FAA Publishes SNPRM Related to SMS

I. Background

Safety Management Systems

The Federal Aviation Administration (FAA) defines a safety management system (SMS) as a “system to assure the safe operation of aircraft through effective management of safety risk…designed to continuously improve safety by identifying hazards, collecting and analyzing data and continuously assessing safety risks.”¹ SMS has four main elements: safety policy, safety risk management, safety assurance, and safety promotion.

The FAA is pursuing several SMS initiatives simultaneously as part of an international effort to implement SMS throughout the aviation industry. The FAA has said it will implement SMS for all aviation components that it oversees or regulates: airports, air carriers, and air traffic. This discussion paper focuses narrowly on FAA’s SMS initiative for airports.

On October 7, 2010, the FAA published a Notice of Proposed Rulemaking (NPRM) to amend FAR Part 139 to add the following requirement: “Each certificate holder, or applicant for an Airport Operating Certificate, must develop and maintain an Airport Safety Management System that is approved by the Administrator.”²

On July 14, 2016, the FAA published a Supplemental Notice of Proposed Rulemaking (SNPRM) that modifies the NPRM and addresses many, but not all, of the comments submitted in response to the NPRM. The major changes from the NPRM to the SNPRM, as well as a summary of potential issues with the SNPRM, is included in sections II and III.

The deadline to submit comments to the SNPRM was September 12, 2016.³

II. Major Changes from the NPRM to the SNPRM

Applicability: Under the SNPRM, SMS applicability requirements would apply only to about half of all Part 139 commercial airports. The SMS requirements would apply to 268 airports, as opposed to all 544 Part 139 airports that would have been covered under the NPRM. The following categories of certificated airports would be required to implement SMS under the SNPRM:
(1) Airports classified as a small, medium, or large hub airport in the National Plan of Integrated Airport Systems (NPIAS);
(2) Airports identified by U.S. Customs and Border Protection (CBP) as a port of entry, designated international airport, landing rights airport, or user fee airport (collectively referred to throughout the SNPRM as “international airports”); or
(3) Airports that have more than 100,000 total annual operations (according to best available data).⁴ The SNPRM uses 2012 data but there are few changes in this list since 2012.
Training: The SNPRM revises the training approach from the NPRM, which originally proposed an SMS training requirement for all employees and tenants with access to the movement and non-movement areas of the airport. In contrast, the SNPRM proposes a two-pronged approach to the training requirement for all employees and tenants with access to the movement and non-movement areas of the airport.⁵ The first prong requires SMS training specific to an individual’s role and responsibility in implementation and maintenance of the SMS.⁶ The second prong requires hazard awareness and reporting awareness orientation for all other individuals with access to the movement and non-movement areas.⁷
In addition, unlike the NPRM, the SNPRM includes a requirement for recurrent training every other year and also would require the update of publications for the hazard awareness orientation requirement on the same schedule.⁸ The FAA believes this revision will limit the pool of employees that must be trained to approximately 3 to 10 people per airport.
Airports should consider the following issues concerning the SNPRM’s new training requirements:

Is the FAA’s assertion that between 3 and 10 employees per airport will need training an accurate estimate?
Will the SNPRM training requirements be cumbersome, time consuming, and/or excessively costly?
What types of individuals, and how many, would be affected by an obligation to train certain individuals with access to the movement and non-movement areas?
How would the airport develop and administer a training program?
What will be the administrative and recordkeeping implications of the SMS training program?

Data Protection: The SNPRM requires an airport sponsor to establish a confidential hazard reporting system and encourages hazard reporting by all persons accessing the movement and non-movement area.⁹
Implementation: The SNPRM extends the timeline for submission of an implementation plan to within 12 months of the effective date of a final rule and submission of the SMS manual and/or Airport Certification Manual update to within 24 months of the effective date of the final rule.¹⁰ This extends the one-year timeline established in the NPRM. The FAA believes this time extension will help airport sponsors in their implementation process.
The SNPRM did not address commenters’ data protection concerns in the NPRM. Airports should consider:

Whether and how the airport will work with state and local legislators to provide additional protection from data and disclosure.
Whether to submit additional comments to the SNPRM regarding the scope of data disclosure and its potential chilling effect on voluntary reporting by private entities.

