AMC2 NCC.GEN.131(b)(2) Use of electronic flight bags (EFBs)    

CAA ORS9 Decision No. 1

PROCEDURES

The procedures for the administration or the use of the EFB device and the type B EFB application may be fully or partly integrated in the operations manual.

(a) General

If an EFB system generates information similar to that generated by existing certified systems, procedures should clearly identify which information source will be the primary, which source will be used for backup information, and under which conditions the backup source should be used. Procedures should define the actions to be taken by the flight crew members when information provided by an EFB system is not consistent with that from other flight crew compartment sources, or when one EFB system shows different information than the other.

In the case of EFB applications providing information which might be affected by Notice(s) to Airmen NOTAMS (e.g. Airport moving map display (AMMD), performance calculation,…), the procedure for the use of these applications should include the handling of the relevant NOTAMS before their use.

(b) Flight crew awareness of EFB software/database revisions

The operator should have a process in place to verify that the configuration of the EFB, including software application versions and, where applicable, database versions, are up to date. Flight crew members should have the ability to easily verify the validity of database versions used on the EFB. Nevertheless, flight crew members should not be required to confirm the revision dates for other databases that do not adversely affect flight operations, such as maintenance log forms or a list of airport codes. An example of a date-sensitive revision is that applied to an aeronautical chart database. Procedures should specify what actions should be taken if the software applications or databases loaded on the EFB system are outdated.

(c) Workload mitigation and/or control

The operator should ensure that additional workload created by using an EFB system is adequately mitigated and/or controlled. The operator should ensure that, while the aircraft is in flight or moving on the ground, flight crew members do not become preoccupied with the EFB system at the same time. Workload should be shared between flight crew members to ensure ease of use and continued monitoring of other flight crew functions and aircraft equipment. This should be strictly applied in flight and the operator should specify any times when the flight crew members may not use the specific EFB application.

(d) Dispatch

The operator should establish dispatch criteria for the EFB system. The operator should ensure that the availability of the EFB system is confirmed by preflight checks. Instructions to flight crew should clearly define the actions to be taken in the event of any EFB system deficiency.

Mitigation may be in the form of maintenance and/or operational procedures for items such as:

    (1) replacement of batteries at defined intervals as required;

    (2) ensuring that there is a fully charged backup battery on board;

    (3) the flight crew checking the battery charging level before departure; and

    (4) the flight crew switching off the EFB in a timely manner when the aircraft power source is lost.

    In the event of a partial or complete failure of the EFB, specific dispatch procedures should be followed. These procedures should be included either in the minimum equipment list (MEL) or in the operations manual and should ensure an acceptable level of safety.

    Particular attention should be paid to establishing specific dispatch procedures allowing to obtain operational data (e.g. performance data) in the event of a failure of an EFB hosting application that provides such calculated data.

    When the integrity of data input and output is verified by cross-checking and gross-error checks, the same checking principle should be applied to alternative dispatch procedures to ensure equivalent protection.

(e) Maintenance

Procedures should be established for the routine maintenance of the EFB system and detailing how unserviceability and failures are to be dealt with to ensure that the integrity of the EFB system is preserved. Maintenance procedures should also include the secure handling of updated information and how this information is validated and then promulgated in a timely manner and in a complete format to all users.

As part of the EFB system’s maintenance, the operator should ensure that the EFB system batteries are periodically checked and replaced as required.

Should a fault or failure of the system arise, it is essential that such failures are brought to the immediate attention of the flight crew and that the system is isolated until rectification action is taken. In addition to backup procedures, to deal with system failures, a reporting system should be in place so that the necessary action, either to a particular EFB system or to the whole system, is taken in order to prevent the use of erroneous information by flight crew members.

(f) Security

The EFB system (including any means used for updating it) should be secure from unauthorised intervention (e.g. by malicious software). The operator should ensure that the system is adequately protected at the software level and that the hardware is appropriately managed (e.g. the identification of the person to whom the hardware is released, protected storage when the hardware is not in use) throughout the operational lifetime of the EFB system. The operator should ensure that prior to each flight the EFB operational software works as specified and the EFB operational data is complete and accurate. Moreover, a system should be in place to ensure that the EFB does not accept a data load that contains corrupted contents. Adequate measures should be in place for the compilation and secure distribution of data to the aircraft.

Procedures should be transparent, and easy to understand, to follow and to oversee:

    (1) If an EFB is based on consumer electronics (e.g. a laptop) which can be easily removed, manipulated, or replaced by a similar component, then special consideration should be given to the physical security of the hardware;

    (2) Portable EFB platforms should be subject to allocation tracking to specific aircraft or persons;

    (3) Where a system has input ports, and especially if widely known protocols are used through these ports or internet connections are offered, then special consideration should be given to the risks associated with these ports;

    (4) Where physical media are used to update the EFB system, and especially if widely known types of physical media are used, then the operator should use technologies and/or

    procedures to assure that unauthorised content cannot enter the EFB system through these media.

    The required level of EFB security depends on the criticality of the functions used (e.g. an EFB which only holds a list of fuel prices may require less security than an EFB used for performance calculations).

    Beyond the level of security required to assure that the EFB can properly perform its intended functions, the level of security ultimately required depends on the capabilities of the EFB.

(g) Electronic signatures

Some applicable requirements may require a signature when issuing or accepting a document (e.g. load sheet, technical logbook, notification to captain (NOTOC)). In order to be accepted as being equivalent to a handwritten signature, electronic signatures used in EFB applications need, as a minimum, to fulfil the same objectives and should assure the same degree of security as the handwritten or any other form of  signature  that  they  are  intended  to  replace.  AMC1 NCC.POL.110(c) provides means to comply with the required handwritten signature or its equivalent for mass and balance documentation.

On a general basis, in the case of required signatures, an operator should have in place procedures for electronic signatures that guarantee:

    (1) their uniqueness: a signature should identify a specific individual and be difficult to duplicate;

    (2) their significance: an individual using an electronic signature should take deliberate and recognisable action to affix their signature;

    (3) their scope: the scope of the information being affirmed with an electronic signature should be clear to the signatory and to the subsequent readers of the record, record entry, or document;

    (4) their security: the security of an individual’s handwritten signature is maintained by ensuring that it is difficult for another individual to duplicate or alter it;

    (5) their non-repudiation: an electronic signature should prevent a signatory from denying that they affixed a signature to a specific record, record entry, or document; the more difficult it is to duplicate a signature, the more likely it is that the signature was created by the signatory; and

    (6) their traceability: an electronic signature should provide positive traceability to the individual who signed a record, record entry, or any other document.

    An electronic signature should retain those qualities of a handwritten signature that guarantee its uniqueness. Systems using either a PIN or a password with limited validity (timewise) may be appropriate in providing positive traceability to the individual who affixed it. Advanced electronic signatures, qualified certificates and secured signature-creation devices needed to create them in the context of Regulation (EU) No 910/2014 are typically not required for EFB operations.