ICAO develops this manual, ICAO SAFETY MANAGEMENT fMANUAL (Doc 9859)1 as a guidance material for the fulfilment of the SARPs Annexes 1, 6, 8, 11, 13 & 14 on safety management. This manual contains a conceptual framework for managing safety and establishing a safety management as well as some of the systemic processes and activities used to meet the objectives of the State's safety programme.
A safety management should be considered as important to business survival as financial management system. The implementation of a safety management system provides considerable benefits for businesses by increasing efficiency and by preventing incidents or accidents. The primary objective is to suggest management tools for capitalizing on the strengths of the human being to improve safety and how SMS can intervene on the working environment to capitalize human flexibility, adaptability and good judgments. Moreover it will enhance organisation's safety performance, thus reduce insurance payments and ultimately lower premiums.

The manual is not designed to be read from start to finish. Relatively users are encouraged to focus on their areas of interest, depending on their level of knowledge and experience in the area of aviation safety management. Therefore what presented here are only the highlights of every chapter.


1.1 This manual, ICAO SMM, outlines the principles of safety management and provides guidance for the conduct of effective safety management programmes. It contains a detailed guidelines for developing an SMS and SSP to meet the objectives of ICAO SARPs2 in relation to safety concepts.

1.5.1 The manual presents a building-block approach into the development of safety management.


2.2.1 The concept of safety in aviation may have different connotations;

  • Zero accidents or serious incidents
  • Freedom from hazards
  • Employees’ attitudes towards unsafe acts and conditions
  • Error avoidance
  • Regulatory compliance

2.2.2 Whatever the connotation is, it is important to note that a 100% safety is an unachieveable goal. Despite the best efforts and practices to avoid the occurrence of failures and errors, they will still occur. There is no guarantee of completely eliminating errors or failures from human activity or human-made system to make it abolutely safe.

2.2.4 Safety is increasingly perceived as the management of risk, therefore for the purpose of this Manual, Safety is considered as the state in which the risk of harm to persons and equipments or property damage are reduced and maintained at or below an acceptable level through a continuing process of hazard identification and risk management.

2.3.3 Technological improvement has led to a decline in major air disasters, less catastrophic accidents and a whole range of incidents occur more frequently. These lesser safety events may be indications of undelying safety problems. Ignoring the underlying safety hazards could pave the way for an increase in the number of more serious accidents.

2.6.17 Aviation operational contexts take place in a complex environment where performance involves human interaction with other components of the operational contexts, as demonstrated in a SHEL model; HARDWARE, LIVEWARE, ENVIRONMENT, SOFTWARE. Understanding this complext interaction will assist organisations to develop an effective safety management processes to mitigate operational errors.

2.7.1 Most manufacturing companies in the modern aviation world are more focused on their production goal rather than balancing it with protection goal, in this scenario safety have been overlooked as manufacturers are concentrating on satisfying demand rather than dealing with existing safety issues. In order to achieve both production and protection goals, it is important that Liveware-Hardware3 interface is carefully considered to the required level to avoid unexpected failures causing operational errors.

2.8.3 This manual also discussed the importance of understanding culture as it determines human performance. Culture sets the rules of the game or the framework for all interpersonal interactions, therefore having a good understanding on organisation culture allows an organisation to promote safe operations. The three levels of culture relevant to safety management intiatives and determinants of organisational performance are;

  • National culture
  • Professional culture
  • Organisational culture

2.8.13 ICAO also emphasized the fact that an Effective safety reporting is one effective way of controling hazards in the workplace. Therefore it is important to be practiced within the organisation to enable operational personnel to identify and report hazrads so they can be continuously controlled.

2.9.1 Investigation of safety occurrences is another core activity of the safety management processes which need to be developed and practiced to the highest level. Investigation suppots safety management activities through identification of systemic deficiencies from findings whereby enables an organisation to establish effective ways of remedying the problem, hence improving the system.


3.2.1 In aviation a misperception has evovled regarding safety, due to the supreme value of human life, safety is considered as the first priority. however the perception in this manual is that safety is not the first priority of aviation organisations. It should be clear that management of safety is one important core business function and must be treated equally importance with other core business functions as it allows aviation organisations to achieve their business objectives through the delivery of their services.

