
[Federal Register Volume 75, Number 214 (Friday, November 5, 2010)]
[Proposed Rules]
[Pages 68224-68245]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-28050]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 5 and 119

[Docket No. FAA-2009-0671; Notice No. 10-15]
RIN 2120-AJ86


Safety Management Systems for Part 121 Certificate Holders

AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).

ACTION: Notice of proposed rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: The FAA proposes to require each certificate holder operating 
under 14 CFR part 121 to develop and implement a safety management 
system (SMS) to improve the safety of their aviation related 
activities. A safety management system is a comprehensive, process-
oriented approach to managing safety throughout an organization. An SMS 
includes an organization-wide safety policy; formal methods for 
identifying hazards, controlling, and continually assessing risk; and 
promotion of a safety culture. SMS stresses not only compliance with 
technical standards but increased emphasis on the overall safety 
performance of the organization.

DATES: Send your comments on or before February 3, 2011.

ADDRESSES: You may send comments identified by Docket Number FAA- 2009-
0671 using any of the following methods:
     Federal eRulemaking Portal: Go to http://www.regulations.gov and follow the instructions for sending your 
comments electronically.
     Mail: Send comments to Docket Operations, M-30, U.S 
Department of Transportation, 1200 New Jersey Avenue, SE., West 
Building Ground Floor, Room W12-140, Washington, DC 20590-0001.
     Fax: Fax comments to Docket Operations at (202) 493-2251.
     Hand Delivery: Bring comments to Docket Operations in Room 
W12-140 of the West Building (Ground Floor) at 1200 New Jersey Avenue, 
SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, 
except Federal holidays. For more information on the rulemaking 
process, see the SUPPLEMENTARY INFORMATION section of this document.
    Privacy: We will post all comments we receive, without change, to 
http://www.regulations.gov, including any personal information you 
provide. Using the search function of our docket Web site, anyone can 
find and read the comments received into any of our dockets, including 
the name of the individual sending the comment (or signing the comment 
for an association, business, labor union, etc.). You may review DOT's 
complete Privacy Act Statement in the Federal Register published on 
April 11, 2000 (65 FR 19477-78), or you may visit http://DocketsInfo.dot.gov.
    Docket: To read background documents or comments received, go to 
http://www.regulations.gov at any time or to Docket Operations in Room 
W12- 140 of the West Building Ground Floor at 1200 New Jersey Avenue, 
SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, 
except Federal holidays.

FOR FURTHER INFORMATION CONTACT: Scott Van Buren, Chief System Engineer 
for Aviation Safety, Office of Accident Investigation and Prevention 
(AVP), Federal Aviation Administration, 800 Independence Avenue, SW., 
Washington, DC 20591; telephone: (202) 494-8417; facsimile: (202) 267-
3992; e-mail: scott.vanburen@faa.gov. For legal questions, contact Anne 
Bechdolt, Regulations Division, Office of the Chief Counsel, Federal 
Aviation Administration, 800 Independence

[[Page 68225]]

Avenue, SW., Washington, DC 20591; telephone: (202) 267-3073; 
facsimile: (202) 267-7971; e-mail: anne.bechdolt@faa.gov.

SUPPLEMENTARY INFORMATION: Later in this preamble under the Additional 
Information section, we discuss how you can comment on this proposal 
and how we will handle your comments. Included in this discussion is 
related information about the docket, privacy, and the handling of 
proprietary or confidential business information. We also discuss how 
you can get a copy of related rulemaking documents.

Authority for This Rulemaking

    The FAA's authority to issue rules on aviation safety is found in 
Title 49 of the United States Code. This rulemaking is promulgated 
under the authority described in 49 U.S.C. 44701(a)(5), which requires 
the Administrator to promulgate regulations and minimum standards for 
other practices, methods, and procedures necessary for safety in air 
commerce and national security.
    In addition, the Airline Safety and Federal Aviation Administration 
Extension Act of 2010 (the Act), Public Law 111-216, sec. 215 (August 
1, 2010), requires the FAA to conduct rulemaking to ``require all part 
121 air carriers to implement a safety management system.'' The 
rulemaking must consider, at a minimum, including an aviation safety 
action program (ASAP), flight operational quality assurance program 
(FOQA), a line operations safety audit (LOSA), and an advanced 
qualification program (AQP) as part of the SMS. The FAA must issue a 
notice of proposed rulemaking within 90 days of the passing of the Act, 
and a final rule within 24 months of the passing of the Act, requiring 
all part 121 air carriers to implement a safety management system.

Table of Contents

I. Executive Summary
II. Background
    A. What is a Safety Management System?
    B. Why is an SMS necessary?
    C. Congressional Mandate
    D. International Harmonization
    E. NTSB Recommendations
    F. FAA Aviation Safety (AVS) SMS Actions
III. Discussion of the Proposal
    A. General Requirements
    B. Safety Policy
    C. Safety Risk Management
    D. Safety Assurance
    E. Safety Promotion
    F. SMS Documentation and Recordkeeping
IV. Regulatory Notices and Analyses

I. Executive Summary

    This proposal would require certificate holders authorized to 
conduct operations under 14 Code of Federal Regulations (CFR) part 121 
to develop and implement a Safety Management System (SMS) of their 
aviation safety-related activities. An SMS includes an organization-
wide safety policy; formal methods for identifying hazards, 
controlling, and continually assessing risk; and promotion of a safety 
culture. When systematically applied, an SMS provides a set of 
decision-making tools that certificate holders can use to improve 
safety.
    The FAA is proposing this rule as part of its efforts to 
continuously improve safety in air transportation. The FAA proposes to 
add the SMS rule, a performance-based regulation, to existing 
regulations and technical operating standards to deal with gaps best 
addressed through improved management practices. SMS's proactive 
emphasis on hazard identification and mitigation, and on communication 
of safety issues, would provide certificate holders robust tools to 
improve safety.
    The International Civil Aviation Organization (ICAO), in its March 
2006 amendments to Annex 6 part I,\1\ which addresses operation of 
airplanes in international commercial air transport, establishes a 
standard for member states to mandate that each of these operators 
establish an SMS. In addition, the National Transportation Safety Board 
(NTSB) has recommended the FAA pursue rulemaking to require all 14 CFR 
part 121 operators to implement an SMS.\2\ Congress, in the Airline 
Safety and Federal Aviation Administration Extension Act of 2010 (Pub. 
L. 111-216, August 1, 2010), directed the FAA to issue a notice of 
proposed rulemaking within 90 days of enactment, and a final SMS rule 
by July 30, 2012. If this proposal is adopted, U.S. aviation safety 
regulations would be in conformance with ICAO standards, would fully 
address NTSB recommendations, and would comply with the statutory 
requirement.
---------------------------------------------------------------------------

    \1\ A copy of Annex 6 has been placed in the docket for this 
rulemaking.
    \2\ Recommendation A-07-10, dated January 23, 2007. This 
recommendation was issued in connection with the NTSB's 
investigation of Pinnacle Airlines flight 3701, which occurred on 
October 14, 2004.
---------------------------------------------------------------------------

    The FAA anticipates a final rule would become effective 60 days 
after publication of the final rule in the Federal Register. The agency 
proposes to require current certificate holders to submit an SMS 
implementation plan for approval within six months of that effective 
date. The FAA solicits comments on the 60-day effective date, as well 
as the timeframe for submission of an SMS plan. The implementation plan 
would have to ensure the certificate holder's SMS would be fully 
operational within three years of the effective date. New applicants 
for certification to conduct operations under part 121 would be 
required to demonstrate prior to certification that they have an SMS 
that meets the requirements set forth in this proposal.
    Under this proposal, the FAA would require each air carrier to 
develop an SMS that includes the four SMS components set forth in Annex 
6: Safety Policy, Safety Risk Management, Safety Assurance, and Safety 
Promotion. To support each component, the FAA proposes a certificate 
holder implement a number of processes and procedures. Together, the 
four components and corresponding processes and procedures provide the 
general framework for an organization-wide safety management approach 
to air carrier operations.
    The FAA projects that the compliance cost supporting each component 
would come from the initial development and documentation of the SMS, 
implementation and continuous operating costs to include the 
modification or purchasing of new equipment/software, additional staff 
and promotional materials, and training. Because SMS is inherently 
scalable, costs depend on the size of the carrier and the type of 
operations that it provides. Further, operators may have existing 
quality management systems or other voluntary programs, which may lower 
the estimated compliance costs. These components would also help air 
carriers effectively integrate formal risk control procedures into 
normal operational practices thus improving safety for all U.S. part 
121 operators. Total benefits are estimated at $1,143.1 million ($500.8 
million present value) and total costs are estimated at $710.8 million 
($375.5 million present value).

[[Page 68226]]

[GRAPHIC] [TIFF OMITTED] TP05NO10.000

II. Background

    The FAA is committed to continuously improving safety in air 
transportation. Increased demand for air transportation, the impact of 
additional air traffic, changes in business models, advances in new 
technology, new routes, and transition of personnel can heighten the 
risk in air carrier operations. While the FAA's use of existing 
regulations and technical operating standards has been effective, these 
regulations may leave gaps best addressed through improved safety 
management practices. As the air carrier best understands its own 
unique operating environment, it is in the best position to identify 
these gaps and institute the proper controls to reduce or eliminate 
risk to its operations. The FAA would still set the safety standards, 
conduct inspections and maintain oversight. However, SMS's proactive 
emphasis on hazard identification and risk control, as well as 
communication and training of safety issues, would provide certificate 
holders conducting operations under 14 CFR part 121 with the necessary 
tools to improve safety within their organizations. SMS processes will 
also make the application of regulations more meaningful to achieve 
greater safety benefit.
    Therefore, the FAA, in continuing to develop a comprehensive and 
integrated framework for safety management, is proposing a standardized 
set of requirements for the development and implementation of SMS. This 
proposal includes the four key components of an SMS as set forth in 
ICAO Annex 6.

A. What is a Safety Management System?

    An SMS is an organization-wide approach to managing safety risk and 
assuring the effectiveness of safety risk controls. It would provide an 
air carrier with a set of decision-making processes and procedures that 
it would use to plan, organize, direct, and control its business 
activities in a manner that enhances safety and ensures compliance with 
regulatory standards. It includes an organization-wide safety policy; 
formal methods for identifying hazards, controlling, and continually 
assessing risk; and promotion of a safety culture. An SMS incorporates 
these procedures into normal, day-to-day business processes. SMS 
processes seek to identify potential organizational breakdowns and 
necessary process improvements allowing management to address a safety 
issue before a noncompliant or unsafe condition results. These tools 
are similar to those that management already uses to make operational 
decisions, such as adding new aircraft to its fleet or adding a new 
route. Using an SMS, however, is not a substitute for compliance with 
FAA regulations or FAA oversight activities. Rather, an SMS would, at 
its foundation, ensure compliance with safety-related statutory and 
regulatory requirements and allow certificate holders to address 
hazards unique to their operations.
    There are four essential components of an SMS. These are based on 
the ICAO SMS framework and FAA guidance in Advisory Circular 120-92A, 
Safety Management Systems for Aviation Service Providers (August 12, 
2010).\3\
---------------------------------------------------------------------------

    \3\ Additional information on ICAO's SMS standards and guidance 
may be found at http://www.icao.int/anb/safetymanagement. Copies of 
the ICAO standards and the ICAO SMS manual have been placed in the 
docket for this rulemaking.
---------------------------------------------------------------------------

    The safety policy is the foundation of the organization's safety 
management system. It clearly states the organization's safety 
objectives and sets forth the policies, procedures, and organizational 
structures necessary to accomplish the safety objectives. The safety 
policy clearly delineates management and employee responsibilities for 
safety throughout the organization. It also ensures that management is 
actively engaged in the oversight of the company's safety performance 
by requiring regular review of the safety policy by a designated 
accountable executive.
    The second component, safety risk management, requires development 
of processes and procedures to provide an understanding of the 
carrier's operational systems to allow individuals to identify hazards 
associated with those systems. Once hazards are identified, other 
procedures must be developed under safety risk management to analyze 
and assess the risk resulting from these hazards, as well as to 
institute controls to reduce or eliminate the risks from these hazards.
    The third component, safety assurance, ensures the performance and 
effectiveness of safety risk controls established under safety risk 
management. Safety assurance is also designed to ensure that the 
organization meets or exceeds its safety objectives through the 
collection, analysis, and assessment of data regarding the 
organization's performance.
    The fourth component of an SMS is safety promotion. Safety 
promotion requires a combination of training and communication of 
safety information to employees to enhance the organization's safety 
performance. How an organization seeks to comply with this component 
depends on the size and scope of the organization. It may include 
formal safety training for employees, a formal means of communicating 
safety information, and a means for employees to raise safety concerns 
without fear of retribution.

