SMS in Aviation: Common Gaps That Lead to Audit Findings
In an industry where safety is paramount and oversight is continuous, a well-functioning Safety Management System (SMS) is essential. However, despite widespread adoption of SMS frameworks across aviation, audit findings related to SMS remain common.
In most cases, these findings are not due to a lack of documentation, but because the SMS does not function effectively in practice, is not consistently applied, or cannot be adequately evidenced.
Based on extensive regulatory support and audit experience, Bostonair Safety and Compliance Services regularly supports organisations across maintenance, training, and operational environments where SMS is present but not fully embedded. This article explores the most frequent SMS weaknesses identified during audits, why they occur, and how they can be addressed through effective implementation and training.
What Auditors Are Really Assessing:
While manuals and procedures are important, auditors focus on whether SMS is alive within the organisation. Specifically, they assess:
- How safety risks are identified, assessed, and controlled
- Whether staff understand and actively participate in SMS
- How safety data is monitored, reviewed, and acted upon
- The extent of management ownership and oversight
- Whether the system drives continuous improvement
An SMS that exists only as documentation and without behavioural adoption, will almost always result in findings.
Get in touch with our experts to see can support you…
Common SMS Gaps That Lead to Audit Findings:
1. SMS Documentation Is Not Reflected in Day-to-Day Operations
One of the most common findings is an SMS that appears compliant on paper but has little operational impact.
Auditors frequently encounter:
- Risk assessments that are generic, outdated, or copied across activities
- Procedures that do not reflect how work is actually performed
- Safety actions raised but not closed or reviewed for effectiveness
This disconnect indicates that SMS has been implemented as a compliance exercise rather than as an operational management tool.
2. Hazard Identification Is Reactive and Incomplete
Proactive hazard identification is fundamental to SMS, yet many organisations rely heavily on:
- Incident-driven hazard identification
- Limited management input without frontline engagement
- Narrow hazard registers that fail to reflect operational complexity
Auditors expect to see multiple hazard identification sources, including reporting systems, audits, safety meetings, trend analysis, and management review inputs.
When hazards are poorly defined, risk controls become ineffective and audit findings follow.
3. Risk Assessments Do Not Support Decision-Making
Risk assessment processes are often present but underdeveloped.
Typical issues include:
- Inconsistent application of risk matrices
- Mitigations that are vague or unenforceable
- No reassessment after changes or events
Auditors assess whether risk assessments are used to inform decisions, not simply filed for reference. If risk controls cannot be shown to reduce risk to an acceptable level, findings are likely.
4. Safety Reporting Systems Exist Without a Safety Culture
Many organisations have reporting tools in place, yet reporting rates remain low or reports lack meaningful content.
Audit findings often reveal:
- Staff uncertainty about what should be reported
- Fear of blame or disciplinary action
- No feedback to reporters on actions taken
A lack of feedback erodes trust and engagement. Auditors will look for evidence of a just culture, where reporting is encouraged, protected, and leads to improvement.
5. SMS Training Is Insufficient or Misaligned
SMS training is one of the most frequent contributors to audit findings.
Common shortcomings include:
- One-time SMS training with no refresher programme
- Generic training that does not reflect individual roles
- Limited SMS competence at supervisory and management levels
- Contractors and temporary staff excluded from SMS training
Auditors expect training to be role-specific, current, and demonstrably effective, not simply completed.
6. Safety Performance Monitoring Lacks Depth
Many organisations struggle to demonstrate how safety performance is monitored and improved.
Typical gaps include:
- KPIs focused on activity rather than risk or outcomes
- Safety data collected but not analysed for trends
- Safety indicators reviewed but not escalated or acted upon
An effective SMS uses data to drive decisions and improvement, a key area of audit focus.
7. Management Oversight Is Passive Rather Than Active
Management commitment is central to SMS maturity and is closely scrutinised during audits.
Findings arise where:
- Management reviews are irregular or poorly documented
- Senior leadership attendance is inconsistent
- Safety actions are not tracked to completion
Auditors expect to see leadership actively owning safety performance, not delegating responsibility entirely.
Why SMS Implementation Is Where Many Organisations Fall Short
Many organisations understand SMS requirements but struggle with implementation because systems are:
- Overly complex and avoided by staff
- Poorly aligned with operational workflows
- Implemented using generic templates rather than operational realities
An effective SMS must be designed around how the organisation actually operates, not how it is assumed to operate.
Embedding SMS Through Practical Implementation and Training
Closing SMS gaps requires more than updating documentation. It requires structured implementation and meaningful training.
Bostonair supports organisations by:
- Implementing tailored SMS frameworks aligned to approvals, size, and risk profile
- Translating regulatory requirements into practical, usable procedures
- Integrating SMS into existing management systems
- Delivering role-specific SMS training that builds competence and confidence
- Supporting organisations through regulatory engagement and audits
Training focuses on behaviour and understanding, ensuring staff know what SMS is, how to use it, and why it matters.