QMS & SMS Setup

Configure your Quality, Safety, Security, and Dangerous Goods management systems.

Follow these steps before running your first audits or receiving reports. Musket pre-seeds most settings — your job is to review, adapt, and tailor them to your organisation.

1 Step 1 — Give QSS Personnel Access

Who does this: System Administrator

Assign the correct system roles to the appropriate staff members. System roles grant access to each QSS module and its notifications.

Safety role → Safety Manager (receives safety reports; can create safety audits)
Quality role → Quality Manager
Security role → Security Manager
Dangerous Goods role → DG Manager
Ad-hoc Investigator role → designated ad-hoc investigators

There is an alternative: in each module's Settings, there is a dedicated people tab where you can add members directly — this assigns the system role to them. Both methods achieve the same result. The tab names differ per module: Auditors (Quality), Safety Auditors/Investigators (Safety), Security Auditors/Investigators (Security), DG Auditors/Investigators (Dangerous Goods), and Ad Hoc Investigators (Ad-Hoc).

Full details: Role Management

2 Step 2 — Main QSS Settings

Who does this: Safety Manager, Quality Manager, System Administrator

Go to Quality Safety Security → Settings (at the bottom of the QSS menu). Work through the following tabs:

2.1 Compliance Types (most important)

Compliance Types define the categories of findings raised from audits, reports, and MoCs — for example: Level 1 Finding, Level 2 Finding, Observation, Risk Management Workshop Action.

Review and adapt the pre-seeded types to match your organisation's terminology.
Set default response periods per type (how many days the responsible party has to respond to a finding of each type).
Choose the submission workflow for findings:
- Always Combined — single submission combining the corrective action plan and its implementation (simpler, recommended for smaller teams).
- Always Separate — separate submissions for plan and implementation (useful for auditing workflows where plan approval is required before implementation begins).

Full details: QSS Main Settings — Compliance Types

2.2 Tolerabilities

Tolerability bands define the risk acceptance levels used in the Risk Matrix and throughout QSS risk assessments. Musket pre-seeds standard bands — review and adjust to match your organisation's risk policy.

Full details: QSS Main Settings — Tolerabilities

2.3 Risk Matrix

The Risk Matrix combines likelihood and severity scores to produce a risk level. It ties directly into the Tolerabilities you configured above. Review the default matrix and adjust if your organisation uses different dimensions, scores, or labels.

Full details: QSS Main Settings — Risk Matrix

2.4 Hazards

Hazard categories are used when logging risks in the Risk & Hazard Register and when categorising findings and reports. Musket pre-seeds common aviation hazard categories — add, rename, or remove categories to reflect your operational environment.

Full details: QSS Main Settings — Hazards

2.5 Causal Factors

Causal Factor categories are used when investigating reports and findings to identify root causes. Musket seeds common categories (Human Factors, Equipment, Procedures, Environment, etc.) — review and adjust if needed.

Full details: QSS Main Settings — Causal Factors

2.6 Notification Types

Notification Types are the tag categories used when sending notifications to staff (e.g. Red Tag, Yellow Tag, Info Tag, NOTAM, Company Memo). Musket seeds default types — add or rename as needed for your operation.

These are the same notification types used across the entire system — in both QSS and Organisation → Notifications & Tags. Configuring them here applies system-wide.

Full details: QSS Main Settings — Notification Types

3 Step 3 — Audit Setup (per module)

Who does this: Safety Manager / Quality Manager / Security Manager / DG Manager

Repeat the following steps for each QSS module applicable to your operation (Safety, Quality, Security, Dangerous Goods):

Add Checklists — go to the module's Settings → Checklists tab. Use the AI checklist generation tool to upload your existing checklists or generate new ones from a description. Recommended: Keep individual checklists short. You can attach multiple checklists to a single audit, which makes them more reusable across different audit types.
Create Templates *(optional)* — if you run recurring audits with the same structure, create reusable audit templates to save time.
Review Audit Types — audit types are shared across all modules. Confirm or adjust the default types (e.g. Internal Audit, External Audit, Surveillance).

Back in Main QSS Settings → Audit/MoC Settings tab — configure shared options: auto-generated audit subjects, whether checklists can be shared across modules, and similar global audit preferences.

You can begin creating audits (pre-building your audit schedule) before checklists are ready. Checklists must be added to each audit before it is actually run.

4 Step 4 — Reporting Setup (per module)

Who does this: Safety Manager / Security Manager / DG Manager

Note: The Quality module does not have a reporting/investigation function — it uses Audits only (configured in Step 3 above). Reporting Setup applies to: Safety, Security, Dangerous Goods, and Ad-Hoc.

Repeat the following steps for each applicable module (Safety, Security, Dangerous Goods, Ad-Hoc):

Go to the module's Settings → Report Categories tab.
Each Report Category defines a reporting form (e.g. Accident Report, Near Miss Report, Dangerous Goods Occurrence).
Build the form fields for each category — the fields you add here appear on the reporting form when a user submits a report of that type.
Optionally assign a default investigation team per category — these people automatically receive alerts and are added to the investigation whenever a report of that category is submitted.

Important: Once at least one active Report Category exists in a module, the generic default form is replaced by the specific forms you've created — only those forms are available to users.

Not ready to configure yet? Leave the module unconfigured. Users can still submit basic reports with a description and document attachment.
Want to revert to the basic form temporarily? Deactivate all categories in that module — with no active categories, the system standard form becomes active again.

Full details: Safety Report Categories | Security Report Categories | DG Report Categories | Ad-Hoc Report Categories

5 Step 5 — Risk Management Setup

Who does this: Safety Manager / System Administrator

Auto-Linking — decide whether to enable this from the start. Auto-Linking automatically links risks from reports, audits, and MoCs to your Risk & Hazard Register. Go to Risk Management Settings to configure.
Impacted Factors / Parties — review the pre-seeded list of parties and factors that can be impacted by a risk (e.g. Passengers, Flight Crew, Third Parties, Environment). Adjust as needed.
Pre-populate the Risk & Hazard Register (optional) — if your organisation already has an existing risk register, add your current company hazards and associated risks directly in the Risk & Hazard Register.

Full details: Risk Management Settings | Risk & Hazard Register | Risk Sources

6 Step 6 — Management of Change (MoC) Setup

Who does this: Quality Manager / Safety Manager

MoC Types — go to MoC Settings and review/adjust the default MoC types (e.g. Procedure Change, Equipment Change, Organisational Change).
Checklists & Templates — optionally add checklists and templates for MoC workflows.

Recommended: Don't pre-build everything upfront. Add checklists as you run your first real MoCs. Keep checklists generic so they can be reused across multiple MoCs of the same type.

Full details: MoC Types | MoC Checklists | MoC Templates | MoC Settings | MoC Register

7 You're Ready

Your QMS and SMS configuration is now operational. Users can:

Submit safety, security, DG, and ad-hoc reports.
Create and run audits using your checklists.
Log findings and corrective action requests (CARs) with tracked response periods.
Manage risks in the Risk & Hazard Register.

Recommended: Before going live, run a test report submission and a test audit in each module to verify that forms, notifications, and team assignments work as expected.

8 What's Next

Maintenance Setup — maintenance tracking, MEL, technical directives
Commercial Setup — quoting, fees, clients, invoicing
Data Imports — import historical data from previous systems
Integrations — connect with third-party systems