AeroSIFT
05 Apr, 2026
Every major aviation accident of the past half-century has one thing in common: somewhere, someone already knew something was wrong. The signals were there. The system just wasn't listening. Safety Management Systems exist to make the system listen — proactively, systematically, and always.
For those working within civil aviation design, production, and maintenance organisations, SMS is no longer a forward-looking concept. It is a present regulatory obligation. This article traces where SMS came from, why it matters uniquely in the civil aircraft design context, what EASA, UK CAA and other regulatory bodies around the world now require, and how organisations can implement it in a way that genuinely works rather than simply ticking boxes.
Safety management is not a new idea, but it took decades of tragedy — and a gradual recognition that human error alone was never the full story — before the concept crystallised into formal systems.
The roots of SMS go back to industrial quality management in the 1970s and 1980s. Aviation regulators, particularly in New Zealand and through the European Joint Aviation Authority (JAA, the forerunner of EASA), began requiring their quality management systems to incorporate accident-prevention oversight. The standard safety model of that era was entirely reactive: wait for something to break, then investigate.
The 1977 Tenerife disaster — where two Boeing 747s collided on a runway, killing 583 people — and the 1978 United Airlines DC-8 crash in Portland, which ran out of fuel while the crew fixated on a landing gear indicator light, helped reshape the conversation. These events pointed not at faulty machines but at failed communication, flawed organisational culture, and the absence of any structured way to surface and act on known risks.
In the early 1990s, British Midland Flight 092 crashed after the crew shut down the wrong engine following a vibration warning. Post-investigation, it emerged the airline's own internal data already showed anomalous vibration patterns on that engine type. Had a structured hazard identification process been in place — one that routinely scanned operational data for safety signals — the risk might have been identified and mitigated before the accident. This case became a landmark argument for the kind of systematic, data-driven hazard hunting that SMS formalises.
By the mid-1990s, Transport Canada, the FAA, and EUROCONTROL were each building safety assurance frameworks that looked beyond rule compliance toward organisational performance. In 1995, the FAA created its Office of System Safety. In 1997, the FAA and industry formed the Commercial Aviation Safety Team (CAST), a collaborative body aimed at proactive risk reduction. By 2007, CAST had helped reduce the U.S. commercial aviation fatality risk by 83%.
The conceptual framework that underpins modern SMS — the Four Pillars — was developed by James P. Steward at Transport Canada and later adopted by ALPA International around the year 2000. From ALPA, it was picked up by ICAO, and the modern era of formal SMS had begun. In 2013, ICAO consolidated SMS requirements into Annex 19, the dedicated standard for safety management, pulling together guidance previously scattered across annexes covering operations, airworthiness, aerodromes, and ATM.
ICAO's SMS framework is built around four interlinked components that apply to every approved aviation organisation:
For airlines, airports, and MROs, SMS has been a regulatory reality for many years. For Design Organisations, the journey has been slower — and for good reason. The risks a DOA generates are different in character: they manifest not in daily operations but in the products and modifications that enter service, sometimes for decades.
A DOA that designs a structural repair scheme, approves an avionics upgrade, or certifies a new system installation influences the safety envelope of every aircraft that modification touches for its entire operational life. The hazard horizon is long, the feedback loop between design decision and operational consequence can stretch years, and the downstream population of affected aircraft can number in the thousands.
This is precisely why SMS for design organisations is not simply a bureaucratic echo of what maintenance organisations do. It needs to be woven into the design process itself: into how change proposals are scoped, how human factors are considered during design review, how compliance findings are tracked, and how the organisation learns from in-service data flowing back from the fleet.
"The potential of SMS is not only to address the risks of major occurrences, but to identify and tackle production inefficiencies, improve communication, foster a better company culture, and control more effectively contractors and suppliers. Investment in safety should be seen as an investment in productivity and organisational success."
— EASA Opinion 06/2016
EASA's philosophy, crystallised in Opinion 06/2016 and embedded in the amended Part 21, is that the Design Management System (DMS) mandated by 21.A.239 is not a bolt-on compliance exercise. It is the connective tissue between an organisation's safety culture and its design outputs — the mechanism by which the question shifts from "Are we compliant?" to "How well are we actually managing risk?"
The Boeing 737 MAX accidents of 2018–2019 are a stark case study in what happens when design risk management is inadequate. Post-investigation findings pointed to systemic failures in how hazard identification was conducted during MCAS development, how risk was communicated within the organisation and to regulators, and how design changes were assessed against safety assumptions. An effective, functioning SMS — with genuine leadership commitment to hazard transparency and independent safety oversight — is designed precisely to surface these signals before they become accidents. This is not a criticism of any single organisation; it is the argument for why SMS matters at the design stage.
