencies shall endeavor, consistent with the objectives of the rule and of applicable statutes, to fit regulatory and informational requirements to the scale of the businesses, organizations, and governmental jurisdictions subject to regulation. To achieve this principle, agencies are required to solicit and consider flexible regulatory proposals and to explain the rationale for their actions to assure that such proposals are given serious consideration.” The RFA covers a wide-range of small entities, including small businesses, not-for-profit organizations, and small governmental jurisdictions.

Agencies must perform a review to determine whether a rule will have a significant economic impact on a substantial number of small entities. If the agency determines that it will, the agency must prepare a regulatory flexibility analysis as described in the RFA.

Each initial regulatory flexibility analysis required under this section shall contain—

1. A description of the reasons why action by the agency is being considered:

The objective of SMS is to proactively manage safety, to identify potential hazards, to determine risk, and to implement measures that mitigate the risk. The FAA envisions operators being able to use all of the components of SMS to enhance a carrier's ability to identify safety issues and spot trends before they result in a near-miss, incident, or accident. For this reason, the FAA seeks to require carriers to develop and implement an SMS. Lastly, the proposed rule meets a congressional mandate.

2. A succinct statement of the objectives of and legal basis for, the proposed rule:

The authority for this rulemaking is derived from Title 49 of the United States Code in addition to the Airline Safety and Federal Aviation Administration Extension Act of 2010 (the Act), Public Law 111-216, § 215 (August 1, 2010). The Act requires the FAA to conduct rulemaking “requiring all part 121 air carriers to implement a safety management system.”

3. A description of and, where feasible, an estimate of the number of small entities to which the proposed rule will apply:

Under NAICS codes 481111 and 481112, for scheduled air transportation, small entities would be all part 121 carriers with less than 1,500 employees. The FAA estimates that there are approximately 90 part 121 operators and 64 of these operators meet the definition of a small entity; therefore the FAA believes that there are a substantial number of small entities impacted by this rule.

4. A description of the projected reporting, recordkeeping and other compliance requirements of the proposed rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record:

An SMS is a formalized approach to managing safety by developing an organization-wide safety policy, developing formal methods of identifying hazards, analyzing and mitigating risk, developing methods for ensuring continuous safety improvement, and creating organization-wide safety promotion strategies. Each air carrier would be required to develop an SMS that includes the four SMS components: Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion. To support each component, the FAA projects that the compliance cost of this proposed rule would come from the initial development and documentation of their SMS, implementation and continuous operating costs to include the modification or purchasing of new equipment/software, additional staff and promotional materials, and training. Costs range depending on the size of the carrier and the type of operations that they provide. The FAA estimates that for a small carrier, with less than 9 aircraft, compliance would cost $253,500 per year for the first three years and then roughly $233,000 per year for subsequent years. For medium sized carriers, that have 10 to 49 aircraft, but still have less than 1,500 employees the compliance cost would be $342,450 per carrier per year for the first 3 years and then $222,500 every years after. Although, the compliance costs are more than 3% of a small to medium carriers operating costs, there is a lot of variability surrounding these estimates. Carriers could spend more or less given the flexibility of this proposed rule, and the FAA believes that carriers would choose an option where they can maximize their benefits and minimize their costs. The FAA has determined that this proposed rule has a significant economic impact on small carriers.

5. An identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap or conflict with the proposed rule:

The FAA is not aware of any Federal rules that would duplicate, overlap or conflict with this proposed rule.

