System Safety and Software Assurance


Electronic Flight Bags
AAP7001.054 Sect 2 Chap 22
SQNLDR Derek Reinhardt
Systems Certification and Integrity (SCI)
Directorate of Aircraft Engineering
(DAIRENG)
DGTA-ADF
Directorate General Technical Airworthiness
Electronic Flight Bags
1
Overview
• EFBs are being used in more challenging and potentially hazardous ways
  – host functions previously only available by dedicated aircraft instrumentation and systems
• Increasing imperative to assure EFB systems are of an appropriate integrity for their intended function or application
  – AND relevant technical and operational considerations are addressed
• New - AAP7001.054 Sect 2 Chap 22

Scope of Chapter
• Provides guidance for the technical approval, service release and management of EFBs on ADF aircraft
• Primarily focuses on technical issues
• Provides suggestions for operational management where necessary to complement the technical requirements
• Based on the FAA approach to EFB approval
  – number of important differences

FAA Approach
• FAA Documents on EFBs
  – AC120-76A – Guidelines for the Certification, Airworthiness, and Operational Approval of Electronic Flight Bags Computing Devices
  – AC20-159 – Obtaining Design and Production Approval of Airport Moving Map Display Applications Intended for Electronic Flight Bag Systems
• Defines 3 Types of Software Applications
  – Type A, Type B, Type C
• Defines 3 Classes of EFB Hardware
  – Class 1, Class 2, Class 3

ADF Hardware Classes
• Portable EFB Hardware
  – COTS hardware
  – considered a portable electronic device (PED)
  – may be connected to a mounting device, arm mounted, kneepad
  – designated means of storage when not mounted
  – connected to aircraft power through a SPO approved power interface, that may be also used to recharge internal batteries
  – read only data connectivity to other aircraft systems through SPO approved interface
  – requires quick disconnect from power and data for ground egress
  – compatible with ejection (if required)
  – may receive/transmit data connectivity
  – host Type A and B applications
  – host Type C applications under special circumstances only
  – SPO approval for hardware environmental and interface requirements to aircraft, applications and operating system

ADF Hardware Classes
• Integrated EFB Hardware
  – installed aircraft system
  – requires design approval and acceptance as per any other flight display or aircraft instrument
  – must meet relevant aircraft standards
  – designed and built to a level of integrity commensurate with the system safety assessment findings
  – host Type C applications – flight displays and moving maps
  – co-host Type A and B applications
    • provided specific considerations are addressed

Software Applications
• Type A
  – pre-composed manuals and procedures, references
  – forms, logs, training applications
• Type B
  – calculations, charts, electronic checklists (non-interactive with aircraft systems), data services, video
• Type C
  – primary flight displays, secondary flight displays, navigation displays, moving maps, airport moving maps, airborne collision avoidance, cockpit display of traffic information, electronic checklists (interactive with aircraft systems)
• Refer to Annex A to the chapter

Type A Applications
• Not required to meet software assurance ‘key issues’ of section 2 chapter 7
• Should be demonstrated to meet their intended function, be sufficiently robust and do not provide confusing or misleading information
• As the majority of these applications will be COTS, the intended function and use of these applications on the EFB should be documented, and a verification program (functional and robustness) conducted.
• The verification program should pay particular attention to opportunities for confusing or misleading information to be presented.
• The verification program should seek to assess the accuracy, availability and timeliness of the EFB applications, and should address the following robustness criteria:
  – interaction with other applications and the COTS OS hosted on the EFB during worst case loading conditions (memory usage, disk usage, device driver interaction, etc.) should be analysed to determine the acceptability of potential interactions
  – displayed resolution, legibility, true representation (e.g. correct layout and positioning of document objects and text) and navigation of pre-composed static documents during worst case zoom and resize conditions should be analysed to determine the acceptability of information presentation
  – any other robustness criteria that the safety assessment determines may contribute to the accuracy, availability, and timeliness of information/functions provided should be analysed

Type B Applications
• Should address the software assurance “Key Issues” identified in Section 2 Chapter 7
• Safety assessment is required to assess the required software assurance level
  – typically require assurance commensurate to DO-178B Level D
  – required flight information will be presented for each applicable phase of flight
  – operating system and hosted applications should be demonstrated to meet their intended function, be sufficiently robust and to not provide confusing or misleading information
• Many Type B applications will be based on COTS applications
  – high level software requirements for the use of these applications on the EFB should be documented
  – verification program (functional and robustness)
    • pay particular attention to opportunities for confusing or misleading information to be presented
    • assess the accuracy, availability and timeliness of the EFB applications
    • robustness
• Type B applications may be hosted on Portable or Integrated EFBs
• Loading flight or mission data from a standard Mission Planning System onto the on-board system via the aircraft interface.
  – should be limited to Integrated EFBs - Portable EFB hardware should only have read-only data connectivity during flight to other aircraft systems through a SPO approved interface
  – should not include executable code
  – should ensure that there is a means to establish that the correct information is loaded into the FMS or MC
  – ensure the correct information has been entered into the MPS prior to upload
  – portable EFB hardware can be used to load flight or mission data from a MPS prior to flight
    • provided it can be demonstrated that this mode cannot be exercised during flight
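The data-load points above amount to three controls on the aircraft-side receiver: the load mode must not be exercisable in flight, the package must carry no executable code, and there must be a means to establish that the correct information reached the FMS or MC. The Python below is an added example of one way to build such a gate; it is not from AAP7001.054, DGTA or any EFB product. The manifest format (one SHA-256 digest and filename per line, produced on the MPS), the airborne flag, the allowed file suffixes, the executable magic-byte list and the sample package are all assumptions constructed for this example.

```python
"""Constructed example of a mission-data load gate between a portable EFB and an
aircraft system. Assumptions (hypothetical, not from the chapter): the MPS
emits a manifest of '<sha256hex>  <filename>' lines with the package, the
aircraft side knows whether it is airborne, and only a few plain data suffixes
are accepted."""
import hashlib
import os
from dataclasses import dataclass

# Leading bytes of common executable formats (PE, ELF, Mach-O, script shebang).
# A file starting with any of these is refused: the load must carry no code.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xce", b"#!")
ALLOWED_SUFFIXES = {".fpl", ".csv", ".xml", ".txt"}   # assumed data-only types


@dataclass
class LoadDecision:
    accepted: bool
    reason: str
    loaded: tuple = ()   # filenames verified and accepted, in order


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Manifest format (assumed): '<sha256hex>  <filename>' per line; '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name] = digest.lower()
    return entries


def looks_executable(data: bytes) -> bool:
    return any(data.startswith(magic) for magic in EXECUTABLE_MAGIC)


def evaluate_load(files: dict, manifest_text: str, airborne: bool) -> LoadDecision:
    """files maps filename -> bytes as read from the portable EFB."""
    # Gate 1: the load mode is only available on the ground; in flight the
    # connectivity to other aircraft systems is read-only.
    if airborne:
        return LoadDecision(False, "load refused: aircraft airborne (read-only in flight)")
    manifest = parse_manifest(manifest_text)
    # Gate 2: the package must contain exactly the files the MPS listed.
    if set(files) != set(manifest):
        missing = sorted(set(manifest) - set(files))
        extra = sorted(set(files) - set(manifest))
        return LoadDecision(False, f"manifest mismatch: missing={missing} extra={extra}")
    loaded = []
    for name, data in sorted(files.items()):
        # Gate 3: no executable content, checked by suffix and by magic bytes.
        suffix = os.path.splitext(name)[1].lower()
        if suffix not in ALLOWED_SUFFIXES or looks_executable(data):
            return LoadDecision(False, f"executable or disallowed content: {name}")
        # Gate 4: content must match the digest the MPS recorded, which is the
        # means of establishing that the correct information was loaded.
        if sha256_hex(data) != manifest[name]:
            return LoadDecision(False, f"digest mismatch: {name}")
        loaded.append(name)
    return LoadDecision(True, "all files verified against manifest", tuple(loaded))


def build_manifest(files: dict) -> str:
    """Stand-in for the MPS side: produce the manifest for a package."""
    return "\n".join(f"{sha256_hex(d)}  {n}" for n, d in sorted(files.items()))


# Constructed sample package (not real flight data).
SAMPLE_FILES = {
    "route.fpl": b"WPT,LAT,LON\nALPHA,-34.9,138.6\nBRAVO,-35.1,139.0\n",
    "notes.txt": b"constructed mission notes\n",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)

if __name__ == "__main__":
    print(evaluate_load(SAMPLE_FILES, SAMPLE_MANIFEST, airborne=False))
    print(evaluate_load(SAMPLE_FILES, SAMPLE_MANIFEST, airborne=True))
```

The gate refuses before touching any file when airborne, so the "cannot be exercised during flight" property does not depend on the package contents. The digest check also rejects a package whose files were altered after the MPS produced the manifest, which is the integrity failure the "correct information is loaded" requirement is guarding against.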

Type C Applications
• Address the software assurance “Key Issues” identified in Section 2 Chapter 7
• Safety assessment - to assess the required software assurance level
  – typically required assurance commensurate with DO-178B Level C through A
• Safety program should ensure that the required flight information can be presented for each applicable phase of flight
• Operating system and hosted applications should be demonstrated to meet their intended function, be sufficiently robust and to not provide false or hazardously misleading information
• Type C applications are hosted on Integrated EFBs, and on Portable EFBs only in special circumstances.
• Further advice should be sought from DGTA regarding hosting Type C applications on Portable EFBs, as these will be critically assessed on the basis of rigorous system and software safety assessments.

Co-hosting Type C with Type A & B
• Hardware and/or software partitioning should be established
  – protect Type C applications from Type A and B applications, the COTS computing platform and COTS operating system
  – containment and mediation, including detection and fault handling
• Preferred approach
  – dual microprocessor system
  – first microprocessor hosts the COTS OS and Type A and B applications,
  – second microprocessor hosting an appropriately assured DO-178B Real Time Operating System (RTOS) and Type C applications.
• Numerous commercially available EFB systems
• Other approaches using software partitioning are also possible, however DGTA should be engaged on any proposal to adopt a software partitioning approach
• FAA partial TSO for AMMD software applications

EFB System Design Considerations
• Use of Aircraft Electrical Power Sources
• Batteries
• Environmental Hazard Identification and Qualification Testing
• EFB Mounting Device
• Human Machine Interface (HMI)
• COTS Operating Systems
• Aeronautical Information Databases
• Source Documents
• Security
• Additional System Safety Considerations
• EFB Configuration Control
• Instructions for Continued Airworthiness

Operational Considerations
• Cockpit procedures, references, emergency checklists, etc. are typically developed during the initial development and certification of an aircraft, and in support of subsequent modifications.
• Many implicit relationships to assumptions (e.g. availability, accuracy, and completeness of information) made in the system safety program accompanying aircraft development and/or modification
  – vital that they are captured
• Operations Issues
  – training, human factors (HMI and workload), currency, procedures
• Procedures

Transitioning to Paperless Cockpit
• Operational Evaluation
  – minimum 6 month operational evaluation is recommended
• SPO Obligations
  – all system safety assumptions (availability, accuracy, completeness) associated with all paper-based procedures and references used in the cockpit are identified and addressed by their EFB replacement
  – the design supports the required availability, accuracy and completeness of information
  – separate and backup power sources as necessary are provided to meet safety objectives
  – multiple redundant and/or diverse EFBs are provided to mitigate sources of common mode failures
  – factors relating to employment in single versus multi-crew aircraft, associated workload and availability of information have been assessed
  – if required as a mitigation for potential design related failure conditions, that paper products are carried by selected aircrew members, or a complete set of sealed paper backups stored within reach of the cockpit

Managing Deficiencies Against EFB Design Requirements
• Issue Paper is the preferred means
  – an ADF application does not neatly fall into the defined application types
  – an ADF application does not meet the relevant software safety and assurance requirements for its type, but the OAA considers the improvement in operational safety or capability to be worth retaining the residual risk
  – any other circumstances where technical shortcomings of the EFB system against the criteria of this chapter require operational mitigations (usually procedures) to retain an acceptable level of safety
• TAA’s firm expectation is that ADF engineers will strive to achieve the benchmark level of safety widely accepted in the civilian domain.
• Only where significant technical issues or an urgent operational imperative prevent full compliance with the requirements of this chapter, will the TAA propose to the OAA that a lesser level of safety be accepted.
  – factors such as rapid acquisition and cost would not normally be considered adequate justification for short cuts in engineering rigour

Summary
• Provides guidance for the technical approval, service release and management of EFBs on ADF aircraft
• Primarily focuses on technical issues
• Provides suggestions for operational management where necessary to complement the technical requirements
• Released ready for use – 054 amendment coming soon

Questions