Accountable Executive: The SNPRM provides for slight changes in the definition of an “accountable executive.” Under the SNPRM, “accountable executive” now means:
“an individual designated by the certificate holder to act on its behalf for the implementation and maintenance of the Airport Safety Management System. The Accountable Executive has control of the certificate holder’s human and financial resources for operations conducted under the Airport’s Operating Certificate. The Accountable Executive has ultimate responsibility to the FAA, on behalf of the certificate holder, for the safety performance of operations conducted under the holder’s Airport Operating Certificate.”¹¹

III. Summary of Potential Issues with the SNPRM

Data Protection: A number of comments on the NPRM addressed issues of data protection, including claims that persons not employed by an airport sponsor would be reluctant to voluntarily share information or report hazards for fear of litigation or public perception if the information was released through state or local sunshine laws.¹²
In response, the FAA reiterated that 49 U.S.C. § 44735 contemplates protection of SMS data that is voluntarily submitted to the FAA but such protection is not afforded to SMS information that must be submitted to the FAA.¹³For these reasons, the FAA is not proposing data reporting requirements for safety-related data created under an SMS and it believes there should be no implications under FOIA for such safety-related data.¹⁴
The SNPRM was not revised to address the public disclosure concerns submitted in comments to the NPRM. Airport sponsors will have to work with state and local legislators to provide additional protection from data disclosure.¹⁵
Interoperability: The FAA received a number of comments on the NPRM regarding interoperability and how the various SMS efforts and requirements will work together.¹⁶ In response to these comments, the FAA proposes to revise the definition for “hazard” and “risk” to harmonize with the Part 121 (air carrier) SMS.¹⁷ The SNPRM, however, does not do much to enhance the interoperability of the various SMS efforts although the FAA asserts that it continues to explore efforts to enhance interoperability and states that it is open to commenters’ suggestions.¹⁸
Non-movement Area: The FAA received a number of comments criticizing the NPRM’s proposal that SMS apply to the non-movement area. Commenters questioned the FAA’s definition of “non-movement area,” suggesting that the definition could lead to confusion.¹⁹ Commenters also made various recommendations about the scope of the definition.²⁰ The FAA concluded, however, that the proposed definition is “consistent with existing guidance on distinguishing airport areas based on whether aircraft are subject to air traffic control.”²¹ The FAA also determined that the “air operations area” definition in 14 C.F.R. § 153.3 should not replace the proposed non-movement area definition because the term is associated with security-related issues, rather than operational safety issues.²²
In addition, the FAA received over twenty-five comments regarding the application of SMS in the non-movement area.²³The FAA disagreed with these comments because aircraft and airside personnel routinely flow between the two areas.²⁴As a result, like the NPRM, the SNPRM applies SMS to both movement and non-movement areas.
Accountable Executive: Under the SNPRM, each airport sponsor must identify an accountable executive who will have control of the human and financial resources for operations conducted under the Airport’s Operating Certificate and has ultimate responsibility to the FAA for the safety performance of operations conducted under the Airport Operating Certificate. The FAA expects in most instances that the airport director would be designated the accountable executive.
Airports should consider the following issues concerning the requirement to designate an accountable executive:

Who would assume the role of the airport’s accountable executive under the revised definition of the SNPRM?
Would the accountable executive have the time and ability to fulfill the obligations of the position, in addition to other existing responsibilities?
Would changes in delegations and authorities to the accountable executive be necessary to ensure that the individual has the “ultimate responsibility” required under the SNPRM?
Would the prospective accountable executive need additional training to fulfill the obligations to implement SMS?
Would the accountable executive need additional delegation of authority from the local elected body?
Would the airport have to amend the airport organizational chart, position descriptions, internal procedures, manuals, or other internal documents to account for these new responsibilities and reporting obligations, including providing “whistle-blower” protection for employer reporting hazards?

IV. Conclusion

The FAA has modified the proposal set forth in the NPRM in an effort to address some, but not all, of the concerns raised by airports. In conclusion, the major changes in the SNPRM modify the NPRM by:

Significantly narrowing the SMS requirements to roughly half of all Part 139 certificated airports;
Establishing a new two-pronged approach to the training requirement for all employees and tenants with access to the movement and non-movement areas of an airport;
Extending the timeline for which airport sponsors will be required to develop and implement an SMS within two years of the effective date of the final rule; and
Slightly revising the definition of an accountable executive that allows airport directors to assume the role of an accountable executive.