Each initial regulatory flexibility analysis shall also contain a description of any significant alternatives to the proposed rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the proposed rule on small entities. Consistent with the stated objectives of applicable statutes, the analysis shall discuss significant alternatives such as:

1. The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities;

2. Clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities;

3. The use of performance rather than design standards; and

4. An exemption from coverage of the rule, or any part thereof, for such small entities.

This proposed rule is congressionally mandated leaving little room for alternatives in terms of adopting a safety management system. All Part 121 operators would be required to establish an SMS with no exemptions for small entities. However, to accommodate small businesses the FAA intends to make the implementation of SMS flexible and scalable. Carriers can adapt SMS to their existing programs therein reducing the cost. There are already many sources, processes and systems in place in air carrier operations that collect this type of data that could be utilized to meet this requirement for an SMS. As described throughout this document, Flight Operational Quality Assurance (FOQA) and Aviation Safety Action Program (ASAP) are good examples of a source that is already in place for a large number of carriers. Following congressional direction the FAA is not considering other alternatives and requests comments on potential alternatives that would minimize the impact on small businesses.

The FAA believes that this proposed rule would have a significant impact on a substantial number of small entities for the following reasons: We estimate that 64 operators are small entities and the compliance costs could be higher than three percent of their operating costs. Even though the proposed rule responds to the PL 111-216 Congressional requirement, we structured the requirement such that small entities could meet the requirements with lower costs than a larger firm.

Unfunded Mandates Assessment

Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) requires each Federal agency to prepare a written statement assessing the effects of any Federal mandate in a proposed or final agency rule that may result in an expenditure of $100 million or more (in 1995 dollars) in any one year by State, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a “significant regulatory action.” The FAA currently uses an inflation-adjusted value of $143.1 million in lieu of $100 million. This proposed rule does not contain such a mandate; therefore, the requirements of Title II of the Act do not apply.

Executive Order 13132, Federalism

The FAA has analyzed this proposed rule under the principles and criteria of Executive Order 13132, Federalism. We determined that this action would not have a substantial direct effect on the States, on the relationship between the national Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, would not have federalism implications.

Environmental Analysis

FAA Order 1050.1E identifies FAA actions that are categorically excluded from preparation of an environmental assessment or environmental impact statement under the National Environmental Policy Act in the absence of extraordinary circumstances. The FAA has determined this proposed rulemaking action qualifies for the categorical exclusion identified in paragraph Chapter 3, paragraph 312d and involves no extraordinary circumstances.

Regulations That Significantly Affect Energy Supply, Distribution, or Use

The FAA has analyzed this NPRM under Executive Order 13211, Actions Concerning Regulations that Significantly Affect Energy Supply, Distribution, or Use (May 18, 2001). We have determined that it is not a “significant energy action” under the executive order, and it is not likely to have a significant adverse effect on the supply, distribution, or use of energy.

Additional Information

Comments Invited:

The FAA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. We also invite comments relating to the economic, environmental, energy, or federalism impacts that might result from adopting the proposals in this document. FAA also intends to propose separate SMS rulemakings in other sectors of the aviation industry. When the FAA does propose any such rulemaking, the FAA will take into account the unique qualities of the industry to which they will apply, and will use lessons learned from this rulemaking, to include: Scalability, flow-through, flexibility, performance standards, and status of existing SMS programs. The most helpful comments reference a specific portion of the proposal, explain the reason for any recommended change, and include supporting data. To ensure the docket does not contain duplicate comments, please send only one copy of written comments, or if you are filing comments electronically, please submit your comments only one time.

We will file in the docket all comments we receive, as well as a report summarizing each substantive public contact with FAA personnel concerning this proposed rulemaking. Before acting on this proposal, we will consider all comments we receive on or before the closing date for comments. We will consider comments filed after the comment period has closed if it is possible to do so without incurring expense or delay. We may change this proposal in light of the comments we receive.

Proprietary or Confidential Business Information

Do not file in the docket information that you consider to be proprietary or confidential business information. Send or deliver this information directly to the person identified in the FOR FURTHER INFORMATION CONTACT section of this document. You must mark the information that you consider proprietary or confidential. If you send the information on a disk or CD-ROM, mark the outside of the disk or CD-ROM and also identify electronically within the disk or CD-ROM the specific information that is proprietary or confidential.