B. Why is an SMS necessary?

    The commercial air carrier accident rate in the United States has 
decreased substantially over the past 10 years.\4\

[[Page 68227]]

This has been accomplished through a growing body of regulations, FAA 
oversight activities, and voluntary industry safety initiatives. 
However, over the past 10 years, the FAA has identified a more recent 
trend involving hazards that were revealed during incident and accident 
investigations. Many of these hazards could have been mitigated or 
eliminated earlier had a structured, organization-wide approach to 
managing air carrier's operations been in place. For example, FAA's 
Office of Accident Investigation and Prevention identified 172 
accidents involving part 121 operators from fiscal year (FY) 2001 
through FY 2010 that could have been mitigated if air carriers had 
implemented a safety management system to identify hazards in their 
daily operations and developed methods to control the risk. The 
following two accidents are representative of the 172 accidents 
reviewed by the FAA and discussed in the Initial Regulatory Evaluation. 
Summaries of these two accidents are included to illustrate the 
potential mitigations that could have resulted with SMS.
---------------------------------------------------------------------------

    \4\ NTSB Aviation Accident Statistics: http://www.ntsb.gov/aviation/Table5.htm, http://www.ntsb.gov/aviation/Table6.htm, and 
http://www.ntsb.gov/aviation/Table7.htm.
---------------------------------------------------------------------------

    On January 8, 2003, Air Midwest flight 5481 crashed immediately 
after lift-off in Charlotte, North Carolina. The aircraft was destroyed 
by impact and post impact fire, resulting in twenty-one fatalities and 
one injury to a person on the ground. This accident occurred shortly 
after outsourced maintenance was completed on the airplane's elevator 
control system. The accident investigation revealed that the elevator 
controls were improperly rigged during maintenance. The crew was not 
aware of this unsafe condition. The following is an example of how 
maintenance hazards could have been identified and their associated 
risks mitigated if the carrier had implemented an SMS.
    In this instance, the formal safety risk management analysis would 
have been triggered by the air carrier's plan to have aircraft 
maintenance performed at uncertificated repair facility using 
maintenance technicians provided by a third party sub-contractor. 
First, the air carrier's maintenance management would have conducted a 
thorough system analysis, reviewing its current maintenance program, 
including all relevant policies, processes, and procedures. It would 
have identified the personnel, procedures, equipment, and facilities 
necessary to perform the work and assessed whether the maintenance 
facility, its management, and the third party mechanics met those 
requirements. It also would have identified the personnel necessary to 
conduct oversight for the air carrier at the maintenance facility. 
Following the system analysis, the air carrier's maintenance management 
would have identified the following system hazards: (1) The maintenance 
facility was not a certificated repair station and therefore lacked the 
controls associated with regulatory certification; (2) the facility, 
its management and the actual workforce were provided by separate 
contractors; (3) the inadequate number of experienced air carrier 
maintenance representatives and their lack of authority under the 
contract to oversee the performance of the maintenance. The maintenance 
management team would have reported these issues to the management 
representative and the accountable executive.
    The air carrier's maintenance management, in assessing the risk of 
these and other hazards, would have considered the worst credible 
outcome of the performance of the maintenance at that facility under 
those conditions. Those risks may have been determined to be 
unacceptable and appropriate risk controls would have been implemented. 
Such risk control options may have included contracting with a 
certificated part 145 repair station, revising the maintenance 
procedures and associated job aids for its maintenance and inspection 
programs, having additional experienced maintenance representatives of 
the air carrier, with appropriate contract authorities, stationed at 
the repair facility to monitor the performance of maintenance tasks and 
inspections. Also, through the SMS safety assurance processes, the air 
carrier would have evaluated the safety performance of its risk 
controls through its continuous analysis and surveillance system (CASS) 
to verify that the controls were effective. Errors in specific 
maintenance tasks or inspections may have been spotted by the on site 
air carrier maintenance representatives or through a confidential 
employee reporting system if any of these concerns were raised with 
regard to the maintenance activities. These reports would have been 
utilized to steer changes in existing policies or in more effective 
contracting and execution of maintenance. Using the SMS safety 
promotion component, the air carrier could have made these critical 
maintenance issues known to its entire maintenance workforce, including 
air carrier management. This would have increased awareness of hazards 
and enhanced the safety of the overall maintenance program for the air 
carrier.
    A second example is Comair flight 5191. On August 27, 2006, at 
approximately 6 a.m., Comair flight 5191 crashed during takeoff from 
Blue Grass Airport, Lexington, Kentucky, en route to Atlanta, Georgia. 
The flightcrew received and acknowledged a clearance from the tower to 
take off from runway 22 but instead, they positioned the airplane on 
runway 26 and commenced the takeoff. The airplane ran off the end of 
the runway and impacted the airport perimeter fence, trees, and 
terrain. The pilot in command (PIC), flight attendant, and 47 
passengers were killed. The second-in-command pilot sustained serious 
injuries. The airplane was destroyed by impact forces and a post-crash 
fire. The flightcrew believed that they had taxied the airplane to 
runway 22 when they had actually taxied onto runway 26 and initiated 
the takeoff roll. The flightcrew's noncompliance with standard 
operating procedures, including the PIC's abbreviated taxi briefing, 
combined with both pilots' non-pertinent conversation most likely 
created an atmosphere in the cockpit that enabled the crew's errors. 
The following is an example of how hazards relating to the flight 
operations of this accident could have been identified and the 
associated risks mitigated if the carrier had implemented an SMS.
    In this instance, the SMS safety assurance component would have 
triggered a formal safety risk management analysis. Under the SMS 
safety assurance process, periodic audits of flight crew performance, 
such as Line Operations Safety Audits (LOSA), may have revealed 
systemic failures of crew coordination concepts and failures to follow 
standard procedures. Additionally, reports from a confidential employee 
reporting system like Aviation Safety Action Program (ASAP) would have 
indicated that deficiencies in flightcrew performance. LOSA audits or 
other structured operational checking procedures, combined with reports 
from a confidential employee reporting system regarding flight crew 
performance, would have indicated that the existing controls, such as 
operational procedures and preflight checklists were not effective, or 
flightcrew training and evaluation programs were ineffective.
    Under a formal SMS safety risk management process, the management 
representative would have ensured that the flight operations management 
team conducted a system analysis, reviewing its operational control and 
flight operations procedures, the operating environment (runway 
conditions, airport configuration), as well as the personnel and 
equipment required for the safe operation of the airplane. The system 
analysis would have led to a

[[Page 68228]]

discovery of hazards and possible errors that could be made at runway 
intersections, like the incorrect selection of the appropriate 
departure runway. The flight operations management team would have 
reported these issues to the management representative and the 
accountable executive.
    Upon completion of the risk assessment, the flight operations 
management team could have developed risk controls, such as revising 
the checklists to require the positive verification of the airplane 
alignment on the correct runway and additional crew resource management 
training to enhance the crewmembers' situational awareness. These 
procedures could be incorporated into the company's flight manuals, 
checklists, and training curriculum. Once in place, the effectiveness 
of the risk controls would have been continuously monitored under the 
safety assurance processes.
    From the SMS safety promotion component, the information gained 
through the safety risk management and safety assurance processes such 
as the employee reporting system, could be provided back to crews in 
the form of awareness tools such as company newsletters, bulletins to 
pilots, and other communications media.

C. Congressional Mandate

    In addition to the FAA's accident review indicating a need for SMS, 
Congress recognized the need for air carriers to implement safety 
management systems. On August 1, 2010, The Airline Safety and Federal 
Aviation Administration Extension Act of 2010 (the Act), Public Law 
111-216, was signed. The Act requires the FAA to conduct rulemaking to 
``require all part 121 air carriers to implement a safety management 
system.'' Public Law 111-216, sec. 215.
    The Act also requires the FAA to consider mandating as part of the 
SMS rulemaking, the following voluntary programs: ASAPs, flight 
operational quality assurance systems (FOQAs), LOSAs, and advanced 
qualification programs (AQPs). The FAA has reviewed these programs and 
finds they would be useful to meet the requirements to regularly review 
the safety performance of the organization (Sec.  5.25(b)(5)), to 
monitor the effectiveness of safety risk controls (Sec.  5.25(c)(2)), 
and to monitor and measure the organization's safety performance (Sec.  
5.71). However, based on the following, the FAA has determined that it 
would not be appropriate to require all of these programs for all 
certificate holders conducting operations under 14 CFR part 121.
    Aviation Safety Action Program (ASAP). ASAP is an employee 
reporting system that certificate holders may use to gather information 
from employees on safety compliance and performance issues. ASAP 
programs are intended for air carriers that operate under part 121 and 
major domestic repair stations certificated under part 145. The goal of 
ASAP is to enhance aviation safety voluntary reporting of safety issues 
and events that come to the attention of employees. The program 
encourages an employee to voluntarily report safety issues even though 
they may involve a potential violation(s) of Title 14 of the Code of 
Federal Regulations.
    As of September 27, 2010, there are 90 certificate holders 
conducting operations under part 121. Approximately two-thirds of these 
certificate holders have implemented some type of ASAP program. While 
ASAP originally was limited to pilots and flight engineers, some air 
carriers have expanded the program to include its flight attendants, 
dispatchers, and mechanics. One carrier has an ASAP for ground service 
personnel. The program is a valuable way to bring employees into a 
proactive safety effort and can be a means of building trust throughout 
the organization. Single ASAP reports can generate safety risk 
management action if they reveal a hazard of high severity and high 
likelihood. Further, analysis of the aggregate ASAP data can also 
reveal trends that lead to safety risk management action. ASAP reports 
often serve as an indicator that risk controls are effective, or they 
may reveal that risk controls are not effective. Reports accepted into 
ASAP are protected from disclosure under the provisions of 14 CFR part 
193, Protection of Voluntarily Submitted Information.
    ASAP programs typically only cover selected employee groups. Even 
the largest air carriers do not have ASAPs that encompass all of their 
employees. Typically, each employee group ASAP has an event review 
committee (ERC) designed to take in data from employees, analyze the 
data, and develop corrective actions. The ERC consists of members of 
the air carrier's management team, the FAA's certificate management 
organization, and if applicable, the employee group's representative. 
The ERC considers each ASAP report for acceptance or denial, and if 
accepted, analyzes the report to determine the necessary controls to 
put into effect. ASAP is a good example of a confidential employee 
reporting system that an air carrier may develop to comply with the 
provisions of the proposed rule. Small carriers would likely not 
require such an expansive and complex system. Rather, a simpler 
employee reporting system may meet the needs of the smaller carriers. 
Further, the proposed SMS requirement for a confidential employee 
reporting system spans all employee groups. Thus, even a medium to 
large air carrier may be overly burdened by such a requirement if its 
current ASAPs do not cover all of its employees who perform aviation-
safety related activities. In this case, the air carrier could use its 
existing ASAPs and develop simpler tools or procedures to allow the 
employees who are not currently covered under its ASAPs to report 
safety issues or concerns.
    If the FAA were to require the use of ASAPs, the information 
submitted through ASAP would no longer be considered voluntary. As 
such, the protections under part 193 would no longer apply. One major 
concern of industry regarding a requirement for SMS is the possible 
disclosure of critical safety information. Industry is concerned that 
if information submitted through ASAP or any other employee reporting 
system is subject to disclosure, this would likely have a negative 
impact on the willingness of employees to disclose the data. The loss 
of these protections under 14 CFR part 193, therefore, would likely 
impede the air carrier's ability to gather this critical information 
for analysis. Thus, the FAA has determined that ASAP may be one means 
for compliance with certain provisions of the SMS, but would not be 
necessary to mandate for all air carriers. FAA seeks comments on how 
air carriers that are currently voluntarily implementing ASAP programs 
could integrate these programs into an SMS plan, and the incremental 
costs and benefits of doing so.
    Flight Operational Quality Assurance (FOQA). FOQA provides the air 
carrier with accurate operational performance information covering all 
flights by multiple aircraft types such that single events can be 
analyzed or overall patterns of aircraft performance can be seen and 
analyzed. FOQA programs provide actual data that can be analyzed in the 
aggregate to determine trends specific to aircraft types, local flight 
path locations, and overall flight performance trends for the air 
carrier industry. FOQA information has proven effective in showing the 
need for changing air carrier operating procedures for specific 
aircraft fleets, and for changing air traffic control practices at 
certain airports with unique traffic pattern limitations. 41 of 90 part 
121 carriers have voluntarily implemented FOQA programs, including 22 
of 30 part 121 operators

[[Page 68229]]

with a fleet of more than 50 airplanes. The 22 includes seven of the 
top eight largest passenger-carrying airlines, which each operate more 
than 200 airplanes. To have an FAA approved FOQA program, an air 
carrier must meet the requirements described in AC 120-82, Flight 
Operational Quality Assurance.\5\
---------------------------------------------------------------------------

    \5\ The FOQA program is described in AC 120-82, Flight 
Operational Quality Assurance (http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgAdvisoryCircular.nsf/key/AC%20120-82).
---------------------------------------------------------------------------

    Since 2005, ICAO Annex 6 part I has included a provision that 
commercial air carriers operating airplanes having a maximum gross 
takeoff weight in excess of approximately 59,400 lb. ``* * * should 
establish and maintain a flight data analysis programme as part of its 
safety management system.'' Flight Data Analysis Program (FDAP) is a 
general term encompassing a number of means by which routine flight 
operations data may be acquired, recorded, analyzed, and shared. FOQA 
is one such program. FOQA requires extensive flight data recording 
systems which facilitate rapid transfer of recorded data, de-
identification of that data, and agreements between pilot organizations 
and the carriers which define how this information may be used. 
Further, FOQA requires comprehensive analysis of the information 
provided by technically competent staff using specialized equipment to 
derive useful safety enhancement opportunities. Although all operators 
meet the current regulatory requirements for flight data recording, 
many of the recorders used do not meet all the FOQA specifications. The 
part 121 fleet is diverse in terms of size, complexity, and age, as 
well as the size of the companies that operate them. Many of the older 
aircraft would require extensive modifications to adapt them to the 
technical requirements of a FOQA program. The investment and expense of 
implementing and maintaining such a system exceeds the financial 
capability of many smaller carriers.
    Since the FOQA voluntary program requirements were established, 
technological advancements in lightweight self-contained flight data 
monitoring and recording systems have been developed that may provide 
alternative, cost effective means for accomplishing the same purpose as 
a FOQA. An air carrier may wish to acquire these tools rather than 
those necessary for FOQA and develop its own procedures to collect 
flight operational data for analysis. An air carrier may also choose a 
combination of tools, such as preflight risk assessment checklists and 
existing flight data recorders, to collect information on flight 
operational data. There are a number of ways to collect this 
information and the FAA does not believe it is appropriate to prescribe 
the exact method for collection and analysis of this type of data. The 
air carrier should develop and implement the processes and procedures 
suitable to the complexity and needs of its organization to identify 
hazards and assess risk to its operation. In addition, like ASAP, the 
FAA has determined that it is appropriate to protect certain 
information collected under FOQA from disclosure. If the FAA were to 
require FOQA this protection would be lost. Thus, while FOQA is an 
excellent tool for some air carriers and may be used as a process or 
procedure in the air carrier's SMS, this proposal would not require it 
for all certificate holders conducting operations under part 121. FAA 
seeks comments on how air carriers that are currently voluntarily 
implementing FOQA programs could integrate these programs into an SMS 
plan, and the incremental costs and benefits of doing so.
    Line Operations Safety Audit (LOSA). The Line Operations Safety 
Audit (LOSA) is a voluntary safety audit focused on the discovery, 
mitigation, and management of human error in aviation operations. LOSA 
audits are mainly conducted for crewmembers and are performed in actual 
in-flight conditions. Thus, they provide a real-time assessment of 
system operations. During the flight, trained observers record any 
potential threats to safety, how a flightcrew handled the hazard and 
any errors the flightcrew committed in managing a threat. They may also 
document behaviors known to cause accidents or incidents.
    Under LOSA programs, the certificate holder collects the data 
concerning the flightcrew's performance. While an air carrier may elect 
to share the results of a LOSA with the FAA, there is no requirement to 
do so. Data obtained from the LOSA can be used to modify the air 
carrier's training or other operational programs or procedures and 
shape basic organizational strategies to prevent accidents and 
incidents. The certificate holder may use the audit results to create 
better safety practices by improving operational processes and 
documentation, such as revising checklists, flight operations manuals, 
quick reaction handbooks, and developing training curricula for flight, 
maintenance, and ramp personnel.
    In order to implement a LOSA program, significant resources are 
required. The air carrier would need to develop and produce the program 
and its associated materials. The following elements are part of LOSA: 
(1) Training check airmen or other observers on how to conduct the 
observations and data collection, (2) developing and maintaining 
schedules for LOSA observations, (3) staff time for observer preflight 
preparation, (4) in-flight observation, (5) post-flight briefing, (6) 
data transfer and entry, (7) information management software costs 
(software and staff time for data entry and database management), and 
(8) development and administration of data analysis processes. LOSA 
programs may be very complex and expensive. Air carriers that have not 
implemented a voluntary LOSA may be using audit tools that are more 
appropriately scaled to the size of their operation. Because there may 
be other, more effective means for conducting these audits, the FAA 
does not believe it is necessary to limit an air carrier to conducting 
audits and collecting data through a specific program like LOSA. 
Rather, the FAA has determined that participating in a LOSA program, 
may be one acceptable means to comply with the requirements of this 
proposal. FAA seeks comments on how air carriers that are currently 
voluntarily implementing LOSA programs could integrate these programs 
into an SMS plan, and the incremental costs and benefits of doing so.
    Advanced Qualification Program (AQP). AQP is an alternative method 
for developing training and testing materials for pilots, flight 
attendants, and aircraft dispatchers based on instructional systems 
design, advanced simulation equipment, and comprehensive data analysis 
to continuously validate curriculums. Although the FAA considers AQP to 
be an effective voluntary alternative for compliance with minimum 
training and qualification requirements, the FAA does not believe that 
it is appropriate to require all air carriers to train under AQP as 
part of their SMS processes and procedures. The FAA recognizes that AQP 
may not be appropriate for every certificate holder. The AQP is a 
voluntary program established to allow a greater degree of regulatory 
flexibility in the approval of innovative training programs. Based on a 
documented analysis of operational requirements, a certificate holder 
under AQP may propose to depart from the traditional practices with 
respect to what, how, when, and where training and testing is 
conducted. Detailed AQP documentation requirements, data collection, 
and analysis provide the FAA and the operator with the tools