Throughout the SNPRM, the FAA requests input and comments from interested parties who may be impacted by the proposed changes in the SNPRM. Airport sponsors and other interested parties should take advantage of this opportunity to provide input and, where warranted, request additional information or explanation from the FAA if previous comments or concerns were not adequately addressed.

No participant in the aviation industry ever wants to oppose reasonable safety efforts. Nevertheless, the FAA’s SMS initiatives have the potential to pose considerable new administrative, recordkeeping, and oversight obligations on certain Part 139 airports. Airports need to consider how to prepare for these possible new obligations and to identify funding and administrative structures in advance.

Although the precise SMS requirements may well change when the FAA considers comments on its proposed rule, it is almost certain that some new SMS requirements will be imposed.

In preparing comments, remember to comment on both the changes in the SNPRM and the original NPRM. Airports should consider the following issues if they are planning to submit comment on the SNPRM and airport SMS generally:

How does the narrowed scope of applicability in the SNPRM affect the airport sponsor?
Has the narrowed scope gone far enough?
Is the airport sponsor comfortable with the data protection provisions outlined in the SNPRM and with communicating with state and local legislators to provide additional protection from data disclosure?
Do the revised timelines proposed in the SNPRM provide an adequate amount of time to develop and implement an SMS
What activities not currently covered in the Airport Certification Manual might be included in the SMS Manual?
What areas of the airport might be included in the SMS Manual and what level of access and operational control does the airport exercise over each such area?
Is it practical to implement all components of SMS immediately and simultaneously? If not, consider commenting to the FAA on a phase-in schedule that might be practical.
Can the airport’s existing permitting and security badging policies and procedures be changed to impose SMS responsibilities on airport tenants and users, especially in non-movement areas?
What changes in primary regulatory documents (e.g., Rules and Regulations, Minimum Standards) and airport agreements (e.g., leases, permits) would be necessary to implement SMS?
What changes in policies, procedures, and regulatory documents would be needed to ensure that airport tenants and users implement mitigation measures identified in the safety risk management process, in addition to existing prescriptive requirements in, for example, Airport Rules and Regulations, Minimum Standards, leases, and permits?

This discussion paper is not intended to provide legal advice but is provided as information as a courtesy to our clients and friends. Please contact your attorney for legal advice.

If you have any questions or would like to learn more about the topics addressed in this discussion paper, please contact Peter Kirsch at pkirsch@kaplankirsch.com or at 303.825.7000.

¹FAA, Draft Advisory Circular 150/5200-37A, 1 (June 21, 2016) (citing the International Civil Aviation Organization, Safety Management Manual, 6.5.3 ICAO Doc. 9859-AN/4744 (3rd ed. 2013)).
²FAA, Supplemental Notice of Proposed Rulemaking, Safety Management System for Certificated Airports, 81 Fed. Reg. 45872 (July 14, 2016).
³ Id. at 45872.
⁴ Id. at 45875.
⁵ Id.
⁶ Id. at 45876.
⁷ Id.
⁸ Id.
⁹ Id. at 45884.
¹⁰ Id.
¹¹Id. at 45907.
¹²Id.
¹³Id.
¹⁴Id.
¹⁵ Id. at 45883.
¹⁶ Id. at 45887.
¹⁷ Id. at 45888.
¹⁸ Id.
¹⁹ Id. at 45881.
²⁰Id.
²¹ Id.
²²Id.
²³ Id.
²⁴Id. at 45882.

A PDF of this discussion paper is available.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
algoliasearch-client-js	1 year	Necessary in order to optimize the web site's search-bar function . The cookie ensures accurate and fast search results.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-unclassified	1 year	Description is currently not available.
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	1 year	Registers a unique ID that is used to generate statistical data on how the visitor uses the web site.
_ga_#	1 year	Used by Google Analytics to collect data on the number of times a user has visited the web site as well as dates for the first and most recent visit.

Cookie	Duration	Description
ads/ga-audiences	1 year	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behavior across web sites.
guest_id	1 year 1 month	Twitter sets this cookie to identify and track the website visitor. It registers if a user is signed in to the Twitter platform and collects information about ad preferences.