Both EASA and the UK CAA have embedded SMS requirements into their Part 21 frameworks, with deadlines that are either already in force or imminent. Understanding the specific obligations for each authority is essential for DOA holders operating under either regime.
| Authority & Approval Type | Deadline | Key Obligation |
|---|---|---|
| EASA — Part 21 DOA | 7 March 2025 | All DOA holders under EASA Part 21 Subpart J must have implemented a compliant SMS. Findings for non-compliance are being issued through normal oversight activities. |
| EASA — Part 21 POA | 7 March 2025 | All EASA Part 21 Production Organisation Approval holders must have implemented SMS. A Generic Level 2 Finding was issued on 7 March 2023 to begin the transition process. |
| UK CAA — Part 21 DOA | 1 July 2026 | Following SI 2023 No. 588 (in force July 2024), all UK CAA Part 21 DOA holders must implement SMS. Non-compliance after this date risks approval limitation, suspension, or revocation. |
| UK CAA — Part 145 & POA | 1 July 2026 | UK Part 145 approved maintenance organisations and Part 21 Subpart G production organisations face the same deadline. The CAA has confirmed there is currently no application fee for SMS transition. |
Under the amended Regulation (EU) No 748/2012, DOA holders must establish a Design Management System (DMS) incorporating ICAO Annex 19 safety management principles. This means: a formal safety policy endorsed by the accountable manager; systematic hazard identification integrated with design change processes; safety risk assessment and risk tolerability decisions documented against the organisation's risk acceptance criteria; safety performance monitoring through indicators aligned to organisational safety goals; an internal occurrence reporting scheme per 21.A.3A; and a designated safety manager — who, in smaller organisations, may combine this role with the quality manager role, subject to competent authority agreement.
EASA oversight now includes a standard two-year oversight cycle with SMS as a core audit element. Non-compliance findings follow an escalation path: from observation to Level 2 finding, and potentially to Level 1 if unresolved — which can trigger approval suspension or revocation.
The UK CAA's requirement, driven by SI 2023 No. 588, closely mirrors EASA's framework given its derivation from the same ICAO Annex 19 standards. UK DOA holders must submit an updated Design Organisation Handbook (DOH) incorporating SMS procedures, together with a completed CAA SMS Evaluation Tool V7 (SRG1776). The CAA processes applications through an allocated Oversight Specialist who conducts a desktop review. Once the DOH is approved, the SMS transition is formally complete, followed by an onsite verification within the next two years.
Crucially, the CAA has stated that implementation findings must be closed before 1 July 2026, and organisations that have not corrected non-compliance by that date face limitation, suspension, or revocation of their approval certificate.
It is entirely understandable that many DOA holders approach SMS compliance with a mixture of anxiety and reluctance. Teams are already fully stretched managing certification programmes, customer commitments, and regulatory submissions. The prospect of a new management system feels, to many, like one more layer of documentation for its own sake.
This perception is worth examining — because it is both understandable and, on reflection, mistaken.
The mindset shift starts here: SMS is not asking you to do new things. It is asking you to do what you are already doing — managing design risk, tracking compliance, investigating anomalies, training your staff — but more systematically, more visibly, and with a feedback loop that closes. In many cases, a DOA that already has a mature quality system, a functioning Independent System Monitoring (ISM) process, and active occurrence reporting is closer to SMS compliance than it realises.
"The written word — procedures — does not produce SMS outputs. The question has changed from 'Are we compliant?' to the far more robust questions of 'How well are we managing compliance? How well are we controlling our business? Where are we weak and vulnerable?' Only once we can answer these questions can we move from a reactive management system to a proactive and predictive one."
— Baines Simmons, DOA Safety Management Commentary
From a business perspective, a functioning SMS reduces rework and certification delays by catching issues at the design stage before they become compliance findings, saving costly late-stage redesigns. It strengthens customer and regulator confidence: in an era of performance-based oversight, authorities direct their resources toward organisations that demonstrate weak safety management, and a strong SMS moves you into the lower-risk bracket. It protects the approval itself — post-2025/2026, SMS compliance is a condition of holding a DOA. And it creates institutional memory: safety performance data, risk registers, and lessons-learned records build a living knowledge base that protects the organisation as staff turn over and programmes evolve.
EASA's own performance-based oversight model is designed to reward organisations with effective SMS: less prescriptive oversight, more trust-based engagement, and longer oversight cycles where performance justifies it. The regulatory relationship that SMS enables is qualitatively different from one based purely on documentary compliance checks.
