Safety Assurance (SMS Pillar 3)

Safety Assurance is where the SMS produces evidence. Pillars 1 and 2 — policy and risk management — define commitments and controls. Safety Assurance determines whether those controls are functioning as intended, whether safety performance is trending in the right direction, and whether the SMS itself is effective enough to satisfy the organization's stated safety objectives. Without a functioning Safety Assurance process, an SMS is unfalsifiable: there is no mechanism to know if it is working.

ICao Doc 9859, Chapter 6, specifies the three core activities of Safety Assurance. First: Safety Performance Monitoring and Measurement. The organization must maintain a set of Safety Performance Indicators (SPIs) — quantitative metrics derived from operational data — tied to Safety Performance Targets (SPTs) defined in the Safety Management Policy. SPIs typically cover accident and incident rates, mandatory occurrence report volumes, hazard register metrics (open hazards, overdue reviews, hazards with intolerable residual risk), audit finding rates, and — for flight training — specific training-environment metrics such as dual-instruction exceedance rates or go-around frequency on solo circuits. EASA AMC1 ORO.GEN.200(a)(4) requires that SPIs be reviewed at defined intervals by the Safety Review Board with documented evidence of the review.

Second: Management of Change. Every operational change — new aircraft, new route, new post-holder, new procedure — must pass through a change-management assessment before implementation. The change management process under ICAO Doc 9859 Section 6.4 requires: identification of the change and its scope; a safety risk assessment of the change (linking directly to Pillar 2); implementation of risk controls for any identified hazards; and post-implementation review to confirm that residual risk remains within acceptable limits after the change is operating in practice. FAA Part 5 §5.73 (Safety Performance Assessment) and §5.75 (Continuous Improvement) together frame the equivalent requirement.

Third: Continuous Improvement of the SMS. The organization must have a defined process for identifying SMS deficiencies — gaps between the system as designed and the system as operating — and correcting them. Sources for SMS deficiencies include: internal audit findings against the SMS Manual; Safety Review Board observations; competent authority audit findings; SPI trends that reveal systematic underperformance; and lessons learned from industry-wide events. EASA Part-ORO ORO.GEN.200(a)(4) requires that the SMS include processes for continuous improvement, and the competent authority verifies this during oversight through examination of SMS audit records and corrective action plans.

The relationship between Compliance Monitoring and Safety Assurance is technically distinct but practically overlapping. Compliance Monitoring — the function under EASA Part-ORO ORO.GEN.200(a)(6), performed by or under the Compliance Monitoring Manager — focuses on regulatory compliance: does the organization operate in accordance with its approvals, its manuals, and applicable regulations? Safety Assurance focuses on safety performance: are the risk controls working? Is the SMS effective? In practice, the audit program for Compliance Monitoring and the monitoring activity for Safety Assurance often use the same audit schedule, the same checklists, and the same personnel — the conceptual distinction is in what each is measuring and what triggers corrective action. A Compliance Monitoring finding triggers a corrective action plan against the regulatory gap; a Safety Assurance finding triggers a risk control review and potential SPI recalibration.

FAA Part 5 §5.71 (Continuous Monitoring) requires that the safety performance of the SMS be continuously assessed using the SPIs and SPTs. §5.73 (Safety Performance Assessment) requires periodic formal assessments that include SPI trend analysis, audit findings review, and accident/incident analysis. §5.75 (Continuous Improvement) requires a documented process for identifying and correcting SMS deficiencies. These three paragraphs together constitute the FAA's Safety Assurance equivalent for mandatory SMS operators.

The dominant operational failure of Safety Assurance in flight schools and ATOs is measurement without analysis. Organizations maintain SPIs — they count occurrence reports filed, log hazards in the register, record audit findings — but the data is not connected to decisions. A Safety Review Board that meets quarterly and reviews a table of SPI numbers without structured analysis of trends, without variance from target investigation, and without formal corrective action assignment is producing paperwork, not Safety Assurance. ICAO Doc 9859 specifically cautions against this: Section 6.3.4 notes that SPIs that are not analyzed and acted upon do not contribute to safety performance improvement and create a false sense of compliance.

For combined ATO/AOC operators, Safety Assurance must span both certificates but maintain visibility into each. An SPI trend that appears acceptable at the combined-organization level may mask a deteriorating trend in one certificate environment: declining hazard report rates from the AOC operation while ATO rates hold steady, or a pattern of audit findings concentrated in maintenance that does not appear in operations SPIs. The Safety Review Board must review SPI data disaggregated by operational area, not only in aggregate.

Aviatize's KPI reporting and dashboards module is the operational implementation of Safety Assurance monitoring. SPIs defined in the SMS Manual are configured as tracked metrics in the platform, pulling from live operational data — occurrence reports, hazard register status, work order and squawk rates, audit finding counts, mandatory occurrence report filings — without manual data extraction. The Safety Review Board view presents SPI trends over rolling 12-month periods against defined targets, with variance indicators that surface SPIs outside their acceptable range before the review meeting rather than during it.

The change-management workflow in the compliance and auditing module enforces the post-implementation review step that organizations most commonly skip: 30, 60, or 90 days after a change goes live (configurable), the system re-opens the change assessment record and requires the safety manager to confirm that risk controls implemented pre-change are operating effectively and that residual risk remains within the originally assessed range. If post-implementation data shows an SPI deterioration correlating with the change period, the platform flags the correlation for Safety Review Board attention. For continuous SMS improvement, all audit findings — whether from Compliance Monitoring audits or internal safety assurance reviews — flow into a single corrective action plan register with assigned owners, due dates, and effectiveness-review tasks, giving the Accountable Manager a consolidated view of open SMS deficiencies at any point.