Safety Management System Data, 60080-60084 [2021-23522]

Agencies

• Federal Aviation Administration
• DEPARTMENT OF TRANSPORTATION

[Federal Register Volume 86, Number 207 (Friday, October 29, 2021)]
[Notices]
[Pages 60080-60084]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-23522]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

[Docket No.: FAA-2021-0733]


Safety Management System Data

AGENCY: Federal Aviation Administration (FAA), Department of 
Transportation (DOT).

ACTION: Notice of availability and request for comments.

-----------------------------------------------------------------------

SUMMARY: The FAA is proposing to designate certain reports, data, and 
information created as part of the development and implementation of 
safety management systems (SMS) as protected information when the 
information is voluntarily provided to the agency. Protected 
information generally is not subject to public disclosure. The 
designation is intended to encourage certificate holders to voluntarily 
share SMS-related data with the FAA and to protect the voluntarily 
provided information if the FAA has a need to share it with other 
Federal agencies with safety or security responsibilities.

DATES: Send comments on or before November 29, 2021.

ADDRESSES: Send comments identified by docket number FAA-2021-0733 
using any of the following methods:
     Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the online instructions for submitting 
comments.
     Fax: 202-493-2251.
     Mail: Send comments to Docket Operations, M-30; U.S. 
Department of Transportation (DOT), Docket Operations, M-30, West 
Building Ground Floor, Room W12-140, 1200 New Jersey Avenue, 
Washington, DC 20590.
     Hand Delivery: Deliver to Mail address above between 9 
a.m. and 5 p.m., Monday through Friday, except Federal holidays.
     Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits 
comments from the public to better inform its rulemaking process. DOT 
posts these comments, without edit, including any personal information 
the commenter provides, to https://www.regulations.gov, as described in 
the system of records notice (DOT/ALL-14 FDMS), which can be reviewed 
at https://www.dot.gov/privacy.
     Docket: Background documents or comments received may be 
read at https://www.regulations.gov at any time. Follow the online 
instructions for accessing the docket or go to the Docket Operations in 
Room W12-140 of the West Building Ground Floor at 1200 New Jersey 
Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through 
Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: Dale Whitmore, Flight Standards 
Service, AFS-910, Federal Aviation Administration, 800 Independence 
Ave. SW, Washington, DC 20591, telephone (703) 342-9253.

SUPPLEMENTARY INFORMATION:

I. Executive Summary

    The FAA is proposing to designate certain reports, data, and 
information created as part of the development and implementation of 
SMSs as protected from public disclosure when the information is 
voluntarily provided to the agency. Part 5 of title 14 of the Code of 
Federal Regulations requires that certificate holders under 14 CFR part 
119 authorized to conduct operations in accordance with the 
requirements of 14 CFR part 121 establish SMS. SMS may also be 
developed and implemented voluntarily by other types of certificate 
holders, such as, but not limited to, 14 CFR part 135 air operators, 
and 14 CFR part 145 repair stations, 14 CFR part 141, 142, 147 aviation 
training organizations, as well as certain other aviation service 
providers such as design and manufacturing organizations and non-
certificated airports.
    An SMS consists of a set of processes divided into four major 
components: (1)

[[Page 60081]]

Safety policy; (2) safety risk management; (3) safety assurance; and 
(4) safety promotion. The intent of these systems is to enhance the 
decision-making capabilities of aviation service providers to address 
risks inherent in their operations and activities.
    In accordance with the FAA's statutory authority at Title 49 U.S.C. 
40123 and the FAA's implementing regulations at 14 CFR part 193, as 
described more fully below, the FAA is proposing that reports, data, 
and other information voluntarily provided to the agency in connection 
with the development and implementation of SMS be designated in an FAA 
order as protected information that is not subject to public 
disclosure. While this type of information enjoys some protection from 
disclosure in accordance with 49 U.S.C. 44735,the FAA intends this 
designation to further encourage certificate holders to voluntarily 
share SMS-related data with the FAA to protect the voluntarily provided 
information if the FAA has a need to share it with other Federal 
agencies with safety or security responsibilities.