[[Page 68230]]

necessary to adequately monitor and administer an AQP. (See 14 CFR Part 
121, subpart Y, paragraphs 121.901-121.925).
    As mentioned above, AQP may not be appropriate for all certificate 
holders. Some air carriers may prefer the structured requirements of a 
traditional training program to the analytically-driven AQP program. 
Other air carriers that use contract training facilities may not find 
AQP to be a suitable alternative to traditional training requirements. 
The FAA also acknowledges that to get the most benefit from AQP, a 
stable work force and route structure is necessary. Therefore, for 
those air carriers that have a higher turnover in their pilot ranks or 
conduct supplemental operations where the routes may vary, AQP may not 
be appropriate. Thus, this proposal would not require all air carriers 
to implement AQP as the method for training its flightcrew members, 
flight attendants, aircraft dispatchers, and other operations 
personnel. FAA seeks comments on how air carriers that are currently 
voluntarily implementing AQP programs could integrate these programs 
into an SMS plan, and the incremental costs and benefits of doing so.

D. International Harmonization

    In March 2006, ICAO amended Annex 6 part I--which addresses the 
operation of airplanes in international commercial air transport. 
Member states agreed to establish an SMS requirement for air carriers. 
The SMS, as outlined in this Annex, includes processes to identify 
safety hazards and ensure the implementation of risk controls and 
corrective actions necessary to maintain safety performance. The Annex 
also aims for improvement of the overall safety performance of the 
organization, with clearly defined lines of safety accountability 
throughout the operator's organization. Member states agreed to 
initiate compliance with amendments to Annex 6 part I by January 1, 
2009.\6\ If adopted, the provisions in this rule would conform to these 
ICAO agreements.
---------------------------------------------------------------------------

    \6\ On December 15, 2008, the FAA filed a difference to the SMS 
standard because the agency had not formally initiated rulemaking.
---------------------------------------------------------------------------

    ICAO provides that each ICAO member state is the judge of whether 
its national SMS rules provide an acceptable level of safety. The FAA 
solicits comments on whether the SMS rules proposed in this NPRM could 
serve as a suitable basis for achieving an international harmonized 
regime.

E. National Transportation Safety Board (NTSB) Recommendations

    The NTSB first recommended safety management systems in 1997, 
through recommendations aimed at improving safety in the maritime 
industry. Since then, a number of NTSB investigations related to other 
modes of transportation, including aviation, have cited organizational 
factors contributing to accidents and have recommended SMS as a way to 
prevent future accidents and improve safety. The NTSB first offered an 
SMS recommendation for part 121 air carriers (A-07-10) to the FAA after 
its investigation of the October 14, 2004 accident of Pinnacle Airlines 
flight 3701.
    Pinnacle Airlines flight 3701 was on a repositioning flight between 
Little Rock National Airport and Minneapolis-St. Paul International 
Airport when both engines flamed out after a pilot-induced aerodynamic 
stall at high altitude. The pilots were unable to regain control, and 
the aircraft crashed in a residential area south of Jefferson City, 
Missouri. The NTSB's investigation revealed ``the accident was the 
result of poorly performing pilots who intentionally deviated from 
standard operating procedures and basic airmanship.'' The NTSB further 
stated ``operators have the responsibility for a flightcrew's cockpit 
discipline and adherence to standard operating procedures'' and offered 
an SMS as a means to help air carriers ensure safety. The NTSB formally 
recommended the FAA ``require all 14 CFR part 121 operators establish 
Safety Management System programs.'' NTSB Safety Recommendation A-07-10 
(January 23, 2007). That recommendation recognized that ``air carriers 
need to ensure safety through a formalized system safety process. One 
such process is a safety management system program, which incorporates 
proactive safety methods for air carriers to identify hazards, mitigate 
risk, and monitor the extent that the carriers are meeting their 
objectives.'' Id. at p. 12. The NTSB recommended the FAA pursue 
rulemaking to require commercial operators to implement an SMS. In 
discussing this recommendation, the NTSB noted it would evaluate any 
rulemaking proposal based on ICAO's minimum requirement: ``(a) 
Identifies safety hazards; (b) ensures that remedial action necessary 
to maintain an acceptable level of safety is implemented; (c) provides 
for continuous monitoring and regular assessment of the safety level 
achieved; and (d) aims to make continuous improvement to the overall 
level of safety.'' Id. Adoption of this proposal would address this 
NTSB recommendation.

F. FAA Aviation Safety (AVS) SMS Actions

    Guidance Materials. This rulemaking would also codify existing FAA 
SMS guidance material. In June 2006, FAA Flight Standards published 
Advisory Circular, AC 120-92, Introduction to Safety Management Systems 
for Air Operators based on the Joint Planning and Development Office 
(JPDO) SMS Standard.\7\ The FAA also used this work to develop internal 
guidance, using SMS principles, and incorporated them in FAA Order 
8000.369, Safety Management System Guidance and FAA Order VS 8000.367, 
Aviation Safety (AVS) Safety Management System Requirements. AC 120-92 
was revised in August 2010 to become AC 120-92A to reflect the ICAO 
framework. This proposal is based on the guidance material in AC-120-
92A and FAA Orders, as well as the ICAO SMS framework and guidance in 
the ICAO Safety Management Manual.\8\ Copies of these documents are 
available in the docket for this rulemaking.
---------------------------------------------------------------------------

    \7\  http://www.jpdo.gov/library/InformationPapers/JPDO_SMS_SPC_v1_4.pdf.
    \8\ See ICAO, Safety Management Manual, at 6.5.3 ICAO Doc. 9859-
AN/474 (2nd ed. 2009) (http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf).
---------------------------------------------------------------------------

    SMS Pilot Project. To assist operators choosing to implement SMS 
voluntarily, the FAA initiated an SMS Pilot Project. The program, which 
currently includes 26 part 121 air carriers of varying sizes and 
complexities, allows these certificate holders and their FAA oversight 
organizations to learn the means of applying SMS to their unique 
management and environmental conditions and to demonstrate their 
commitment to comply with international standards. The SMS pilot 
projects have provided experience in implementation and oversight 
processes. Lessons the FAA has learned from the pilot projects include 
findings in the areas of management involvement, training requirements, 
gap analysis and implementation planning, and the development of risk 
tools.
    Advanced Notice of Proposed Rulemaking (ANPRM). In addition to the 
pilot project, the FAA also issued an ANPRM on July 23, 2009 (74 FR 
36414), soliciting comments on the appropriate applicability and scope 
of a potential SMS rule. The ANPRM requested information from air 
carriers, operators conducting charters, maintenance repair stations, 
and design and manufacturing organizations on their experiences with 
SMS; the costs associated with

[[Page 68231]]

implementing SMS in their organization; and recommendations for 
documentation, recordkeeping, data collection and sharing, and training 
requirements necessary for implementation of an SMS. The FAA received 
89 comments in response to the ANPRM from a variety of commenters, 
including air carriers, aircraft design and manufacturing 
organizations, service facilities, trade associations, and private 
citizens.
    Seven part 121 operators and six trade associations representing 
the 121 operators or their employees submitted comments in response to 
the ANPRM. Each of the seven 121 operators said it has an SMS or a 
system with some SMS components. Six of the seven operators reported 
positive results after applying SMS to their operations. Operators 
reported improving their safety performance and regulatory compliance 
by improving their ability to detect possible nonconformities to 
policies and regulations before an accident or serious incident occurs. 
One commenter stated that by implementing SMS the organization has 
``seen some successes in reducing risk, decreasing operating costs, and 
managing safety through a structured process.''
    An SMS requires that organizations identify hazards and address the 
risk associated with the products or services they provide. It also 
requires documenting the decisions made to address safety risk. 
Commenters expressed concern that this information could be 
misinterpreted or mischaracterized and they stressed the need to 
protect SMS data.
    A majority of the commenters recommended the FAA issue a 
performance-based regulation, consistent with the ICAO framework, which 
would allow organizations flexibility in how they meet the standards, 
and enable them to integrate their existing systems into an SMS rather 
than requiring a stand-alone system. Commenters also said the 
requirements should be scalable to accommodate organizations that vary 
in size, complexity, structure, and focus. Some commenters recognized a 
need for SMS for part 135 operators and part 145 repair stations, and 
design and manufacturing organizations based on the ICAO requirements 
for these sectors of the industry. This rulemaking, however, focuses 
only on certificate holders conducting operations under part 121.
    Aviation Rulemaking Committee (ARC). On February 12, 2009, the FAA 
chartered the SMS ARC to solicit recommendations from industry experts 
on the scope of this rulemaking. The ARC is comprised of 
representatives from air carriers, maintenance organizations, and 
design and manufacturing organizations and associations. On March 31, 
2010, the ARC submitted its report to the FAA with the recommendations 
summarized in the paragraphs below.
    The ARC recommended that the FAA SMS regulations and guidance be 
closely aligned and consistent with the ICAO SMS framework to allow for 
ease of acceptance of an organization's SMS by a foreign civil aviation 
authority. The ARC also recommended that the SMS rule apply to 
organizations subject to 14 CFR parts 21, 119, 121, 125, 135, 141, 142, 
and 145 as listed in the ANPRM, as well as 14 CFR part 91, subpart K, 
to ensure consistency of applicability with ICAO's SMS Framework. 
Furthermore, it suggested that an SMS regulation should acknowledge and 
permit incorporation of existing voluntary and regulatory (e.g., CASS) 
safety management efforts that fit, or that could be adapted to fit, 
the SMS construct. For air carriers, such programs include aviation 
safety action programs, flight operational quality assurance programs, 
line operations safety audits, and quality management systems. To avoid 
duplicative practices, the ARC stressed the importance of allowing 
organizations to build upon these existing systems and processes rather 
than requiring them to build a whole new safety system. For example, 
rather than mandate a separate manual outlining the air carrier's SMS, 
the air carrier should have the option of either developing a new 
manual or including it in the manual required by Sec.  121.133. This 
flexibility would allow the certificate holder to document the SMS in 
the way that best fits its operations while still providing the FAA 
appropriate insight into the organization's SMS for assessment and 
oversight. In addition, the ARC asserted that SMS should not be an add-
on to the organization's operational system but rather part of the 
operational system.
    In acknowledging a potential significant impact of an SMS rule on 
small businesses, the ARC stressed the importance of creating a 
regulatory framework that is scalable and flexible to accommodate a 
broad range of organizations, from small operators and manufacturers to 
large organizations holding multiple types of FAA certificates or 
approvals. This would ensure that the level of SMS-required complexity 
imposed on a small organization would not interfere with the company's 
ability to pursue its business, or impose a degree of SMS data analysis 
that would result in insufficient time left to develop, implement and 
monitor risk mitigation procedures. It also recommended the FAA 
consider alternative strategies for SMS implementation, such as 
continuing with the voluntary program for operators that engage in 
international commercial activity.
    The ARC was also concerned with the protection of SMS safety 
information and proprietary data. Therefore, it noted that there should 
be protection of safety information and proprietary data from 
disclosure and use for other purposes. Safety information is vitally 
important to an SMS. Without the development, documentation, and 
sharing of safety information SMS benefits will not be fully realized. 
According to the ARC, protecting safety information from use in 
litigation (discovery), Freedom of Information Act (FOIA) requests, and 
FAA enforcement action is necessary to ensure the availability of this 
information, which is essential to SMS. The ARC recommended either a 
new regulation or a revision and strengthening of existing part 193, 
Protection of Voluntarily Submitted Information, to include SMS 
information. Further, the ARC recommended that the FAA establish policy 
or regulation which provides limits on enforcement action applicable to 
information that is identified or produced by an SMS.
    The ARC recommended that the FAA ensure that sufficient planning, 
policy and guidance, and workforce training be in place prior to SMS 
implementation to accommodate efficient, timely, objective and 
consistent assessment and oversight of SMS. To accomplish this, the ARC 
also suggested a phased promulgation of extending the applicability of 
a set of general SMS requirements to different populations. For 
example, the ARC recommended extending the set of general requirements 
to part 121 operators first, followed by part 135 operators and part 
145 repair stations conducting maintenance for part 121 and part 135 
operators, and extending the requirements to regulated entities under 
part 21 as part of the last phase of implementation. The ARC noted that 
this phased promulgation would allow earlier deployment of new 
regulations in the area of greatest operational exposure and greatest 
implementation experience, while allowing the necessary time for the 
development of sector-specific guidance and operation of pilot programs 
for remaining certificate and approval holders. For example, the design 
and manufacturing community has less experience in applying SMS than 
many commercial operators that are participating in SMS

[[Page 68232]]

pilot projects with AFS. The ARC has recommended that the FAA sponsor 
an SMS pilot program within the design and manufacturing sector to 
further develop implementation experience.
    In addition to the phased promulgation of the applicability of SMS 
requirements, the ARC also recommended a phased implementation of SMS 
requirements within individual companies. For example, the first stage 
of implementation would require an implementation plan to be completed 
six months after the effective date of a final rule, with the next 
level focusing on implementing safety risk management processes. The 
next level would focus on the proactive and predictive processes in 
safety assurance.
    A copy of the ARC's recommendations is available for review in the 
docket for this rulemaking.

