The current content on this page will change significantly due to changes to the Heavy Vehicle National Law and Regulations that commence on 1 August 2026 and will no longer be accurate after that date. For more information, please see HVNL reform implementation.

Introduction

What is a Safety Management System (SMS) in the heavy vehicle industry?

A Safety Management System (SMS) is a practical way for heavy vehicle operators - of any size -to manage safety risks and demonstrate compliance with obligations under the Heavy Vehicle National Law (HVNL).

In the heavy vehicle industry, an SMS is a structured framework for managing the primary safety risks associated with road transport operations, including driver behaviour, fatigue, vehicle condition, loading practices, scheduling pressures and interactions with the public.

Putting an SMS in place is an important first step, but it shouldn’t be seen as something that is “finished” or set aside once documented. An effective SMS is not a standalone manual or folder of documents — it is how safety is managed as part of everyday work.

In practice, an SMS is a combination of policies, procedures, tools and ways of working that are actively used in day to day operations. This includes how decisions are made, how risks are identified and controlled, how work is planned and supervised, and how issues are raised and addressed.

Over time, your SMS should continue to evolve. This means regularly reviewing performance, learning from incidents, audits and feedback, and making improvements where needed. As your operations, risks, workforce or environment change, your SMS should be updated to reflect those changes.

A strong SMS is one that is:

  • Embedded – used consistently in daily activities, not just referenced when needed
  • Understood – people know their role and how to apply it in practice
  • Maintained – documentation reflects what actually happens
  • Improved – learnings are captured and applied to strengthen the system

Treating your SMS as a living system, rather than a static document, helps ensure it continues to support safe, consistent and compliant operations over time.

An effective SMS is designed to ensure the safe movement of freight and passengers by ensuring key hazards such as fatigue, speed, loading, vehicle maintenance, and scheduling pressures are proactively identified, assessed, and controlled. 

An SMS should be proportionate to the size, nature, risk and complexity of the organisation, and aligned with broader business objectives.

Why implement an SMS?

An SMS helps businesses manage safety risks in a structured and practical way, supporting safer transport operations, stronger compliance with HVNL and Chain of Responsibility obligations, and better management of fatigue, vehicle condition and day to day risks. By embedding clear responsibilities, consistent processes and informed decision making into everyday work, an SMS supports more reliable operations and enables early identification and control of issues before they lead to incidents. This reduces the risk of harm, operational disruptions and legal exposure, while strengthening safety culture and building confidence with regulators, customers and insurers.

Present, Suitable, Operating, and Effective (PSOE)

The Present, Suitable, Operating, and Effective (PSOE) audit methodology provides a clear, evidence-based way to assess whether a Safety Management System is Present (documented and in place), Suitable (appropriate for the size, nature, complexity, and risk profile of the operation), Operating (implemented and consistently used in day-to-day activities), and Effective (achieving the intended safety outcomes and driving continual improvement).

This is known as the PSOE audit methodology. This methodology is prescribed in the ministerially approved National Audit Standard (NAS) and applies to all audits conducted within a period of accreditation. This includes the:

  • entry audit
  • initial compliance audit
  • compliance audit

PSOE is a practical way to test each SMS component by moving from “does it exist?” to “does it work?”. For each topic area, an auditor will gather objective evidence and record findings against the four elements below.

Present

Is the requirement clearly defined and available?

  • Documented policies, procedures, work instructions and forms (current version controlled copies).
  • Defined roles, responsibilities and delegations (e.g., org chart, position descriptions).
  • Risk registers/hazard identification outputs relevant to the operation.
  • Training/induction materials and communication artefacts (toolbox talks, notices, briefings).

Suitable

Is it appropriate for the risks, scale and complexity of the operation?

  • Controls match the key transport risks (fatigue, speed, maintenance, loading/restraint, scheduling, driver competence, contractor management).
  • Requirements are tailored to the fleet, routes, operating hours, commodities and customer interfaces.
  • Performance measures and frequencies are realistic (e.g., inspection intervals, audit schedules, review cycles).
  • Interfaces with other systems are addressed (e.g., HR, maintenance providers, schedulers, subcontractors, the general public).

Operating

Is it implemented and consistently followed in practice?