II. Statutory Authorities

    Title 49 U.S.C. 44735 offers statutory protection from disclosure 
under the Freedom of Information Act, pursuant to 5 U.S.C. 
552(b)(3)(B), for certain reports, data, or other information that are 
submitted to the FAA voluntarily and that are not required to be 
submitted to the Administrator under any other provision of law. 
Section 44735(b)(4) extends the limitation on disclosure to ``reports, 
data, or other information produced or collected for purposes of 
developing and implementing a safety management system acceptable to 
the Administrator.'' Section 44735(b)(5) also extends the limitation on 
disclosure to ``reports, analyses, and directed studies, based in whole 
or in part on reports, data or other information'' related to the 
development and implementation of a safety management system (SMS).
    Under 49 U.S.C. 40123, notwithstanding any other provision of law, 
neither the FAA Administrator nor any agency receiving information from 
the Administrator shall disclose voluntarily-provided safety or 
security related information if the Administrator finds that the 
disclosure of the information would inhibit the voluntary provision of 
that type of information and that the receipt of that type of 
information aids in fulfilling the Administrator's safety and security 
responsibilities; and withholding such information from disclosure 
would be consistent with the Administrator's safety and security 
responsibilities. This statutory provision grants the Administrator the 
authority to issue regulations to carry out the provision. Those 
regulations are found in 14 CFR part 193.

III. Description of Safety Management System Data Subject to the 
Proposed Part 193 Program

A. SMS Description

    As summarized above, an SMS consists of a set of processes divided 
into four major components: (1) Safety policy; (2) safety risk 
management; (3) safety assurance; and (4) safety promotion. The 
principal components are safety risk management and safety assurance. 
Safety policy provides overarching safety philosophy and establishes 
safety responsibilities in the organization's management and staff. The 
safety promotion component provides for training and competencies 
necessary for safety risk management and safety assurance as well as 
communication of critical safety information to the certificate 
holder's workforce.
    The safety risk management component consists of processes to 
analyze systems, identify potential hazards in those systems, analyze 
and assess risk associated with those systems, and, where necessary, 
develop risk controls. These processes are required any time the 
organization proposes to develop and implement new systems or 
procedures or to revise existing ones. Open exchange of information on 
these actions would be highly advantageous to the certificate holder 
and to FAA oversight organizations tasked with evaluating and 
approving, accepting, or certificating these systems and changes.
    The safety assurance component is used to assess the effectiveness 
of risk controls developed under the safety risk management component 
and to provide a means of detecting new or otherwise unaddressed 
hazards. The safety assurance component includes processes for 
monitoring, auditing, and evaluating a carrier certificate holder's 
technical and operational processes. It also includes processes for 
internal investigations of accidents, incidents, and potential 
regulatory noncompliance. The latter element also provides a structured 
means of interacting with the FAA on compliance issues.
    The safety assurance component further includes a requirement for 
confidential employee reporting on the part of all employee groups 
within the certificate holder. It also requires a safety assessment 
process, including management reviews by senior management, including 
the top-level accountable executive of the certificate holder.
    Open exchange of information from these processes and open dialogue 
on the contents of the information greatly enhances the ability of the 
certificate holder and FAA oversight to assure effective compliance 
with regulations as well as safety issues outside of the scope of 
existing regulations.

B. Summary of SMS Part 193 Program

    1. Who may participate: Certificate holders under 14 CFR part 119 
authorized to conduct operations in accordance with the requirements of 
14 CFR part 121 are required to have an SMS that meets the requirements 
of 14 CFR part 5 and, to such extent, may participate. A certificate 
holder subject to other provisions of 14 CFR may participate if that 
certificate holder (i) is required to develop and implement an SMS that 
meets the requirements as identified in 14 CFR part 5; or (ii) that 
certificate holder voluntarily develops and implements an SMS that is 
accepted by the FAA, and maintains the SMS in acceptable active status 
\1\ under the SMS Voluntary Program (SMSVP) standard \2\ or under 
another FAA-sponsored SMS voluntary program.
---------------------------------------------------------------------------

    \1\ Active status refers to the organization's continuing to 
conform to the regulations or voluntary program standards as 
assessed by the FAA organization responsible for their oversight.
    \2\ The SMSVP standard is derived from and functionally 
equivalent to 14 CFR part 5 and is published in FAA Order 8900.1.
---------------------------------------------------------------------------