Under 14 CFR 11.35(b), when we are aware of proprietary information filed with a comment, we do not place it in the docket. We hold it in a separate file to which the public does not have access, and we place a note in the docket that we have received it. If we receive a request to examine or copy this information, we treat it as any other request under the Freedom of Information Act (5 U.S.C. 552). We process such a request under the DOT procedures found in 49 CFR part 7.

Availability of Rulemaking Documents

You can get an electronic copy of rulemaking documents using the Internet by—

1. Searching the Federal eRulemaking Portal ( http://www.regulations.gov );

2. Visiting the FAA's Regulations and Policies web page at http://www.faa.gov/regulations_policies or

3. Accessing the Government Printing Office's web page at http://www.gpoaccess.gov/fr/index.html.

You can also get a copy by sending a request to the Federal Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence Avenue, SW., Washington, DC 20591, or by calling (202) 267-9680. Make sure to identify the docket or notice number of this rulemaking.

You may access all documents the FAA considered in developing this proposed rule, including economic analyses and technical reports, from the internet through the Federal eRulemaking Portal referenced in paragraph (1).

List of Subjects

14 CFR Part 5

  • Air carriers
  • Aircraft
  • Airmen
  • Aviation safety
  • Reporting and recordkeeping requirements
  • Safety
  • Transportation

14 CFR Part 119

  • Administrative practice and procedure
  • Air carriers
  • Aircraft
  • Aviation safety
  • Charter flights
  • Reporting and recordkeeping requirements

The Proposed Amendment

For the reasons stated in the preamble, the Federal Aviation Administration proposes to amend 14 CFR Chapter I as follows:

1. The heading for subchapter A is revised to read as follows:

Subchapter A—Definitions and General Requirements

2. Add part 5 to read as follows:

PART 5—SAFETY MANAGEMENT SYSTEMS

Subpart A—General
5.1
Applicability.
5.3
General requirements.
5.5
Definitions.
Subpart B—Safety Policy
5.21
Safety policy.
5.23
Safety accountability and authority.
5.25
Designation and responsibilities of required safety management personnel.
5.27
Coordination of emergency response planning.
Subpart C—Safety Risk Management
5.51
Applicability.
5.53
System analysis and hazard identification.
5.55
Safety risk assessment and control.
Subpart D—Safety Assurance
5.71
Safety performance monitoring and measurement.
5.73
Safety performance assessment.
5.75
Continuous improvement.
Subpart E—Safety Promotion
5.91
Competencies and training.
5.93
Safety communication.
Subpart F—SMS Documentation and Recordkeeping
5.95
SMS documentation.
5.97
SMS records.

Authority: Public Law 111-216, sec. 215 (Aug. 1, 2010); 49 U.S.C. 106(g), 40101, 40113, 40119, 41706, 44101, 44701-44702, 44705, 44709-44711, 44713, 44716-44717, 44722, 46105.

Subpart A—General

§ 5.1
Applicability.

(a) A certificate holder under part 119 of this chapter authorized to conduct operations in accordance with the requirements of part 121 of this chapter must have a Safety Management System that meets the requirements of this part and is acceptable to the Administrator by [date 3 years after the effective date of final rule].

(b) A certificate holder must submit an implementation plan to the FAA Administrator for approval no later than [date 6 months after the effective date of the final rule].

(c) The implementation plan may include any of the certificate holder's existing programs, policies, or procedures that it intends to use to meet the requirements of this part, including components of an existing SMS.

§ 5.3
General requirements.

(a) Any certificate holder required to have a Safety Management System under this part must submit the Safety Management System to the Administrator for acceptance. The Safety Management System must include at least the following components:

(1) Safety policy in accordance with the requirements of subpart B of this part;

(2) Safety risk management in accordance with the requirements of subpart C of this part;

(3) Safety assurance in accordance with the requirements of subpart D of this part; and

(4) Safety promotion in accordance with the requirements of subpart E of this part.