III. Discussion of the Proposal

A. General Requirements

    Applicability. The FAA proposes to add a new part 5 to title 14 of 
the CFR, creating the general framework for an SMS that a part 121 air 
carrier may adapt to fit the needs of its operation. The new part 5 is 
modeled after the International Civil Aviation Organization (ICAO) 
framework in Annex 6, Operation of Aircraft, which was adopted in March 
2006 and is designed for broad application. It is also consistent with 
the ARC's recommendations to use the ICAO framework and develop SMS 
requirements that are scalable and flexible to accommodate all business 
models. Therefore, the proposed requirements are meant to be applicable 
to organizations of various sizes and complexities, as well as 
adaptable to fit the different types of organizations in the air 
transportation system and operations within an individual company. The 
proposed SMS construct is also consistent with AC-120-92A, Safety 
Management Systems for Aviation Service Providers, and FAA Order 
8000.367, Aviation Safety (AVS) Safety Management System (SMS) 
Requirements.
    Although this proposal extends only to part 121 operators, the FAA 
has developed these general requirements with the intent that in the 
future, they could be applied to other FAA-regulated entities, such as 
part 135 operators, part 145 repair stations, and part 21 aircraft 
design and manufacturing organizations and approval holders, consistent 
with ICAO requirements.\9\ This proposal also acknowledges the SMS 
ARC's recommendation for phased promulgation of SMS regulations to 
apply SMS requirements to certificate holders under different parts of 
title 14 of the CFR in successive phases. The FAA solicits comments on 
possible future application of these general requirements.
---------------------------------------------------------------------------

    \9\ Amendment 33 to Annex 6 part 1 addresses part 121, 135, and 
145 operations. It has a compliance date of November 18, 2010 and 
was announced in State Letter AN 11/1.3.19-06/34 24 (March 2006). 
Amendment 101 to Annex 8 addresses Design and Manufacturing. It has 
a compliance date of November 14, 2013 and was announced in State 
Letter AN 3/5.6-09/21 (April 3, 2009).
---------------------------------------------------------------------------

    In addition, it is not the FAA's intent that this rule would result 
in contractors or subcontractors, or entities not directly regulated by 
the FAA, being required to develop an SMS. Current processes require 
air carriers to ensure that the employees or businesses with whom they 
contract to conduct training or maintenance activities on their behalf 
are qualified, capable, and have the necessary equipment and facilities 
to perform the work. This proposal would not expand these existing 
requirements. However, the FAA seeks specific comment on the potential 
impact of a trickle down effect of this proposal to these entities.
    Scalable and Flexible. The proposed SMS regulation is designed as a 
performance based regulation. It requires a number of processes (for 
safety policy, safety risk management, safety assurance, and safety 
promotion) which are flexible, and can be tailored to provide relevant, 
yet robust management systems for each carrier. The SMS provides a 
framework for safety decision making by requiring structured processes 
for gathering and using information necessary to make sound management 
decisions. Because the part 121 air carrier population is extremely 
diverse in complexity related to both aircraft fleet sizes and numbers 
of employees, this proposal was designed to accommodate a variety of 
business models and sizes.
    The components of SMS are scalable relative to the size and 
complexity of the operator. For instance, the objective of safety risk 
management is the same regardless of the size of the carrier. That 
objective is to understand the operations and the tools and processes 
used to accomplish the work. While specialists in information 
technology and statistical analysis may be necessary in large, 
sophisticated carriers' operations, the safety risk management steps 
could be accomplished by the management and employees of even the 
smallest organization. For smaller operators, this process need not 
employ sophisticated techniques or be overly detailed. For example, a 
whiteboard, pencil, and paper, may be all that are needed to consider, 
analyze, and record the characteristics of the systems. Likewise, 
recording and tracking the results of the safety risk management 
process need not be extensive or overly sophisticated. They may be 
captured with paper records or simple electronic files using common 
word processing or spreadsheet applications.
    The safety assurance processes can also be scaled to the size and 
complexity of the operator. Its purpose is to provide key managers with 
only the information that they need to assure that the risk controls 
they have implemented remain valid and their processes are on track. An 
organization would determine what audit tools are needed to acquire 
only the information that it needs to maintain compliance with CFRs and 
company policies and procedures, e.g., airplane inspection intervals, 
open Minimum Equipment List (MEL) items, pilot training, and checking 
intervals, and dates and other key information. Internal evaluation and 
management review processes are used to evaluate the performance of 
major systems (i.e., flight operations, training, maintenance, 
inspection, and engineering, etc.). All part 121 carriers have a 
Continuing Analysis and Surveillance system (CASS) required by 14 CFR 
121.373. Most companies have Internal Evaluation Programs based on 
guidance in AC 120-59A, Air Carrier Internal Evaluation Programs, and 
other audit structures. These existing programs would likely satisfy 
the safety assurance requirements in this proposal. In very small 
companies, these may be performed personally by senior managers, 
specialist personnel, the Director of Safety, or the Chief Inspector 
required by 14 CFR 119.65. Analysis of audits, evaluations, employee 
reports, and internal investigations may be as simple as reading 
narratives, simple trend analysis of problems, and discussion among key 
management personnel.
    The safety management system may be adapted and scalable based on 
the complexity of the air carrier's operations. For example, some air 
carriers may have multiple certificates, authorizing them to conduct 
flight operations and also perform aircraft maintenance for other 
organizations. These air carriers may only want to implement one SMS 
that encompasses all of these aviation-related safety activities, and 
some may want to expand SMS to encompass all activities of the 
business. As another example, some certificate holders only have a few 
aircraft and service a limited area. These certificate holders may 
choose to

[[Page 68233]]

implement a smaller, simpler SMS consistent with requirements, but 
sized and designed for their operation. The FAA invites comments on how 
air carriers may approach the design and implementation of their SMS.
    The previous discussion indicates that certificate holders could 
comply with the proposed SMS requirements through a variety of means. 
The FAA intends these proposed requirements to be scalable and flexible 
to the size and complexity of the certificate holder's organization. In 
addition, the FAA also recognizes that certificate holders may already 
have systems and processes in place that meet the proposed SMS 
requirements. The FAA believes these systems and processes could easily 
be incorporated into an SMS and does not intend to create duplicative 
burdens. The FAA requests comments specifically identifying how the FAA 
could clarify or improve the incorporation of existing systems and 
processes into an SMS to improve the efficiency, scalability, and 
flexibility of this proposal.
    Compliance with other Regulatory and Statutory Requirements. The 
SMS requirements, as described in this section, would not be considered 
a substitute for compliance with existing technical and performance 
standards. Technical and performance standards would still be 
considered the baseline for safety performance. These general 
requirements for SMS would require air carriers to be able to 
demonstrate their capability to assess and control risk in their highly 
variable individual operational environments. While several air 
carriers currently may be in the process of implementing, or have 
implemented an SMS in accordance with FAA guidance material, these air 
carriers would need to ensure their system meets the regulatory 
requirements set forth in this proposal, and follow the same process 
for acceptance as an air carrier who is implementing SMS for the first 
time. The SMS may be adapted and scaled based on the complexity of the 
airline operations. If the FAA agrees that all regulatory requirements 
are met, the implementation plan will be approved. This includes all 
air carriers participating in the FAA's SMS Pilot Project.
    Under new Sec.  5.1, the FAA would require each air carrier to 
develop an SMS to include the four SMS components: Safety policy, 
safety risk management, safety assurance, and safety promotion. To 
support each component, the FAA proposes a certificate holder implement 
a number of processes contained in the proposed subparts for each 
component. Together, the four components and their underlying elements 
and processes provide the general framework for an organization-wide 
safety management approach to air carrier operations. To the extent 
possible, air carriers may leverage existing voluntary and required 
programs by integrating these activities and existing information 
collection streams into their SMS system and plans.
    Protection of Data. The ARC, as well as several commenters to the 
ANPRM, raised concerns regarding the protection of data submitted 
through the SMS. The ARC recommended the FAA revise current 
requirements under 14 CFR part 193, Protection of Voluntarily Submitted 
Information, to protect any SMS data from disclosure. In this proposal, 
the FAA would not require the submission of any SMS data. Rather, the 
certificate holder must make its documentation available for inspection 
to determine whether the certificate holder has implemented and is 
maintaining an SMS that meets the requirements of part 5. Existing 
protections for voluntary programs such as Aviation Safety Action 
Program (ASAP) and Flight Operational Quality Assurance (FOQA) data 
would still apply as the FAA is not mandating these programs. However, 
at this time, the FAA would not extend the protections of part 193 
beyond those afforded to current voluntary programs. The FAA invites 
comment on the protection of safety data and on potential information 
architectures which could allow carriers to collect information while 
reducing disclosure concerns.
    Implementation and Compliance. Under this proposal, current 
certificate holders, within six months of the effective date of the 
final rule, would be required under Sec.  119.8 to submit an 
implementation plan for approval that ensures the certificate holder's 
SMS would be fully operational within three years of the effective date 
of the final rule. Under the implementation plan, the certificate 
holder may decide to gradually phase-in the requirements of this rule 
over the three-year period consistent with the current process in the 
FAA SMS Pilot Project. A copy of this implementation process is 
provided in the draft advisory circular that is available for review in 
the docket for this rulemaking. An air carrier is not required to 
follow this format for implementation, but rather should develop a plan 
for implementation that meets the needs of its organization.
    Many air carriers may already be in the process of developing an 
SMS in accordance with existing guidance material or otherwise have 
some elements of SMS in existence. In developing the implementation 
plan, air carriers should review existing programs to identify elements 
already in place that comply with provisions of part 5 and plan for 
implementation. Experience in the SMS Pilot Projects has found that 
this process is necessary to identify gaps in processes and management 
controls, documentation that is not up to date or is incomplete, and 
vague interfaces between processes or departments. The implementation 
planning and SMS documentation have helped to bring improvements in 
these areas. Thus, as proposed, the implementation plan should cover 
all the proposed part 5 requirements across all of the aviation safety-
related operational processes of the company.
    This plan would be submitted to the air carrier's certificate-
holding district office, and approval of the plan would be coordinated 
with the SMS Program Office within the Flight Standards Service, 
Certification & Surveillance Division (AFS-900). In addition, anyone 
who submits a certification application under Sec.  119.35 to conduct 
operations under part 121 would be required to demonstrate that it has 
incorporated an SMS that meets the requirements of part 5.
    Although the implementation plan must be approved, the FAA has 
proposed, under Sec.  5.3, that the certificate holder's SMS would have 
to be accepted by the FAA. Given the dynamic nature of an air carrier's 
operating environment, the air carrier needs to be able to continuously 
improve its SMS, rather than wait for approval of the proposed change 
before taking necessary action. Acceptance of the SMS would allow the 
organization to proceed with implementation of necessary changes while 
the FAA reviews SMS documentation to determine whether the air carrier 
has met the requirements of this rule. Upon review, if the FAA 
determines that changes must be made to the SMS, the air carrier would 
be responsible for making those changes. This process for acceptance 
would allow the air carrier the flexibility necessary to continuously 
monitor and adapt its SMS to address emerging safety concerns in its 
operating environment.

B. Safety Policy

    Subpart B sets forth the requirements for the certificate holder's 
safety policy, the foundation of the SMS. All organizations must define 
policies, procedures, and organizational structures to accomplish their 
safety objectives and goals. It is important to

[[Page 68234]]

have a documented safety policy to assure all employees of the 
organization of management's commitment to achieving the organization's 
safety objectives. A documented safety policy also ensures that all 
employees are aware of their own role in maintaining the safety 
objectives of the company. Thus, proposed Sec.  5.21 would require a 
documented safety policy statement that establishes the organization's 
safety objectives, provides for a safety reporting policy, defines 
unacceptable behavior and conditions for disciplinary action, and 
establishes standard operating procedures for transitioning from normal 
to emergency operations.
    A key aspect of the documented safety policy is the confidential 
safety reporting policy requirement proposed in Sec.  5.21(a)(4). This 
requirement is distinguishable from the disciplinary action policy 
requirement proposed in Sec.  5.21(a)(5) in that the safety reporting 
policy must allow employees to report unsafe working conditions or 
equipment for correction without fear of reprisal by either management 
or labor groups within the organization. As discussed earlier, many air 
carriers may already meet part of this safety reporting policy 
requirement by having an ASAP in place for selected employee groups. 
ASAP, as described in AC 120-66B, Aviation Safety Action Program, 
(November 15, 2002), allows certain safety issues to be addressed 
through corrective action rather than through disciplinary or 
enforcement action. Under ASAP, corrective action may be taken for 
inadvertent regulatory violations that do not appear to involve an 
intentional disregard for safety and events that do not appear to 
involve criminal activity, substance or controlled substance abuse, or 
intentional falsification. A corrective action is developed by the air 
carrier which may include training or education on an issue or changes 
to operational procedures to prevent a future occurrence of the same 
safety problem. These same concepts, inherent in ASAP, may be relevant 
for consideration by an air carrier who has not implemented an ASAP in 
developing a safety reporting policy pursuant to proposed Sec.  5.21. 
As discussed previously, the FAA would not mandate that each air 
carrier implement an ASAP because the complexity of ASAP may not fit 
all air carriers or their FAA oversight organizations. However, if an 
air carrier has an ASAP in place or wishes to develop an ASAP, the FAA 
would view this program as one means of compliance with the proposed 
safety reporting policy requirement for the employee group(s) covered 
by the ASAP program(s).
    Just as the safety reporting policy must describe those types of 
events that can be reported without fear of reprisal, the disciplinary 
policy proposed under Sec.  5.21(a)(5) would require the air carrier to 
define unacceptable behaviors and conditions for disciplinary action. 
Some examples to consider, which are currently included in ASAP 
programs as described in AC-120-66B, include an intentional disregard 
for safety, suspected criminal activity, and substance abuse, as well 
as those instances when employees fail to complete a corrective action 
developed by the air carrier to address a safety hazard.
    Consistent with the ICAO framework, the FAA is proposing, as part 
of the documented safety policy, to include emergency response 
planning. Emergency response planning provides the basis for a 
systematic approach to managing the organization's operations in the 
aftermath of a significant unplanned event or during an ongoing 
emergency situation. The overall objective is the safe continuation of 
operations and the return to normal operations as soon as possible. It 
is an important element of an SMS because in the transition from normal 
to emergency operations and back again, additional risk may be 
introduced and the organization should be monitoring and taking action 
to mitigate those risks. An effective emergency response also provides 
an opportunity to develop and apply learned safety lessons.
    The type of commitment required by the safety policy mandates the 
active engagement of all employees in the safety performance of the 
organization and, in particular, specific safety responsibilities of 
management officials. Direct, personal involvement on the part of all 
levels of management is a bedrock principle of any management system. 
However, experience in the SMS Pilot Project has indicated that this is 
not universally and commonly understood. To ensure this type of 
engagement, Sec.  5.23 would require the air carrier to clearly define 
all employees' responsibilities for the safety performance of the 
organization, from line staff to executive management. Clearly 
delineating safety responsibilities throughout the organization is a 
foundational characteristic of any management system. It also allows 
for greater communication and integration of practices and procedures 
employed throughout the organization, resulting in effective management 
of the air carrier's operations.
    To ensure that executive management is involved in the oversight of 
the organization's safety performance, Sec.  5.25 would require the 
certificate holder to designate a single accountable executive who has 
the final authority over operations and is ultimately responsible for 
the safety performance of the air carrier. The accountable executive 
would need to be able to organize, direct, and control the 
organization's activities, as well as allocate resources to make safety 
controls effective. The accountable executive would be required to 
develop the documented safety policy proposed under Sec.  5.21, 
communicate the policy throughout the organization, and regularly 
review the safety policy and safety performance of the organization. 
The accountable executive would review safety information to assess the 
overall performance of the organization and make necessary changes.
    To assist in the collection and analysis of the data, the 
accountable executive also would be required to designate a management 
representative to monitor the performance of the SMS, facilitate hazard 
identification and safety risk analysis, and report regularly to the 
accountable executive on the safety performance of the organization. 
The FAA does not believe these requirements would necessarily result in 
part 121 air carriers hiring new personnel to serve these functions. 
The FAA recognizes that many of the daily oversight activities that are 
proposed for the management representative are currently being 
performed by the required management personnel under 14 CFR 119.65. Any 
one of these individuals could be designated to serve in this role.