    2. Data covered from protection from disclosure will not include 
reports or other data involving possible criminal activity, substance 
abuse, improper use of controlled substances and/or alcohol, or 
intentional falsification. In addition, any record, document, or report 
required for the FAA to determine statutory or regulatory compliance 
that the FAA specifically requests is not considered protected.\3\
---------------------------------------------------------------------------

    \3\ For example, under 14 CFR 119.59(e), the failure by any 
certificate holder to make such information available to the 
Administrator upon request is grounds for legal enforcement action.
---------------------------------------------------------------------------

    3. How persons may participate: A certificate holder participates 
by having an SMS that is applicable to that certificate holder as 
described in paragraph A., above, and by voluntarily sharing 
information from the SMS with the FAA.
    4. Duration of this information sharing program: This program will 
continue in effect as long as a certificate holder maintains the SMS 
that is applicable to that certificate holder as described in paragraph 
A, above.

[[Page 60082]]

IV. Proposed Findings

    Based on the following findings and pursuant to the FAA's authority 
under 49 U.S.C. 40123 and 14 CFR 193.7, the FAA proposes to designate 
voluntarily provided information associated with the processes 
described in 14 CFR part 5 as protected from disclosure in accordance 
with 14 CFR part 193, including but not limited to information set 
forth in the Appendix 1: \4\
---------------------------------------------------------------------------

    \4\ Appendix 1 cites the processes and associated data 
requirements under 14 CFR part 5.
---------------------------------------------------------------------------

    1. Summary of why the FAA finds that the information will be 
provided voluntarily.
    The FAA anticipates that information from a certificate holder's 
SMS will be provided to the FAA voluntarily to facilitate ongoing 
compliance and oversight processes such as approval, acceptance, and 
certification of proposed actions on the part of the organization. As a 
result of this proposed designation, certificate holders will be 
reassured that information they voluntarily provide from their SMS will 
receive further protection from disclosure, including when the FAA 
shares the information with other Federal agencies with safety or 
security responsibilities.
    2. Description of the type of information that may be voluntarily 
provided under the program and a summary of why the FAA finds that the 
information is safety or security related.
    Certificate holders under 14 CFR part 119 authorized to conduct 
operations in accordance with the requirements of 14 CFR part 121 may 
voluntarily provide information that is associated with the processes 
described in 14 CFR part 5, including but not limited to information 
set forth in Appendix 1. For example, voluntary provided information 
includes records of the outputs of safety risk management and safety 
assurance processes, training records of employees performing risk 
management and assurance processes, and safety objectives upon which 
safety performance assessments are based.
    Other certificate holders may voluntarily provide information that 
is associated with the processes described in the voluntary SMS program 
standards applicable to the specific certificate holder. Such standards 
are identical to those set forth in 14 CFR part 5.
    3. Summary of why the FAA finds that the disclosure of the 
information would inhibit persons from voluntarily providing that type 
of information.
    Safety risk management and safety assurance data contains details 
of an organization's internal processes, the risks that they face, and 
the decisions and actions taken to address them. Disclosure of these 
data could harm the certificate holder in terms of publicity and 
litigation. These considerations could inhibit the willingness of 
certificate holders to interact openly with the FAA on collaborative 
approaches to solution of safety problems. While this type of 
information enjoys some protection from disclosure in accordance with 
49 U.S.C. 44735, the FAA is exercising its authority to broaden 
protection from disclosure under 49 U.S.C. 40123 including in 
circumstances when the FAA needs to share information with other 
Federal agencies with safety or security responsibilities.
    4. Summary of why the receipt of that type of information aids in 
fulfilling the FAA's safety and security responsibilities.
    The FAA finds that receipt of SMS information aids in fulfilling 
the FAA's safety and security responsibilities. Because of its capacity 
to provide early identification of needed safety improvements, an SMS 
offers significant potential for incident and accident avoidance. For 
example, SMS data concerning technical or operational events could 
potentially identify common causal factors in producing such incidents. 
Receipt of this information provides the FAA with an improved basis for 
modifying procedures, policies, and regulations in order to improve 
safety and efficiency. Other programs (e.g., ASAP, FOQA, VDRP) provide 
some of this information from participating organizations. However, SMS 
is more comprehensive, covering significant gaps that may exist, even 
where these programs are in place. Moreover, SMS serves as an 
integrated system, which will incorporate any existing programs.
    As noted above, this information is protected from disclosure in 
accordance with 49 U.S.C. 44735. However, broader protection under 49 
U.S.C. 40123 further encourages submission of information to aid the 
FAA in fulfilling its safety and security responsibilities, including 
where the FAA shares the information with other Federal agencies with 
safety or security responsibilities.
    5. Summary of why withholding such information from disclosure 
would be consistent with the FAA's safety and security 
responsibilities, including a statement as to the circumstances under 
which, and a summary of why, withholding such information from 
disclosure would not be consistent with the FAA's safety and security 
responsibilities, as described in 14 CFR 193.9.
    The FAA finds that withholding SMS information provided to the FAA 
is consistent with the FAA's safety responsibilities. The SMS 
specifically provides that corrective action will be taken when 
necessary.\5\ Corrective action under the SMS can be accomplished 
without disclosure of protected information.
---------------------------------------------------------------------------