3.3.6 The perspective of the management of safety as a core business function places safety accountability and responsibility at the highest level of aviation organisations along with decisions regarding the allocation of resources. This manual emphasised the fact that organisation should make sure that allocation of resources are balanced between the two Ps, protection and production goals to ensure that the company produces as well as protected. An unbalanced allocation of resources between the two Ps will result in either catastrophe or backruptcy.

3.5.1 In the case of unbalanced allocation of resources, hazards are likely to rise along the practical drift in which daily operations are conducted. For aviation organisations to successfully navigate along the operational drift, the three kinds of navigational aids are deployed to capture operational data and inform organisations of the best paths to take without encountering much trouble with the currents and obstacles along the operational drift. These three navigational aids are known as safety data collection methods, Reactive4, Proactive5, and Predictive6,.

3.5.8 Safety management requires the integration of the three safety data collection systems, Reactive, Proactive, Predictive in the safety management processess since these three safety collection methods collect safety data at different levels of the operational drift, therefore ensure that hazards can be picked up before increasing damaging potential if they progress unimpeded along the operational drift.

3.6.1 It is becoming evident that with the increase in global aviation activity, traditional7 methods of managing risks to an acceptable level may not be suffice to deal with these new emerging risks. It is, therefore, reccommended in this manual that a different and evolved methods of understanding and managing safety is more efficient and effective.

3.6.3 As stated in this manual a new and evolved method of understanding and managing safety is based on the notion that safety is managed through process control, beyond the traditional belief. This approach is well documented and explained in this manual and builds on three assumptions;

  • Operational performance leads to the practical drift
  • Real time performance is constantly monitored rather than relying on regulatory compliance
  • Minor, inconsequential deviations during routine operations are constantly tracked and analysed


4.2.3 A hazard is a situation that poses a level of threat to life, health, property, environment, or reduction of ability to perform a given task. Most hazards are not necessarily damaging, however, once a hazard interacts with the operation system its damaging potentials create an emergency situation.

4.2.6 As prescribed in this manual, hazards are part of operational context and therefore always present in the workplace even with the absence of operational personnel. For this reason, hazards are considered as physical components of the operational context and can be detected through assessment. Hazards can create consequences when interacting with certain operations of the system surfacing its damaging potentials. This conveys one essential principle of safety management which mitigation strategies should proactively aim at damaging potentials of hazards and not waiting for the consequences to reactively deal with such consequences.

4.2.7 For the purpose of safety management the consequences of hazards has to be expressed in operational terms to allow the management of safety to design mitigation strategies. Expressing the consequences of hazards in extreme terms will make it difficult for the management of safety to design mitigation strategies and may end up with the cancellation of the operation.

4.3.3 It should be noted that confusing hazards with its consequences will disguise the true nature of the damaging potential of the hazard in question; therefore it is best to properly name the hazards rather than stating it as a consequence so that the management of safety can correctly deduce the mechanisms of the hazard to evaluate the outcome in terms of the magnitude of the potential loss.

4.4.6 Hazard identification and reporting is everybody’s job, consequently all personnel should receive the appropriate safety management training at a level corresponding with their duties to be able to effectively identify and report hazards. If hazard identification and reporting is not well supported and practiced in an organization, hazards will naturally perpetuate in a system delivering their damaging potential.

4.5.1 On the other hand documentation of hazard is an essential requirement for hazard identification as well as an attribute of safety management. These documented data will generate safety knowledge in an organization rather than in the heads of individuals. Furthermore, having all the reports on hazards identification, it will facilitate the organization to analyze the information in the reports to determine any safety actions required, or make safety decisions based upon facts and not opinions.

4.3.5 Hazards is categorized into three groups;

  • Natural hazards
  • Technical hazards
  • Economic hazards


5.2.8 As explained in this manual, safety risk is hard to define as they are not tangible or visible components of any physical operational context. It is known as an artificial construct of humans and they do not really exist naturally. Safety risk is defined as the assessment of the consequence of hazards designated through alphanumeric convention that allows for their measurement, to express its probability and severity.