(b) The Safety Management System must be maintained in accordance with the recordkeeping requirements in subpart F of this part.

(c) The Safety Management System must ensure compliance with the relevant regulatory standards in chapter I of Title 14 of the Code of Federal Regulations.

§ 5.5
Definitions.

Hazard means a condition that can lead to injury, illness or death to people; damage to or loss of a system, equipment, or property; or damage to the environment.

Risk means the composite of predicted severity and likelihood of the potential effect of a hazard.

Risk control means a means to reduce or eliminate the effects of hazards.

Safety assurance means processes within the SMS that function systematically to ensure the performance and effectiveness of safety risk controls and that the organization meets or exceeds its safety objectives through the collection, analysis, and assessment of information.

Safety Management System (SMS) means the formal, top-down, organization-wide approach to managing safety risk and assuring the effectiveness of safety risk controls. It includes systematic procedures, practices, and policies for the management of safety risk.

Safety objective means a measurable goal or desirable outcome related to safety.

Safety performance means realized or actual safety accomplishment relative to the organization's safety objectives.

Safety policy means the certificate holder's documented commitment to safety, which defines its safety objectives and the accountabilities and responsibilities of its employees in regards to safety.

Safety promotion means a combination of training and communication of safety information to support the implementation and operation of an SMS in an organization.

Safety Risk Management means a process within the SMS composed of describing the system, identifying the hazards, and analyzing, assessing and controlling risk.

Subpart B—Safety Policy

§ 5.21
Safety policy.

(a) The certificate holder must have a safety policy that includes at least the following:

(1) The safety objectives of the certificate holder.

(2) A commitment of the certificate holder to fulfill the organization's safety objectives.

(3) A clear statement about the provision of the necessary resources for the implementation of the SMS.

(4) A safety reporting policy that defines requirements for employee reporting of safety hazards or issues.

(5) A policy that defines unacceptable behavior and conditions for disciplinary action.

(6) An emergency response plan that provides for the safe transition from normal to emergency operations in accordance with the requirements of § 5.27.

(b) The safety policy must be in accordance with all applicable regulatory requirements in Chapter I of Title 14 of the Code of Federal Regulations and must reflect the certificate holder's commitment to safety.

(c) The safety policy must be signed by the accountable executive described in § 5.25.

(d) The safety policy must be documented and communicated throughout the certificate holder organization.

(e) The safety policy must be regularly reviewed by the accountable executive to ensure it remains relevant and appropriate to the certificate holder.

§ 5.23
Safety accountability and authority.

(a) The certificate holder must define accountability for safety within the organization's safety policy for the following individuals:

(1) Accountable executive, as described in § 5.25.

(2) All members of management in regard to developing, implementing, and maintaining SMS processes within their area of responsibility, including, but not limited to:

(i) Hazard identification and safety risk assessment.

(ii) Assuring the effectiveness of safety risk controls.

(iii) Promoting safety as required in subpart E of this part.

(iv) Advising the accountable executive on the performance of the SMS and on any need for improvement.

(3) Employees relative to the certificate holder's safety performance.

(b) The certificate holder must identify the levels of management with the authority to make decisions regarding safety risk acceptance.

§ 5.25
Designation and responsibilities of required safety management personnel.

(a) Designation of the accountable executive. The certificate holder must identify an accountable executive who, irrespective of other functions, satisfies the following:

(1) Is the final authority over operations authorized to be conducted under the certificate holder's certificate(s).

(2) Controls the financial resources required for the operations to be conducted under the certificate holder's certificate(s).

(3) Controls the human resources required for the operations authorized to be conducted under the certificate holder's certificate(s).

(4) Retains ultimate responsibility for the safety performance of the operations conducted under the certificate holder's certificate.

(b) Responsibilities of the accountable executive. The accountable executive must accomplish the following:

(1) Ensure that the SMS is properly implemented and performing in all areas of the certificate holder's organization.

(2) Develop and sign the safety policy of the certificate holder.