    \5\ See 14 CFR 5.73(b) for situations where new hazards or 
ineffective risk controls are found as a result of safety 
performance assessments and 14 CFR 5.75 for other safety performance 
deficiencies.
---------------------------------------------------------------------------

    In order to explain the need for changes in FAA policies, 
procedures, and regulations, the FAA may disclose de-identified (e.g., 
the identity of the source of the information and the names of the 
certificate holder, the employee, and other persons redacted) summary 
information that has been extracted from reports under the SMS data. 
The FAA may disclose de-identified, summarized SMS information that 
identifies a systemic problem in the aviation system, when other 
persons need to be advised of the problem so that they can take 
corrective action. The FAA may disclose de-identified aggregate 
statistical information concerning SMS activities. The FAA may disclose 
independently obtained information relating to any event disclosed in 
SMS data.
    6. Summary of how the FAA will distinguish information protected 
under part 193 from information the FAA receives from other sources.
    All voluntarily submitted SMS data must be clearly labeled as such. 
It must be clearly labeled as follows in order to be protected under 
this designation: ``WARNING: The information in this document/system is 
protected from disclosure under 49 U.S.C. 40123 and/or Sec.  44735, 
and/or 14 CFR part 193.'' To ensure that the FAA appropriately applies 
these protections from disclosure, the FAA will take steps to ensure 
that the information that a certificate holder voluntarily provides 
through its SMS is segregated from any required information that the 
certificate also provides through its SMS.

V. Proposed Designation

    Accordingly, the Federal Aviation Administration hereby proposes to 
designate the above described information submitted from a certificate 
holder's SMS to be protected under 49 U.S.C. 40123 and 14 CFR part 193.

VI. Comments Invited

    Interested persons are invited to comment on the proposed 
designation by submitting such written data, views, or arguments as 
they may desire. Comments relating to the

[[Page 60083]]

environmental, energy, federalism, or economic impact that might result 
from adopting the proposal in this notice are also invited. Substantive 
comments should be accompanied by cost estimates, where appropriate. 
Comments should identify the notice number and should be submitted to 
the docket address specified above.
    The FAA will file in the docket all comments it receives, as well 
as a report summarizing each substantive public contact with FAA 
personnel concerning this proposed designation. Before taking action on 
this proposed designation, the FAA will consider all comments it 
receives on or before the closing date for comments. The FAA will 
consider comments filed after the comment period has closed if it is 
possible to do so without incurring expense or delay. The Agency may 
change this proposal in light of the comments it receives.

VII. Availability of This Proposed Designation

    An electronic copy of designation documents may be obtained from 
the internet by--
     Searching the Federal eRulemaking Portal (https://www.regulations.gov);
     Accessing the Government Publishing Office's web page at 
https://www.govinfo.gov.
    All documents the FAA considered in developing this proposed 
designation, may be accessed from the internet through the Federal 
eRulemaking Portal referenced in item (1) above.
    Any person may obtain a copy of this document by submitting a 
request to the Federal Aviation Administration, Air Transportation 
Division, AFS-200, 800 Independence Ave. SW, Washington, DC 20591, or 
by calling (202) 267-8166. Communications must identify the docket 
number and title of this designation.

    Issued in Washington, DC, on October 21, 2021.
Robert C. Carty,
Acting Executive Director, Flight Standards Service.