5.2.1 Safety in this manual is delineated as the outcome of the management of a number of organizational processes, which are deployed to keep safety risks under organizational control. This gives us a perception that safety is an outcome while safety risk management is another core activity that supports the management of safety contributing to other indirectly related organizational processes.
5.2.3 The term safety risk management discussed in this manual is not similar to the term risk management and therefore it should be understood that the management of safety will not be directly aim at the management of financial risk, legal risk, economic risk and so forth. The management of safety argued in this manual focused mainly on the management of safety risks.

5.3.1 Safety risk management covers the evaluation and mitigation of the safety risks of the consequences of hazards that threaten the abilities of an organization to a level as low as reasonably practicable (ALARP). The assessment of safety risk is assessed with the use of an inverted triangle to represent a notion that aviation is a top heavy from a safety risk perspective.

5.3.2 Safety risks which are falling at the top part of an inverted triangle are considered to be at the intolerable region and are unacceptable under any circumstances. The threat and magnitude are treated as high and serious therefore need immediate mitigation action to bring those safety risks to the tolerable or acceptable regions. Safety initially falling in the middle part of an inverted triangle are at the tolerable region and considered too serious as those in the intolerable region, but should be kept under organizational control to a level that is as low as reasonably practicable (ALARP).

5.3.5 The acronym ALARP depicts the notion that in aviation safety risks cannot be eliminated but can be managed to a level that reasonably practicable to the organization. This means that further risk reduction is either a waste of resources or the risk has reached an acceptable level. In this case, the remaining safety risk is tolerably considered to be outweighed by the benefits.

5.4.2 For the process of bringing the safety risks of the consequences of hazards under organizational control has to begin with the assessment of the probability and secondly the assessment of the severity of the consequences of hazards appear during operations aimed at the delivery of services to ensure appropriate actions are taken so that operations can be continued.

5.8.1 When establishing an organization’s safety risk management it should aim at maximizing the benefits of accepting a safety risk while minimizing the risk itself. It is vital that all safety risk decisions are corresponded to the stakeholders affected by them to get their acceptance. Additionally all safety risks assessments and mitigations have to be recorded for future reference.

5.7.6 Safety risk control or mitigation strategies discussed in this manual are mostly based on the deployment of additional defenses or reinforcement of the existing ones. The defenses in aviation is grouped into three categories;

  • Technology
  • Training
  • Regulations


6.2.1 From a regulatory standpoint, ICAO provides procedures and guidance for the safety management of international aircraft operations and to foster the planning and development of air transport. This is largely achieved by developing Standard and Recommended Practices (SARPs) which are contained in Annexes 1; 6, Parts I and III; 8; 11; 13 and 14. The safety management SARPs, in Annex 1, are limited entirely to approved training organizations that are exposed to safety risks during the provision of their services.

6.2.2 The methods and procedures described in this manual have been compiled to meet the requirements to successfully develop the safety management for States and service providers. Service provides refers to any organization providing aviation services, and the term includes approved training organizations that are exposed to safety risk during provision of their services, aircraft operators, approved maintenance organizations , planners and manufacturers of air transportations, air traffic service providers and so forth.

6.2.3 Additionally, ICAO safety management has three discrete requirements;

  • Requirements regarding the State safety programme (SSP), including the acceptable level of safety (ALoS) of an SSP
  • Requirements regarding safety management system (SMS), including the safety performance of an SMS
  • Requirements regarding management accountability in relation to the management of safety during the provision of services

6.2.4 The acceptable level of safety as introduced in the ICAO safety management SARPs is a way for articulating the minimum degree of safety which has been recognized by the States and must be supported by an SSP, whereas safety performance is a way of evaluating the safety performance of a service provider and its SMS.

6.3.1 ICAO safety management SARPs contained in the annexes exclusively discussed in this manual include the requirement for States to develop an SSP as a framework into achieving acceptable level of safety (ALoS) in aviation organizations. An SSP is considered as a management system for the management of safety by the State.

