AMC3 SPA.EFB.100(b)(3) Use of electronic flight bags (EFBs) – Operational approval    

CAA ORS9 Decision No. 1

PROCEDURES

(a) General

If an EFB system generates information similar to that generated by existing certified systems, procedures should clearly identify which information source will be the primary, which source will be used for backup information, and under which conditions the backup source should be used. Procedures should define the actions to be taken by the flight crew when information provided by an EFB system is not consistent with that from other flight crew compartment sources, or when one EFB system shows different information than the other.

In the case of EFB applications providing information which might be affected by Notice(s) to Airmen (NOTAMs) (e.g. airport moving map display (AMMD), performance calculation, etc.), the procedure for the use of these applications should include the handling of the relevant NOTAMs before their use.

(b) Flight crew awareness of EFB software/database revisions

The operator should have a procedure in place to verify that the configuration of the EFB, including software application versions and, where applicable, database versions, is up to date. Flight crew members should have the ability to easily verify the validity of database versions used on the EFB. Nevertheless, flight crew members should not be required to confirm the revision dates for other databases that do not adversely affect flight operations, such as maintenance log forms or a list of airport codes. An example of a date-sensitive revision is that applied to an aeronautical chart database. Procedures should specify what actions should be taken if the software applications or databases loaded on the EFB system are outdated.

(c) Procedures to mitigate and/or control workload

Procedures should be designed to mitigate and/or control additional workload created by using an EFB system. The operator should implement procedures to ensure that, while the aircraft is in flight or moving on the ground, flight crew members do not become preoccupied with the EFB system at the same time. Workload should be shared between flight crew members to ensure ease of use and continued monitoring of other flight crew functions and aircraft equipment. These procedures should be strictly applied in flight and the operator should specify any times when the flight crew may not use a specific EFB application.

(d) Dispatch

The operator should establish dispatch criteria for EFB systems. The operator should ensure that the availability of the EFB system is confirmed by preflight checks. Instructions to the flight crew should clearly define the actions to be taken in the event of any EFB system deficiency.

Mitigation should be in the form of maintenance and/or operational procedures for items such as:

      (1) replacement of batteries at defined intervals as required;

      (2) ensuring there is a fully charged backup battery on board;

      (3) the flight crew checking the battery charging level before departure; and

      (4) the flight crew switching off the EFB in a timely manner when the aircraft power source is lost.

In the event of a partial or complete failure of the EFB, specific dispatch procedures should be followed. These procedures should be included either in the minimum equipment list (MEL) or in the operations manual, and should ensure an acceptable level of safety.

Particular attention should be paid to establishing specific dispatch procedures that allow operational data (e.g. performance data) to be obtained in case of a failure of an EFB hosting an application that normally provides such calculated data.

When the integrity of data input and output is verified by cross-checking and gross-error checks, the same checking principle should be applied to alternative dispatch procedures to ensure equivalent protection.

(e) Maintenance

Procedures should be established for the routine maintenance of the EFB system, detailing how unserviceability and failures are to be dealt with to ensure that the integrity of the EFB system is preserved. Maintenance procedures should also include the secure handling of updated information and how this information is validated and then promulgated in a timely manner and in a complete format to all users.

As part of the EFB system’s maintenance, the operator should ensure that the EFB system batteries are periodically checked and replaced as required.

Should faults or failures of the system arise, it is essential that such failures are brought to the immediate attention of the flight crew and that the system is isolated until rectification action is taken. In addition to backup procedures to deal with system failures, a reporting system should be in place so that the necessary corrective action, either to a particular EFB system or to the whole system, is taken in order to prevent the use of erroneous information by flight crew members.

(f) Security

The EFB system (including any means used for updating it) should be secure from unauthorised intervention (e.g. by malicious software). The operator should ensure that adequate security procedures are in place to protect the system at the software level and to manage the hardware (e.g. the identification of the person to whom the hardware is released, protected storage when the hardware is not in use) throughout the operational lifetime of the EFB system. These procedures should guarantee that, prior to each flight, the EFB operational software works as specified and the EFB operational data is complete and accurate. Moreover, a system should be in place to ensure that the EFB does not accept a data load that contains corrupted contents. Adequate measures should be in place for the compilation and secure distribution of data to the aircraft.

Procedures should be transparent and easy to understand, to follow, and to oversee, ensuring that:

      (1) if an EFB is based on consumer electronics (e.g. a laptop) which can be easily removed, manipulated, or replaced by a similar component, that special consideration is given to the physical security of the hardware;

      (2) portable EFB platforms are subject to allocation tracking to specific aircraft or persons;

      (3) where a system has input ports, and especially if widely known protocols are used through these ports, or internet connections are offered, that special consideration is given to the risks associated with these ports;

      (4) where physical media are used to update the EFB system, and especially if widely known types of physical media are used, that the operator uses technologies and/or procedures to assure that unauthorised content cannot enter the EFB system through these media.

The required level of EFB security depends on the criticality of the functions used (e.g. an EFB that only holds a list of fuel prices may require less security than an EFB used for performance calculations).

Beyond the level of security required to assure that the EFB can properly perform its intended functions, the level of security that is ultimately required depends on the capabilities of the EFB.

(g) Electronic signatures

Part-CAT and Part-M may require a signature when issuing or accepting a document (e.g. load sheet, technical logbook, notification to captain (NOTOC)). In order to be accepted as being equivalent to a handwritten signature, electronic signatures used in EFB applications need, as a minimum, to fulfil the same objectives and to assure the same degree of security as the handwritten or any other form of signature that they are intended to replace.

AMC1 CAT.POL.MAB.105(c) provides the means to comply with the required handwritten signature or its equivalent for mass and balance documentation.

On a general basis, in the case of required signatures, an operator should have in place procedures for electronic signatures that guarantee:

    (1) their uniqueness: a signature should identify a specific individual and should be difficult to duplicate;

    (2) their significance: an individual using an electronic signature should take deliberate and recognisable action to affix their signature;

    (3) their scope: the scope of the information being affirmed with an electronic signature should be clear to the signatory and to the subsequent readers of the record, record entry, or document;

    (4) their security: the security of an individual’s handwritten signature is maintained by ensuring that it is difficult for another individual to duplicate or alter it;

    (5) their non-repudiation: an electronic signature should prevent a signatory from denying that they affixed a signature to a specific record, record entry, or document; the more difficult it is to duplicate a signature, the likelier it is that the signature was created by the signatory; and

    (6) their traceability: an electronic signature should provide positive traceability to the individual who signed a record, record entry, or any other document.

An electronic signature should retain those qualities of a handwritten signature that guarantee its uniqueness. Systems using either a PIN or a password with limited validity (timewise) may be appropriate in providing positive traceability to the individual who affixed it. Advanced electronic signatures, qualified certificates and secured signature-creation devices needed to create them in the context of Regulation (EU) No 910/2014 are typically not required for EFB operations.