Appendix 1

    Processes per 14 CFR part 5 and Flight Standards SMS Voluntary 
Program (SMSVP) Standard.
    Part 5 and, therefore, the SMSVP Standard are process-based 
standards.\6\ That is, these standards require certificate holders 
or SMSVP participants, as appropriate, to implement certain 
processes but without prescriptive requirements for the 
configuration, methods, or organizational structures to support 
these processes. Sec.  5.97 requires records of the ``outputs'' of 
Safety Risk Management (SRM) and Safety Assurance (SA) processes.
---------------------------------------------------------------------------

    \6\ Additional information can be obtained in the Federal 
Register Vol. 80, No. 5, Jan 8, 2015, Final Rule: Safety Management 
Systems for Domestic, Flag, and Supplemental Operations Certificate 
Holders, Paragraph Q.
---------------------------------------------------------------------------

    The table below summarizes the process requirements in subparts 
C (SRM) and D (SA). Additionally, Sec.  5.97 requires certificate 
holders/participants to maintain records of training required under 
Sec.  5.91 and safety communications required under Sec.  5.93.
    This summary includes known data in a properly designed and 
performing SMS. The exact data elements and media is at the 
discretion of the certificate holder/participant, as accepted by the 
FAA.

 
------------------------------------------------------------------------
                             Process or process-
        Part 5 ref           related information          Comments
------------------------------------------------------------------------
                       Policy Related to Processes
------------------------------------------------------------------------
5.21(a)(1), 5.95..........  Safety Objectives....  5.73(a) refers to
                                                    assessments,
                                                    ``against (CH's)
                                                    safety objectives''.
------------------------------------------------------------------------
    Safety Risk Management Processes (Records of Outputs Required per
                                5.97(a))
------------------------------------------------------------------------
5.53(c)...................  Hazard Identification
5.55(a)...................  Risk Analysis........
5.55(b)...................  Risk Assessment        Process for
                             (acceptability         acceptability
                             decision).             decisions including
                                                    tools (e.g.,
                                                    matrix).
5.55(c)...................  Risk Control.........
5.55(d)...................  Risk Control           Pre-implementation
                             Effectiveness.         evaluation of
                                                    estimated
                                                    effectiveness.
------------------------------------------------------------------------
  Safety Assurance Processes (Records of Outputs Required per 5.97(b))
------------------------------------------------------------------------
5.71(a)(1)................  Monitoring of          May have FOQA
                             operational            relationship where
                             processes.             used.
5.71(a)(2)................  Monitoring of
                             operational
                             environment.
5.71(a)(3)................  Auditing of            May have LOSA
                             operational            relationships where
                             processes and          used.
                             systems.
5.71(a)(4)................  Evaluation of SMS and  May have IEP
                             operational            relationship where
                             processes.             integrated.
5.71(a)(5)................  Investigations of
                             incidents and
                             accidents.
5.71(a)(6)................  Investigations of      May have Compliance
                             reports regarding      Philosophy and/or
                             potential              VDRP implications.
                             noncompliance.
5.71(a)(7)................  Confidential Employee  May be additional
                             Reporting System.      requirements where
                                                    ASAP is involved.
5.71(b)...................  Performance
                             Monitoring and
                             Measurement Analysis.
5.73(a)...................  Safety Performance
                             Assessment Process
                             (including):
                            Management Review and
                             assessments of:
                            (1) Compliance with
                             risk controls.
                            (2) Performance of
                             the SMS.
                            (3) Effectiveness of
                             risk controls.
                            (4) Changes in
                             operational
                             environment.
                            (5) new hazards......
5.75......................  Corrective Action
                             Process.
------------------------------------------------------------------------

[[Page 60084]]

 
                          Training Requirements
------------------------------------------------------------------------
5.91......................  Employee training as
                             required.
------------------------------------------------------------------------
                Communication Related to Process Outputs
------------------------------------------------------------------------
5.93......................  Communication........
                             Employee
                             awareness of SMS.
                             Hazard
                             information to
                             employees.
                             Explanation
                             of why actions have
                             been taken.
                             Explanation
                             of why safety
                             procedures are
                             introduced or
                             changed.
------------------------------------------------------------------------

[FR Doc. 2021-23522 Filed 10-28-21; 8:45 am]
BILLING CODE 4910-13-P