6.4.11 States bear the responsibility for selecting safety indicators and safety targets that are favorable to the development of ALoS, the minimum degree of safety in civil aviation that must be assured by the SSP in actual practice. At the development of ALoS further consideration must be given to the following;

  • Level of safety that applies
  • Safety risk tolerance
  • Cost/benefits of improvements to the aviation system
  • Public expectations about the civil aviation system

6.4.12 As emphasized in this manual it is also important that to allow for a proper development of ALoS regarding an SSP to ascertain a full understanding between the two concepts; SAFETY MEASUREMENT and SAFETY PERFORMANCE MEASUREMENT as they are closely interconnected and may cause confusions for their applicability.

6.8.1 In order to clarify the relationship between an SMS and SSP, this manual made it clear that States are responsible for the development and establishment of an SSP whereas service providers are responsible for the development and establishment of an SMS, nevertheless States are obliged in the ICAO SARPs Annexes to accept and oversee the development.

6.7.1 The last issue dictated in the ICAO safety management SARPs in Annexes 1, 6, 8, 11, 13 and 14 is management accountability. It is the responsibility of all States to ensure that an accepted safety management system clearly defines the lines of safety accountability throughout the approved training organizations that are exposed to safety risks during the provision of service, aircraft operators, and so forth.

6.7.3 Successful safety management depends entirely on the active participation of all levels of management and supervision. It is the role of an organization to design an organizational structure to support this and define, document and communicate these responsibilities, accountabilities and authorities to all personnel concerned.

6.9.8 As an overview of this chapter; the following are obligations to the ICAO safety management SARPs;

  • States shall establish an SSP in order to achieve an acceptable level of safety
  • The acceptable level of safety to be achieved shall be established by the State
  • Service providers shall implement a safety management system that;
        1. Identifies safety hazards
        2. Ensures remedial action to maintain safety performance
        3. Provides continuous monitoring and regular assessment of the safety performance
        4. Aims at continuous improvement of the overall performance of the SMS


7.2.1 In an aviation context, SMS is compared to a toolbox as it contains the required mechanisms to control the safety risks of the consequences of the hazards. According to this manual an SMS is a tool where the actual tools are deployed to conduct the two basic safety management processes known as hazard identification and safety risk management. The mechanisms contained in an SMS are appropriate to the size and complexity of the organization.

7.2.2 Additionally when developing an SMS, ensure that it meets the following requirements when specific tools are needed for hazard identification and safety risk managements;

  • Right tools for the task are available for the organization
  • Tools and tasks are properly related
  • Tools are commensurate with the needs and constraints of the organization
  • Tools can be easily found within the toolbox without unnecessary waste of time and resources

If an SMS does not contain proper mechanisms, such as those mentioned above, for delivering safety management processes in the organization it is considered to be defenseless.

7.2.4 Since senior management is responsible for the allocation of resources within the organization, SMS is suggested to start with senior management as it requires resources just like other core business. If the senior management is not involved with the development of an organization’s SMS, resources allocation will not be done to the appropriate level to deal with the safety risks that may hinder the capabilities of an organization.

7.2.5 The sole objective of an SMS is to continuously improving the overall level of safety of an organization. Therefore in accordance to the nature of safety management, SMS involves a non-stop, daily hazard identification, collection and analysis, safety risk estimation, and implementation of mitigation strategies. This is what distinguished an SMS from the tradition notion of an accident investigation, which waited for an accident to occur then extracted safety lessons from that in order to prevent recurrence. Contrastingly, an SMS actively identify hazards and continuously assess safety risks to manage them before turning into accidents.

7.2.8 Aviation stakeholders are increasingly recognizing the strong links between aviation safety and profitability. They understand that an accident by one airline compromise their own business, therefore they maintain an active watch of industry developments in technology, procedures and practices. In this sense, all stakeholders should be involved in the developments and establishment of an SMS to ensure that their input and knowledge relevant to safety risk decisions are taken into consideration before such decisions are taken.

7.3.1 As a prescription to an SMS dictated in this manual, organizations should ensure that when developing an SMS, it inherit the following three characteristics;

  • Systematic
  • Proactive
  • Explicit

7.4.5 The manual clearly indicated that a system description is the first requirement to the development of an SMS in any organization. The description of the system should detail out the safety management processes installed to mitigate hazards and risks within the system. It is also important to point out how sufficient the system is in encompassing the possible hazards that system could possibly generate or confront. Moreover the description of the system should also address contingency measures and other non-normal operations within the system such as failure for communications or navigation aids.