C. Safety Risk Management

    Safety risk management is a core component in an air carrier's SMS. 
A comprehensive SMS using safety risk management would provide 
management tools for identifying hazards and assessing risk, as well as 
developing risk controls to reduce or eliminate risk associated with 
the hazards. As proposed in Sec.  5.5, a hazard would be considered a 
condition that can lead to injury, illness or death to people; damage 
to or loss of a system, equipment, or property; or damage to the 
environment. The intent of this subpart is for the certificate holder 
to focus on the areas of greatest risk from a safety perspective, 
taking into account system complexity and scope of the operations to 
develop and implement appropriate risk controls. While each

[[Page 68235]]

certificate holder's safety risk management processes may be unique to 
its organizational structure and operating environment, the FAA would 
require it to incorporate safety risk management steps as described in 
Sec. Sec.  5.53 and 5.55. These steps provide for system analysis, 
identifying hazards associated with the system, analyzing the risk 
associated with the hazards, assessing risk associated with the 
hazards, and controlling the risks of identified hazards when 
necessary. These steps are based on the safety risk management 
processes in the ICAO framework, as well as AC 120-92A, Safety 
Management Systems for Aviation Service Providers, and FAA Orders 
8000.367, Aviation Safety (AVS) Safety Management System Requirements 
and 8000.369, Safety Management System Guidance.
    Proposed Sec.  5.51 establishes when an air carrier would need to 
apply safety risk management processes and procedures to systems to 
assess the hazards and risk associated with the systems. An air carrier 
may learn of a hazard from a variety of sources, such as voluntary 
reporting systems, industry alerts from the FAA or manufacturers, or 
from internal assessments and audits. The system in which the hazard 
lies may be a small scale system that is easily defined, such as the 
development of maintenance (M) and operational (O) items for 
consideration to add an individual aircraft system to a Minimum 
Equipment List (MEL), or it may be a system large in scope that may 
have multiple hazards, like the addition of a new fleet of aircraft. 
Whenever a new system is implemented (e.g., new crew scheduling 
software), or an existing system is revised (e.g., a change to a 
training program), or new operational procedures are developed (e.g., 
changes in cockpit checklists or maintenance work procedures), safety 
risk management would be applied to ensure that hazards are identified 
and proper controls are put in place to mitigate the risk associated 
with them. Safety risk management would also be applied to analyze new 
hazards or ineffective risk controls that are identified under the 
safety assurance processes in subpart D of the new part 5.
    It is not the intent of this proposed rule to require the 
application of safety risk management processes and procedures to 
activities that are not related to aviation operations. As an example, 
safety risk management would not be necessary when changing accounting 
practices or administrative computer software. Similarly, the FAA does 
not intend for an air carrier to apply safety risk management processes 
retroactively to established systems and processes. However, carriers 
may need to use the safety risk management process to review processes 
for which problems have been found in the past. For example, an air 
carrier would initiate safety risk management after learning that 
deicing operations at a particular airport are not effective. In that 
case, the air carrier would use safety risk management to analyze the 
deicing operation. First, it would review the deicing system to 
understand how it functions, to include the personnel responsible for 
deicing, the air carrier's guidance, processes, and training regarding 
deicing, as well as the deicing equipment that is used. Once the air 
carrier has an understanding of the system, the air carrier should be 
able to identify hazards and assess the risk associated with those 
hazards and make the necessary changes to the deicing system to control 
those risks. As a result of safety risk management, the air carrier may 
determine that controls such as implementing additional training, 
requiring inspection of the equipment, or revising operating procedures 
would be needed to control the risk in the deicing operation. Contrast 
this simple system with an air carrier that is changing its business 
model from conducting domestic operations in medium class turbo-prop 
aircraft to conducting international flights in turbojet aircraft. In 
this case, the systems involved are more numerous and more complex. The 
air carrier would apply safety risk management by defining the systems 
involved (i.e., flight operations, operational control and dispatch, 
maintenance, ground operations and servicing) and would review items 
such as the operating requirements for the aircraft as defined in title 
14 of the CFR, the crewmember qualification and training requirements 
for the new aircraft, the operating limitations of the aircraft, and 
the proposed route structure for the international flights. While the 
existing regulations that govern these kinds of operations would serve 
as the primary risk controls for the proposed operations, the air 
carrier would use safety risk management to establish any additional 
risk controls to mitigate risks identified as a result of defining and 
analyzing the system and to design systems that incorporate the 
regulations in a way that best achieves their intent in terms of risk 
reduction.
    The first step of safety risk management is analyzing the system. 
Once an air carrier determines that the processes of safety risk 
management have been triggered under proposed Sec.  5.51, it would 
conduct a system analysis, as required by Sec.  5.53. The system 
analysis, also referred to as the system description in the ICAO Safety 
Management Manual, serves as the initial source for hazard 
identification when new systems are designed, when systems are revised, 
or when operational procedures are developed. The system analysis 
processes must ensure that information regarding the function and 
purpose of the system, the system's operating environment, and the 
personnel, equipment and facilities that the system requires for 
operation, is analyzed so that hazards may be appropriately identified. 
While the system analysis should be documented, no particular format is 
required. The system analysis could provide the basis for the 
development of the operator's manual system required by Sec.  121.133, 
as well as checklists and other job aids, organizational charts, and 
personnel position descriptions. A typical functional breakdown of 
operational and support processes for air operators might include:
     Flight operations;
     Dispatch/flight following;
     Maintenance and inspection;
     Cabin safety;
     Ground handling and servicing;
     Cargo handling; and
     Training.

Long and excessively detailed system analyses are not necessary, 
provided they are sufficiently detailed to perform hazard and risk 
analyses.

    The second step of safety risk management, set forth in Sec.  
5.53(b), would allow a certificate holder to identify hazards in a 
systematic way based on the system analyses conducted in the first step 
of safety risk management. While identification of every possible 
hazard would be unlikely, aviation service providers would be expected 
to exercise due diligence in identifying significant and reasonably 
foreseeable hazards related to their operations. A certificate holder 
should implement hazard identification processes relative to the 
complexity of its management structure and operations. The system 
analysis should be used to determine if there is a good integration of 
equipment, facilities, personnel, procedures, supervision, training, 
and the operational environment and if there are any characteristics of 
those system components or other conditions that could compromise 
safety. Any such conditions would meet the definition of ``hazards.''
    The third step of safety risk management would require the analysis

[[Page 68236]]

of risk to determine the severity and likelihood associated with the 
hazards identified in step two of safety risk management. A common tool 
used in this analysis for risk decision making and acceptance is a risk 
matrix similar to those in the ICAO Safety Management Manual (SMM),\10\ 
and in Appendix 3 of AC 120-92A (August 12, 2010). A certificate holder 
may design a matrix similar to these to categorize the potential 
severity of the worst credible projected outcome (consequence) of an 
event related to the hazard. For example, a tower or terrain in the 
takeoff path of an airport presents a hazard to departing aircraft. The 
worst credible event related to these obstacles would be for an 
aircraft to collide with it, resulting in loss of the aircraft and loss 
of life. Risk matrices typically use levels such as: Catastrophic 
(meaning outcome results in multiple fatalities and destroyed 
equipment), hazardous (would result in serious injury or death, major 
equipment damage), major (would result in injury, serious incident), 
minor (would result in minor incident, use of emergency procedures), 
and negligible (little consequence). Once the severity of the potential 
event has been determined, the certificate holder would then determine 
the likelihood of the event, for example, to determine whether the 
event is likely to occur frequently, occasionally, remotely, or is 
improbable or extremely improbable. Based on these categories, a 
likelihood and severity of the occurrence is selected for each hazard. 
This is just one method for analyzing hazards. Certificate holders 
should develop processes that reflect the complexity of their 
operations.
---------------------------------------------------------------------------

    \10\ See ICAO, Safety Management Manual, at 6.5.3 ICAO Doc. 
9859-AN/474 (2nd ed. 2009). (http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf).
---------------------------------------------------------------------------

    The fourth step of safety risk management, risk assessment, first 
requires the certificate holder to determine acceptability of safety 
risk. The starting foundation for each determination of acceptable 
safety risk would be the corresponding regulatory requirements and 
technical or performance standards. As indicated in Sec.  5.23, the 
certificate holder would be required to identify the levels of 
management that are authorized to accept risk. The certificate holder 
may opt to use a risk matrix similar to that in Appendix 3 of AC 120-
92A. A risk matrix graphically depicts the various levels of severity 
and likelihood as they relate to levels of risk (acceptable, acceptable 
with controls, or unacceptable). When the likelihood and severity of a 
potential outcome are plotted on the risk matrix, the certificate 
holder can see whether the hazard's safety risk is acceptable to the 
organization. Generally, as the likelihood and severity increase, the 
risk increases. For example, an outcome with an assessed likelihood of 
frequent and severity of catastrophic would be classified as an 
unacceptable risk in the matrix. The certificate holder would use this 
information to determine whether it may accept the risk, accept the 
risk provided risk controls are instituted, or whether the risk is too 
great and must be avoided.
    The final step of safety risk management would require the 
certificate holder to develop processes and procedures for the 
development and implementation of risk controls. The development of 
risk controls is dependent upon the risk assessment conducted under 
step four of safety risk management. Risk controls may be additional or 
changed procedures, new supervisory controls, addition of 
organizational hardware, or software aids, changes to training, 
additional, or modified equipment, changes to staffing arrangements, or 
any of a number of other system changes. After these controls are 
developed but before the system is placed into operation, an assessment 
must be made of whether the controls are likely to be effective. This 
is also necessary to avoid introducing new hazards to the system. When 
the controls are acceptable, the system is placed into operation. The 
controls would then be continuously monitored under the processes and 
procedures developed under subpart D, Safety Assurance, to ensure they 
remain effective.

D. Safety Assurance

    An organization needs to ensure that risk controls put into place 
under safety risk management continue to be effective in maintaining 
risk within the acceptable levels and that the organization's safety 
performance is meeting or exceeding its safety objectives. This is 
accomplished in the safety assurance component of SMS. Safety assurance 
has three purposes: (1) To confirm that risk controls established 
during safety risk management are effective; (2) to determine what new 
risk controls should be developed if new hazards or changes in risk 
levels are revealed, and (3) to take steps to assure the effectiveness 
of existing risk controls (e.g., completion of required training by 
employees, increased supervisory emphasis). To accomplish this, safety 
assurance has three elements: (1) Safety performance monitoring and 
measurement (Sec.  5.71); (2) safety performance assessment (Sec.  
5.73); and (3) continuous improvement (Sec.  5.75).
    The first tool, safety performance monitoring and measuring, would 
require the development and maintenance of processes or systems that 
monitor system operations and collect data on the performance of the 
organization. There are already many sources, processes and systems in 
place in air carrier operations that collect this type of data. Some of 
these sources are based on current regulatory requirements and programs 
that have been voluntarily implemented. The following are just a few 
examples of existing processes and systems that would satisfy the 
requirements of safety assurance.
    [cir] Continuing Analysis and Surveillance System (CASS) (Sec.  
121.373). CASS is a currently required system that is used to assure 
the performance and effectiveness of maintenance and inspection 
programs, to identify deficiencies, and to determine and implement 
appropriate action. A typical CASS includes internal auditing of the 
maintenance and inspection programs, analysis of the resulting data, 
and development of corrective actions to those programs. This system 
would be an appropriate process required under subpart D and would be 
accepted as one means of complying with the provisions of proposed 
Sec.  5.71(a)(1), (2), (3), (5), and (7).
    [cir] Line Operations Safety Audit (LOSA): LOSA, as described 
previously, is a voluntary program that could provide partial 
compliance with the internal auditing requirements of the systems.
    [cir] Flight Operational Quality Assurance (FOQA): FOQA, as 
discussed previously, could provide information useful to monitor 
flight operations and maintenance programs. FOQA could provide data 
useful to compliance with the monitoring and measurement provisions of 
the proposed rule.
    [cir] Internal Evaluation Program (IEP): IEP is a comprehensive 
program for evaluating an air carrier's operational systems as well as 
its assurance programs. It builds on the auditing programs of the 
internal audit function and provides management with an additional 
level of assurance that is independent of the operational sub-
organizations' audits and reviews. IEPs are required of carriers who 
contract with the Department of Defense but are not currently required 
by the FAA. However, many of the auditing and evaluation safety 
assurance processes of the proposed rule can be addressed by