  • Records demonstrate use (e.g., pre-starts, maintenance work orders, load restraint checks, fatigue work diaries/records, training sign-offs).
  • Staff can explain the process and show how it is applied (drivers, schedulers, supervisors, managers).
  • Evidence of supervision and verification (spot checks, internal audits, ride-alongs, checks of subcontractors).
  • Non-conformances are identified and managed (incident reports, corrective actions, coaching, disciplinary processes where needed).

Effective

Is it achieving intended outcomes and improving safety performance?

  • Trends show improvement or control (e.g., incident/near miss rates, defect re-occurrence, fatigue breaches, overloading events, speeding exceptions).
  • Corrective actions are closed out and verified for effectiveness (not just completed).
  • Management review decisions lead to positive changes (updated controls, resourcing, training, scheduling practices).
  • Lessons learned are communicated and embedded (updates to procedures, briefings, shared learnings across depots/contractors).

Audit Summary using PSOE

A PSOE summary is typically written in plain language to explain what was observed and what it indicates. It will reference the key evidence sources (e.g., documents/records reviewed, conversations held, observations made) and describe what they indicate for each PSOE element: Present (is it there), Suitable (is it appropriate), Operating (is it used), and Effective (is it working). Where gaps are identified, summaries generally describe the likely impact (risk, consistency, confidence in controls) and opportunities to strengthen the system. Common signals looked for include outdated or conflicting information in use, controls that don’t match how work is actually done, activity recorded but not evident in practice, and repeated issues without learning, follow up or improvement.

In each of the SMS framework components, the Present and Suitable section contains information to assist with what should be in place. This includes the policies, processes and arrangements that should exist, and how they should be designed so they are appropriate for the size, nature and risks of your transport operation.

The Operating and Effective section contains information about how these arrangements should be used in practice. It explains what it looks like when the SMS is being followed day to day, and how to tell whether the arrangements are actually working to manage safety risks.

The Continuous Improvement section explains how you monitor, review and improve safety over time.

1. Leadership and Commitment

Leadership and commitment set the direction for how safety is prioritised and managed across a transport business. Under the SMS Standard, operators are expected to demonstrate leadership commitment through governance arrangements that assign clear responsibility and accountability for managing public risk arising from their transport activities.

This includes implementing SMS policies, procedures and systems of work that manage identified risks in practice and maintaining a reporting culture where drivers and other workers can raise hazards, incidents and improvement opportunities without fear of reprisal. Leadership is assessed on how well the SMS is implemented and how effectively it supports safe operations.

In practice, this standard is reflected in how safety priorities are set, how decisions are made when trade-offs arise (time, cost, service), and how leaders verify that critical controls are resourced and working. Strong leadership is typically evident through regular safety discussions, clear expectations for reporting and follow up, and governance routines that turn information into timely action.

Key SMS Sub-components:

  • 1.1 Responsibility and accountability
  • 1.2 Development and implementation
  • 1.3 Resource allocation
  • 1.4 Safety Culture

To be Present, you should be able to show that leadership and governance expectations are defined and accessible, including:

  • Clear governance arrangements that allocate SMS responsibilities (who is responsible, who is accountable, and how oversight occurs).
  • Delegations and authority for safety decisions, including escalation pathways for serious public risks.
  • Reporting processes for hazards, incidents, near misses and improvement opportunities, including protection from reprisal.
  • A description of how senior management maintains a sound understanding of the operating context (activities undertaken, key hazards/public risks, and the controls relied on).
  • Supporting governance documentation and tools are available and current (e.g., role statements, reporting templates, meeting/oversight records).

To be Suitable, these arrangements should fit the size, nature, complexity and risk profile of your operation, meaning:

  • Responsibilities and oversight reflect how work is actually done (including contractors/interfaces), not just how it is described.
  • Safety decisions are made at the right level, with governance retaining accountability for SMS outcomes.
  • Reporting channels are practical for the workforce and operating model (e.g., mobile/dispersed) and are trusted in practice.
  • Leadership has visibility of the safety information needed for informed oversight (risk profile changes, incidents/non-conformances, control performance, review outcomes).
  • Documentation, tools and templates are fit for purpose and support consistent decision making and oversight.