7.5.1 For the implementation of an SMS, the service provider bears the responsibility to conduct an analysis of its system to determine which components and elements of an SMS are already exist and which are not. In this case it will enable an organization to identify which components and elements to be added or adjusted in order to meet the implementation requirement.


8.1 This chapter describes the requirement associated with the planning of an SMS, including the structure of an SMS implementation plan. The chapter, however, concentrates on the first component of the SMS framework, safety policy and objectives.

8.4.2 As part of the SMS planning discussed in this manual, safety policy shall be classified to ensure effectiveness and efficiency. The responsibility for defining the safety policy of the organization is rested with the senior management and shall be developed to meet these obligations,

  • achieve the highest safety standards;
  • observe all applicable legal requirements and international standards, and best effective practices;
  • provide all appropriate resources;
  • enforce safety as a primary responsibility of all managers;
  • ensure that the policy is understood, implemented and maintained at all levels

8.4.7 As an overview to the requirement of safety accountabilities and for the purpose of SMS planning, the organization shall identify;

  • The Accountable Executive who shall ultimately responsibility and accountable for the implementation and maintenance of an SMS

8.5.2 It is also stated in this manual the safety accountabilities for ensuring safe operations are materialize through the organization of SMS. Therefore the key personnel has to be identified to deal with the organization of SMS and should extend to include the allocation of;

  • Human resources issues
  • Financial issues
  • Technical issues and
  • Other resources necessary for the effective and efficient performance of the SMS

8.6.2 For effective functioning of a safety office the key person has to be appointed to in-charge of the daily operation of the office. For the sake of this manual, this key person has to be known as a safety manager, who will be the responsible individual and focal point for the implementation and maintenance of an effective SMS. The responsibilities shall include;

  • Advising senior management on safety matters
  • Assisting line managers
  • Overseeing hazards identification systems
  • Manages SMS implementation plan

8.7.1 Additionally, a coordination of emergency response planning need to be established, therefore the organization shall ensure that an emergency response plan that provides for the orderly and efficient transition from normal to emergency operations and the return to normal operations is properly coordinated.

8.8.2 Furthermore, an SMS documentation is another requirement for an SMS planning and it is the responsibility of the organization to develop and maintain it and should describe the following;

  • Safety policy and objectives
  • SMS requirements
  • SMS processes and procedures
  • The accountabilities, responsibilities and authorities for processes and procedures
  • SMS Manual

8.9.1 An SMS implementation plan is another topic to be included during the SMS planning, and this has to be developed by a planning group that made up of appropriate experience base and meet regularly with senior management. The implementation plan should contain a realistic strategy for the implementation of an SMS that will meet the organization’s safety performance needs.

8.9.4 A typical implementation time frame will be one to four years ahead.


9.2.1 The organization has to ensure that safety management processes deployed to manage safety risks of the consequences of hazards in critical activities during operations are efficient and effective. This can be achieved if the safety risk management managed to control safety risks to a level as low as reasonably practicable.

9.3.3 In order to guarantee that most hazards in the system’s operational environment are identified an effective technique has to be installed and implemented. A structured approach is applied and to ensure the effectiveness of this approach, these techniques need to be engaged with it;

  • Checklist and group review

9.4.2 When safety risks have been assessed with the application of safety management processes in place, it is vital that safety risk controls are designed and implemented. These could be additional or modified procedures to be redeployed in the system for mitigation strategies. These techniques will monitor safety risk controls to ensure they continue to be designed and implemented and continuously effective in the dynamic operational environment.

9.5.6 With the design of those safety risks control, the organization has an important role of designing and implementing all operational processes and to integrate safety risk controls based on a sound application of safety management principles. For an organization to assure that these safety risk controls attain the organization’s objectives, quality assurance techniques can be applied to safety assurance. The organization’s objectives should have been carefully set and measured with respect to safety prior to the application of safety assurance techniques.

