Things to Prepare for Aviation SMS Audits
There are many aviation audit checklists available online.
While these checklists offer many specific tasks you need to perform, few checklists offer a broad overview of things that airports, airlines, and other aviation service providers should do to augment audit performance.
The purpose of aviation safety management systems (SMS) is to continuously improve safety performance while also improving the business' operational processes. This continuous improvement is expected to be realized by:
- Identifying hazards to operational safety;
- Reporting the safety hazard to management to be treated;
- Collecting and analyzing safety information;
- Determining whether hazard's associated risk is acceptable;
- Implementing or reinforcing risk controls to mitigate risk; and
- Continue to monitor the system for hazards.
Related Articles on Aviation SMS Audits
- How Integrating QMS and SMS Will Improve Aviation Safety Audit Performance
- Aviation Safety Audit Preparation - 4 Free SMS Audit Checklist Templates
- 5 Ways to Prepare for Aviation SMS Audits
Aviation SMS Audit Demonstrate Compliance and Provide Assurance
Aviation SMS audits assure the accountable manager that the SMS is implemented properly and functioning as designed. However, other stakeholders are interested in assuring themselves that your company has a compliant SMS. These stakeholders may include:
- Senior managers;
- Client with SMS as a contractual requirement;
- Civil aviation authorities; and
- Standards-setting bodies, such as IATA, IS-BAO, and Flight Safety Foundation.
The aviation audit checklist items below are items you probably won’t see in standard checklists but will prove indispensable in audit preparation for your aviation safety management system (SMS).
Consider using these audit checklist items in conjunction with more itemized checklists offered by your oversight agency.
Below are 10 things to do before aviation SMS audits.
1 – Review Audit History
It looks very bad when an auditor shows up and hits you with findings that you also received in previous audits. Even if other areas of your safety management system are shining, repeat audit findings will overshadow everything else. Not only is it an avoidable finding, but it hurts goodwill with oversight agencies.
When you know that auditors are coming to inspect your organization, the first thing you need to do is review your last audit and establish:
- What the audit findings were;
- What the concerns were;
- Any notes/suggestions made by the auditor(s);
- Review any implemented corrective actions and preventive actions (CPAs);
- Determine whether any planned CPAs are still in progress of being implemented; and
- Determine whether any of the most recent audit findings or concerns were repeat findings.
Ensuring that, at the very least, your organization has addressed these points will be the top priority in preparing for the new audit.
Related Articles on Aviation SMS Audits
- How to Audit Previously Managed Safety Issues in Aviation SMS
- How to Conduct Internal SMS Audits in Aviation Industry
- How to Create an Aviation SMS Audit Plan
2 – Perform Internal Audit
Performing an internal SMS audit is not only a good idea, but it's also necessary. This audit should:
- Ensure that previous audit findings and concerns were ameliorated;
- Alert you to other potential non-compliance issues; and
- Allow you to perform a high-level review of the aviation SMS.
Internal audits are test runs. They allow you to evaluate your SMS risk management processes with similar standards as outlined by your impending audit protocols. Moreover, internal audits give all employees in your company a chance to practice their jobs in a compliant way (if they already aren’t doing so).
Related Articles on Aviation Risk Management Processes
- The Process of Aviation Risk Management
- How to Document Your System Processes in Aviation SMS
- How to Optimize Risk Management Processes for Aviation SMS
3 – Cleanup Hazard Register
Ideally, it has been a while since your last audit. If this is the case, your Hazard Register probably needs some organization and/or cleanup. What does this look like?
- Verifying that the hazard register documentation is current (not a problem if using an aviation SMS database);
- Establish top hazards in a company and per division (i.e., different locations, branches of a company, etc.);
- Ensure top hazards correlate to established safety objectives;
- Ensure that all hazard’s controls are documented and up to date, such as having no existing controls that are not documented as being assigned to a particular hazard;
- Be prepared to demonstrate how you monitor hazards and their associated risk controls; and
- For top hazards, be prepared to show a list of safety reports that are related to these top hazards.
Auditors are going to inspect your hazard register and ask questions, especially if you are expected to have a mature SMS. For operators in Phase I, II, or III, your hazard register may not be under much scrutiny. This will also hold true for corporate operators (GA), FBOs, and smaller aviation maintenance organizations. The rule of thumb is that the more complex your operation, the more scrutiny auditors will invest in our hazard register.
Another rule of thumb is that the more advanced your SMS maturation level, the higher level of scrutiny you should expect on your hazard register. For example, if you are in Phase 4 of your SMS implementation, or Stage 3 IS-BAO, then you are advised to have hazard documentation and be able to demonstrate safety performance monitoring and measurement of your top hazards.
Another tip related to your hazard register is to be prepared to show your safety objectives and key performance indicators (KPIs) or you may know them as safety performance indicators (SPIs). Your safety objectives should correlate with your KPIs, of which your top hazards should also be listed as your KPIs.