To be Operating, you should be able to demonstrate leadership arrangements are used day-to-day, such as:

  • Leaders use safety information to make decisions about priorities, resourcing and changes to controls.
  • Reports are received, recorded where appropriate, escalated and responded to in a timely way.
  • Safety-related decisions are made by competent people with appropriate authority and delegation.
  • SMS arrangements guide day-to-day work, including how safety issues are raised, assessed and addressed.
  • Documentation, tools and templates are used in practice to support leadership oversight (e.g., reporting packs, meeting minutes, decision logs, action trackers).

To be Effective, evidence should show leadership and governance improve safety outcomes, including:

  • Governance identifies emerging risk and recurring issues early and prompts timely action.
  • Reporting and feedback lead to learning and measurable improvements to controls and ways of working.
  • Leadership decisions result in safer, more consistent operations over time.
  • Documentation and tools are maintained so they reflect current governance expectations and drive sustained improvements (e.g., updated templates, clearer guidance, improved reporting quality).

Leadership should drive improvement by ensuring:

  • Review safety information (monitoring results, audits, incidents and feedback) to identify where the SMS needs strengthening.
  • Make risk-based improvements that address underlying causes, and ensure actions are implemented in practice.
  • Share learnings and embed changes so the SMS stays current as operations, risks and requirements change.

2. Risk Management

Risk management is the foundation of an effective SMS. It involves identifying hazards, assessing and prioritising risks, applying controls to eliminate or minimise public risk so far as is reasonably practicable, responding to incidents and near misses, and reviewing risks and controls as operations and conditions change.

A mature risk management approach goes beyond reacting to incidents and treats risk as a normal part of everyday decision making. It proactively identifies, assesses, and controls risks, integrates risk considerations into planning and operational activities, and uses data, worker input, and experience to identify emerging risks early.

It clearly defines how risk decisions are made and approved, how changes are assessed—such as new routes, customers, vehicles, rostering, or contractors—and how risk information is shared so it genuinely influences planning and day to day operations. Risks and controls are regularly reviewed, lessons are learned from incidents and near misses, and the system is continually improved rather than relying on compliance alone.

Key SMS Measures:

  • 2.1 Hazard identification
  • 2.2 Risk assessment
  • 2.3 Risk controls
  • 2.4 Incident management
  • 2.5 Ongoing risk management
  • A hazard identification process that reflects real work and includes interface/third-party hazards
  • A risk assessment approach that characterises risks to support comparison and prioritisation.
  • Risk controls selected to suit the assessed risk and operating context (including layered controls where needed).
  • Incident and near-miss arrangements that support timely response, investigation and corrective action.
  • Ongoing risk management expectations, including triggers and periodic review of risks and controls.
  • Risk documentation and tools are established and accessible (e.g., hazard/incident forms, risk register templates, investigation tools, action trackers).

To be Suitable, these processes should:

  • Reflect how work is actually planned and performed, including scheduling pressures, routes, environments and interfaces.
  • Be proportionate to your risk profile (higher-risk activities prompt more structured attention and earlier action).
  • Use methods that are practical for your operation (the Standard does not mandate a specific tool or matrix).
  • Select controls that are fit-for-purpose in your context (not generic controls copied from elsewhere).
  • Documentation, tools and templates are fit for purpose for the operation and support consistent risk decisions (e.g., usable forms, practical registers, clear guidance).

To be Operating, you should be able to show:

  • Hazards are being identified proactively during normal operations (not only after incidents).
  • Risks are assessed and prioritised to guide decisions on what gets addressed first.
  • Controls are actually applied in day-to-day operations and supported with the necessary information, coordination and resources.
  • Incidents/near misses are responded to in a timely way, investigated for contributing/systemic factors, and lead to corrective actions.
  • Documentation, tools and templates are routinely used to identify, assess and control risks (e.g., completed hazard reports, risk assessments, investigation records, action registers).

To be Effective, evidence should show:

  • Controls reduce risk in practice (fewer repeat incidents/defects, improved control performance, reduced drift).
  • Reviews detect emerging risk before serious harm occurs and lead to meaningful adjustments.
  • Corrective actions prevent recurrence and improve safety outcomes, not just administrative closure.
  • Documentation and tools enable learning and improvement over time (e.g., trend reports, refreshed risk guidance, updated forms/templates based on lessons learned).

Risk management improves when you:

  • Regularly evaluate whether controls remain suitable and effective, using triggers such as incidents, changes in operations, emerging risks and periodic review.
  • Adjust risk priorities and controls when circumstances change or new information becomes available.
  • Share learnings so improvements are applied beyond the single event or site where they were identified.