(3) Communicate the safety policy throughout the certificate holder's organization.

(4) Regularly review the certificate holder's safety policy to ensure it remains relevant and appropriate to the certificate holder.

(5) Regularly review the safety performance of the certificate holder's organization and direct actions necessary to address substandard safety performance in accordance with § 5.75.

(c) Designation of a management representative. The accountable executive must designate a management representative who, on behalf of the accountable executive, must be responsible for the following:

(1) Facilitating hazard identification and safety risk analysis.

(2) Monitoring the effectiveness of safety risk controls.

(3) Ensuring safety promotion throughout the certificate holder's organization as required in subpart E of this part.

(4) Regularly reporting to the accountable executive on the performance of the SMS and on any need for improvement.

§ 5.27
Coordination of emergency response planning.

Where emergency response procedures are necessary, the accountable executive and management representative must develop, as part of the safety policy of the certificate holder, an emergency response plan that addresses at least the following:

(a) Delegation of emergency authority throughout the certificate holder's organization;

(b) Assignment of employee responsibilities during the emergency; and

(c) Coordination of the certificate holder's emergency response plans with the emergency response plans of other organizations it must interface with during the provision of its services.

Subpart C—Safety Risk Management

§ 5.51
Applicability.

A certificate holder must apply safety risk management to a system under any of the following conditions:

(a) Implementation of new systems.

(b) Revision of existing systems.

(c) Development of operational procedures.

(d) Identification of hazards or ineffective risk controls through the safety assurance processes in subpart D of this part.

§ 5.53
System analysis and hazard identification.

(a) When applying safety risk management, the certificate holder must have a process to describe and analyze the system for use in identifying hazards under paragraph (c) of this section, and developing and implementing risk controls related to the system under § 5.55(c).

(b) In conducting the system analysis, the following information must be considered:

(1) Function and purpose of the system.

(2) The system's operating environment.

(3) An outline of the system's processes and procedures.

(4) The personnel, equipment, and facilities necessary for operation of the system.

(c) The certificate holder must develop and maintain processes to identify hazards within the context of the system analysis.

§ 5.55
Safety risk assessment and control.

(a) The certificate holder must develop and maintain processes to analyze safety risk associated with the hazards identified in § 5.53(c).

(b) The certificate holder must define a process for conducting risk assessment that allows for the determination of acceptable safety risk. Acceptable safety risk must, at a minimum, comply with the applicable regulatory requirements set forth in Chapter I of title 14 of the Code of Federal Regulations.

(c) The certificate holder must develop and maintain processes to develop safety risk controls that are necessary as a result of the safety risk assessment process under paragraph (b) of this section.

(1) The certificate holder must evaluate whether the risk will be acceptable with the proposed safety risk control applied, before the safety risk control is implemented.

(2) The safety risk controls must, at a minimum, comply with the applicable regulatory requirements set forth in Chapter I of title 14 of the Code of Federal Regulations.

Subpart D—Safety Assurance

§ 5.71
Safety performance monitoring and measurement.

(a) The certificate holder must develop and maintain processes and systems to acquire data with respect to its operations, products, and services to monitor the safety performance of the organization. These processes and systems must include, at a minimum, processes, and systems for the following:

(1) Continuous monitoring of operational processes.

(2) Periodic monitoring of the operational environment to detect changes.

(3) Auditing of operational processes and systems.

(4) Evaluations of the SMS and operational processes and systems.

(5) Investigations of incidents and accidents.

(6) Investigations of reports regarding potential non-compliance with regulatory standards or other safety risk controls established by the certificate holder through the safety risk management process established in subpart B of this part.

(7) A confidential employee reporting system in which employees can report, including, but not limited to: Hazards, issues, concerns, occurrences, incidents, as well as propose solutions and safety improvements.

(b) The certificate holder must develop and maintain processes that analyze the data acquired through the processes and systems identified under paragraph (a) of this section and any other relevant data with respect to its operations, products, and services.