9.6. 11 Safety reviews is one important aspect of SMS that must be conducted during the introduction of new technologies, change to or implementation of procedures in operational context. The objective is to evaluate the effectiveness and appropriateness of safety management activities in relation to the new changes. Safety reviews are a valuable source of information and decision making under conditions of changes.

9.11.4 An organization safety effort cannot succeed by mandate or strictly through mechanistic implementation of policies, if all staff cannot communicate openly among themselves or with the organization’s management. Effective communication within the organization can be achieved through the provision of relevant training to operational personnel related to safety issues and ways of communication. In this case, it indicates management’s dedication to an effective SMS, similarly ensures that operational personnel are competent to perform SMS duties. Safety training should consist of the following;

  • a documented process to identify training requirements;
  • a validation process that measures the effectiveness of training;
  • initial (general safety) job-specific training;
  • indoctrination/initial training incorporating SMS, including Human Factors and organizational factors
  • recurrent safety training


10.2.2 The implementation of an SMS is an effortless process; however it can be a daunting task if the resources needed to complete the activity are not available. In order to facilitate the problem, the four implementation phases (phased approach) are introduced for three reasons;

  • Provides a manageable series of steps to follow in implementing an SMS, including allocation of resources
  • Effectively manages the workload associated with SMS implementation
  • Provides a robust SMS and not simply an empty shell

10.3.3 Phase I, is basically a planning stage, and in this phase the following activities should be accomplished;

  • Identify the Accountable Executive and the safety accountabilities of managers.
  • Identify the planning group within the organization responsible for implementing the SMS.
  • System description
  • Conduct a gap analysis of the organization’s existing resources compared with the requirements of establishing an SMS
  • Develop an SMS implementation plan
  • Develop documentation relevant to safety policy and objectives.
  • Develop and establish means for safety communication.

10.4.4 Phase II, at this stage essential safety management processes has to be developed and implemented to assist organizations to perform safety information analyses based on information attained through Reactive methods of data collection.

10.5.1 Phase III, Safety information management and analytical processes are polished and new data collection methods are developed and implemented to improve safety information management and analytical processes. These two new safety data collection methods are Proactive and Predictive methods.

10.6.2 Phase IV, in this last phase operational safety assurance is appraised through the use of periodic monitoring and feedback to maintain the effectiveness of safety risk controls during periods of change in the operational context.


11.2.1 An SSP as discussed in this manual is a method for a State to fulfill its safety responsibilities, as it enables the State to integrate its multi-disciplinary safety activities into a coherent whole.

11.2.2 Developing an SSP requires 4 core components, also known as building blocks of an SSP and they are;

  • State safety policy and objectives
  • State safety risk management
  • State safety assurance
  • State safety promotion

Safety risk management and State safety assurance are known to be core operational activities of an SSP taking place under state safety policy and objectives, supported by the state safety promotion.

11.4.10 The development of an SSP should be based on the safety management principles theoretical policy of both an SSP and SMS to bridge the gap between the internal and external safety processes within the State and internal safety processes of service providers. The collaboration between the SSP and SMS will support an effective interaction between the State and service providers in the resolution of safety concerns.

11.6.1 As mentioned in this manual, an important and foremost objective of an SSP is a fundamental supporter of the implementation of an effective SMS by service providers. This highlighted the fact that service provider’s SMS cannot perform effectively on its own with the absence of an SSP, therefore SSP is needed to allow States to assess service provider’s adherence to the regulations when implementing SMS.

11.4.1 The development of an SSP is proposed to follow ICAO framework, which constitute of 4 components combined with 11 elements8.

11.5.1 For further information regarding the development of an SSP, refer to appendix 2 of this chapter or visit this SSP example developed by the UK CAA.

1. ICAO (2009).2nd edition ICAO Safety Management Manual. http://www.icao.int/anb/safetymanagement/DOC_9859_FULL_EN.pdf, Retrieved on the 17th September 2010.
+++ Footnotes +++
2. ###

Want to know more?

ICAO Safety management manual for full acess of what summarised here.
This website shows an SSP example developed by the UK, it will give you further knowledge on how to develop one for your organisation.

Contributors to this page

Authors / Editors


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License