Keeping EFB regulations up with the times

Aircraft IT meets Brian Hint, Aviation Safety Inspector (Operations) at the FAA to catch up with the latest developments in regulation for EFBs

Times change and priorities with them. The growing trend for EFBs (Electronic Flight Bags) to replace weighty paper filled pilot flight bags has now moved from new to established use of technology. Along with that, the need to ensure that new electronic devices can offer the same or greater utility and integrity as the paper they replaced has now shifted to a need to ensure that the myriad developments accompanying second generation EFBs, and the many ways they may integrate with wider systems, will deliver the same or greater utility and integrity as the first wave of EFB programs. As these needs evolve, a key regulator like the FAA must re-evaluate its approach to better manage this new reality.

In that spirit, a recent task at the FAA has been to work on a draft for Advisory Circular 120-76, revision D. It represents not a total rewrite, but a clarification of philosophy, and is written in a way that the regulator hopes will make it easier for readers to understand where the FAA is going and the way forward for EFB systems. This will entail some specific policy changes, data connectivity and cybersecurity, as well as standards in cybersecurity; and the regulator also has to define what an EFB program is in terms of OpSpec A061, the Operations Specification for EFBs.

Why make changes?
A fair first question would be to ask why the FAA needed to change EFB policy so that’s what we did when Aircraft IT met Brian Hint, Aviation Safety Inspector (Operations) at the FAA. He explained that, “Over and above the general case there are several reasons to change starting with the FAA’s close working relationship with EASA.” It seems that, having in 2013 discussed with EASA the FAA’s idea for a classless EFB policy, EASA went ahead and published its own guidance on portable and installed EFBs so, as Brian added, “it makes sense that our policy should be harmonized with EASA.” The FAA is also on the ICAO Ops Panel as part of the EFB sub-working Group which came together a few years ago and has already published an EFB definition and Standards and Recommended Practices (SARPS) in Annex 6. An ICAO EFB Manual is currently out for review by states’ regulatory authorities before being published, hopefully later this year.

As well as talking with other authorities, the FAA talks with the field which generates a lot of interesting questions that might not be clear with current policy. The purpose is to clear up any confusion so operators and FAA Principal Inspectors are on the same song sheet. The regulators also attend conferences to, as much as possible, talk with operators. Brian recalls that, “they are usually forthcoming about any issues are with our policies.”

These are the various inputs driving the changes that the FAA has made as well as a wish to avoid scope creep of non-EFB applications, see further on.

Specific policy changes
If, with the proposed classless policy, there’s no longer going to be hardware with class 1, 2, 3 categorizations; the industry will have to talk about installed and portable devices. However, in practice, it doesn’t matter to the FAA today whether the EFB device is installed or portable; these days, it seems, it’s all about the application or function being displayed on the device. So, for example, when things are being displayed to the user, it doesn’t much matter what the device is as long as relevant information can be displayed clearly. EFB software applications are driving the policy and it is proposed that they be divided into two types: ‘A’ and ‘B’.

Type A and type B EFB applications
If it’s not required by in-flight operational or airworthiness regulations and is considered to have no safety effect, then the revised policy proposes to consider it a type A application. EFB applications will be considered type A where…

• The intended use does not substitute or replace any paper, system, or equipment required by airworthiness or in-flight (i.e., aircraft movement under its own power intended for flight) operational regulations;
• They have a failure condition classification considered to be a no safety effect;
• They do not require formal assessment for use (i.e., although the Type A EFB application is part of the operator’s EFB program, each Type A EFB application is not individually validated by the FAA);
• They may be hosted on either portable or installed components;
• There are no requirements for FAA design, production, or installation approval; including formal evaluation and testing; and…
• They are listed in appendix A of the EFB AC (Advisory Circular).

If Type A EFB applications have no effect on safety, why, we asked Brian, does the FAA require they be part of the OpSpec? He answered by citing  specifically, Part 121 Regulation 121.542(d) which states, ‘During all flight time as defined in 14 CFR 1.1, no flight crewmember may use, nor may any pilot in command permit the use of, a personal wireless communications device (as defined in 49 U.S.C. 44732(d)) or laptop computer while at a flight crewmember duty station, unless the purpose is directly related to operation of the aircraft, or for emergency, safety-related or employment-related communications, in accordance with air carrier procedures approved by the Administrator.’

