Quick answer
See the highlighted block above the contents list for the short version. Below, each of the four components gets its own section: what it is, which of the twelve elements it holds, the records it produces, and the single most common way it fails. The final section shows how one occurrence moves through all four. If you want the higher-level definition first, start with what an SMS is.
Safety Policy
Safety Policy is the foundation the other three components stand on. It is where the organisation commits to safety in writing, names who owns what, and puts the supporting structure in place. In the ICAO Annex 19 framework it holds five of the twelve elements:
- Management commitment, a signed, resourced safety policy from the top.
- Safety accountability and responsibilities, who is answerable for safety, from the accountable executive down.
- Appointment of key safety personnel, a named person responsible for the SMS.
- Coordination of emergency response planning, the response plan tied into the SMS.
- SMS documentation, the framework and records that describe the system.
What it produces as records: the signed safety policy statement, an accountability map, appointment records for the accountable executive and the safety manager, the emergency response plan, and the SMS documentation set that indexes everything else.
The common failure mode: commitment on paper, not in the budget. The policy is signed and framed, the accountable executive is named in the manual, and then nothing is resourced. Safety competes for time and money like any other function and quietly loses. When the top of the system is ceremonial, the reporting, analysis and correction below it never get the authority or the resources they need, and the other three components run on goodwill until the goodwill runs out.
Safety Risk Management
Safety Risk Management is the engine of the SMS: the component that actually finds hazards and does something about them. It holds two of the twelve elements, hazard identification and safety risk assessment and mitigation, but those two carry most of the safety value in the whole system.
Hazards arrive from three directions. Reactive sources are the events that already happened: occurrence reports, incidents, findings. Proactive sources look before anything goes wrong: audits, surveys, line observations, flight-data monitoring. Predictive sources model what could combine to cause harm. Whatever the source, each hazard is assessed for the risk it carries, typically the severity of the worst credible outcome against how likely it is, and then controlled with barriers until the residual risk is at a level the organisation has decided is acceptable.
What it produces as records: the hazard register, individual risk assessments, the risk-matrix scores, bow-tie models that lay out the threats and barriers around a top event, the barriers themselves, and the mitigation actions raised to strengthen them. If you want the barrier view without the spreadsheet, see the bow-tie explainer.
The common failure mode:risk assessed once, filed, and never revisited. A hazard log becomes a graveyard of entries nobody reopens, a risk is scored on the day it is raised and then frozen even as the operation changes around it, and mitigation collapses into “provide training” with no check that the training changed anything. The matrix gets used backwards, too, reverse-engineered to land on the answer someone already wanted rather than to reveal the risk honestly.
Safety Assurance
Safety Assurance is the check. Safety Risk Management builds the barriers; Safety Assurance proves they are still standing and still working. It holds three of the twelve elements:
- Safety performance monitoring and measurement, indicators, targets and internal audits that show whether safety is actually being delivered.
- The management of change, assessing the risk of a planned change before it is made, not after.
- Continuous improvement of the SMS, auditing the system itself and acting on what the audit finds.
What it produces as records: safety performance indicators and their control charts, internal audit reports and the findings they raise, occurrence investigations, assessments for the management of change, and the corrective actions (CAPA) that carry a finding through to closure. Indicators are the heartbeat here: see the SPI library for how a leading-indicator set is built.
The common failure mode:monitoring that measures activity rather than performance. Indicators are drawn as coloured arrows or a red-amber-green wall instead of real statistical control, so normal variation looks like a trend and a genuine shift hides in the noise. Findings are raised and then never close. Investigations stop at “human error” instead of the conditions that made the error likely. And change happens first and gets risk-assessed afterwards, if at all. The fix for the indicator half is real process control: see control charts versus trend bars.
Safety Promotion
Safety Promotion is the fuel. It keeps people competent in their safety duties and keeps safety visible and two-way, which is what keeps the reports flowing into Safety Risk Management in the first place. It holds the last two of the twelve elements, training and education and safety communication.
What it produces as records: training and competency records, the training matrix, safety bulletins and lessons-learned communications, survey results that read the safety culture, and the feedback records that show reporters their reports went somewhere. That feedback is not a courtesy: a closed just-culture loop is what sustains reporting, and we walk through it in just culture in five questions.
The common failure mode: broadcast, not dialogue. Training becomes a one-time slide deck at induction and is never refreshed. Communication runs one way, from management to staff, with no channel back. Lessons from an investigation stay locked in the investigation file and never reach the crews who need them. And reporters who file in good faith never hear what happened, so they slowly stop filing. When Safety Promotion fails, the failure is invisible for a while and then shows up as a reporting rate that quietly falls, starving the rest of the system of its most important input.