[[Page 68237]]

established IEP processes at the carriers who have implemented them.
    [cir] Aviation Safety Action Program (ASAP): ASAPs, as discussed 
previously, could be used to meet the employee reporting requirements 
of the proposed rule for those employee groups covered by the ASAP.
    [cir] Voluntary Disclosure Reporting Program (VDRP): VDRP is an FAA 
program designed for certificate holders to promptly report regulatory 
violations and show that corrective actions were taken to address the 
violations. As used in safety assurance, the certificate holder could 
track the reports submitted through VDRP, analyze the reports to 
identify compliance trends, and develop and report corrective actions.
    In addition to these tools that could be used in safety performance 
monitoring and measurement, external audits conducted by outside 
organizations such as the FAA, the Department of Defense, code-share 
partners, industry organizations, or other third parties selected by 
the operator provide an excellent source of information regarding the 
safety performance of the organization. FAA oversight processes provide 
an external source of safety assurance of the carrier's operational 
processes and their SMS. Current practices of the Air Transportation 
Oversight System (ATOS) are designed to evaluate the design of air 
carrier processes and programs prior to certification, approval, or 
acceptance. Once systems or programs are in place, FAA inspectors 
conduct assessments of the programs' performance based upon FAA's 
assessment of risk as well as randomly sampled inspection activities. 
Information from these inspections could be used by air carriers to 
provide independent assessments of their processes and information on 
areas needing improvement. The air carrier's processes (as described in 
proposed Sec. Sec.  5.71, 5.73, and 5.75) would be used to process FAA 
inspection data, as well as other external audit data. These processes 
can also be used to demonstrate the carrier's actions in correcting 
problems that are subjects of self disclosures or other regulatory 
issues.
    If an organization uses an external audit as described above, the 
organization should use the audit data to augment the data that the 
organization gained with its own tools. The proposed SMS requirements 
do not require, however, that operators, especially small scale 
operators, hire external auditors to evaluate the safety performance of 
their organization. This is just one option that an air carrier of any 
size may choose to employ to evaluate its safety performance.
    Safety assurance processes would also include investigations as 
noted under Sec.  5.71(a)(5). Investigations are a reactive tool aimed 
at specific problems or occurrences in an organization and are a good 
source of performance data. In an SMS, the objective of investigating 
is to identify systemic safety deficiencies rather than to assign 
blame. A company's safety performance is enhanced by removing systemic 
deficiencies rather than by disciplining individuals who may only have 
made an error. Errors are not intentional actions and they are common; 
however, they can have negative outcomes. In an SMS, the point is to 
prevent the errors from happening or arrange company processes so that 
mistakes do not have unfortunate effects. Investigations should be done 
with the understanding of the difference between making an error, 
committing purposeful harm, or displaying a lack of competence or 
qualification.
    Employee reporting systems provide another excellent source of 
information regarding the performance of the organization. ASAP is just 
one example of an employee reporting system that provides specific 
types of employees to report safety issues or concerns.
    Once the air carrier collects the data through the processes under 
proposed Sec.  5.71(a), it must have processes in place to analyze the 
data to determine the overall safety performance of the organization. 
This step is used to transform raw data into usable information that 
can support informed decision making.
    The next step in safety assurance, the safety performance 
assessment under proposed Sec.  5.73, analyzes the data collected 
against the safety objectives established by the air carrier in its 
safety policy. This function includes reviews by the accountable 
executive, who would review the information and analysis on a regular 
basis to ensure the organization's compliance with applicable 
regulatory requirements and safety controls established by the air 
carrier, to evaluate the performance of the SMS and the effectiveness 
of the safety controls, to identify changes in the operational 
environments, and to identify potential new hazards or safety issues. 
If the assessment reveals new hazards or safety issues, the certificate 
holder must initiate the processes under safety risk management to 
evaluate and, if necessary, control the risk to its operation.
    The last component of safety assurance is continuous improvement 
under proposed Sec.  5.75. This step is designed to ensure that the air 
carrier is correcting substandard safety performance identified during 
the safety performance assessment to continuously improve the 
organization's safety performance. The analysis and assessment 
functions of safety assurance are essential in alerting the 
organization to significant changes in the operating environment, 
possibly indicating a need for system change to maintain effective risk 
controls. The certificate holder should use safety and quality 
practices, audit and evaluation results, analysis of data, corrective 
actions, and management reviews developed under this subpart. For 
example, the certificate holder would take steps to correct 
noncompliance with existing regulatory requirements or safety controls 
initiated by the certificate holder.

E. Safety Promotion

    An organizational safety effort cannot succeed purely by mandate or 
strict implementation of policy. The organizational culture and 
individual attitudes set the tone for the organization's safety 
performance. An organization's culture consists of the values, beliefs, 
mission, goals, and sense of responsibility held by the organization's 
members. The culture ties together the organization's policies, 
procedures, and processes and provides a sense of purpose to safety 
efforts. The fourth component of SMS, safety promotion, seeks to 
enhance the safety culture in an organization through increased 
employee communication and training.
    The safety promotion component requires organizations to ensure 
employees throughout the organization are trained and competent to 
perform their safety-related job functions. This training may vary 
somewhat depending on where in the organization an employee works. 
Additionally, it is important for all employees to know how to report 
safety concerns and understand that it is their responsibility to do 
so. It is not the intent of this rule to establish mandatory training 
hours or a prescriptive training program. Rather, the training required 
under proposed Sec.  5.91 may be incorporated into the air carrier's 
existing training programs, or may be provided separately, as changes 
are made to the operating system for which the individual is 
responsible. Training may range from formal classroom training to 
simple notice alerts when changes are made to update a system. For 
these reasons the FAA has determined that it is appropriate for the air 
carrier to develop training that meets the needs of the organization, 
including

[[Page 68238]]

the content, methods of delivery, and frequency of training.
    In addition to training, communication of critical safety 
information is essential to building a positive safety culture. The 
organization must put in place processes that allow for open 
communication among employees and the organization's management. The 
organization must make every effort to communicate its goals and 
objectives, as well as the current status of its activities and 
significant events. Likewise, the organization must supply a means of 
communication that fosters an environment of collaboration, trust, and 
respect. Thus, proposed Sec.  5.93 would require the certificate holder 
to develop and maintain a means for communicating safety information.

F. SMS Documentation and Recordkeeping

    Documentation of SMS requirements, processes and procedures, and 
outputs is necessary in order for certificate holders to conduct a 
meaningful analysis under safety risk management, to review safety 
assurance activities, and for the FAA to review for compliance during 
inspections. Documentation and recordkeeping also ensure that safety-
related decisions are consistent with safety policies and goals and 
provide historical information that can be used to make future safety-
related decisions.
    The FAA, therefore, is proposing a set of documentation and 
recordkeeping requirements under subpart F of part 5. As proposed in 
Sec.  5.91, the air carrier would be required to document its safety 
policy and SMS processes and procedures. The safety policy requirements 
are described in more detail in proposed Sec.  5.21. Documentation of 
the certificate holder's SMS processes and procedures include the steps 
involved, methods to be used and associated criteria, objectives, 
expected outputs, and outcomes necessary to meet the regulatory 
requirements. For instance, proposed Sec.  5.71(a)(3) requires internal 
audits. Proposed Sec.  5.95(b) requires that the audit processes and 
procedures be documented. This would also include the criteria, scope, 
and frequency of the audits.
    As proposed in Sec.  5.97, the air carrier would maintain records 
of the outputs (risk assessments, implemented risk controls) of safety 
risk management and safety assurance processes. Outputs of safety risk 
management processes would be retained for as long as they remain 
relevant to the operation. For risk assessments, this may mean for as 
long as the air carrier engages in that activity. For risk controls, it 
may mean for as long as the risk control remains in effect. These 
records can be kept either electronically or in paper format. In 
addition, the certificate holder would be required to retain outputs of 
safety assurance processes for a minimum of five years, and training 
and communication records for a minimum of 24 months. The timelines 
associated with the retention of these documents ensure that they are 
kept for a time period that provides the air carrier with sufficient 
historical data to conduct the required analyses and assessments. The 
retention requirements are consistent with other retention requirements 
in part 121. Furthermore, these are minimum retention requirements. A 
certificate holder may retain its documents for longer time periods if 
necessary.

IV. Regulatory Notices and Analyses

Paperwork Reduction Act

    The Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)) requires 
that the FAA consider the impact of paperwork and other information 
collection burdens imposed on the public. According to the 1995 
amendments to the Paperwork Reduction Act (5 CFR 1320.8(b)(2)(vi)), an 
agency may not collect or sponsor the collection of information, nor 
may it impose an information collection requirement unless it displays 
a currently valid Office of Management and Budget (OMB) control number.
    This action contains the following proposed new information 
collection requirements. As required by the Paperwork Reduction Act of 
1995 (44 U.S.C. 3507(d)), the FAA will be submitting these proposed 
information collection amendments to OMB for its review and approval 
before the information collection related provisions go into effect. 
FAA specifically requests comments regarding the cost and staff hours 
necessary for information collection and record keeping required under 
proposed part 5.
    Summary: The new 14 CFR part 5 would require certificate holders 
authorized to conduct operations under part 121 to develop and 
implement a Safety Management System (SMS) for all of their aviation 
safety-related activities. An SMS is a formalized approach to managing 
safety by developing an organization-wide safety policy, developing 
formal methods of identifying hazards, analyzing, and mitigating risk, 
developing methods for ensuring continuous safety improvement, and 
creating organization-wide safety promotion strategies. When 
systematically applied in an SMS, these activities provide a set of 
decision-making tools that certificate holders can use to improve 
safety.
    Use: Each certificate holder operating under a part 121 certificate 
would develop its SMS based on its own unique operating environment. 
The FAA expects an SMS comprised of four key components: Safety Policy, 
Safety Risk Management, Safety Assurance, and Safety Promotion. 
Collection and analysis of safety data is an essential part of an SMS. 
In addition, a primary component of an SMS is the publication of safety 
policy, which establishes the foundation for the SMS. Two other 
essential components of SMS are safety risk management and safety 
assurance. The certificate holder is required to maintain records of 
the outputs of these processes. Safety promotion is the other component 
of SMS. Within it, the certificate holder is required to maintain 
training records and records of communications used to promote safety. 
However, it is important to note that some part 121 certificate holders 
already have and maintain some of these documents and records as a 
result of other voluntary or required programs. Finally, because of the 
complexity involved in the development and implementation of an SMS, a 
phased approach to implementation within the certificate holder's 
organization will be used. Part of the initial phase is the development 
of an implementation plan, which will guide the certificate holder's 
implementation, as well as provide the basis for the FAA's oversight 
during the development and implementation phases. The implementation 
plan is the only new document or data the certificate holder will 
submit to the FAA due to the new rule.
    Respondents: 90.
    Frequency: Initial and Annual Burden (ongoing collection and record 
keeping)

Sec. 119.8/5.95 Implementation Plan/SMS Documentation

    The FAA estimates that there are approximately 90 operators who 
would be respondents that would be in compliance with these proposed 
requirements. All certificate holders are required to develop and 
submit an implementation plan to establish and document a safety policy 
that outlines the policy and objectives of the company. Although much 
of the information would depend on a carrier's specific operation and 
size, all carriers would need to document the following: implementation 
plan, commitment to

[[Page 68239]]

safety management and objectives, responsibilities of an accountable 
executive and management representatives, and a coordinated emergency 
response plan. Costs for SMS documentation come from both the necessary 
man hours to research and document the safety policy, processes, and 
procedures, as well as the actual documentation. Carriers also reported 
recurring costs for updates to the document. The FAA assumes that the 
majority of document updates are minor at minimal.
    Implementation Plan and SMS Documentation (Initial Hourly Burden):
    2 full time employees per carrier; 3000 hours per year.
    90 certificated carriers x 3000 hours annually = 270,000 hours 
annually.
    270,000 hours annually * 3 years = 810,000 total hours.
    $38,880,000 Total Initial Labor Costs for 3 years.
    + 25,733,400 Material Costs of Documentation for 3 years.
    $64,613,400 Total Estimated Initial Cost Burden for 3 years.
    Estimated Recurring Annual Cost for SMS Documentation:
     2 full time employees per carrier; 350 hours per year.
     90 certificated carriers * 350 hours = 31,000 hours 
annually.
    $1,125,000 Total Labor Cost per Year.
    +$252,000 Material Costs of Documentation per Year.
    $1,377,000 Total Estimated Annual Recurring SMS Documentation.

Sec. 5.97 SMS records

    This proposed rule would require carriers to record output from 
their safety risk management (SRM) process, safety assurance (SA) 
process, safety communications, and SMS training. All of these records 
depend on a carrier's operations. The FAA does not specify how, or in 
what media, documents and records must be maintained relative to the 
requirements in this proposed rule. However, it encourages certificates 
holders to use existing mechanisms and systems to minimize the burden. 
The FAA also believes that there would be minimal additional costs for 
the maintenance of training records since part 121 certificate holders 
already maintain training records.
    Estimated Implementation Costs:
     2 full time employees per carrier; 2000 hours per year.
     90 certificated carriers * 2000 hours = 180,000 hours 
annually.
     180,000 hours annually * 3 years = 540,000 total hours.
    $25,920,000 Total Labor Cost for 3 Years.
    + $26,356,200 Equipment/Software Implementation Costs for 3 Years.
    $52,276,200 Total Estimated Implementation Cost Burden for 3 Years.
    Estimated Annual Operating Costs:
     2 full time employees per carrier; 3500 hours per year. 
The agency is soliciting comments to--
    (1) Evaluate whether the proposed information collection 
requirements (including recordkeeping, record retention, and auditing) 
are necessary for the proper performance of the functions of the 
agency, including whether the information will have practical utility;
    (2) Evaluate the accuracy of the agency's estimate of the burden;
    (3) Enhance the quality, utility, and clarity of the information to 
be collected; and
    (4) Minimize the burden of collecting information on those who are 
to respond, including by using appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology.
    Individuals and organizations may send comments on the information 
collection requirement by February 3, 2011, and should direct them to 
the address listed in the ADDRESSES section at the beginning of this 
preamble. Comments also should be submitted to the Office of Management 
and Budget, Office of Information and Regulatory Affairs, Attention: 
Desk Officer for FAA, New Executive Office Building, Room 10202, 725 
17th Street, NW., Washington, DC 20053.

International Compatibility

    In keeping with U.S. obligations under the Convention on 
International Civil Aviation, it is FAA policy to conform to 
International Civil Aviation Organization (ICAO) Standards and 
Recommended Practices to the maximum extent practicable. The FAA has 
reviewed the corresponding ICAO Standards and Recommended Practices and 
has identified the following differences with these proposed 
regulations. Amendment 30 to Annex 6 part I Section 3.2 Safety 
Management, Paragraph 3.3.6 effective 1 January, 2009 requires that a 
Flight Data Analysis Program be in the SMS standard. If this proposal 
is adopted, the FAA intends to file a difference with ICAO.
    ICAO Annex 6 part I includes a provision that part 121 air carriers 
operating airplanes having a maximum gross takeoff weight in excess of 
27,000 kg (approximately 59,400 lb). ``* * * shall establish and 
maintain a flight data analysis programme as part of its safety 
management system.'' Flight Data Analysis Program (FDAP) is a general 
term encompassing a number of means by which routine flight operations 
data may be acquired, recorded, analyzed, and shared. Flight 
Operational Quality Assurance (FOQA) is one such program. FOQA is a 
formal voluntary program which has been implemented by 41 certificate 
holders conducting operations under part 121. FOQA specifications 
include installation of extensive flight data recording systems which 
facilitate rapid transfer of recorded data, de-identification of that 
data, and agreements between pilot organizations and the carriers which 
define how this information may be used.
    The part 121 fleet is diverse in terms of size, complexity, and 
age, as well as the size of the companies that operate them. Many of 
the older aircraft would require extensive modifications to adapt them 
to the technical requirements of a FOQA program. The investment and 
expense of implementing and maintaining such a system exceeds the 
financial capability of many smaller carriers. There are a number of 
ways to meet the requirements of an FDAP. Therefore, the FAA will not 
require FOQA in this rule. This issue is discussed further in the 
Congressional Mandate section of this NPRM.