He continued to add that if an operator identifies a Type A EFB application as part of their EFB program, it ensures the crewmember is using the application to support the operation of the aircraft.  Since the FAA holds all certificated operators to the same general standards for EFB employment, all operators seeking authorization under (14 CFR) part 121, 125, 135, or 91 subpart F (part 91F) and part 91 subpart K (part 91K)) must utilize the language within AC 120-76 to develop an EFB Program.

That’s a type A application; but what about type B? EFB applications will be considered type B where…

• The intended use is to substitute or replace any in-flight operational information required by the operating regulations;
• They do not substitute or replace any installed system, or equipment required by airworthiness or operational regulations;
• They have a failure condition classification considered to be minor;
• They require formal assessment  for operational authorization for use by the FAA (i.e., each Type B EFB application is individually validated by the FAA);
• They may be hosted on either portable or installed components;
• They have no requirements for FAA design, production, or installation approval, including formal evaluation and testing; and…
• They are listed in appendix B of the EFB AC.

In summary, an operator who chooses to utilize a Type A EFB application may self-authorize: they have to notify the appropriate CMO (Certificate Management Office) and have to devise training and procedures to ensure users know how to use the application but it’s not something specifically validated by the CMO. But if the choice is a type B application, the FAA needs to validate the operator’s application for use, as well as the EFB functions listed.

What about ‘non-EFB functions’, or those applications not listed in Appendix A or B?  The FAA has devised a new process addressing this unique situation. Intended functions found in published avionics policy, or not listed in appendices A and B of this AC are defined as ‘non-EFB.’  Non-EFB functions having published avionics policy, or identified as similar, will likely continue to require installation approval in much the same fashion as other legacy avionics systems. However, as new capabilities emerge (e.g., NextGen), new non-avionics functions may be considered for addition to the EFB application listing through AFS/AIR (Flight Standards Service / Aircraft Certification Service) formal coordination and publication update, in much the same way as the applications listed in appendices A and B of this AC were originally done.  For non-avionics functions to be considered for inclusion in the EFB application listing, they must meet both of the following criteria:

• Failure condition classification of minor or no effect through a functional hazard assessment (FHA), as defined by Aircraft Certification; and…
• FHA must be pre-coordinated with the FAA for review.

How many devices?
One question that the regulator gets asked frequently is ‘how many EFBs are needed for operational use?’ From a policy standpoint, the FAA requires two EFBs as a general risk mitigation strategy because electronics might not have the same level of integrity as paper and there will be occasions when, whatever the reason, one of those electronic flight bags could be out of commission. The FAA’s not looking to strand any operators because of EFB policy, but wants to make the point that there should be no single unit failure or no single point of failure. Brian makes the point that, “If an operator can come up with an alternative risk mitigation strategy to back up what is on the EFB, we’ll consider that.”

It isn’t such a critical issue for two pilot crews, however, where it has become a potential issue is for single pilot operations. If only one EFB is available, operational procedures are still required to mitigate the risk of a single point of failure. The design of the EFB application and hardware requires that no single failure or common mode error may cause the loss of required aeronautical information. But, again, if operators can come up with an alternative risk mitigation strategy, they should be able to prove to their CMO that there is back-up. Type A applications are not subject to this requirement

Testing
Other policy changes considered by the FAA have included a full revision of EMI/EMC testing but still with three methods for compliance… one being full spectrum analysis, two being in-flight and ground testing, and three being proof the aircraft is already Portable Electronic Device (PED) tolerant. Validation testing has also been changed: at Phase 4 of the authorization process, there was previously a six month validation period during which the operator, having gained temporary approval, could ensure that everything expected from and promised for their EFB actually works in the field: plus it’s also a chance for the CMO to manage their own oversight or surveillance; to ensure that what has been proposed is the same as what has actually been done.

That six month period was set when a lot of conversions represented major changes from paper filled flight bags to digital electronic replacements in which almost everything was new and untested and around which there was only limited experience on which to draw. However, these days, most changes are modifications within the electronic systems and therefore are changes of a different order. So the FAA had to ask, why was it still necessary to go through this validation phase when the viability of most changes could be proved in a simulator and with a given number of flight hours? It seems more sensible to devolve that role to the operator and their CMO who can agree how they will ascertain and demonstrate that the proposed change to the program is working and how long their validation test should be.