3. People

People at all levels influence safety through the decisions they make every day. This standard focuses on fitness to drive, role-based training and competence, and clear two-way communication so that drivers and other workers can manage public risk at the point of work.

This includes ensuring people have the right information at the right time, that safety expectations are understood and applied consistently, and that workers feel able to speak up when conditions are unsafe. Evidence of strength in this area often includes clear role expectations, practical coaching and supervision, and communication methods that work for a mobile and geographically dispersed workforce.

Key SMS Measures:

  • 3.1 Fitness to drive
  • 3.2 Training and competency
  • 3.3 Communication.

To be Present, you should have:

  • Fitness-to-drive mechanisms (licensing verification; expectations for health, fatigue, impairment; escalation/response pathways; confidentiality handling where health info is used).
  • Training and competency arrangements (role-based competence needs, induction, refreshers, reactive training after events, supervision for developing competence).
  • Communication mechanisms (two-way channels, prioritisation of safety-critical info, accessible methods suited to your workforce).
  • Supporting documentation and tools are in place (e.g., fitness-to-drive guidance, induction/training materials, communication templates and records).

To be Suitable, these arrangements should:

  • Match your operating context (mobile/dispersed workforce, subcontractors/interfaces, types of tasks and risk exposures).
  • Enable real decisions at the point of work (fitness expectations that are operationally usable; communication that reaches the right people at the right time).
  • Focus training on managing hazards and public risks relevant to the work performed.
  • Documentation, tools and templates are practical and accessible for the workforce (e.g., plain-language guidance, mobile-friendly formats, consistent messages).

To be Operating, you should be able to demonstrate:

  • Licensing checks and fitness processes are embedded in practice (including for new/relief/casual drivers where relevant).
  • Drivers are empowered and supported to stop work when unfit, with non-reprisal made real through how reports are handled.
  • Training occurs at induction and when roles/risks change, and competence is demonstrated in practice (not only by qualifications).
  • Communication channels are actively used for feedback, questions, escalation, and sharing safety-critical updates.
  • Documentation, tools and templates are actively used to support people processes (e.g., training records and sign offs, fitness declarations/assessments where used, briefing templates, communication logs).

To be Effective, evidence should show:

  • Fitness-to-drive issues are identified early and prevented from becoming unsafe driving.
  • Training improves safe task performance and reduces errors, repeated non-conformances, and incident recurrence.
  • Communication supports early identification of issues and consistent application of controls across the workforce.
  • Documentation and tools are updated based on feedback and performance so they better support safe work decisions (e.g., improved training materials, clearer guidance, more usable templates).

People systems improve when you:

  • Review fitness-to-drive and competency mechanisms when triggers arise (e.g., repeated events, incidents, feedback indicating barriers).
  • Update training/briefings and supervision approaches based on experience, new risks, and learnings.
  • Strengthen communication methods where messages aren’t reaching the right people or aren’t driving action.

4. Assurance, Monitoring and Improvement

Assurance, monitoring and improvement confirm that the SMS is working as intended over time. This requirement focuses on setting meaningful performance objectives and indicators, monitoring and reviewing control effectiveness, using audits and reviews to identify issues, and implementing improvements where needed.
Effective assurance creates confidence that critical controls are being applied and remain fit for purpose as conditions change. It typically combines leading and lagging indicators with targeted checks, analysis of trends, and structured reviews so the business can detect drift early, prioritise improvements, and verify that actions taken have reduced risk rather than simply closing items.

Key SMS Measures:

  • 4.1 Performance targets and indicators
  • 4.2 Monitoring and review
  • 4.3 Continuous improvement
  • 4.4 Evidence.

To be Present, you should have:

  • Defined safety performance objectives and indicators (leading/lagging as appropriate).
  • Monitoring arrangements targeted to known risks and critical controls, using multiple information sources.
  • Defined review triggers (incidents, changes, control failures, feedback) and periodic review intervals proportionate to risk.
  • Improvement and corrective action arrangements (how decisions to act are made, how actions are tracked/closed, how effectiveness is considered).
  • Evidence arrangements sufficient to demonstrate effective operation of the SMS.
  • Monitoring and improvement documentation and tools are established (e.g., KPI definitions, audit/review templates, action registers, evidence matrices).