The following approaches are drawn from best practice across the design and airworthiness community. They are not shortcuts — SMS cannot be genuinely implemented by shortcuts — but they are ways to build a real system without reinventing the wheel or burying your team in process for its own sake.
Before writing a single new procedure, map what you already do against the four pillars of ICAO Annex 19. Most DOAs have significant existing infrastructure — quality audits, ISM, occurrence reporting, change-risk reviews — that maps directly to SMS elements. The CAA's SRG1776 Evaluation Tool and EASA's Management System Assessment Tool are both designed for this and give you a structured starting point, not a blank sheet.
The most common SMS implementation mistake is building it as a parallel structure alongside the existing quality system. Instead, integrate: extend your existing hazard identification process to include organisational-level risks, embed safety risk assessment into your change management procedure, and align safety KPIs with existing performance reviews. One management system, not two competing ones.
In smaller DOAs, the Safety Manager and Quality Manager roles can be combined — EASA and the UK CAA both allow this with competent authority agreement. What matters is that the person holding the role has genuine authority to raise safety issues, direct resources toward risk mitigation, and report directly to the Accountable Manager. Title-sharing is fine; role-marginalising is not.
Resist the temptation to define SPIs that are easy to measure but tell you nothing. Instead of counting the number of safety reports submitted, try measuring the percentage of identified hazards with closed risk controls, the average time to close safety actions, or the occurrence of repeat findings in the same process area. SPIs should make the question "are we getting safer?" answerable — not just auditable.
A safety reporting scheme that staff don't trust, or don't use, is worse than no scheme at all — it creates a false sense of visibility. Before launching your occurrence reporting process, invest in a clear, communicated Just Culture policy, anonymised reporting options where appropriate, and visible management responses to reports raised. People report when they see that reporting leads to action, not blame.
One of the most powerful — and underused — SMS capabilities for DOAs is the structured analysis of in-service feedback. Field reports, warranty claims, continued airworthiness findings, and operator-reported anomalies are all signals about the safety performance of your approved designs. Build a formal mechanism to route these into your hazard identification process: not just for mandatory occurrence reporting, but as a source of proactive design risk intelligence.
Regulators evaluate SMS on substance, not volume. A focused, well-structured SMS Manual — or a DOH section that clearly addresses each required element — will satisfy a competent authority far more than a hundred pages of generic policy text that nobody reads. Write for the people who will use the system, not for the auditor who will audit it. If your team can't explain what your SPIs mean, your SMS isn't working yet.
Both EASA and the UK CAA have explicitly acknowledged that a fully mature, operationally effective SMS is not expected at the point of initial compliance approval. What is expected is a functioning, credible system with genuine leadership commitment and a clear improvement trajectory. Plan for an SMS that matures over two to three years: document your current state honestly, set realistic improvement milestones, and demonstrate progress at each oversight cycle.
A mid-size UK DOA with approximately 80 design staff recently completed their CAA SMS transition by taking a four-phase approach. Phase 1 (months 1–2) was a gap analysis against SRG1776, identifying that their existing ISM process and change risk procedure already covered roughly 60% of required SMS elements. Phase 2 (months 3–5) focused on formalising hazard identification procedures and establishing three clear SPIs tied to their existing management review cycle. Phase 3 (month 6) produced an updated DOH section incorporating SMS, submitted for CAA desktop review. Phase 4 (ongoing) is continuous: quarterly SPI reviews, an annual SMS effectiveness review feeding into the management review, and a safety action tracker reviewed at each project milestone. Total elapsed time: under eight months. Additional headcount: zero. The perception of SMS as a burden dissolved once the team realised it was largely making explicit what good engineers were already doing implicitly.
Aviation has become the safest form of mass transportation in human history not by accident, but by systematically learning to manage risk before it manifests as harm. Every evolution in that journey — from accident investigation to quality assurance, from crew resource management to safety management systems — has met initial resistance, then become indispensable.
For DOA holders approaching the EASA or UK CAA SMS deadlines, the practical imperative is clear: the compliance clock has run or is running out. But the strategic opportunity is equally clear. Organisations that implement SMS as a genuine management tool — not a paper exercise — will enter their next oversight cycle with better visibility of their own risks, stronger regulator relationships, and a more resilient basis for growth.
The question is not whether to implement SMS. That question has been answered. The question is how to implement it in a way that serves your organisation, your people, and the safety of the products you put into service.
Disclaimer: This article was generated for the purpose of knowledge sharing and education, with the assistance of AI technology, to provide comprehensive and accurate information, and it has been reviewed and edited by an experienced professional.