Data connectivity and cybersecurity
The next subject to be considered after the classification of EFB application types was data connectivity. Although the FAA now agrees that two-way data connectivity is permitted, there are still conditions to be met. For instance, where any COTS (commercial off the shelf) equipment will be sending information to an aircraft system with a major or higher hazard classification, then aircraft certification requires special conditions to be established and adhered to and requires an issue paper. On the other hand, data connectivity with onboard Wi-Fi will not require an issue paper. However, in the longer term, the fact of data security as well as its wider ramifications might well drive additional cybersecurity protections…

… which lead us nicely to the subject of cybersecurity itself. In the past, FAA Aircraft Certification has taken the lead for cybersecurity and Flight Standards has adopted some of those policies; but now Flight Standards has developed its own cybersecurity policy through AFS-360. In reality, that will take some time to complete and so, in the meantime the FAA has adopted EASA EFB cybersecurity policy. This sets out a list (non-exhaustive) of examples of processes, steps and requirements to maintain the necessary safety and security defenses for cybersecurity. Examples of typical safety and security defenses for cybersecurity would include…

• Individual system firewalls;
• Clustering of systems with similar safety standards into domains;
• Data encryption and authentication;
• Virus scans;
• Keeping the operating system (OS) up to date;
• Initiating air/ground connections only when required and always from the aircraft;
• ‘Whitelists’ for allowed Internet domains;
• Virtual Private Networks (VPNs);
• Granting of access rights on a need-to-have basis;
• Troubleshooting procedures should also consider security threats as potential root cause of EFB misbehavior, and responses should be developed to prevent future successful attacks when relevant;
• Virtualization; and…
• Forensic tools and procedures.

As well as being non-exhaustive, the list is ever changing to reflect new technologies, capabilities and potential threats. Operators need to develop a strategy that takes into account all the different developments in cybersecurity.

Finally, A061 is the OpSpec for EFB authorization for use. “Instead of highlighting, within the OpSpec table, the specific hardware and software the operator is authorized to use, ” Brian explained, “ the new approach focuses on managing an EFB program (e.g., operating procedures, pertinent training modules, checklists, operations manuals, training manuals, maintenance programs, minimum equipment lists (MEL), other pertinent documents, reporting procedures, etc.).” The FAA wants to see operators getting feedback from their flight crews and talking with other operators to share experiences and lessons which can be used as part of a continual process of improvement. They also want operators to work with their CMO to develop a better program: it’s like any other program that an operator may have.

Alongside all that, there are human factors to consider: as we go down the road towards data connectivity, how will flight crews utilize the growing volumes of information? Brian confirms that, “The FAA has to consider what changes we’re going to have to embrace as we develop standards for aeronautical information.” This includes how to handle cockpit display design considerations as ever increasing amounts of information are available to be displayed; and how to ensure that the pilot is able to safely handle and use that information?

Although the changes outlined above are more or less complete, the FAA is still determined to ensure that the industry has a chance to comment before final publication. It is likely that the DRAFT EFB AC will be published for comment later this year. All of these considerations reflect the development of EFB from ‘new’ technology to established technology and must reflect the changing world the pilot has to manage. In this, the FAA will continue to develop its own approach to ensure that, whatever happens around EFB, the advice, guidance and regulation will continue to be relevant and useful for operators, CMOs and pilots.

Contributor’s Details
Brian Hint

Brian Hint is an Aviation Safety Inspector (Operations) with the Federal Aviation Administration. For the past two years, he has supported the Future Flight Technologies Branch (AFS-430) located at FAA Headquarters, Washington DC. The focus of the branch is the integration of evolutionary and revolutionary technology, along with new technology-based operations, into the FAA’s vision for the Next Generation Air Transportation System. Brian is the subject matter expert for Portable Electronic Flight Bag policy.

FAA

The Federal Aviation Administration (FAA) is the national aviation authority of the United States. An agency of the United States Department of Transportation, it has authority to regulate and oversee all aspects of American civil aviation.