To be Suitable, these should:

  • Focus on what matters most to public risk and control performance (not just easy-to-measure metrics).
  • Be timely enough to detect drift and emerging risk before harm occurs.
  • Avoid unnecessary administrative burden while still providing credible assurance.
  • Documentation, tools and templates are fit for purpose and support efficient, credible assurance (e.g., streamlined checklists, clear criteria, usable trackers).

To be Operating, you should be able to show:

  • Indicators are used in practice to inform oversight and decisions.
  • Monitoring occurs using real operational inputs (records, observations, feedback, incidents/near misses).
  • Reviews happen when triggered and periodically, and examine both risk assessments and control effectiveness.
  • Improvement actions are implemented (not stuck as recommendations) and tracked to completion.
  • Documentation, tools and templates are used consistently to plan, record and track assurance activities (e.g., completed checklists, review notes, KPI reports, action registers).

To be Effective, evidence should show:

  • Monitoring and review identify patterns/trends early and lead to timely risk-based action.
  • Corrective actions address underlying causes and reduce repeat issues.
  • The SMS stays relevant and effective as risks and operations change.
  • Documentation and tools support decisions that improve outcomes (e.g., revised indicators, updated audit criteria, improved evidence quality, fewer repeat findings).

Continuous improvement is achieved when you:

  • Regularly use information from audits, monitoring, investigations and reviews to decide where change is needed.
  • Implement targeted improvements and then check whether they worked.
  • Capture and apply learnings across the SMS so the same issues don’t recur elsewhere.

Safety Systems

Safety systems bring the SMS together so safety is embedded in everyday operations. This requirement focuses on integrating SMS processes across the organisation, coordinating safety activities where risks span roles or functions, and ensuring the SMS is used in day-to-day operational decision-making.

Integration is usually demonstrated by consistent information flows, aligned processes and shared decision points across roles such as schedulers, supervisors, maintainers and drivers. A well integrated SMS reduces duplication and gaps, helps manage interface risks (including contractors and customers), and makes it easier for the business to apply controls consistently even when operations are changing or under pressure.

Key SMS Measures:

  • 5.1 Safety Systems
  • 5.2 System Coordination
  • 5.3 System integration

To be Present, you should be able to describe and show:

  • How SMS processes connect (risk management, communication, monitoring, improvement) as one coherent system.
  • How responsibilities align across the organisation to support coordination (including where risks span multiple teams).
  • How safety information flows to the right decision-makers to support timely action.
  • How SMS is embedded into operational planning and conduct (frontline/supervisory use).
  • System documentation and decision-support tools are available (e.g., process maps, integration guides, handover templates, information-flow tools).

To be Suitable, integration should be:

  • Scaled to the size, nature and complexity of the business (fit-for-purpose, not overly complex).
  • Designed around real work and decision points where public risks arise (planning, dispatch, loading, maintenance, route changes, incident response).
  • Capable of managing interface risks with contractors/other parties in the Chain of Responsibility where relevant.
  • Documentation, tools and templates support integration in practice (e.g., aligned forms and records across functions, common terminology, consistent workflows).

To be Operating, you should be able to demonstrate:

  • The SMS actively informs operational decisions (not applied only after the fact).
  • Frontline and supervisory decision-makers can use the SMS processes in practice.
  • Coordination occurs where risks and controls span functions (no gaps/duplication/conflicting actions).
  • Operational practices align with SMS intent and do not routinely bypass it.
  • Documentation, tools and templates are used across functions to support consistent SMS application (e.g., shared workflow tools, aligned records, common handover/coordination templates).

To be Effective, evidence should show:

  • Decisions are more consistent and risk-based across the business.
  • Safety information leads to timely action before serious incidents occur.
  • Integration reduces “workarounds” and improves control consistency and safety outcomes.
  • Documentation and tools are improved over time to strengthen integration and reduce variation (e.g., simplified templates, better information flows, clearer end to end guidance).

Safety systems improve when you:

  • Use monitoring/review/incident learning to strengthen integration points (handoffs, interfaces, information flows).
  • Adjust coordination and responsibilities when operations, risks, or organisational structures change.
  • Embed improvements into routine operations so changes stick (updated decision tools, revised workflows, refreshed communications/training).