How the four connect
The four components are often drawn as four boxes, which makes them look like four separate workstreams. They are not. Here they are at a glance, and then we follow one event through all four.
| Component | Key elements | Produces (records) | Common failure mode |
|---|---|---|---|
| Safety Policy | Commitment, accountabilities, key safety personnel, emergency response, documentation | Signed policy, accountability map, appointment records, emergency response plan | Commitment on paper, not in the budget |
| Safety Risk Management | Hazard identification; risk assessment and mitigation | Hazard register, risk assessments, bow-tie models, barriers, mitigations | Risk assessed once, filed, never revisited |
| Safety Assurance | Performance monitoring; management of change; continuous improvement | Indicators and charts, audit findings, investigations, change assessments, CAPA | Findings that never close, arrows instead of control charts |
| Safety Promotion | Training and education; safety communication | Training and competency records, safety bulletins, survey results, feedback | Broadcast, not dialogue; reporters never hear back |
Take one everyday occurrence, a rejected takeoff, a ground-handling contact, an unstable approach that was taken around, and follow it. Safety Promotion is why the report exists at all: someone was trained to file it and trusted that it would be handled fairly. Safety Risk Management catches it: the hazard it exercised is identified, the barrier that failed is named, and the risk is reassessed on the matrix. Safety Assurance takes over: the event is investigated, a corrective action is raised to restore the barrier, and the indicator that tracks that hazard is watched for recurrence, with a closure gate holding the record open until the action is proven effective. Safety Policy sits over all of it: it defines who is accountable for accepting or mitigating the residual risk and who resources the fix, and the accountable executive sees the movement in the risk profile. One occurrence, all four components, in order.
Now picture the same occurrence in an operation where the four components are separate systems. The report lands in an inbox. Nobody links it to the hazard. The corrective action, if one is raised, lives in a different tracker and closes without anyone checking the barrier. The indicator that would have flagged the pattern is in a spreadsheet the investigator never opens. Every component technically exists, and the occurrence still dies quietly. That is why the connection between the four components is not a nice-to-have: it is the mechanism by which an SMS actually reduces risk.
This is exactly what eAviora is built for. The whole SMS runs as one operational graph, so an occurrence links to its hazard, the failed barrier, the corrective action, the indicator and the Safety Risk Profile automatically, rather than being re-keyed between four tools. Enforced closure gates stop a record closing over open risk, so a degraded barrier cannot be signed off until a linked corrective action is proven effective. Indicators run on real statistical process control, and the risk profile is computed rather than asserted. See how the records wire together in connect occurrence, CAPA, SPI and risk profile and enforced closure gates, or explore the SMS module.
Frequently asked questions
What are the four components of a safety management system?
The four components (or pillars) of an SMS are Safety Policy, Safety Risk Management, Safety Assurance and Safety Promotion. Safety Policy sets management commitment, safety accountabilities and the appointment of key safety personnel. Safety Risk Management identifies hazards and assesses and controls their risk. Safety Assurance monitors safety performance, manages the risk of change and drives continuous improvement. Safety Promotion delivers safety training and two-way safety communication. The four are defined in ICAO Annex 19 and required by national rules such as FAA 14 CFR Part 5.
What are the 12 elements of an SMS?
In the ICAO Annex 19 framework the four components hold twelve elements. Safety Policy has five: management commitment; safety accountability and responsibilities; appointment of key safety personnel; coordination of emergency response planning; and SMS documentation. Safety Risk Management has two: hazard identification; and safety risk assessment and mitigation. Safety Assurance has three: safety performance monitoring and measurement; the management of change; and continuous improvement of the SMS. Safety Promotion has two: training and education; and safety communication. Five plus two plus three plus two makes twelve.
What does each SMS component produce as records?
Safety Policy produces the signed safety policy statement, the accountability map, appointment records for key safety personnel, the emergency response plan and the SMS documentation set. Safety Risk Management produces the hazard register, risk assessments, risk-matrix scores, bow-tie models, barriers and mitigation actions. Safety Assurance produces safety performance indicators and their charts, internal audit reports and findings, occurrence investigations, management-of-change assessments and corrective actions. Safety Promotion produces training and competency records, safety bulletins, survey results and just-culture feedback records. Those records are the evidence an auditor asks to see.
What is the most common way each SMS component fails?
Safety Policy fails when commitment is on paper but not in the budget, and the accountable executive is named but not engaged. Safety Risk Management fails when a hazard is assessed once, filed, and never revisited, or when mitigation is just "provide training" with no verification. Safety Assurance fails when indicators are coloured arrows instead of real statistical control, and when findings are raised but never close. Safety Promotion fails when it becomes one-way broadcast: induction slides once, lessons stuck in the investigation file, and reporters who never hear back, so the reporting culture that feeds the whole system quietly decays.
How do the four components of an SMS connect?
They connect through the events flowing through the system. Take one occurrence: Safety Promotion is why it was reported at all, Safety Risk Management identifies the hazard it exercised and the barrier that failed, Safety Assurance investigates it and raises a corrective action while watching the indicator that tracks it, and Safety Policy defines who is accountable for the residual risk and resources the fix. One occurrence exercises all four components in order. That is why an SMS only works when the components are connected: run as four separate archives, the occurrence dies in an inbox and never reduces risk.