Regulatory Evaluation, Regulatory Flexibility Determination, 
International Trade Impact Assessment, and Unfunded Mandates Assessment

    Changes to Federal regulations must undergo several economic 
analyses. First, Executive Order 12866 directs that each Federal agency 
shall propose or adopt a regulation only upon a reasoned determination 
that the benefits of the intended regulation justify its costs. Second, 
the Regulatory Flexibility Act of 1980 (Pub. L. 96-354) requires 
agencies to analyze the economic impact of regulatory changes on small 
entities. Third, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires agencies to prepare a written assessment of the costs, 
benefits, and other effects of proposed or final rules that include a 
Federal mandate likely to result in the expenditure by State, local, or 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more annually (adjusted for inflation with base year of 
1995). This portion of the preamble summarizes the FAA's analysis of 
the economic impacts of this proposed rule. Readers seeking greater 
detail should read the full regulatory evaluation, a copy of which we 
have placed in the docket for this rulemaking.
    In conducting these analyses, the FAA has determined that this 
proposed rule has benefits that justify its costs, is not

[[Page 68240]]

an economically ``significant regulatory action'' as defined in section 
3(f) of Executive Order 12866, (3) is ``significant'' as defined in 
DOT's Regulatory Policies and Procedures; (4) would have a significant 
economic impact on a substantial number of small entities; and (5) 
would not impose an unfunded mandate on state, local, or tribal 
governments, or on the private sector by exceeding the threshold 
identified above. These analyses are summarized below.

Total Benefits and Costs of This Rule

    Who is Potentially Affected by this Rule?
All Part 121 Operators

Assumptions

     All costs and benefits are presented in 2010 dollars.
     All costs and benefits are estimated over a 20-year period 
from 2012 through 2031.
     Benefits of SMS implementation would begin to accrue in 
2015.
     Costs to airlines and air carriers would begin to accrue 
in 2012.
     The present value discount rate of 7 percent
    The estimated cost of this proposed rule is $710.8 million ($375.5 
million in present value terms). The estimated potential benefits from 
avoided casualties, aircraft damage and accident investigation costs 
are $1,143.1 million ($500.8 million in present value terms).

Benefits of This Rule

    The benefits of this proposed rule consist of the value of averted 
casualties, aircraft damage, and accident investigation costs by 
identifying safety issues and spotting trends before they result in a 
near-miss, incident, or accident. Although, an SMS would help carriers 
detect problems early, the FAA also recognizes that both the severity 
of the problem and possible mitigations impact the rate at which future 
accidents would be prevented. Over the 20-year period of analysis, the 
FAA estimates potential benefits of $1,143.1 million ($500.8 million in 
present value terms).

Costs of This Rule

    Each air carrier would be required to develop an SMS that includes 
the four SMS components: Safety Policy, Safety Risk Management, Safety 
Assurance, and Safety Promotion. To support each component, the FAA 
projects that the compliance cost of this proposed rule would come from 
the initial development and documentation of their SMS, implementation 
and continuous operating costs to include the modification or 
purchasing of new equipment/software, additional staff and promotional 
materials, and training. Costs range depending on the size of the 
carrier and the type of operations that they provide. Further, 
operators have existing quality management systems which may lower the 
estimated compliance costs. In total this proposed rule is estimated to 
cost carriers $710.8 million dollars over 20 years ($375.5 million 
present value).

Regulatory Flexibility Determination

    The Regulatory Flexibility Act of 1980 (Pub L. 96-354) (RFA) 
establishes ``as a principle of regulatory issuance that agencies shall 
endeavor, consistent with the objectives of the rule and of applicable 
statutes, to fit regulatory and informational requirements to the scale 
of the businesses, organizations, and governmental jurisdictions 
subject to regulation. To achieve this principle, agencies are required 
to solicit and consider flexible regulatory proposals and to explain 
the rationale for their actions to assure that such proposals are given 
serious consideration.'' The RFA covers a wide-range of small entities, 
including small businesses, not-for-profit organizations, and small 
governmental jurisdictions.
    Agencies must perform a review to determine whether a rule will 
have a significant economic impact on a substantial number of small 
entities. If the agency determines that it will, the agency must 
prepare a regulatory flexibility analysis as described in the RFA.
    Each initial regulatory flexibility analysis required under this 
section shall contain--
    1. A description of the reasons why action by the agency is being 
considered:
    The objective of SMS is to proactively manage safety, to identify 
potential hazards, to determine risk, and to implement measures that 
mitigate the risk. The FAA envisions operators being able to use all of 
the components of SMS to enhance a carrier's ability to identify safety 
issues and spot trends before they result in a near-miss, incident, or 
accident. For this reason, the FAA seeks to require carriers to develop 
and implement an SMS. Lastly, the proposed rule meets a congressional 
mandate.
    2. A succinct statement of the objectives of and legal basis for, 
the proposed rule:
    The authority for this rulemaking is derived from Title 49 of the 
United States Code in addition to the Airline Safety and Federal 
Aviation Administration Extension Act of 2010 (the Act), Public Law 
111-216, Sec.  215 (August 1, 2010). The Act requires the FAA to 
conduct rulemaking ``requiring all part 121 air carriers to implement a 
safety management system.''
    3. A description of and, where feasible, an estimate of the number 
of small entities to which the proposed rule will apply:
    Under NAICS codes 481111 and 481112, for scheduled air 
transportation, small entities would be all part 121 carriers with less 
than 1,500 employees. The FAA estimates that there are approximately 90 
part 121 operators and 64 of these operators meet the definition of a 
small entity; therefore the FAA believes that there are a substantial 
number of small entities impacted by this rule.
    4. A description of the projected reporting, recordkeeping and 
other compliance requirements of the proposed rule, including an 
estimate of the classes of small entities which will be subject to the 
requirement and the type of professional skills necessary for 
preparation of the report or record:
    An SMS is a formalized approach to managing safety by developing an 
organization-wide safety policy, developing formal methods of 
identifying hazards, analyzing and mitigating risk, developing methods 
for ensuring continuous safety improvement, and creating organization-
wide safety promotion strategies. Each air carrier would be required to 
develop an SMS that includes the four SMS components: Safety Policy, 
Safety Risk Management, Safety Assurance, and Safety Promotion. To 
support each component, the FAA projects that the compliance cost of 
this proposed rule would come from the initial development and 
documentation of their SMS, implementation and continuous operating 
costs to include the modification or purchasing of new equipment/
software, additional staff and promotional materials, and training. 
Costs range depending on the size of the carrier and the type of 
operations that they provide. The FAA estimates that for a small 
carrier, with less than 9 aircraft, compliance would cost $253,500 per 
year for the first three years and then roughly $233,000 per year for 
subsequent years. For medium sized carriers, that have 10 to 49 
aircraft, but still have less than 1,500 employees the compliance cost 
would be $342,450 per carrier per year for the first 3 years and then 
$222,500 every years after. Although, the compliance costs are more 
than 3% of a small to medium carriers operating costs, there is a lot 
of variability surrounding these estimates. Carriers could spend more 
or less given

[[Page 68241]]

the flexibility of this proposed rule, and the FAA believes that 
carriers would choose an option where they can maximize their benefits 
and minimize their costs. The FAA has determined that this proposed 
rule has a significant economic impact on small carriers.
    5. An identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap or conflict with the 
proposed rule:
    The FAA is not aware of any Federal rules that would duplicate, 
overlap or conflict with this proposed rule.
    Each initial regulatory flexibility analysis shall also contain a 
description of any significant alternatives to the proposed rule which 
accomplish the stated objectives of applicable statutes and which 
minimize any significant economic impact of the proposed rule on small 
entities. Consistent with the stated objectives of applicable statutes, 
the analysis shall discuss significant alternatives such as:
    1. The establishment of differing compliance or reporting 
requirements or timetables that take into account the resources 
available to small entities;
    2. Clarification, consolidation, or simplification of compliance 
and reporting requirements under the rule for such small entities;
    3. The use of performance rather than design standards; and
    4. An exemption from coverage of the rule, or any part thereof, for 
such small entities.
    This proposed rule is congressionally mandated leaving little room 
for alternatives in terms of adopting a safety management system. All 
Part 121 operators would be required to establish an SMS with no 
exemptions for small entities. However, to accommodate small businesses 
the FAA intends to make the implementation of SMS flexible and 
scalable. Carriers can adapt SMS to their existing programs therein 
reducing the cost. There are already many sources, processes and 
systems in place in air carrier operations that collect this type of 
data that could be utilized to meet this requirement for an SMS. As 
described throughout this document, Flight Operational Quality 
Assurance (FOQA) and Aviation Safety Action Program (ASAP) are good 
examples of a source that is already in place for a large number of 
carriers. Following congressional direction the FAA is not considering 
other alternatives and requests comments on potential alternatives that 
would minimize the impact on small businesses.
    The FAA believes that this proposed rule would have a significant 
impact on a substantial number of small entities for the following 
reasons: We estimate that 64 operators are small entities and the 
compliance costs could be higher than three percent of their operating 
costs. Even though the proposed rule responds to the PL 111-216 
Congressional requirement, we structured the requirement such that 
small entities could meet the requirements with lower costs than a 
larger firm.

Unfunded Mandates Assessment

    Title II of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) requires each Federal agency to prepare a written statement 
assessing the effects of any Federal mandate in a proposed or final 
agency rule that may result in an expenditure of $100 million or more 
(in 1995 dollars) in any one year by State, local, and tribal 
governments, in the aggregate, or by the private sector; such a mandate 
is deemed to be a ``significant regulatory action.'' The FAA currently 
uses an inflation-adjusted value of $143.1 million in lieu of $100 
million. This proposed rule does not contain such a mandate; therefore, 
the requirements of Title II of the Act do not apply.

Executive Order 13132, Federalism

    The FAA has analyzed this proposed rule under the principles and 
criteria of Executive Order 13132, Federalism. We determined that this 
action would not have a substantial direct effect on the States, on the 
relationship between the national Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government, and, therefore, would not have federalism implications.

Environmental Analysis

    FAA Order 1050.1E identifies FAA actions that are categorically 
excluded from preparation of an environmental assessment or 
environmental impact statement under the National Environmental Policy 
Act in the absence of extraordinary circumstances. The FAA has 
determined this proposed rulemaking action qualifies for the 
categorical exclusion identified in paragraph Chapter 3, paragraph 312d 
and involves no extraordinary circumstances.

Regulations That Significantly Affect Energy Supply, Distribution, or 
Use

    The FAA has analyzed this NPRM under Executive Order 13211, Actions 
Concerning Regulations that Significantly Affect Energy Supply, 
Distribution, or Use (May 18, 2001). We have determined that it is not 
a ``significant energy action'' under the executive order, and it is 
not likely to have a significant adverse effect on the supply, 
distribution, or use of energy.
Additional Information
    Comments Invited:
    The FAA invites interested persons to participate in this 
rulemaking by submitting written comments, data, or views. We also 
invite comments relating to the economic, environmental, energy, or 
federalism impacts that might result from adopting the proposals in 
this document. FAA also intends to propose separate SMS rulemakings in 
other sectors of the aviation industry. When the FAA does propose any 
such rulemaking, the FAA will take into account the unique qualities of 
the industry to which they will apply, and will use lessons learned 
from this rulemaking, to include: Scalability, flow-through, 
flexibility, performance standards, and status of existing SMS 
programs. The most helpful comments reference a specific portion of the 
proposal, explain the reason for any recommended change, and include 
supporting data. To ensure the docket does not contain duplicate 
comments, please send only one copy of written comments, or if you are 
filing comments electronically, please submit your comments only one 
time.
    We will file in the docket all comments we receive, as well as a 
report summarizing each substantive public contact with FAA personnel 
concerning this proposed rulemaking. Before acting on this proposal, we 
will consider all comments we receive on or before the closing date for 
comments. We will consider comments filed after the comment period has 
closed if it is possible to do so without incurring expense or delay. 
We may change this proposal in light of the comments we receive.

Proprietary or Confidential Business Information

    Do not file in the docket information that you consider to be 
proprietary or confidential business information. Send or deliver this 
information directly to the person identified in the FOR FURTHER 
INFORMATION CONTACT section of this document. You must mark the 
information that you consider proprietary or confidential. If you send 
the information on a disk or CD-ROM, mark the outside of the disk or 
CD-ROM and also identify electronically within the disk or CD-ROM the 
specific information that is proprietary or confidential.
    Under 14 CFR 11.35(b), when we are aware of proprietary information 
filed with a comment, we do not place it in

[[Page 68242]]

the docket. We hold it in a separate file to which the public does not 
have access, and we place a note in the docket that we have received 
it. If we receive a request to examine or copy this information, we 
treat it as any other request under the Freedom of Information Act (5 
U.S.C. 552). We process such a request under the DOT procedures found 
in 49 CFR part 7.
Availability of Rulemaking Documents
    You can get an electronic copy of rulemaking documents using the 
Internet by--
    1. Searching the Federal eRulemaking Portal (http://www.regulations.gov);
    2. Visiting the FAA's Regulations and Policies web page at http://www.faa.gov/regulations_policies or
    3. Accessing the Government Printing Office's web page at http://www.gpoaccess.gov/fr/index.html.
    You can also get a copy by sending a request to the Federal 
Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence 
Avenue, SW., Washington, DC 20591, or by calling (202) 267-9680. Make 
sure to identify the docket or notice number of this rulemaking.
    You may access all documents the FAA considered in developing this 
proposed rule, including economic analyses and technical reports, from 
the internet through the Federal eRulemaking Portal referenced in 
paragraph (1).

List of Subjects

14 CFR Part 5

    Air carriers, Aircraft, Airmen, Aviation safety, Reporting and 
recordkeeping requirements, Safety, Transportation.

14 CFR Part 119

    Administrative practice and procedure, Air carriers, Aircraft, 
Aviation safety, Charter flights, Reporting and recordkeeping 
requirements.