KPI = SPI
Having top hazards (which will be your KPIs), updated risk controls and updated hazards will greatly improve your chances of no audit findings regarding your Safety Risk Management processes.
Moreover, cleaning up your Hazard Register gives you an opportunity to review your SMS program's hazards and controls, and better answer questions elsewhere in the safety program.
Related Articles on Key Performance Indicators (KPIs) in Aviation SMS
- What Is a Key Performance Indicator (KPI) in Aviation SMS?
- How to Set and Monitor Key Performance Indicators (KPIs) in Existing SMS
- How to Automate Key Performance Indicator KPI Monitoring
4 – Ensure All Safety Issues and Corrective Actions Are Current
Much like cleaning up your Hazard Register, you should clean up the documentation of any reported safety issues that were neglected and not properly closed. What do we mean by this? For example, Joe Wrenchfoot submitted a safety report about an employee not following prescribed maintenance procedures. During the initial investigation, it was discovered that the employee had followed the procedures, but Joe was distracted and didn't see the entire process, and missed a step. The safety team saw this as a non-issue and forgot to complete the documentation because the risk was acceptable. Their SMS processes didn't have alerts to notify the safety team of the open safety report, so the report just "hung out" in the SMS database.
This is a common scenario in spreadsheets and even SMS databases that do have automated alerts.
Joe's safety report is just an example. There may be many other reasons why you might have safety issues still open and hanging around in your SMS database or spreadsheet – maybe:
- The reported safety issue wasn’t valid as in our example;
- Reported safety issue's risk was acceptable and your policy doesn't require treating safety reports with acceptable risk levels;
- Your safety culture stinks and department heads are not completing assigned safety tasks as per policy;
- All corrective actions weren’t completed or documentation was neglected; or
- You simply forgot to update the status as closed.
Whatever the reason, having issues or CPAs that are neglected and apparently abandoned for many months will reflect very poorly upon your aviation SMS record-keeping practices. SMS documentation requirements can be very complex and time-consuming to fulfill properly.
Neglected or poorly documented safety reports are a big red flag for auditors. As auditors uncover these loose ends, these abandoned safety issues may lead to much greater scrutiny of your SMS, which can in turn lead to more audit findings.
To avoid this, you need to work diligently to close those neglected issues and CPAs by whatever means are efficient and compliant.
5 – Address Overdue Issues and Corrective Preventative Actions
In addition to cleaning up abandoned safety issues, you also need to ensure that by the time of the audit, there should be no overdue issues unless there is a valid reason behind the delay. For example, there may be safety reports that require manual revisions that must be approved by the regulatory authority. As you know, things move very slowly at the CAA and months may pass before the manual revision is reviewed, accepted, and implemented.
While having overdue reported issues isn’t as egregious as abandoned, incomplete safety reports, it’s still better not to have them.
There are two simple ways to address overdue safety issues:
- Simply change the due date for the item; or
- Put overdue items as the highest priority task for risk management processing.
Having all safety reports completed on time and documented is best practiced on a regular basis. Note here that "completed documentation" is part of the risk management process. An issue should not be considered complete until the documentation is complete.
This is a very valid point that I must make at least four times each year to safety managers. Over and again, a different safety manager will come to me and ask: "Why can't I complete documenting my safety report in the SMS database after I closed it?" By now, most of you know that we provide an SMS database to aviation service providers on a worldwide basis. This is why I get to hear this same story, over and again. My response is always: documentation is part of the risk management process. If the documentation is incomplete, then the safety report is not complete and should not be closed.
This is not a big deal to half of these safety managers after they understand the logic. They simply change the status of their safety report back to "In Progress" and finish the documentation. But the other half become frustrated and realize that if they re-open the safety report, the safety report will not be considered completed on time. Which is the truth! When documentation is incomplete, safety reports should not be closed simply to "play the stats game" and make the risk management team appear more responsive than what is truly happening.
This is the beauty of having an SMS database versus using spreadsheets. If you want an honest accounting of what is transpiring in your SMS, the SMS affords the most accurate picture for:
- what activities are happening;
- when these activities are happening; and
- who performed these activities.
Related Aviation SMS Database Articles
- What Is an Aviation Safety Database
- How to Choose the Best Aviation Safety Database Software
- How to Manage Aviation Safety Programs without Complex SMS Databases
It is much more difficult to "juke the stats" using an SMS database. If you are not familiar with "juking the stats," this term was coined by the television series "The Wire."
If your safety culture prefers to "juke the stats," then you may not want an SMS database that accurately tracks your risk management activities. If I were the accountable executive, I would want the assurance that my safety team is honest and accurately reporting what is happening in the trenches and not putting on a show to make the safety team or the company appear to be better than what they truly are.
