As the industry approaches the milestone deadline for SMS in May 2027 (458 days as of this writing, but who’s counting?), organizations far and wide are deep in conversations around how to build a proactive, structured, and reliable safety program within their organization. Even if your organization isn’t subject to the new requirements, or already has an established SMS, you almost certainly work every day to improve your programs and your level of safety. Of course, there is no universal way to do this, since an SMS can be run on a whiteboard or in a million-dollar software suite. However, the FAA has a useful framework to help you evaluate your processes to determine if they are safety centered. The driving force is the Seven Safety Attributes.
It’s important to note that the Seven Safety Attributes don’t just apply to SMS or safety processes; they apply to every operational process. In a perfect world, all operational processes contain all seven attributes, ensuring high system reliability. As you review each, consider the following: how can I structure my SMS to ensure that when operational processes change, the attributes are present? How can I structure my audit program to validate that the attributes exist within processes?
Here’s what each means, and why it matters.
Responsibility and Authority
These are two separate safety attributes, but they’re combined here because they are often mistaken for one another.
Responsibility is an individual, clearly identified, who is accountable to ensure three things for any given process: appropriate financial resourcing, appropriate personnel resourcing, and the safety and quality performance of the process.
Authority is also an easily identified individual, qualified and knowledgeable in the process, who plans and directs actions. They make procedure changes and administer the process day-to-day.
A good example for a mid-sized organization would be a VP of Operations and their Director of Operations. The VP is responsible for ensuring the department is staffed and given adequate resources to discharge their duties. The Director has authority over how those resources are used, and the procedures that make up the process.
Importantly, authority can be delegated. Sticking with the above example, a director can have multiple managers that are each delegated authority for different processes under their purview.
Responsibility, however, cannot be delegated. Basically, it’s where the buck stops.
Controls
In aviation, as in most high-risk industries, most processes contain risks. Smart safety management ensures risks are mitigated to the lowest possible level through controls. This relationship between risks and controls is the foundation of any effective SMS. Often, organizations will do this risk controlling at a macro level by controlling risk for a project, a change, or a new procedure.
Controlling risks at a process level is a much more efficient and effective approach. If all processes are evaluated for risk, and all the risk is mitigated to the lowest possible level, the operation’s risk is as low as reasonably practicable, or ALARP. This means you’ve reduced risk as far as is feasible given available resources.
It’s difficult to do this for every existing process, but you can work this idea into how you structure your Safety Risk Management procedures to start capturing these risks and controls.
Process Measurement
An unmeasured process is an unreliable process. Very few things in aviation are “set it and forget it” without consequences. Processes should be measured for safety and quality performance, with clear guidelines for how problems are corrected. This is one of the best paths to proactivity, identifying potential cracks in the armor before they widen. Controls don’t stay effective in perpetuity, and there are usually warning signs.
For any new process or process change, organizations should consider what safety and quality success looks like for that process. What are the alarm bells, and what do we do when they sound? Different processes may have different success metrics. They may also have different thresholds that define what constitutes a problem.
Again, tailoring these measurements to individual processes rather than taking a one-size-fits-all approach is far more fluid and effective.
Procedures
Procedures are often confused with processes. Organizations may think they have robust procedures but really have complex processes. A process is the “what we are doing”. The procedure is the “how we are doing it”.
A documented procedure is very important in any reliable system. It provides continuity, clearly shows the reader how the process is completed, and reduces reliance on tacit knowledge, the unwritten expertise that lives only in someone’s head and walks out the door when they do.
The biggest benefit to every process having strong procedures is that they limit variance. In any repeatable, predictable system, you need the execution to be as close to identical as possible time after time. This ensures that the controls are properly executed, and that potential problems pop up through the process measurement mechanism. Maybe you’re sensing a pattern here…
Interfaces
The connection point between different processes is a breeding ground for issues. You can have every other attribute on this list nailed, and still fail because of a clunky handoff from one process to another, or worse, you didn’t know that two processes interact at all. Clunky connections also make it far easier to fix one process while unknowingly breaking another. A pristine and safe process connected to a broken process is just…part of a broken system.
This magnifies significantly when the connected processes have different people with authority over them. One process owner can make a change in the name of continuous improvement, and succeed, but downstream of that it creates a problem in another area. A small upstream change can cascade into a downstream failure.
Knowing how processes interact and overlap is a key piece of a reliable system. Making sure that all stakeholders that could be affected are involved in process changes is critical. It’s often said that SMS is partially designed to break down silos, and managing interfaces is the wrecking ball that does it.
Safety Ownership
This is the newest of the Seven Safety Attributes, and it was added for good reason. Every person, in every department, at every aviation organization has a role to play in the safety of the organization. How many of them know exactly what that role is and how to perform it? The answer is probably somewhere between “I’m not sure” and “most but not everyone,” and that’s okay, because now you’ll know how to fix it.
Safety training and messaging should be targeted to the people that need it. A Line Service Technician may not need to know the entire risk management process from front to back. They do, however, need to know that their role in the process is to report potential risks that they see in the operation. Similarly, a C-Suite officer may not need to know every button to click to file a report, but they need to understand the organization’s risk management strategy fully, and their role in accepting risk on behalf of the company.
Each level should have a working knowledge of the other levels’ responsibilities, but they need a precise and detailed understanding of their own. This is the tie that binds them all together.
The Seven Safety Attributes, as you may have noticed, are interconnected. Think of them less as a checklist and more as a system. A gap in one attribute creates pressure on the others. The goal isn’t to have each attribute present in isolation — it’s to have them working together, reinforcing one another across every process in your operation.
As May 2027 approaches, the organizations that will thrive aren’t necessarily those with the most sophisticated software or the thickest manuals. They’ll be the ones that have taken the time to honestly evaluate their processes against these attributes and found creative, practical ways to close the gaps. That work starts now.