The Proposed Amendment

    For the reasons stated in the preamble, the Federal Aviation 
Administration proposes to amend 14 CFR Chapter I as follows:
    1. The heading for subchapter A is revised to read as follows:

Subchapter A--Definitions and General Requirements

    2. Add part 5 to read as follows:

PART 5--SAFETY MANAGEMENT SYSTEMS

Subpart A--General
Sec.
5.1 Applicability.
5.3 General requirements.
5.5 Definitions.
Subpart B--Safety Policy
5.21 Safety policy.
5.23 Safety accountability and authority.
5.25 Designation and responsibilities of required safety management 
personnel.
5.27 Coordination of emergency response planning.
Subpart C--Safety Risk Management
5.51 Applicability.
5.53 System analysis and hazard identification.
5.55 Safety risk assessment and control.
Subpart D--Safety Assurance
5.71 Safety performance monitoring and measurement.
5.73 Safety performance assessment.
5.75 Continuous improvement.
Subpart E--Safety Promotion
5.91 Competencies and training.
5.93 Safety communication.
Subpart F--SMS Documentation and Recordkeeping
5.95 SMS documentation.
5.97 SMS records.

    Authority:  Public Law 111-216, sec. 215 (Aug. 1, 2010); 49 
U.S.C. 106(g), 40101, 40113, 40119, 41706, 44101, 44701-44702, 
44705, 44709-44711, 44713, 44716-44717, 44722, 46105.

Subpart A--General


Sec.  5.1  Applicability.

    (a) A certificate holder under part 119 of this chapter authorized 
to conduct operations in accordance with the requirements of part 121 
of this chapter must have a Safety Management System that meets the 
requirements of this part and is acceptable to the Administrator by 
[date 3 years after the effective date of final rule].
    (b) A certificate holder must submit an implementation plan to the 
FAA Administrator for approval no later than [date 6 months after the 
effective date of the final rule].
    (c) The implementation plan may include any of the certificate 
holder's existing programs, policies, or procedures that it intends to 
use to meet the requirements of this part, including components of an 
existing SMS.


Sec.  5.3  General requirements.

    (a) Any certificate holder required to have a Safety Management 
System under this part must submit the Safety Management System to the 
Administrator for acceptance. The Safety Management System must include 
at least the following components:
    (1) Safety policy in accordance with the requirements of subpart B 
of this part;
    (2) Safety risk management in accordance with the requirements of 
subpart C of this part;
    (3) Safety assurance in accordance with the requirements of subpart 
D of this part; and
    (4) Safety promotion in accordance with the requirements of subpart 
E of this part.
    (b) The Safety Management System must be maintained in accordance 
with the recordkeeping requirements in subpart F of this part.
    (c) The Safety Management System must ensure compliance with the 
relevant regulatory standards in chapter I of Title 14 of the Code of 
Federal Regulations.


Sec.  5.5   Definitions.

    Hazard means a condition that can lead to injury, illness or death 
to people; damage to or loss of a system, equipment, or property; or 
damage to the environment.
    Risk means the composite of predicted severity and likelihood of 
the potential effect of a hazard.
    Risk control means a means to reduce or eliminate the effects of 
hazards.
    Safety assurance means processes within the SMS that function 
systematically to ensure the performance and effectiveness of safety 
risk controls and that the organization meets or exceeds its safety 
objectives through the collection, analysis, and assessment of 
information.
    Safety Management System (SMS) means the formal, top-down, 
organization-wide approach to managing safety risk and assuring the 
effectiveness of safety risk controls. It includes systematic 
procedures, practices, and policies for the management of safety risk.
    Safety objective means a measurable goal or desirable outcome 
related to safety.
    Safety performance means realized or actual safety accomplishment 
relative to the organization's safety objectives.
    Safety policy means the certificate holder's documented commitment 
to safety, which defines its safety objectives and the accountabilities 
and responsibilities of its employees in regards to safety.
    Safety promotion means a combination of training and communication 
of safety information to support the implementation and operation of an 
SMS in an organization.

[[Page 68243]]

    Safety Risk Management means a process within the SMS composed of 
describing the system, identifying the hazards, and analyzing, 
assessing and controlling risk.

Subpart B--Safety Policy


Sec.  5.21  Safety policy.

    (a) The certificate holder must have a safety policy that includes 
at least the following:
    (1) The safety objectives of the certificate holder.
    (2) A commitment of the certificate holder to fulfill the 
organization's safety objectives.
    (3) A clear statement about the provision of the necessary 
resources for the implementation of the SMS.
    (4) A safety reporting policy that defines requirements for 
employee reporting of safety hazards or issues.
    (5) A policy that defines unacceptable behavior and conditions for 
disciplinary action.
    (6) An emergency response plan that provides for the safe 
transition from normal to emergency operations in accordance with the 
requirements of Sec.  5.27.
    (b) The safety policy must be in accordance with all applicable 
regulatory requirements in Chapter I of Title 14 of the Code of Federal 
Regulations and must reflect the certificate holder's commitment to 
safety.
    (c) The safety policy must be signed by the accountable executive 
described in Sec.  5.25.
    (d) The safety policy must be documented and communicated 
throughout the certificate holder organization.
    (e) The safety policy must be regularly reviewed by the accountable 
executive to ensure it remains relevant and appropriate to the 
certificate holder.


Sec.  5.23  Safety accountability and authority.

    (a) The certificate holder must define accountability for safety 
within the organization's safety policy for the following individuals:
    (1) Accountable executive, as described in Sec.  5.25.
    (2) All members of management in regard to developing, 
implementing, and maintaining SMS processes within their area of 
responsibility, including, but not limited to:
    (i) Hazard identification and safety risk assessment.
    (ii) Assuring the effectiveness of safety risk controls.
    (iii) Promoting safety as required in subpart E of this part.
    (iv) Advising the accountable executive on the performance of the 
SMS and on any need for improvement.
    (3) Employees relative to the certificate holder's safety 
performance.
    (b) The certificate holder must identify the levels of management 
with the authority to make decisions regarding safety risk acceptance.


Sec.  5.25  Designation and responsibilities of required safety 
management personnel.

    (a) Designation of the accountable executive. The certificate 
holder must identify an accountable executive who, irrespective of 
other functions, satisfies the following:
    (1) Is the final authority over operations authorized to be 
conducted under the certificate holder's certificate(s).
    (2) Controls the financial resources required for the operations to 
be conducted under the certificate holder's certificate(s).
    (3) Controls the human resources required for the operations 
authorized to be conducted under the certificate holder's 
certificate(s).
    (4) Retains ultimate responsibility for the safety performance of 
the operations conducted under the certificate holder's certificate.
    (b) Responsibilities of the accountable executive. The accountable 
executive must accomplish the following:
    (1) Ensure that the SMS is properly implemented and performing in 
all areas of the certificate holder's organization.
    (2) Develop and sign the safety policy of the certificate holder.
    (3) Communicate the safety policy throughout the certificate 
holder's organization.
    (4) Regularly review the certificate holder's safety policy to 
ensure it remains relevant and appropriate to the certificate holder.
    (5) Regularly review the safety performance of the certificate 
holder's organization and direct actions necessary to address 
substandard safety performance in accordance with Sec.  5.75.
    (c) Designation of a management representative. The accountable 
executive must designate a management representative who, on behalf of 
the accountable executive, must be responsible for the following:
    (1) Facilitating hazard identification and safety risk analysis.
    (2) Monitoring the effectiveness of safety risk controls.
    (3) Ensuring safety promotion throughout the certificate holder's 
organization as required in subpart E of this part.
    (4) Regularly reporting to the accountable executive on the 
performance of the SMS and on any need for improvement.


Sec.  5.27  Coordination of emergency response planning.

    Where emergency response procedures are necessary, the accountable 
executive and management representative must develop, as part of the 
safety policy of the certificate holder, an emergency response plan 
that addresses at least the following:
    (a) Delegation of emergency authority throughout the certificate 
holder's organization;
    (b) Assignment of employee responsibilities during the emergency; 
and
    (c) Coordination of the certificate holder's emergency response 
plans with the emergency response plans of other organizations it must 
interface with during the provision of its services.

Subpart C--Safety Risk Management


Sec.  5.51  Applicability.

    A certificate holder must apply safety risk management to a system 
under any of the following conditions:
    (a) Implementation of new systems.
    (b) Revision of existing systems.
    (c) Development of operational procedures.
    (d) Identification of hazards or ineffective risk controls through 
the safety assurance processes in subpart D of this part.


Sec.  5.53  System analysis and hazard identification.

    (a) When applying safety risk management, the certificate holder 
must have a process to describe and analyze the system for use in 
identifying hazards under paragraph (c) of this section, and developing 
and implementing risk controls related to the system under Sec.  
5.55(c).
    (b) In conducting the system analysis, the following information 
must be considered:
    (1) Function and purpose of the system.
    (2) The system's operating environment.
    (3) An outline of the system's processes and procedures.
    (4) The personnel, equipment, and facilities necessary for 
operation of the system.
    (c) The certificate holder must develop and maintain processes to 
identify hazards within the context of the system analysis.


Sec.  5.55  Safety risk assessment and control.

    (a) The certificate holder must develop and maintain processes to 
analyze safety risk associated with the hazards identified in Sec.  
5.53(c).

[[Page 68244]]

    (b) The certificate holder must define a process for conducting 
risk assessment that allows for the determination of acceptable safety 
risk. Acceptable safety risk must, at a minimum, comply with the 
applicable regulatory requirements set forth in Chapter I of title 14 
of the Code of Federal Regulations.
    (c) The certificate holder must develop and maintain processes to 
develop safety risk controls that are necessary as a result of the 
safety risk assessment process under paragraph (b) of this section.
    (1) The certificate holder must evaluate whether the risk will be 
acceptable with the proposed safety risk control applied, before the 
safety risk control is implemented.
    (2) The safety risk controls must, at a minimum, comply with the 
applicable regulatory requirements set forth in Chapter I of title 14 
of the Code of Federal Regulations.

Subpart D--Safety Assurance


Sec.  5.71  Safety performance monitoring and measurement.

    (a) The certificate holder must develop and maintain processes and 
systems to acquire data with respect to its operations, products, and 
services to monitor the safety performance of the organization. These 
processes and systems must include, at a minimum, processes, and 
systems for the following:
    (1) Continuous monitoring of operational processes.
    (2) Periodic monitoring of the operational environment to detect 
changes.
    (3) Auditing of operational processes and systems.
    (4) Evaluations of the SMS and operational processes and systems.
    (5) Investigations of incidents and accidents.
    (6) Investigations of reports regarding potential non-compliance 
with regulatory standards or other safety risk controls established by 
the certificate holder through the safety risk management process 
established in subpart B of this part.
    (7) A confidential employee reporting system in which employees can 
report, including, but not limited to: Hazards, issues, concerns, 
occurrences, incidents, as well as propose solutions and safety 
improvements.
    (b) The certificate holder must develop and maintain processes that 
analyze the data acquired through the processes and systems identified 
under paragraph (a) of this section and any other relevant data with 
respect to its operations, products, and services.


Sec.  5.73  Safety performance assessment.

    (a) The certificate holder must conduct assessments of its safety 
performance against its safety objectives, which include reviews by the 
accountable executive, to:
    (1) Ensure the certificate holder's compliance with the applicable 
regulatory requirements in Chapter I of title 14 of the Code of Federal 
Regulations and additional safety risk controls established by the 
certificate holder.
    (2) Evaluate the performance of the SMS.
    (3) Evaluate the effectiveness of the safety risk controls 
established under Sec.  5.55(c) and identify any ineffective controls.
    (4) Identify changes in the operational environment that may 
introduce new hazards.
    (5) Identify potential new hazards or safety issues and concerns.
    (b) Upon completion of the assessment, if ineffective controls, new 
hazards, or potential hazards are identified under paragraph (a)(2) 
through (a)(4) of this section, the certificate holder must use the 
safety risk management process described in subpart C of this part.


Sec.  5.75  Continuous improvement.

    The certificate holder must establish and implement processes to 
correct substandard safety performance identified in the assessments 
conducted under Sec.  5.73.

Subpart E--Safety Promotion


Sec.  5.91  Competencies and training.

    The certificate holder must provide training to each individual 
identified in Sec.  5.23 to ensure the individuals attain and maintain 
the qualifications necessary to perform their duties relevant to the 
operation and performance of the SMS.


Sec.  5.93  Safety communication.

    (a) The certificate holder must develop and maintain means for 
communicating safety information that, at a minimum:
    (b) Ensures that all personnel are aware of the SMS.
    (c) Conveys safety critical information.
    (d) Explains why particular safety actions are taken.
    (e) Explains why safety procedures are introduced or changed.

Subpart F--SMS Documentation and Recordkeeping


Sec.  5.95  SMS documentation.

    The certificate holder must develop and maintain SMS documentation 
that describes the certificate holder's:
    (a) Safety policy.
    (b) SMS processes and procedures.


Sec.  5.97  SMS records.

    (a) The certificate holder must maintain records of outputs of 
safety risk management processes as described in subpart C of this 
part. Such records must be retained for as long as the control remains 
relevant to the operation.
    (b) The certificate holder must maintain records of outputs of 
safety assurance processes as described in subpart D of this part. Such 
records must be retained for a minimum of 5 years.
    (c) The certificate holder must maintain a record of all training 
provided under Sec.  5.91 for each individual. Such records must be 
retained for a minimum of 24 consecutive calendar months after 
completion of the training.
    (d) The certificate holder must retain records of all 
communications provided under Sec.  5.93 for a minimum of 24 
consecutive calendar months.

PART 119--CERTIFICATION: AIR CARRIERS AND COMMERCIAL OPERATORS

    3. The authority citation for part 119 is revised to read as 
follows:

    Authority: Public Law 111-216, sec. 215 (August 1, 2010); 49 
U.S.C. 106(g), 1153, 40101, 40102, 40103, 40113, 44105, 44106, 
44111, 44701-44717, 44722, 44901, 44903, 44904, 44906, 44912, 44914, 
44936, 44938, 46103, 46105.

    4. Add Sec.  119.8 to read as follows:


Sec.  119.8  Safety Management Systems.

    (a) Certificate holders authorized to conduct operations under part 
121 of this chapter must have a safety management system that meets the 
requirements of part 5 of this chapter and is acceptable to the 
Administrator by [date 3 years after effective date of final rule].
    (b) Certificate holders required to have an SMS under this section 
must submit an SMS implementation plan in a form and manner prescribed 
by the Administrator to the certificate-holding district office for 
approval by [date 6 months after effective date of final rule].
    (c) A person applying to the Administrator for an air carrier 
certificate or operating certificate to conduct operations under part 
121 of

[[Page 68245]]

this chapter after [effective date of final rule] must demonstrate, as 
part of the application process under Sec.  119.35, that it has an SMS 
that meets the standards set forth in part 5 of this chapter and is 
acceptable to the Administrator.

    Issued in Washington, DC, on October 29, 2010.
Margaret Gilligan,
Associate Administrator, Office of Aviation Safety.
[FR Doc. 2010-28050 Filed 11-4-10; 8:45 am]
BILLING CODE 4910-13-P


