GUIDANCE
System Safety Management Program / Section 2 (Revised 12/2004)

2.0 FAA Safety Risk Management Policy (Revised 12/2004)

This section describes the Safety Risk Management (SRM) policies and guidance used within the FAA. The overarching documents are FAA Order 8040.4, Safety Management System (SMS) guidance, and Acquisition Management System (AMS) policy.

2.1 FAA Order 8040.4 Safety Risk Management (Revised 12/2004)

The primary policy governing safety risk management and system safety in the FAA is Order 8040.4. This order sets requirements for the implementation of safety risk management within the FAA.

2.1.1 Safety Risk Management (Revised 12/2004)

FAA Order 8040.4 requires the FAA-wide implementation of safety risk management in a formalized, disciplined, and documented manner for all high-consequence decisions as defined in Order 8040.4. Each program office and LOB is required to establish and implement the policy contained within Order 8040.4 consistent with that program office's or LOB's role in the FAA. The Order remains valid and is applicable to the ATO and its operational service managers or Vice Presidents.3 While the methods and documentation can be tailored with sufficient rationale, each program office and LOB is required to satisfy the following criteria: (Revised 12/2004)

  • Implement safety risk management by performing risk assessment and analysis and using the results to make decisions
  • Plan – the risk assessment and analysis must be predetermined and documented in a plan, which must include the criteria for acceptable risk
  • Hazard identification – the hazard analyses and assessments required in the plan must identify the safety risks associated with the system or operations under evaluation
  • Analysis – the risks must be characterized in terms of severity of consequence and likelihood of occurrence
  • Risk Assessment – the assessed risk of each hazard examined must be compared to the acceptability criteria specified in the plan, and the results provided in a manner and method easily adapted for decision making
  • Decision – the risk management decision must include the safety risk assessment, and the risk assessments may be used to compare and contrast options

The order permits quantitative or qualitative assessments, but states a preference for quantitative. It requires the assessments, to the maximum extent feasible, to be scientifically objective, unbiased, and inclusive of all relevant data. Assumptions must be avoided when feasible, but when unavoidable they must be conservative and the basis for the assumption must be clearly identified. As a decision tool, the risk assessment should be related to current risks and should compare the risks of various alternatives when applicable.

In addition, the order requires each LOB or program office to plan the following for each high-consequence decision:

  • Perform and provide a risk assessment that compares each alternative considered (including no action or change, i.e., the baseline) for the purpose of ranking the alternatives for decision making
  • Assess the costs and the safety risk reduction or increase (or other benefits) associated with each alternative under final consideration. A comparative safety assessment may identify a different level of additional safety risk for each alternative, which can affect cost and schedule because the different risk levels require different levels of additional safety analysis to address them properly.

2.2 Acquisition Management System (AMS) Policies  (Revised 12/2004)

The AMS policy contains the following paragraphs in 2.9.12:

System Safety Management shall be conducted and documented throughout the acquisition management lifecycle. Critical safety issues identified during mission analysis are recorded in the Mission Need Statement; a system safety assessment of candidate solutions to mission need is reported in the Investment Analysis Report; and Integrated Product Teams provide for program-specific safety risk management planning in the Acquisition Strategy Paper.

Each line of business involved in acquisition management shall institute a system safety program that includes at a minimum: hazard identification, hazard classification (severity of consequences and likelihood of occurrence), measures to mitigate hazards or reduce risk to an acceptable level, verification that mitigation measures are incorporated into product design and implementation, and assessment of residual risk. Status of system safety shall be presented at all JRCs. Detailed guidelines for system safety management are found in the FAST Toolset. (Revised 04/2003)

This SSMP and the Integrated Safety Plan are an integral part of the Integrated Program Plan (IPP) statement of work and requirements that are available to the IA to satisfy the requirement to institute a repeatable disciplined process for conducting SRM in the acquisition of systems for the entire lifecycle. It includes provisions for hazard identification, classification of risk, risk control, and acceptance. (Revised 01/2004)

2.3 Safety Management System Guidance4  (Added 10/2004)

The Safety Management System (SMS) provides a systematic and integrated method for managing safety of ATC and navigation services in the NAS. The SMS requires that all organizations that have a role in air traffic service provision, including those external to the Air Traffic Organization (ATO), identify and mitigate safety risk. Documentation such as safety risk management documents (SRMDs), safety incident reports, and safety inspection and evaluation reports, provide managers with needed information regarding safety hazards and risks associated with systems (hardware and software), procedures5, and airspace designs.

In many instances, formal SRM is already part of engineering, acquisition, and management processes, and safety data monitoring is an every day activity in many organizations. In these cases, the SMS integrates existing safety management processes, documentation, and daily activities.

As the SMS is implemented, organizations will integrate SRM principles and processes into their national, regional, and local activities and processes. The Air Traffic Safety Service Unit will facilitate SMS implementation and is responsible for managing SMS processes and documents, facilitating SMS training, providing safety risk management expertise when necessary, auditing SRM processes, and evaluating the SMS.

The SMS provides a common framework to assess safety risks of changes to the NAS. The SMS addresses all aspects of ATC and navigation services, including: airspace changes, air traffic procedures and standards, airport procedures and standards, and new and modified equipment (hardware/software). The SMS facilitates cross-functional safety risk management among the ATC service providers and ensures intra-agency stakeholder participation in solving the safety challenges of an increasingly complex NAS. The SMS helps reduce the number of isolated safety decisions, which at times result in wasted time and resources.

2.4 SMS and the AMS Process  (Added 10/2004)

The AMS process primarily applies to the acquisition of new systems and is robust enough to follow those new systems through the JRC process, including the In-Service Decision and deployment. It also can address changes or modifications during rebaselining activities.

The SMS incorporates all AMS safety provisions but expands its guidance so that the SRM process also addresses changes to air traffic operations, maintenance, airspace and procedures development, airports, new systems, and modifications to existing systems (hardware and software). The SMS requires that SRM be performed early in the planning or change proposal process, whenever a proposed change to the NAS (e.g., modifying existing or implementing new operations, procedures, and/or hardware and software systems) introduces hazards whose risk must be mitigated. Thus, SRM is a fundamental component of both the AMS and the SMS: it ensures that safety-related changes are documented and resolved, whether the change is to a component, a system, or the NAS itself.

The ATO Safety Service Unit, led by the Vice President for Safety, will facilitate SMS implementation and is responsible for managing SMS processes and documents, facilitating SMS training, providing safety risk management expertise when necessary, interfacing with the Air Traffic Safety Oversight Service (AOV), and auditing SRM processes.6

2.5 SRM Process  (Added 10/2004)

As depicted in the SMS manual, a systematic SRM process proceeds through five general phases. These five phases are:

  • describe the system
  • identify the hazards (be conservative)
  • analyze the risk
  • assess the risk
  • treat the risk (i.e., mitigate, monitor and track)

Chapter 4 of the SMS manual contains a full description of the process.
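The following Python sketch is an added illustration, not part of this SSMP, the SMS manual, or Order 8040.4. It walks a constructed set of hazards through the criteria of 2.1.1 and the five phases above: the acceptability criteria are fixed in a plan object before any analysis, each hazard is characterized by severity and likelihood, compared against the criteria, treated with a control, and the alternatives (baseline included) are ranked for the decision. The severity and likelihood categories, the numeric thresholds, the "multiply the two ranks" scoring, and the three alternatives with their hazards are all assumptions made for the example; the SMS manual defines the actual risk matrix and categories. One point the prose leaves implicit is shown explicitly: a hazard whose likelihood has not been established is scored at the worst likelihood, and that assumption is recorded in the output, as the Order requires of conservative assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales (1 = least severe / least likely). The SMS manual
# defines its own categories; these stand in for them in this example only.
SEVERITY = {"minimal": 1, "minor": 2, "major": 3, "hazardous": 4, "catastrophic": 5}
LIKELIHOOD = {"extremely_improbable": 1, "extremely_remote": 2,
              "remote": 3, "probable": 4, "frequent": 5}
LIKELIHOOD_BY_RANK = {v: k for k, v in LIKELIHOOD.items()}


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: str
    likelihood: Optional[str] = None  # None = not yet established by analysis


@dataclass(frozen=True)
class AcceptabilityCriteria:
    """The 'Plan' step: criteria fixed before analysis. Values are assumed."""
    max_score: int = 8           # severity rank x likelihood rank at or below this is acceptable ...
    catastrophic_floor: int = 1  # ... except catastrophic hazards, acceptable only at this likelihood rank or lower


def characterize(h: Hazard) -> Tuple[int, int, List[str]]:
    """'Analyze' step: (severity rank, likelihood rank, assumptions made).
    An unknown likelihood is taken conservatively as the worst category and
    the assumption is recorded so the decision maker can see it."""
    assumptions: List[str] = []
    sev = SEVERITY[h.severity]
    if h.likelihood is None:
        lik = max(LIKELIHOOD.values())
        assumptions.append(f"{h.name}: likelihood not established; assumed '{LIKELIHOOD_BY_RANK[lik]}'")
    else:
        lik = LIKELIHOOD[h.likelihood]
    return sev, lik, assumptions


def is_acceptable(sev: int, lik: int, crit: AcceptabilityCriteria) -> bool:
    """'Assess' step: compare a characterized hazard to the plan's criteria."""
    if sev == SEVERITY["catastrophic"] and lik > crit.catastrophic_floor:
        return False
    return sev * lik <= crit.max_score


def mitigate(h: Hazard, likelihood_steps: int) -> Hazard:
    """'Treat' step: a control that lowers likelihood by N categories (floor at 1).
    Severity is unchanged; in this model controls reduce exposure, not outcome."""
    _, lik, _ = characterize(h)
    return Hazard(h.name, h.severity, LIKELIHOOD_BY_RANK[max(1, lik - likelihood_steps)])


def assess_alternative(hazards: List[Hazard], crit: AcceptabilityCriteria) -> Dict:
    """Per-alternative summary: scores, hazards still unacceptable, assumptions."""
    scores: Dict[str, int] = {}
    unacceptable: List[str] = []
    assumptions: List[str] = []
    for h in hazards:
        sev, lik, a = characterize(h)
        scores[h.name] = sev * lik
        assumptions += a
        if not is_acceptable(sev, lik, crit):
            unacceptable.append(h.name)
    return {"scores": scores, "unacceptable": unacceptable,
            "max_score": max(scores.values(), default=0),
            "total_score": sum(scores.values()), "assumptions": assumptions}


def rank_alternatives(alts: Dict[str, List[Hazard]],
                      crit: AcceptabilityCriteria) -> List[Tuple[str, Dict]]:
    """'Decision' support: rank alternatives, baseline included, by number of
    unacceptable hazards, then worst single hazard, then total risk."""
    results = [(name, assess_alternative(hz, crit)) for name, hz in alts.items()]
    return sorted(results, key=lambda r: (len(r[1]["unacceptable"]),
                                          r[1]["max_score"], r[1]["total_score"]))


# Constructed sample: a hypothetical replacement of a NAS component.
CRITERIA = AcceptabilityCriteria()
H1, H2, H3 = "H1 loss of surveillance data", "H2 corrupted software load", "H3 operator display latency"
BASELINE = [Hazard(H1, "hazardous", "remote")]                       # 4x3 = 12: above max_score
ALT_A = [Hazard(H1, "hazardous", "extremely_remote"),                # 4x2 = 8: acceptable
         Hazard(H2, "catastrophic", "extremely_remote"),             # catastrophic above floor: unacceptable
         Hazard(H3, "minor")]                                        # likelihood unknown: assumed worst
ALT_B = [ALT_A[0], mitigate(ALT_A[1], 1),                            # H2 driven to extremely_improbable
         Hazard(H3, "minor", "remote")]                              # H3 likelihood now established: 2x3 = 6
ALTERNATIVES = {"baseline (no change)": BASELINE, "alternative A": ALT_A, "alternative B": ALT_B}

if __name__ == "__main__":
    for name, summary in rank_alternatives(ALTERNATIVES, CRITERIA):
        print(name, summary)
```

Run as a script, the ranking places alternative B first (no unacceptable hazards), the baseline second, and alternative A last, and the summary for alternative A carries the recorded assumption about H3. The ranking key is deliberately lexicographic rather than a weighted sum, so that an alternative with any hazard outside the acceptability criteria can never outrank one with none, whatever its totals.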


3 Under the previous organization, ASD-103, the Chief Engineer for Safety, was available to provide technical support to accomplish safety risk management. That person and staff remain available during the ATO implementation phase. Support eventually will be provided by the CSES, assigned System Safety Engineers (SSE), and the ATO Safety Service Unit.

4 The SMS is a function of the Air Traffic Organization's Vice President for Safety.

5 See Appendix C in the SMS Manual for a discussion on using the SMS process to assess risk incident to changes in ATC procedures.

6 See Chapter 11 of the SMS manual for a complete description of the roles and responsibilities of the Air Traffic Safety Oversight Service (AOV), located within AVR.