§ 5.73
Safety performance assessment.

(a) The certificate holder must conduct assessments of its safety performance against its safety objectives, which include reviews by the accountable executive, to:

(1) Ensure the certificate holder's compliance with the applicable regulatory requirements in Chapter I of title 14 of the Code of Federal Regulations and additional safety risk controls established by the certificate holder.

(2) Evaluate the performance of the SMS.

(3) Evaluate the effectiveness of the safety risk controls established under § 5.55(c) and identify any ineffective controls.

(4) Identify changes in the operational environment that may introduce new hazards.

(5) Identify potential new hazards or safety issues and concerns.

(b) Upon completion of the assessment, if ineffective controls, new hazards, or potential hazards are identified under paragraph (a)(2) through (a)(4) of this section, the certificate holder must use the safety risk management process described in subpart C of this part.

§ 5.75
Continuous improvement.

The certificate holder must establish and implement processes to correct substandard safety performance identified in the assessments conducted under § 5.73.

Subpart E—Safety Promotion

§ 5.91
Competencies and training.

The certificate holder must provide training to each individual identified in § 5.23 to ensure the individuals attain and maintain the qualifications necessary to perform their duties relevant to the operation and performance of the SMS.

§ 5.93
Safety communication.

(a) The certificate holder must develop and maintain means for communicating safety information that, at a minimum:

(b) Ensures that all personnel are aware of the SMS.

(c) Conveys safety critical information.

(d) Explains why particular safety actions are taken.

(e) Explains why safety procedures are introduced or changed.

Subpart F—SMS Documentation and Recordkeeping

§ 5.95
SMS documentation.

The certificate holder must develop and maintain SMS documentation that describes the certificate holder's:

(a) Safety policy.

(b) SMS processes and procedures.

§ 5.97
SMS records.

(a) The certificate holder must maintain records of outputs of safety risk management processes as described in subpart C of this part. Such records must be retained for as long as the control remains relevant to the operation.

(b) The certificate holder must maintain records of outputs of safety assurance processes as described in subpart D of this part. Such records must be retained for a minimum of 5 years.

(c) The certificate holder must maintain a record of all training provided under § 5.91 for each individual. Such records must be retained for a minimum of 24 consecutive calendar months after completion of the training.

(d) The certificate holder must retain records of all communications provided under § 5.93 for a minimum of 24 consecutive calendar months.

PART 119—CERTIFICATION: AIR CARRIERS AND COMMERCIAL OPERATORS

3. The authority citation for part 119 is revised to read as follows:

Authority: Public Law 111-216, sec. 215 (August 1, 2010); 49 U.S.C. 106(g), 1153, 40101, 40102, 40103, 40113, 44105, 44106, 44111, 44701-44717, 44722, 44901, 44903, 44904, 44906, 44912, 44914, 44936, 44938, 46103, 46105.

4. Add § 119.8 to read as follows:

§ 119.8
Safety Management Systems.

(a) Certificate holders authorized to conduct operations under part 121 of this chapter must have a safety management system that meets the requirements of part 5 of this chapter and is acceptable to the Administrator by [date 3 years after effective date of final rule].

(b) Certificate holders required to have an SMS under this section must submit an SMS implementation plan in a form and manner prescribed by the Administrator to the certificate-holding district office for approval by [date 6 months after effective date of final rule].

(c) A person applying to the Administrator for an air carrier certificate or operating certificate to conduct operations under part 121 of this chapter after [effective date of final rule] must demonstrate, as part of the application process under § 119.35, that it has an SMS that meets the standards set forth in part 5 of this chapter and is acceptable to the Administrator.

Issued in Washington, DC, on October 29, 2010.

Margaret Gilligan,

Associate Administrator, Office of Aviation Safety.

[FR Doc. 2010-28050 Filed 11-4-10; 8:45 am]

BILLING CODE 4910-13-P