We've beaten this enough, but the basic fact is that for most SMS in the earlier stages of implementation, things fall through the cracks. Audits allow you to correct this and you should not be afraid to show your SMS processes for what they are. When risk management processes are not perfect, an audit helps guide the operator toward compliance.
6 – Notify Employees of Impending Audit (and Offer Guidance)
Employees absolutely need to be notified of an impending audit, including:
- What will be audited;
- Their role in the audit;
- How they can prepare for the audit (such as knowing their documented safety duties and responsibilities, the name of the safety manager, how to report a safety concern, etc.);
- What questions they will be asked, or different positions that will be inspected; and
- Links to resources that they can use to prepare.
Notifying and preparing employees is an often overlooked or undervalued step in preparing for audits. It can do wonders for making your SMS human element perform (or at least appear to behave) cohesively.
While we are speaking about "training employees" on how to behave during an audit, we should not neglect to coach the accountable executive and upper management. Knowing what to say is as important as knowing not what to say. There are SMS consultants who specialize in preparing accountable executives for audits. I don't have any more to say about this.
7 – Review Policies and Procedures to Ensure Currency
Updating safety policies is probably the most over-stressed area of audit preparation. It's usually a mainstay of most audit checklists. Granted, it is an important element of audit preparation. However, updating policies should be considered of equal importance as other, previously mentioned activities.
Reviewing safety policy is simply a matter of:
- Ensuring that actual practice matches documentation; and
- No documentation is obsolete.
This should be the extent of reviewing safety policy, though you may also double-check safety policy compliance requirements as well. When safety policies are updated, make sure that the safety policy has been reviewed and dated by the accountable executive. I've seen a few audit findings of this nature... not many, but it does happen that there is no documentation that the accountable executive had actually reviewed the updated safety policy.
Related Articles on Aviation SMS Safety Policy
- Writing Awesome Aviation Safety Policy Statements
- What Should Be in Your Safety Policy in Aviation SMS
- How to Know if Your Aviation Safety Policy Is Complete
8 – Random Sample Inspection of Reported Safety Issues
Simply put, you should take a random sample of reported safety issues and inspect them. This sample should include:
- High risk issues;
- Medium risk issues; and
- Low risk issues.
The inspection should force you to:
- Ensure that risk management processes were followed as per SMS manual;
- Ensure that the issue was reviewed to ensure controls remain effective (if this procedure follows your established risk management processes; and
- Properly justify all classifications (such as the hazard) and risk management decisions with little difficulty.
9 – Gather Performance Data and Charts since the Last Audit
Organizing documentation and safety data into easy-to-navigate categories will make your auditor's job a whole lot easier and will demonstrate that your SMS is “on top of it.” Things like:
- Hazard register reports;
- Safety training documentation;
- Safety goals and objectives;
- Safety policy and documentation;
- Key performance monitoring activities;
- Safety meetings and communication activities; and
- Safety promotional activities.
A best practice is to organize them in the order you can expect your SMS auditor to follow through with his/her SMS audit checklist. If your auditors prefer a “binder” you should do that. If your oversight agency is more “modern” and is comfortable navigating this documentation in a digital format, this will require less work on your end.
There are a few auditors who will refuse to view SMS documentation in electronic formats, such as excel reports or logging in directly to your SMS database. They will make you kill a few trees and print out piles of documentation. This is senseless to many of us, but there are reasons. The most obvious reason is that the auditor came to your operation to audit your SMS documentation and risk management processes. The auditor did not come to learn about your SMS database or how to find risk controls buried in a software program. They may feel uncomfortable, like a fish out of water, sitting in front of a strange computer screen looking at a strange SMS database. This uncomfortable position leaves them feeling vulnerable and takes away some of their "power." Before the auditor comes, you may ask what types of SMS performance monitoring documentation they wish to review and the format they prefer.
Related Articles on Performance Monitoring in Aviation SMS
- How to Be Compliant with ICAO Safety Performance Monitoring and Measurement
- 4 Pillars | How to Conduct Safety Performance Monitoring and Measurement
- 5 Useful Safety Performance Monitoring Tools in Aviation SMS
10 – Be Confident and Self-Reliant, Not Subordinate
The relationship you establish with your auditor is extremely important. Subordination and pandering can give the impression that you are either hiding something or that the aviation SMS is not performing well.
Your auditor is there to help you and work with you. However, auditors can only do that if they are confident in the SMS's performance and have strong reasons for the actions they have taken in the documented risk management activities. Remember, you should NOT depend on your inspector for answers to regulatory questions – this is a common pitfall.
YOU should interpret regulatory requirements and count on your auditor to put you back on track if your interpretation is off balance. This is the kind of collaborative, cordial relationship that pleases auditors and benefits your aviation SMS.
You may find these two resources valuable for audit preparation.
Aviation SMS Audit Checklists to Download
Last updated August 2023.